TomatoUSB

Hi All,

I'm creating a tutorial for IPSEC Strongswan5 VPN and got to the point where I can connect from my android phone SGS3 with Strongswan app to the router and can ping from both sides.
Need some help getting actual data through as that doesn't work yet.

This is what I got so far.
Some help would be great.

#install entware

1. Install strongswan

opkg install strongswan-minimal
opkg install strongswan-mod-af-alg
opkg install strongswan-mod-gcrypt
opkg install strongswan-mod-openssl
opkg install strongswan-mod-pem
opkg install strongswan-mod-pkcs8
opkg install strongswan-mod-pkcs1
opkg install strongswan-mod-md4
opkg install strongswan-mod-md5
opkg install strongswan-mod-sha2
opkg install strongswan-mod-blowfish
opkg install strongswan-mod-des
opkg install strongswan-mod-pkcs11
opkg install strongswan-mod-test-vectors
opkg install strongswan-mod-curl
opkg install strongswan-mod-ldap
opkg install strongswan-mod-mysql
opkg install strongswan-mod-sqlite
opkg install strongswan-mod-revocation
opkg install strongswan-mod-constraints
opkg install strongswan-mod-pgp
opkg install strongswan-mod-dnskey
opkg install strongswan-mod-fips-prf
opkg install strongswan-mod-agent
opkg install strongswan-mod-cmac
opkg install strongswan-mod-ctr
opkg install strongswan-mod-ccm
opkg install strongswan-mod-gcm
opkg install strongswan-mod-attr
opkg install strongswan-mod-attr-sql
opkg install strongswan-mod-load-tester
opkg install strongswan-mod-kernel-pfkey
opkg install strongswan-mod-kernel-klips
opkg install strongswan-mod-resolve
opkg install strongswan-mod-socket-dynamic
opkg install strongswan-mod-farp
opkg install strongswan-mod-smp
opkg install strongswan-mod-sql
opkg install strongswan-mod-eap-identity
opkg install strongswan-mod-eap-md5
opkg install strongswan-mod-eap-mschapv2
opkg install strongswan-mod-xauth-generic
opkg install strongswan-mod-xauth-eap
opkg install strongswan-mod-dhcp
opkg install strongswan-mod-ha
opkg install strongswan-mod-whitelist
opkg install strongswan-mod-led
opkg install strongswan-mod-duplicheck
opkg install strongswan-mod-coupling
opkg install strongswan-mod-addrblock
opkg install strongswan-mod-unity

1. Install nano to edit the config files etc….

opkg install nano

1. Download the extras from the shibby build you are on.

mkdir /opt/ipsecmod and extract all the ipsec modules from the in that folder

1. This will open up the port automaticly on startup

mkdir /opt/etc/config
nano /opt/etc/config/vpn.fire

1. Paste the two line in there and save

iptables -I INPUT -j ACCEPT -p udp —dport 500

iptables -I INPUT -j ACCEPT -p udp —dport 4500

1. Create a script to load the modules

nano /opt/ipsecmod/ldipsecmod

1. Paste the following lines in there

cd /opt/ipsecmod/
insmod aes.ko
insmod af_key.ko
insmod ah4.ko
insmod blowfish.ko
insmod cast5.ko
insmod crypto_null.ko
insmod des.ko
insmod esp4.ko
insmod ipcomp.ko
insmod md4.ko
insmod md5.ko
insmod serpent.ko
insmod sha256.ko
insmod sha512.ko
insmod tea.ko
insmod twofish_common.ko
insmod twofish.ko
insmod xcbc.ko
insmod xfrm4_mode_beet.ko
insmod xfrm4_mode_transport.ko
insmod xfrm4_mode_tunnel.ko
insmod xfrm4_tunnel.ko
insmod xfrm_user.ko

1. Save the file

1. Make the file executable

chmod 777 /opt/ipsecmod/ldipsecmod

1. Goto the routers web interface -> administration -> scripts -> init tab

sleep 15
sh /opt/ipsecmod/ldipsecmod
sleep 5
ipsec start

1. Generate keys

cd /opt/etc/ipsec.d
ipsec pki —gen > caKey.der
ipsec pki —self —in caKey.der —dn "C=CH, O=strongSwan, CN=strongSwan CA" —ca > caCert.der
ipsec pki —gen > peerKey.der

###Beware here of the —san option, it depends on how you connect to the vpn server for instance if you use the ip or dns name to connect to your router.
### If you don't change it, the connection won't work.

ipsec pki —pub —in peerKey.der | ipsec pki —issue —cacert caCert.der —cakey caKey.der —dn "C=CH, O=strongSwan, CN=peer" —san your dns or ip > peerCert.der

mv peerKey.der /opt/etc/ipsec.d/private/peerKey.der
mv peerCert.der /opt/etc/ipsec.d/certs/peerCert.der
mv caCert.der /opt/etc/ipsec.d/cacerts/caCert.der

1. Now we need to move the caKey.der out of the location as its not safe to keep it there.

1. Edit the ipsec.conf

nano /opt/etc/ipsec.conf

1. Paste the config

1. ipsec.conf - strongSwan IPsec configuration file

config setup
uniqueids=yes

conn ikev2
keyexchange=ikev2
ike=aes256-sha1-modp1024!
esp=aes256-sha1!
dpdaction=clear
dpddelay=300s
rekey=no
left=%defaultroute
leftfirewall=yes
leftsubnet=0.0.0.0/0
leftauth=pubkey
leftcert=peerCert.der
leftid="C=CH, O=strongSwan, CN=peer"
right=%any
rightsourceip=%dhcp
rightauth=eap-mschapv2
rightsendcert=never
eap_identity=%any
auto=add

1. Save the config

1. Edit the strongswan.conf

nano /opt/etc/strongswan.conf

#### add the dns lines

1. strongswan.conf - strongSwan configuration file

1. strongswan.conf - strongSwan configuration file
2. strongswan.conf - strongSwan configuration file

charon {
plugins { dhcp {
force_server_address = yes
server = 192.168.10.1
identity_lease = yes
}
}
}
# number of worker threads in charon
threads = 16
dns1 = 8.8.8.8
dns2 = 8.8.4.4

libstrongswan {

# set to no, the DH exponent size is optimized
# dh_exponent_ansi_x9_42 = no
}

#### Edit the ipsec.secrets

nano /opt/etc/ipsec.secrets

1. /etc/ipsec.secrets - strongSwan IPsec secrets file

user : EAP "password"

#### change were needed like "user" and "password" and save

Reboot your rooter and install the CA cert on the device you are running from configure the connection and connect.

Can you help explain the use case for this? When would you want to use something like this? Thanks

I need to clean it up a bit as the copy and paste didnt work to well.

This would be a more universal way of vpn and because of IKEv2 and use of mobike excellent for mobiles.
Mobiles switch networks al the time and with that technology you won't lose your connection to your vpn.
Also this would make a excellent replacement for openvpn if incorporated into the gui.
Shibby asked on the other forum for a guide/tutorial so he can get it into the gui so thats why I'm making it.
I'm very close of getting it working right but not there yet so I'm reaching out here to see if someone already has it workingand can help me out on the missing peace.

Yeah, it would be nice to get a GUI similar to the OpenVPN gui into TomatoUSB.

Theoretically, I should be able to connect with my iPhone built in IPSec VPN client correct?

Correct and also the standard VPN client from Windows 7 works with Strongswan.

For others to follow your instruction, kindly provide also your FW version. I know that MEGA and AIO has IPSEC built-in already but not complete and no-GUI.

Beware this gets it running but its not completely working yet.

It still needs some work on the firewall or firewall policy I think the get traffic through as of the moment I can only ping from both sides.

I'm using the shibby 108 firmware on a E3000 bigvpn and mounted a 1TB drive in /opt

To get a better view of the configs look at the forum here as when pasted the instructions it got a but screwdup .

http://www.linksysinfo.org/index.php?threads/tomato-and-ipsec-why-not.38344/

Sounds interesting. I'll give it a try this week and will report back.

Hi All,

thanks alot for the effort for making this possible!

i am running into the following issues when starting IPSEC and genarating Keys:
Entware installed.
root@R01:/opt/etc/ipsec.d# ipsec pki —gen > caKey.der
plugin 'pkcs7' failed to load: File not found
openssl FIPS mode(0) unavailable
opening AF_ALG socket failed: Address family not supported by protocol
opening AF_ALG socket failed: Address family not supported by protocol
opening AF_ALG socket failed: Address family not supported by protocol
opening AF_ALG socket failed: Address family not supported by protocol
root@R01:/opt/etc/ipsec.d# ipsec restart
Stopping strongSwan IPsec…
Starting strongSwan 5.0.4 IPsec [starter]…
insmod: can't insert '/lib/modules/2.6.22.19/kernel/net/ipv4/ah4.ko': File exists
insmod: can't insert '/lib/modules/2.6.22.19/kernel/net/ipv4/esp4.ko': File exists
insmod: can't insert '/lib/modules/2.6.22.19/kernel/net/ipv4/ipcomp.ko': File exists
insmod: can't insert '/lib/modules/2.6.22.19/kernel/net/ipv4/xfrm4_tunnel.ko': unknown symbol in module, or unknown parameter
insmod: can't insert '/lib/modules/2.6.22.19/kernel/net/xfrm/xfrm_user.ko': File exists

I am going through the tutorial above from Xerxist

please help me as I do not know what is going on. I am a NOOB :)

Thanks in advance.