Hey guys,
does anyone know how to setup firewall for IKEv2 with strongswan? I found topic here on old Turris forum but the firewall part is not solved there.
I can connect to VPN and get IP from internal DHCP but traffic still ends up on WAN, not LAN. Previously the strongswan installation automatically created Ipsec0 but not anymore so I have no idea how to create it so any help would be very appreciated
config rule
    option src 'wan'
    option proto 'esp'
    option target 'ACCEPT'
I don't use a special network interface with strongswan. It installs policies in the kernel that route traffic based on the traffic selectors in your configuration. This makes it very efficient because it is all done in kernel space. The Omnia has hardware accelerated encryption which the kernel uses so it is very fast.
To install strongswan, I used:
opkg install strongswan-full kmod-crypto-echainiv
I added these customer firewall rules:
iptables -t nat -A postrouting_wan_rule -s 192.168.1.0/24 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
iptables -t nat -A postrouting_wan_rule -s 10.0.0.0/24 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
iptables -t nat -A postrouting_wan_rule -s 10.0.3.0/24 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
My /etc/ipsec.conf file has tunnels to various remote servers and "road warrior" connections for my cell phone and laptop. I could provide samples of those.
I edited parts of my file to show examples. As you can see the "road warrior" connections include 0.0.0.0/0 (the Internet) in their traffic selector so all their traffic comes through the home connection. The server on the other hand uses its own Internet connection for everything but traffic to my LAN.
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
    # strictcrlpolicy=yes
    # uniqueids = no
You can also see that I use X509 certificates for authentication. I created a certificate authority and used it to create and sign certificates for each device. This stuff then has to go into /etc/ipsec.d. The ca cert goes into /etc/ipsec.d/cacerts and the local certs and private keys go into /etc/ipsec.d/certs and private.
You also need (at least I have them) entries in /etc/ipsec.secrets like this:
You may also notice I used home.example.com and home.dyn.example.com although I don't really need two different things. The server doesn't need to know my home IP address because I always connect to it.
On the other hand the "Road Warriors" need to find my IP address so I publish the dynamic address in DNS under home.dyn and I made a separate certificate for that domain name. Again, I didn't have to do that, it helps me remember what I am doing.
Did my answer help solve your problem? I didn't speak to firewall settings because I don't think that was the problem but then I don't really know what your use case was.
Thank you very much Bill but unfortunately it did not help. I tried to add the first iptables line but it did not work. What do you have in your strongswan.conf file? Mine is:
charon {
    dns1 = 192.168.1.1
    load_modular = yes
    threads = 16
    plugins {
        include strongswan.d/charon/*.conf
        dhcp {
            force_server_address = yes
            server = 192.168.1.1
            identity_lease = yes
        }
    }
}
and ipsec.conf is:
config setup
    strictcrlpolicy=no
    uniqueids=no
Please post your log output. Nobody can help you with so little information.
Routing enabled?
Firewall settings?
Installed all packages what you need for ipsec?
Certs in the right place?
Correct networks inside config?
Normally you can see the connection in the syslog.
The first three rules set up the forwarding, and the next four punch the firewall in order to be able to establish the tunnel.
Note that the forwarding is only between vpn and lan; not vpn and wan. It is intended only for accessing the internal network from outside, not for tunneling traffic intended for Internet.
I do have ipsec interface though:
/etc/config/network
config interface 'ipsec'
    option proto 'none'
    option ifname 'ipsec0'
    option auto '1'
and I never managed to make the hw encryption work (it was buggy and caused the entire router to reboot).
Ninja edit: in order for it to work, you need the strongswan-mod-kernel-libipsec package. I'm not sure whether it is installed as a part of strongswan full, or whether you need to install it separately.
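Pulling together Bill's NAT-exemption iptables lines and the "punch the firewall to establish the tunnel" rules the post above refers to, here is an added example (my own script for /etc/firewall.user, not code from either poster): it renders the rules and installs them without duplicating them on reload. The WAN device name, the subnet list and the IPTABLES override are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example, not code from this thread: NAT exemption for IPsec-policy
# traffic (so it is not masqueraded on the way out) plus the IKE/NAT-T/ESP
# input rules needed to bring a tunnel up, applied idempotently from
# /etc/firewall.user. WAN_IF, IPSEC_SUBNETS and IPTABLES are assumptions.

WAN_IF="${WAN_IF:-eth0}"
IPTABLES="${IPTABLES:-iptables}"
IPSEC_SUBNETS="${IPSEC_SUBNETS:-192.168.1.0/24 10.0.0.0/24 10.0.3.0/24}"

# One NAT exemption per subnet. fw3 jumps to postrouting_wan_rule before its
# own MASQUERADE rule, so packets matching an outbound IPsec policy keep their
# real source address and are carried inside the tunnel instead of NATed.
nat_exempt_rule() {
    printf 'nat postrouting_wan_rule -s %s -o %s -m policy --dir out --pol ipsec -j ACCEPT\n' \
        "$1" "$WAN_IF"
}

# Rules that let peers establish the tunnel: IKE (UDP 500), NAT-T (UDP 4500), ESP.
ike_input_rules() {
    printf 'filter input_wan_rule -i %s -p udp --dport 500 -j ACCEPT\n' "$WAN_IF"
    printf 'filter input_wan_rule -i %s -p udp --dport 4500 -j ACCEPT\n' "$WAN_IF"
    printf 'filter input_wan_rule -i %s -p esp -j ACCEPT\n' "$WAN_IF"
}

# Every rule, one per line, as "<table> <chain> <rule spec>".
all_rules() {
    for net in $IPSEC_SUBNETS; do
        nat_exempt_rule "$net"
    done
    ike_input_rules
}

# Append a rule only when "iptables -C" reports it absent, so re-running the
# script (fw3 calls firewall.user on every reload) never duplicates rules.
apply_rules() {
    all_rules | while read -r table chain spec; do
        # shellcheck disable=SC2086  # spec must be word-split into arguments
        "$IPTABLES" -t "$table" -C "$chain" $spec 2>/dev/null \
            || "$IPTABLES" -t "$table" -A "$chain" $spec
    done
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Run `sh firewall-ipsec.sh` to review the rendered rules with `all_rules`, and `sh firewall-ipsec.sh apply` (or source it from /etc/firewall.user) to install them; note this only exempts and admits the tunnel, forwarding between the VPN clients and the LAN zone is still configured in /etc/config/firewall as the post above describes.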
I've finally been able to get strongswan to work. I've shared my step-by-step recipe (guide). It's available as a separate post at the following URL: