How to set up a firewall for a strongswan IKEv2 VPN

Hey guys,
does anyone know how to set up the firewall for IKEv2 with strongswan? I found a topic on the old Turris forum, but the firewall part is not solved there.
I can connect to the VPN and get an IP from the internal DHCP, but traffic still ends up on WAN, not LAN. Previously the strongswan installation automatically created ipsec0, but not anymore, so I have no idea how to create it; any help would be very appreciated :slight_smile:
config rule
	option src 'wan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option src 'wan'
	option proto 'ah'
	option target 'ACCEPT'

config rule
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option target 'ACCEPT'
	option src 'wan'
	option proto 'udp'
	option name '-'
	option dest 'lan'
	option dest_port '4500'

config rule
	option target 'ACCEPT'
	option src 'wan'
	option name 'VPN2'
	option proto 'udp'
	option dest_port '4500'

config rule
	option target 'ACCEPT'
	option src 'wan'
	option proto 'udp'
	option dest_port '500'
	option name 'VPN1'

I don’t use a special network interface with strongswan. It installs policies in the kernel that route traffic based on the traffic selectors in your configuration. This makes it very efficient because it is all done in kernel space. The Omnia has hardware-accelerated encryption which the kernel uses, so it is very fast.

To install strongswan, I used:

opkg install strongswan-full kmod-crypto-echainiv

I added these custom firewall rules:

iptables -t nat -A postrouting_wan_rule -s 192.168.1.0/24 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
iptables -t nat -A postrouting_wan_rule -s 10.0.0.0/24 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
iptables -t nat -A postrouting_wan_rule -s 10.0.3.0/24 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT

My /etc/ipsec.conf file has tunnels to various remote servers and “road warrior” connections for my cell phone and laptop. I could provide samples of those.

Bill

Bill, I would be interested in samples of your configuration files (/etc/ipsec.conf) so that I could use them as a template in my installation.

I edited parts of my file to show examples. As you can see the “road warrior” connections include 0.0.0.0/0 (the Internet) in their traffic selector so all their traffic comes through the home connection. The server on the other hand uses its own Internet connection for everything but traffic to my LAN.

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
	# strictcrlpolicy=yes
	# uniqueids = no

conn %default
	esp=aes256-sha256-modp4096
	ike=aes256-sha256-modp4096
	ikelifetime=60m
	keylife=20m
	rekeymargin=3m
	keyingtries=1
	keyexchange=ikev2
	dpdaction=hold
	closeaction=hold

conn laptop
	leftcert=home.dyn.example.com.pem
	leftid="C=US, CN=home.dyn.example.com"
	leftsubnet=0.0.0.0/0,192.168.1.0/24,10.0.0.0/16
	leftfirewall=yes
	lefthostaccess=yes
	right=%any
	rightid="C=US, CN=laptop@example.com, E=email@example.com"
	rightsourceip=10.0.3.0/24
	rightdns=10.0.0.13
	type=tunnel
	auto=add

conn phone
	leftcert=home.dyn.example.com.pem
	leftid="C=US, CN=home.dyn.example.com"
	leftsubnet=0.0.0.0/0,192.168.1.0/24,10.0.0.0/16
	leftfirewall=yes
	lefthostaccess=yes
	right=%any
	rightsourceip=10.0.3.0/24
	rightdns=10.0.0.13
	rightid="C=US, CN=phone@example.com, E=email@example.com"
	rightauth=pubkey
	type=tunnel
	auto=add

conn home-server
	mobike=no
	leftcert=home.pem
	leftid="C=US, CN=home.example.com, E=email@example.com"
	leftsubnet=192.168.1.0/24,10.0.0.0/24
	leftfirewall=yes
	lefthostaccess=yes
	right=192.0.2.1
	rightid="C=US, CN=server.example.com, E=email@example.com"
	rightauth=pubkey
	righthostaccess=yes
	rightfirewall=yes
	type=tunnel
	auto=start

You can also see that I use X.509 certificates for authentication. I created a certificate authority and used it to create and sign certificates for each device. This stuff then has to go into /etc/ipsec.d. The CA cert goes into /etc/ipsec.d/cacerts, and the local certs and private keys go into /etc/ipsec.d/certs and private.

You also need (at least I have them) entries in /etc/ipsec.secrets like this:

# /etc/ipsec.secrets - strongSwan IPsec secrets file

home.example.com : RSA home.key
home.dyn.example.com : RSA home.dyn.example.com.key

You may also notice I used home.example.com and home.dyn.example.com although I don’t really need two different things. The server doesn’t need to know my home IP address because I always connect to it.

On the other hand the “Road Warriors” need to find my IP address so I publish the dynamic address in DNS under home.dyn and I made a separate certificate for that domain name. Again, I didn’t have to do that, it helps me remember what I am doing.

Did my answer help solve your problem? I didn’t speak to firewall settings because I don’t think that was the problem but then I don’t really know what your use case was.

Bill

Thank you very much Bill, but unfortunately it did not help. I tried to add the first iptables line, but it did not work. What do you have in your strongswan.conf file? Mine is:

charon {
	dns1 = 192.168.1.1
	load_modular = yes
	threads = 16
	plugins {
		include strongswan.d/charon/*.conf
		dhcp {
			force_server_address = yes
			server = 192.168.1.1
			identity_lease = yes
		}
	}
}
and ipsec.conf is:

config setup
	strictcrlpolicy=no
	uniqueids=no

conn %default
	dpdaction=clear
	dpddelay=35s
	dpdtimeout=2000s
	keyexchange=ikev2
	auto=add
	rekey=no
	reauth=no
	fragmentation=yes
	esp=aes256-sha256-modp4096
	ike=aes256-sha256-modp4096
	left=%any
	leftcert=vpn.schejbal.net.crt
	leftsendcert=always
	leftsubnet=0.0.0.0/0
	lefthostaccess=yes
	leftfirewall=yes
	right=%any
	eap_identity=%identity
	rightsourceip=%dhcp
	rightdns=212.96.161.6
	type=tunnel

conn IPSec-IKEv2-EAP
	leftid=schejbal.net
	rightauth=eap-mschapv2

Please post your log output. Nobody can help you with so little information.
Routing enabled?
Firewall settings?
Have you installed all the packages you need for IPsec?
Certs in the right place?
Correct networks inside the config?

Normally you can see the connection in the syslog.

If not, in a terminal:
ipsec restart --nofork

The following firewall config works for me:

/etc/config/firewall

config zone
	option forward 'REJECT'
	option name 'vpn'
	option input 'REJECT'
	option output 'ACCEPT'
	option network 'ipsec'

config forwarding
	option dest 'lan'
	option src 'vpn'

config forwarding
	option dest 'vpn'
	option src 'lan'

config rule
	option src 'wan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option src 'wan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option target 'ACCEPT'
	option src 'wan'
	option proto 'udp'
	option dest_port '4500'

config rule
	option target 'ACCEPT'
	option src 'wan'
	option proto 'ah'

The first three sections set up the forwarding, and the next four rules punch holes in the firewall so that the tunnel can be established.

Note that the forwarding is only between vpn and lan; not vpn and wan. It is intended only for accessing the internal network from outside, not for tunneling traffic intended for Internet.

I do have ipsec interface though:
/etc/config/network

config interface 'ipsec'
	option proto 'none'
	option ifname 'ipsec0'
	option auto '1'

and I never managed to make the hw encryption work (it was buggy and caused the entire router to reboot).
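The zone layout above only forwards between vpn and lan, never vpn to wan. As an added example (not from the thread, and not part of the Turris or strongSwan projects), this POSIX sh/awk script audits a /etc/config/firewall for any forwarding that would let the vpn zone exit to wan; the two sample configs are constructed inline and the 'vpn' zone name is assumed from the config above.

```shell
# Added example: audit an OpenWrt/Turris firewall config for 'config forwarding'
# sections leaving the 'vpn' zone. A vpn -> wan forwarding turns a "reach my LAN"
# VPN into a full Internet exit, so it should be a deliberate choice, never an accident.

# list_forwardings FILE ZONE: print "src dest" for every forwarding whose src is ZONE
list_forwardings() {
    awk -v zone="$2" -v q="'" '
        function flush() {
            if (kind == "forwarding" && src == zone && dest != "") print src, dest
            kind = ""; src = ""; dest = ""
        }
        /^config /            { flush(); kind = $2; next }   # start of a UCI section
        kind == "forwarding" && $1 == "option" {
            val = $3; gsub("[" q "\"]", "", val)             # strip UCI quoting
            if ($2 == "src")  src  = val
            if ($2 == "dest") dest = val
        }
        END { flush() }
    ' "$1"
}

# vpn_to_wan_count FILE: number of forwardings that send vpn-zone traffic to wan
vpn_to_wan_count() {
    list_forwardings "$1" vpn | awk '$2 == "wan"' | wc -l | tr -d ' '
}

# audit_firewall FILE: succeed (exit 0) when the vpn zone never forwards to wan
audit_firewall() {
    [ "$(vpn_to_wan_count "$1")" -eq 0 ]
}

# Constructed sample 1: the forwardings from the working config (vpn <-> lan only)
FW_OK=$(mktemp)
cat > "$FW_OK" <<'EOF'
config forwarding
	option dest 'lan'
	option src 'vpn'

config forwarding
	option dest 'vpn'
	option src 'lan'
EOF

# Constructed sample 2: same file plus a forwarding that lets VPN clients exit to the Internet
FW_BAD=$(mktemp)
{ cat "$FW_OK"; printf '\nconfig forwarding\n\toption src %s\n\toption dest %s\n' "'vpn'" "'wan'"; } > "$FW_BAD"

audit_firewall "$FW_OK"  && echo "sample 1: vpn zone reaches lan only"
audit_firewall "$FW_BAD" || echo "sample 2: vpn -> wan forwarding found; VPN clients can exit to the Internet"
```

Run it against the real file with audit_firewall /etc/config/firewall; a non-zero exit means at least one forwarding sends vpn traffic to wan.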

Thank you johndoe. Was your ipsec0 interface created automatically by strongswan, or did you create it manually?

I created it manually.

Ninja edit: in order for it to work, you need the strongswan-mod-kernel-libipsec package. I’m not sure whether it is installed as a part of strongswan full, or whether you need to install it separately.

I’ve finally been able to get strongswan to work. I’ve shared my step-by-step recipe (guide). It’s available as a separate post at the following URL:

Strongswan configuration recipe for Turris Omnia


Thank you once again rguerra. After I checked your recipe I found a typo in my forwarding :slight_smile: