Hi All,
I'm creating a tutorial for an IPsec strongSwan 5 VPN and got to the point where I can connect from my Android phone (SGS3) with the strongSwan app to the router and can ping from both sides.
I need some help getting actual data through, as that doesn't work yet.
This is what I got so far.
Some help would be great.
# Install Entware first
- Install strongswan
# Install strongSwan and its plugins, one opkg call per package, in the same
# order as listing them one by one. Not all of these are used by the
# ipsec.conf / strongswan.conf later in this tutorial (load-tester, ha,
# kernel-klips and the mysql/ldap/sql ones, for example); each loaded plugin
# is extra code on the gateway, so trimming the list to what charon actually
# needs is worth doing once the setup works — which ones are required is not
# verifiable from this page, so the full list is kept here.
for pkg in \
  strongswan-minimal \
  strongswan-mod-af-alg \
  strongswan-mod-gcrypt \
  strongswan-mod-openssl \
  strongswan-mod-pem \
  strongswan-mod-pkcs8 \
  strongswan-mod-pkcs1 \
  strongswan-mod-md4 \
  strongswan-mod-md5 \
  strongswan-mod-sha2 \
  strongswan-mod-blowfish \
  strongswan-mod-des \
  strongswan-mod-pkcs11 \
  strongswan-mod-test-vectors \
  strongswan-mod-curl \
  strongswan-mod-ldap \
  strongswan-mod-mysql \
  strongswan-mod-sqlite \
  strongswan-mod-revocation \
  strongswan-mod-constraints \
  strongswan-mod-pgp \
  strongswan-mod-dnskey \
  strongswan-mod-fips-prf \
  strongswan-mod-agent \
  strongswan-mod-cmac \
  strongswan-mod-ctr \
  strongswan-mod-ccm \
  strongswan-mod-gcm \
  strongswan-mod-attr \
  strongswan-mod-attr-sql \
  strongswan-mod-load-tester \
  strongswan-mod-kernel-pfkey \
  strongswan-mod-kernel-klips \
  strongswan-mod-resolve \
  strongswan-mod-socket-dynamic \
  strongswan-mod-farp \
  strongswan-mod-smp \
  strongswan-mod-sql \
  strongswan-mod-eap-identity \
  strongswan-mod-eap-md5 \
  strongswan-mod-eap-mschapv2 \
  strongswan-mod-xauth-generic \
  strongswan-mod-xauth-eap \
  strongswan-mod-dhcp \
  strongswan-mod-ha \
  strongswan-mod-whitelist \
  strongswan-mod-led \
  strongswan-mod-duplicheck \
  strongswan-mod-coupling \
  strongswan-mod-addrblock \
  strongswan-mod-unity
do
  # No error check, exactly like the one-per-line form: a failed package
  # does not stop the remaining installs.
  opkg install "$pkg"
done
- Install nano to edit the config files etc….
# Text editor used for the config files in the rest of this tutorial.
opkg install nano
- Download the extras from the shibby build you are on.
Run `mkdir /opt/ipsecmod` and extract all the ipsec modules from the downloaded extras into that folder.
- This will open up the ports automatically on startup
# The ".fire" suffix is what makes the router run this file when its
# firewall starts (see the step above) — presumably a Tomato/Entware
# convention; confirm for your build.
mkdir /opt/etc/config
nano /opt/etc/config/vpn.fire
- Paste the following two lines in there and save
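# Accept IKE (UDP 500) and NAT-Traversal (UDP 4500), which the phone uses
# behind NAT. "--dport" is two ASCII hyphens: the em dash that a forum
# paste produces ("—dport") makes iptables reject the rule.
# These rules accept from any source on any interface; if the router has a
# dedicated WAN interface, adding "-i <WAN_IFACE>" (placeholder — the
# interface name is not given here) limits exposure to that interface.
iptables -I INPUT -j ACCEPT -p udp --dport 500
iptables -I INPUT -j ACCEPT -p udp --dport 4500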
- Create a script to load the modules
# Create the module-loading script; its contents follow below.
nano /opt/ipsecmod/ldipsecmod
- Paste the following lines in there
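#!/bin/sh
# ldipsecmod — loads the IPsec kernel modules extracted into /opt/ipsecmod.
# Run at boot from the router's init script (sh /opt/ipsecmod/ldipsecmod).
#
# Abort if the directory is missing or not mounted yet: otherwise every
# relative insmod path below would be resolved against the wrong directory
# and the failures would be silent apart from insmod's error lines.
cd /opt/ipsecmod/ || exit 1

# Order matters: a module must be loaded after the modules it depends on
# (e.g. twofish_common.ko before twofish.ko), so the list keeps its
# original order. As before, a module that fails to load (or is already
# loaded) does not stop the rest.
for mod in \
  aes.ko \
  af_key.ko \
  ah4.ko \
  blowfish.ko \
  cast5.ko \
  crypto_null.ko \
  des.ko \
  esp4.ko \
  ipcomp.ko \
  md4.ko \
  md5.ko \
  serpent.ko \
  sha256.ko \
  sha512.ko \
  tea.ko \
  twofish_common.ko \
  twofish.ko \
  xcbc.ko \
  xfrm4_mode_beet.ko \
  xfrm4_mode_transport.ko \
  xfrm4_mode_tunnel.ko \
  xfrm4_tunnel.ko \
  xfrm_user.ko
do
  insmod "$mod"
done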
- Save the file
- Make the file executable
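# 755 is enough to run it. The original 777 made a script that the init
# script executes at boot (as root on the router) writable by every local
# account, which hands root to anyone who can edit the file.
chmod 755 /opt/ipsecmod/ldipsecmod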
- Go to the router's web interface -> administration -> scripts -> init tab and add the following lines
# Init script (runs at boot). The sleeps presumably give the storage that
# holds /opt time to be mounted before the modules are loaded and charon is
# started; the values are guesses — if ipsec is not up after a reboot,
# lengthen them or wait for /opt/ipsecmod to exist instead.
sleep 15
sh /opt/ipsecmod/ldipsecmod
sleep 5
ipsec start
- Generate keys
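cd /opt/etc/ipsec.d
# Private keys are written with the current umask; 077 keeps caKey.der and
# peerKey.der readable by root only (the usual default would leave them
# world-readable). charon runs as root, so 600 files are fine for it.
umask 077
# Every pki option takes two ASCII hyphens ("--gen", not "—gen"): the em
# dash a forum paste produces makes `ipsec pki` reject the option.
ipsec pki --gen > caKey.der
ipsec pki --self --in caKey.der --dn "C=CH, O=strongSwan, CN=strongSwan CA" --ca > caCert.der
ipsec pki --gen > peerKey.der
### Beware of the --san option: it must match how clients reach the VPN
### server — the IP address or the DNS name typed into the client.
### If you don't change it, the connection won't work.
### Placeholder value below — replace it with that address or name.
SERVER_ID="your.dns.name.or.ip"
# Some IKEv2 clients (Windows in particular) additionally require the
# serverAuth EKU on the server certificate; add "--flag serverAuth" to the
# --issue command if such clients are planned.
ipsec pki --pub --in peerKey.der | ipsec pki --issue --cacert caCert.der --cakey caKey.der --dn "C=CH, O=strongSwan, CN=peer" --san "$SERVER_ID" > peerCert.der
mv peerKey.der /opt/etc/ipsec.d/private/peerKey.der
mv peerCert.der /opt/etc/ipsec.d/certs/peerCert.der
mv caCert.der /opt/etc/ipsec.d/cacerts/caCert.der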
- Now move caKey.der out of this location, as it's not safe to keep it there.
- Edit the ipsec.conf
# Connection definitions for charon; the contents follow below.
nano /opt/etc/ipsec.conf
- Paste the config
# ipsec.conf - strongSwan IPsec configuration file
config setup
# A new IKE_SA from the same identity replaces the existing one.
uniqueids=yes
# NOTE(review): in ipsec.conf the parameters of a section must be indented
# below the section line; the indentation looks lost in this paste —
# confirm the file on the router is indented.
conn ikev2
keyexchange=ikev2
# NOTE(review): modp1024 (1024-bit DH) and SHA-1 are legacy choices, and
# the trailing "!" makes this the only proposal accepted. Once the phone is
# confirmed to support it, prefer a stronger proposal (e.g. modp2048/sha256).
ike=aes256-sha1-modp1024!
esp=aes256-sha1!
# Dead-peer detection: drop state of an unresponsive client after 300 s.
dpdaction=clear
dpddelay=300s
rekey=no
left=%defaultroute
# Lets the updown script insert iptables rules for each client.
leftfirewall=yes
# 0.0.0.0/0: every client packet is sent through the tunnel, so the router
# must forward and NAT it. If pings work but other traffic does not, the
# FORWARD chain and the NAT rules for the client addresses are the first
# things to check — not verifiable from this page.
leftsubnet=0.0.0.0/0
leftauth=pubkey
leftcert=peerCert.der
# Must match the --dn given to "ipsec pki --issue" for peerCert.der.
leftid="C=CH, O=strongSwan, CN=peer"
right=%any
# Client addresses come from the DHCP server configured in strongswan.conf
# (dhcp plugin); the farp plugin installed above answers ARP for them on the LAN.
rightsourceip=%dhcp
# Clients authenticate with username/password (EAP-MSCHAPv2 from ipsec.secrets).
rightauth=eap-mschapv2
rightsendcert=never
eap_identity=%any
auto=add
- Save the config
- Edit the strongswan.conf
# Daemon settings (threads, DNS pushed to clients, dhcp plugin); contents follow.
nano /opt/etc/strongswan.conf
#### add the dns lines
# strongswan.conf - strongSwan configuration file
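charon {
    # number of worker threads in charon
    threads = 16
    # DNS servers handed to clients. These are charon.dns1 / charon.dns2,
    # so they belong inside the charon section: the original placed them
    # (and threads) after charon's closing brace, where they take no effect.
    # The router's own resolver (the DHCP server address below) could be
    # used instead of public DNS if clients should resolve LAN names.
    dns1 = 8.8.8.8
    dns2 = 8.8.4.4
    plugins {
        dhcp {
            # Ask the DHCP server at this address for client leases.
            force_server_address = yes
            server = 192.168.10.1
            identity_lease = yes
        }
    }
}
libstrongswan {
    # set to no, the DH exponent size is optimized
    # dh_exponent_ansi_x9_42 = no
}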
#### Edit the ipsec.secrets
# EAP credentials; the file holds a cleartext password, so keep it
# readable by root only (chmod 600 /opt/etc/ipsec.secrets).
nano /opt/etc/ipsec.secrets
# /etc/ipsec.secrets - strongSwan IPsec secrets file
# One line per client: "user" must match the EAP identity the phone sends;
# the password is stored in cleartext, so restrict the file to root.
user : EAP "password"
#### change where needed, like "user" and "password", and save
Reboot your router, install the CA cert on the device you are connecting from, configure the connection and connect.