StrongSwan IPSec IKEv2 VPN with LEDE Reboot 17.01.4

You’ve managed to find this tutorial before my commentary or other helpful notes have been added. This means it hasn’t been fully tested. Hopefully you’ll be able to reproduce the same results, but just because I have a working setup doesn’t mean you will. Think before you type; even more so before hitting enter. If you decide to follow this guide – please leave a comment with your feedback, questions, fixes or anything else that could help others.

strongSwan is an OpenSource IPsec implementation. It was originally based on the discontinued FreeS/WAN project and the X.509 patch that we developed. In order to have a stable IPsec platform to base the extensions of the X.509 capability on, we decided to launch the strongSwan project in 2005.

Since then a new IKE daemon has been written in a modern object-oriented coding style, so that the current code base does not share code with its ancestor anymore. Initially that daemon only supported IKEv2, while IKEv1 was handled by an extended version of FreeS/WAN’s pluto daemon. But because adoption of IKEv2 by other vendors took longer than anticipated, support for IKEv1 was added to the new daemon with strongSwan 5.0.0.

strongSwan originally was designed for Linux, but has since been ported to Android, FreeBSD, macOS, Windows and many other platforms.

Install strongSwan with opkg.

opkg update && opkg install strongswan-full

Make your own private root certificate authority and server certificate.

cd /etc/ipsec.d/

ipsec pki --gen --type rsa --size 4096 --outform pem \
    > private/LEDE_Root_CA.key
chmod 600 private/LEDE_Root_CA.key
ipsec pki --self --ca \
    --lifetime 3650 \
    --in private/LEDE_Root_CA.key \
    --type rsa \
    --dn "C=DE, O=LEDE Project, CN=LEDE Root certAuthority" \
    --outform pem \
    > cacerts/LEDE_Root_CA.crt

ipsec pki --gen --type rsa --size 4096 --outform pem \
    > private/server.example.com.key
chmod 600 private/server.example.com.key
ipsec pki --pub --in private/server.example.com.key --type rsa | \
    ipsec pki --issue --lifetime 1825 \
    --cacert cacerts/LEDE_Root_CA.crt \
    --cakey private/LEDE_Root_CA.key \
    --dn "C=US, OU=Domain Validated, CN=server.example.com" \
    --san "server.example.com" \
    --san "lede.lan" \
    --san "lede.local" \
    --san "lede.private" \
    --flag serverAuth --flag ikeIntermediate \
    --outform pem > certs/server.example.com.crt

Validate your newly created certificates.

ipsec pki --print --in /etc/ipsec.d/cacerts/LEDE_Root_CA.crt
ipsec pki --print --in /etc/ipsec.d/certs/server.example.com.crt

Edit /etc/strongswan.conf with your favorite text editor.

# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
    dns1 = 192.168.1.1
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
        dhcp {
            server = 192.168.1.1
            force_server_address = yes
            identity_lease = yes
        }
    }
}
# include strongswan.d/*.conf

Edit /etc/ipsec.conf with your favorite text editor.

# ipsec.conf - strongSwan IPsec configuration file

config setup
	strictcrlpolicy=no
	uniqueids=yes

conn rw-base
	fragmentation=yes
	dpdaction=clear
	dpdtimeout=120s
	dpddelay=30s
	compress=yes

conn rw-config
	also=rw-base
	rightsourceip=%dhcp
	rightdns=192.168.1.1
	leftsubnet=0.0.0.0/0
	leftid=@server.example.com
	leftcert=server.example.com.crt
	reauth=no
	rekey=no
	ike=aes256-sha256-modp2048,aes256-sha1-modp1024,3des-sha1-modp1024!
	esp=aes256-sha256,aes256-sha1,3des-sha1!
	leftsendcert=always

conn rw-local-network
	also=rw-config
	leftfirewall=yes
	lefthostaccess=yes

conn ikev2-eap-mschapv2
	also=rw-local-network
	keyexchange=ikev2
	rightauth=eap-mschapv2
	eap_identity=%identity
	auto=add
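The four conns above are chained through also=, so the settings that actually apply to ikev2-eap-mschapv2 are spread over the whole file. This added Python example (not code from the tutorial or from strongSwan) resolves that chain the way strongSwan does, with a conn's own keys overriding the included ones, and lists every ike=/esp= proposal that still offers 3DES, SHA-1 or modp1024; the embedded config is a constructed, abridged copy of the conns above.

```python
# Added example (not from this page or strongSwan): resolve also= chains, flag weak proposals.
WEAK = {"3des", "md5", "sha1", "modp768", "modp1024", "null"}
IPSEC_CONF = """\
conn rw-base
    dpdaction=clear
conn rw-config
    also=rw-base
    ike=aes256-sha256-modp2048,aes256-sha1-modp1024,3des-sha1-modp1024!
    esp=aes256-sha256,aes256-sha1,3des-sha1!
conn rw-local-network
    also=rw-config
conn ikev2-eap-mschapv2
    also=rw-local-network
    keyexchange=ikev2
    rightauth=eap-mschapv2
"""  # constructed, abridged copy of the conns in the tutorial above

def parse_sections(text):
    # (kind, name) -> {"also": [parents], "settings": {key: value}}
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # '#' starts a comment
        if not line.strip(): continue
        if not raw[0].isspace():  # an unindented line opens a new section
            current = tuple(line.split(None, 1))  # e.g. ("conn", "rw-base")
            sections[current] = {"also": [], "settings": {}}
            continue
        key, _, value = line.strip().partition("=")
        if key.strip() == "also":
            sections[current]["also"].append(value.strip())
        else:
            sections[current]["settings"][key.strip()] = value.strip()
    return sections

def resolve_conn(sections, name, seen=()):
    # included conns are applied first; the conn's own keys override them
    if name in seen: raise ValueError("also= cycle through conn " + name)
    effective = {}
    for parent in sections[("conn", name)]["also"]:
        effective.update(resolve_conn(sections, parent, seen + (name,)))
    effective.update(sections[("conn", name)]["settings"])
    return effective

def weak_proposals(effective):
    # one (key, proposal) per ike=/esp= proposal naming a WEAK algorithm
    findings = []
    for key in ("ike", "esp"):
        proposals = effective.get(key, "").rstrip("!").split(",")
        findings += [(key, p) for p in proposals if WEAK & set(p.split("-"))]
    return findings
```

Run it against the real /etc/ipsec.conf by reading the file into IPSEC_CONF; a trailing "!" on a proposal list keeps strongSwan from adding its default proposals, so the listed findings are exactly what peers may negotiate.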

Edit /etc/ipsec.secrets with your favorite text editor.

# /etc/ipsec.secrets - strongSwan IPsec secrets file

server.example.com : RSA server.example.com.key

Username1 : EAP "Password"
Username2 : EAP "Password"

Edit /etc/config/firewall with your favorite text editor.

config rule
	option name 'Allow-ESP'
	option src 'wan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option proto 'udp'
	option dest_port '500'
	option target 'ACCEPT'

config rule
	option name 'Allow-IKEv2'
	option src 'wan'
	option proto 'udp'
	option dest_port '4500'
	option target 'ACCEPT'

config rule
	option name 'Allow-AH'
	option src 'wan'
	option proto 'ah'
	option target 'ACCEPT'

Restart the firewall and strongSwan to effect changes. Check the status of strongSwan to ensure it has started properly.

/etc/init.d/firewall reload
ipsec restart
ipsec statusall

Make a backup of the root certificate.

cp /etc/ipsec.d/cacerts/LEDE_Root_CA.crt /root/.

The recently generated strongSwan server certificate also works with LuCI. This next step is optional and requires the luci-ssl package to be installed. Make sure LEDE_Root_CA.crt is installed and trusted on your connecting device.

rm /etc/uhttpd.key && rm /etc/uhttpd.crt
cp /etc/ipsec.d/private/server.example.com.key /etc/uhttpd.key
cp /etc/ipsec.d/certs/server.example.com.crt /etc/uhttpd.crt
/etc/init.d/uhttpd restart

4 thoughts on “StrongSwan IPSec IKEv2 VPN with LEDE Reboot 17.01.4”

  1. Thank you for the extra effort! But… After a point ….uhttpd restart is missing.
    What did I miss? I tried to connect to my new vpn server from the internet with username and password (Username1/Password) without any success. I know, I’m a newcomer… But I’m stuck at this point. How can I conf the vpn client on mac/win? please?

  2. Hi Robert,

    I’ve used your guide to set up strongSwan on a LEDE router with a PPPoE wan connection. I can bring up the VPN and connect to it (from a Windows 8 box).

    From the client side I have a problem however in that HTTPS doesn’t work (SSH and HTTP are fine).

    Any HTTPS connection across the VPN (either to a host on the router’s local network or out to a remote web server) fails in firefox with SEC_ERROR_UNKNOWN_ISSUER.

    Any idea on the source of this problem?

    Cheers,
    Dave

  3. To get routing working correctly for me (using masqueraded PPPoE wan) I needed to add the following to /etc/firewall.user

    iptables -t nat -A postrouting_wan_rule -s 192.168.0.130/32 -m policy --dir out --pol ipsec -j ACCEPT
    iptables -t nat -A prerouting_wan_rule -m policy --dir in --pol ipsec -j ACCEPT
    iptables -t nat -A postrouting_wan_rule -m policy --dir out --pol ipsec -j ACCEPT
    iptables -A forwarding_rule -m policy --dir in --pol ipsec -m conntrack --ctstate NEW -j zone_vpn_forward
    iptables -A input_wan_rule -m policy --dir in --pol ipsec -m conntrack --ctstate NEW -j ACCEPT

    [Thanks to mikma](https://forum.lede-project.org/t/solved-about-traffic-forward-from-lede-subnet-via-vps-to-internet/13752).
