
Tomato and IPSec, Why Not?

Discussion in 'Tomato Firmware' started by PGalati, Jul 17, 2012.

  1. PGalati

    PGalati Network Guru Member

    Is there a licensing reason that any variant of Tomato does not have an IPSec VPN module installed? How about firmware size limitations? FYI, I am not referring to passthrough.

    I am at a crossroads in making a decision. Do I use 2 routers with one being Tomato or replace Tomato with something that has wifi and IPSec in the same box. I would really like to stay with Tomato for all of the great performance, reliability, capability features but unfortunately I am in a situation where I will be handing out hardware to people that are going to far away places and need an IPSec solution built in to connect to our office, edged by an ASA 5505. They are project managers, not IT people. I want to make the solution as simple plugged as possible. Putting confidence into new hardware with different configuration screens might come back to bite me if trouble surfaces.

    I wish there was an IPSec capable, wifi enabled router that has PoE ports for VOIP phones in one box with a decent sticker price. Who makes such an animal?

    I am 1% tempted to actually purchase Talisman from Sveasoft to see if its IPSec module would allow a WRT54GL to connect to our office. If a lowly $11 BEFSX41 can, very well btw, then Talisman should. Sveasoft's sales tactics are bothering though, something about MAC address registration. I guess it is their form of copy protection. I have an email into them but have not heard back and probably won't.

    What would you propose as a solution for 3 Cisco 7941 handsets and a dozen wireless devices (phones, laptops, etc) being connected to the internet in Europe and tunnel back to the States? A Cisco ASA 5505 is your only endpoint in the States.

    Thanks for any suggestions or comments you may have.
  2. mraneri

    mraneri LI Guru Member

    +1 for IPSec. I have no idea what's involved to implement, though.
  3. maurer

    maurer LI Guru Member

    if you're willing to test it, i have built openwrt with l2tp/ipsec for RT-N16
    - L2TP/IPSec VPN (issues IPs in the same range as the LAN), all you need is a user in /etc/ppp/chap-secrets like "user * password *" and a PSK in /etc/racoon/psk.txt.
    Attention !!! - i haven't tested it myself yet ! - you have been warned!
  4. ryzhov_al

    ryzhov_al Networkin' Nut Member

    Sorry, i rejected your issue. TomatoUSB does not have any IPSec support.
    If you still want it, show me strongswan4 package is working on Tomato.
  5. maurer

    maurer LI Guru Member

    can you please build l2tpd so i can try it?
  6. ryzhov_al

    ryzhov_al Networkin' Nut Member

    Here. Please, give your feedback.
    QQQTJ likes this.
  7. maurer

    maurer LI Guru Member

    installation went ok.
    now i just need to figure out how to configure it :p

    LE: you were right in the first place - IPsec kernel modules are missing :(
    Starting strongSwan 4.5.3 IPsec [starter]...
    insmod: '-qv.ko': module not found
    no netkey IPsec stack detected
    modprobe: module ipsec not found in modules.dep
  8. Robin Battey

    Robin Battey Serious Server Member

    So...I actually just built tomato K26USB with ipsec support, and it works. Been working on this for a while. Here's the git commit (which I cannot upload to the official git repo, of course). Only tested on the RT-N66U, but in theory it should work the same on any K26 build (at least, that's how I coded the patch). Add "IPSECSUPP=y" to the build you're interested in and it should just work like magic. You'll need the entware strongswan4-* packages (optware strongswan packages have broken libhydra dependencies atm).

    N.B. The patch is against the tomato-shibby-RT-N branch as of today.


  9. maurer

    maurer LI Guru Member

    great news !
    I'll forward this to shibby!
  10. Robin Battey

    Robin Battey Serious Server Member

    I have a better patch I'm pushing to the tomato git, that hooks into the build system better. But please do forward to shibby, but with mention of the better patch in the tomato git. :)
  11. maurer

    maurer LI Guru Member

    please also post the tomato git link,

  12. Robin Battey

    Robin Battey Serious Server Member

    I don't have access yet, so in the meantime, please ignore the previous patch and use this one. I have my own local branch where I've merged Toastman's multissid support fixes for RT-N with shibby's 097 build in addition to this -- do you know how I can get access to actually commit to the official tomato git?


  13. maurer

    maurer LI Guru Member

    no, sorry :( i don't know how to work with the official git repository.
    I've patched shibby's 097 now and started the build process for my RT-N16 and i'll post here the result.
    would be nice if you also posted your RT-N66U build(s)
  14. shibby20

    shibby20 Network Guru Member

    i have a better idea. If i see it right, the patch will add only some of the kernel modules into the build. Maybe a better solution would be to export all of the ipsec modules to the extras.tar.gz file? Then anyone could use strongswan, not only AIO users :)
  15. maurer

    maurer LI Guru Member

    any of your proposals are fine, shibby !
    I've rebuilt your 097 AIO RT mipsR2 version (without NFS - some library compile error ) with ipsec included here:
    just tested it on my RT-N16 with success !
    As Robin mentioned above - you need to install entware strongswan4-* packages and you're good to go
  16. ryzhov_al

    ryzhov_al Networkin' Nut Member

    l2tpd is added as an Entware package.
  17. PGalati

    PGalati Network Guru Member

    This sounds like great progress. Do you feel at some point that working through the challenges and revising the code that IPSec would be configurable similar to OpenVPN or PPTP Client/Server on Tomato? Would it be as simple as picking the build that includes IPSec, flash the router, configure and run, no external code needed? What are the chances that any of this code would work on the WRT54 series routers, presumably running K24?

    Sorry for all the questions. We appreciate any and all efforts to make this a reality.
  18. shibby20

    shibby20 Network Guru Member

    can someone create a simple/little tutorial about configuring ipsec using strongswan? Then i will try to make a gui for ipsec.
  19. Robin Battey

    Robin Battey Serious Server Member

    As I've mentioned elsewhere, you can't actually do that because of the CONFIG_XFRM option which must be "y", not compiled as a module. However, I've modified my patch so that the build will make all kernels IPSec-compatible, with the modules in extras, or you can specify that you want the IPSec support in the image proper and it will include the modules as well. Find it here.
  20. Robin Battey

    Robin Battey Serious Server Member

    Oh gods thank you! Would you be able to add ipsec-tools as well? That's by far the most lightweight of them.
  21. Robin Battey

    Robin Battey Serious Server Member

    StrongSwan wiki has some great walkthroughs. You'll want, at a minimum, the IKEv1 and IKEv2 site-to-site, both PSK and X.509 versions as that's what nearly everyone actually needs: two-way, persistent, re-keying, created-on-demand tunnels between networks. If you want to get fancy, the roadwarrior setup with l2tp is what Android, Windows, Mac, and iPhone actually use for VPN clients, so that would be really nice.

    Though, if you're thinking of moving it into the image proper, I'd actually use ipsec-tools instead of strongswan. It's smaller, and what linux actually uses more often than not.
  22. Robin Battey

    Robin Battey Serious Server Member

    That is exactly what I'm working toward. :) I'm playing with adding ipsec-tools as an option to the build as a first step, so it can at least be configured via startup scripts. Once we have that, we can at least create a wiki article saying "put your stuff here and it will work." After that, a site-to-site gui is pretty easy, followed by an l2tp/ipsec vpn gui. I'm tired of ipsec being the one thing we can't get in a soho router, so I'm just doing it myself. Any help appreciated!

    Honestly, this is much much harder from the get-go. It involves substantially patching the kernel. It's possible, though -- the openwrt guys have done it, I think. My hope is that once the userspace and gui is available, and the only thing missing from the K24 build is the kernel support, that someone will take the time to make the kernel patching happen. Might even be me. I have a couple WRT54GL's laying about.

    The bigger problem, though, is that the older devices simply can't handle the cpu load of doing IPSec. Some of the later models can, though, so I'm sure it'll get added at some point.

    No worries! We all want this reality. If answering questions makes it happen faster, I'm all for it.
  23. PGalati

    PGalati Network Guru Member

    Linksys claims the BEFSX41 can do 2 simultaneous 3DES SHA endpoint connections. That router has been around a long time so it can't be very powerful hardware wise. I am currently using a BEFSX41($11 ebay) in conjunction with a WRT54G running the latest Toastman to connect a Cisco IP phone to our CM6. It works very well. I am also evaluating a Cisco RV110W router that essentially combines the 2 routers together, but the firmware software is horribly slow and it runs at 300MHz. I am not looking to download the entire internet through an IPSec tunnel, just make a few phone calls and RDP occasionally for troubleshooting. I hope that because open source projects like tomato, openwrt, and DD-WRT exist, it proves that the WRT54 series routers do have enough oomph left in them.

    Is there a major difference between openvpn and IPSec when it comes to processor utilization? I'm asking because I don't know. If a WRT54G can do VPN client, is that close to reaching the breaking point, whereas IPSec would be over the breaking point?

    Thanks for the continued efforts.
  24. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I just happened to stumble on this thread today. To get push access for the repo.or.cz tomato repository, just send me a message with your user id (that you've already registered on that site).
  25. ryzhov_al

    ryzhov_al Networkin' Nut Member

    Done. I have no idea how to use it, so it's up to you:)
    BTW, strongswan updated to 5.0.0 and insmod -qv issue is closed.

    Please, give a feedback.
  26. mrap

    mrap LI Guru Member

    Shibby, I see the IPSec module in the extras.tar.gz file. Would you point me to a FAQ or instructions on how to proceed next please? Hopefully there is a thread on it already, but I've searched for threads on using extras without finding what I'm looking for. Thanks!
  27. mrap

    mrap LI Guru Member

    No edit post option anymore? There used to be one IIRC. Anyways, insmod is apparently the way to go. Now my question is which of the modules to load and in what order? If I don't need IPv6 support, I also presume I can definitely exclude all the modules with 6 in them, except cast6?

    Looking forward to a GUI implementation of this, like PPTP and OpenVPN! ;)

  28. PGalati

    PGalati Network Guru Member

    I am excited to see what develops in this area.
  29. Monk E. Boy

    Monk E. Boy Network Guru Member

    You and me both.
  30. kaabob

    kaabob Addicted to LI Member

    +1 on GUI

    Call me less proficient at Linux commands =\

  31. maurer

    maurer LI Guru Member

    I want to get this thread and support for l2tp/ipsec going on tomato.
    I currently use l2tp/ipsec on a custom version of openwrt which i built from arokh's sources for my tl-wr1043nd:
    reference: http://enduser.subsignal.org/~trondah/source/
    Unfortunately i'm not a linux programmer/script guru and i don't know how to convert all the init scripts/ configs from openwrt format to tomato.
    I've attached my working config file with scripts i found necessary and i hope shibby or one of the other devs can make it work on tomato.



  32. mstombs

    mstombs Network Guru Member

  33. maurer

    maurer LI Guru Member

    i forgot the iface hotplug script:
    root@OpenWrt /root# cat /etc/hotplug.d/iface/93-racoon
    /etc/init.d/racoon enabled && {
            local intif="$(uci_get network.wan.ifname)"
            [ "$ACTION" = "ifup" ] && [ "$INTERFACE" = "$intif" ] && {
                    logger -t racoon-hotplug "ifup for interface '$intif', restart racoon"
                    /etc/init.d/racoon restart
            }
    }
  34. Robin Battey

    Robin Battey Serious Server Member

    Just to update this thread for future visitors:

    Shibby has kindly accepted my patches to enable IPSec in the AIO and Mega-VPN builds from version 99 onward. Additionally, the bare minimum for allowing IPSec module loading is now enabled in all builds, and the IPSec modules are in the extras.tar.gz for manually adding with entware (or optware, though I've only managed to get things working with entware so far).

    In short, to get IPSec in Tomato, use Shibby's tomato version 99+, install entware, install strongswan or ipsec-tools (which basically boils down to if you like pluto or racoon), and create scripts on wan-up to set your policies. Now that it's actually *possible*, I'm hoping howtos start popping up...
  35. JugsteR

    JugsteR Networkin' Nut Member

    Sorry for being a complete noob, but is there a reason all of this couldn't be included in a build without extra requirements?

    Is it a maturity thing, or a size thing or what exactly?

    It would be great if it could work just like openvpn does today, with GUI and everything. Just my 0.02$.

  36. mstombs

    mstombs Network Guru Member

    There are firmware size issues, Tomatousb supports some routers with only 4MB and 8MB flash (available flash for firmware needs to allow for CFE, NVRAM and manufacturer variations - Netgear?). And to put more into these firmwares you generally have to take something out, which generally displeases someone!

    Asus original firmware is now up to 23MB on Asus RT-N16 (32MB flash), so by making more 'all in one' build variations and reducing target population for each build anything is possible.
  37. JugsteR

    JugsteR Networkin' Nut Member

    I get the first part. I don't agree with the second one. It basically says the more features that are available the more people will be displeased. That is not how I see things.

    To me it seems that if Asus current firmware is 23M, there is at least 9M room for improvements. Why not use what is available?

  38. mstombs

    mstombs Network Guru Member

    Not sure any current mods publish firmwares bigger than 8MB, EasyTomato which only targets RT-N16 is up to 8.1MB. No technical reason why you can't have more if your router flash can take it. There must be an overhead for having unwanted things in flash, but it should be small if things are built as kernel modules, or user-space apps that don't get used. You have a couple of choices - either 'roll-your-own' or ask nicely to your favourite mod author!
  39. rhester72

    rhester72 Network Guru Member

    This particular one bears inclusion if possible, I think. Just like IPv6, you may not need it today, but it won't be long before you will, and it's better to have it out there, tested, bulletproofed, and configuration-made-easy (as much as possible, IPSec is a *bear*!) before that day comes. Just my $0.02.

  40. marekjs

    marekjs Serious Server Member

    Hello guys,
    Maybe it is not the right place to ask, or maybe you can give me right direction where.
    I've got it running from the "finger" from the Shibby's mod+entware in opt, but I'm stuck with below:
    iptables -m policy --strict --dir in --pol ipsec --proto esp
    I just try to get it working and it is (the simple xauth+psk + external dhcp server over the dhcp module from swan).
    Strongswan says, above is required http://www.strongswan.org/uml/testresults/ikev1/xauth-psk/moon.iptables
    Coz, I do all hard work remotely over OpenVpn, I'm not able to create my own image to download to the router.

    I just need the simple confirmation, that someone got it up and running.
    I'm not bothered about any GUI :)
    If it doesn't, I just need the confirmation as well. Then maybe, after return to my home place, I can try to build my stuff with ipsec.
    I travel a lot and I need ipsec. I can confirm, that the Shibby's mod works like a charm, with the outside dhcp server attached (I have few Netgear routers connected each other with Tomato mods) over OpenVpn with tap.


  41. walakee

    walakee Network Guru Member


    First of all, this thread was a great help so far, but unfortunately I got stuck at the moment. I'm trying to get strongswan 5.0.0 from entware to work on an RT-N66U router, having the shibby Tomato release 105 AIO installed (tomato-K26USB-1.28.RT-N5x-MIPSR2-105-AIO-64K.trx). strongswan installed fine from entware. When I type however...

    # ipsec start

    ...I get...

    Starting strongSwan 5.0.0 IPsec [starter]...
    insmod: '-qv.ko': module not found
    insmod: '-qv.ko': module not found
    insmod: '-qv.ko': module not found
    insmod: '-qv.ko': module not found
    insmod: '-qv.ko': module not found

    ...following the advice, to check...

    # strings /opt/lib/ipsec/starter | grep qv

    ...I get...

    insmod -qv af_key
    insmod -qv ah4
    insmod -qv esp4
    insmod -qv ipcomp
    insmod -qv xfrm4_tunnel
    insmod -qv xfrm_user
    modprobe -qv ipsec
    modprobe -qv ipsec_aes
    modprobe -qv ipsec_blowfish
    modprobe -qv ipsec_sha2

    ...and when I try the commands above manually, all works fine, except when I get to xfrm4_tunnel, I get...

    # insmod xfrm4_tunnel
    insmod: can't insert '/lib/modules/': unknown symbol in module, or unknown parameter

    ...and this is what appears in the syslog...

    Feb 5 22:21:14 unknown user.warn kernel: xfrm4_tunnel: Unknown symbol xfrm4_tunnel_register
    Feb 5 22:21:14 unknown user.warn kernel: xfrm4_tunnel: Unknown symbol xfrm4_tunnel_deregister

    ...then, when I get to the modprobe section I get the same response for all four options...

    # modprobe ipsec
    modprobe: module ipsec not found in modules.dep
    # modprobe ipsec_aes
    modprobe: module ipsec_aes not found in modules.dep
    # modprobe ipsec_blowfish
    modprobe: module ipsec_blowfish not found in modules.dep
    # modprobe ipsec_sha2
    modprobe: module ipsec_sha2 not found in modules.dep

    I must be missing something basic here, or the tomato-K26USB-1.28.RT-N5x-MIPSR2-105-AIO-64K.trx image is missing IPSEC support?

    Any help would be greatly appreciated!
  42. thinktwo

    thinktwo Serious Server Member

    I'm looking into options to get L2TP/IPsec on my RT-N16 and this seems very promising. Did someone make a howto yet?
  43. Ibra Diack

    Ibra Diack Serious Server Member

    @ Walakee, I have the same errors as you. Were you by any chance able to get past them?
  44. leandroong

    leandroong LI Guru Member

    Note: Shibby FW AIO has conflict on input-core.ko but works fine when I shifted to FW - Tomato Firmware 1.28.0000 MIPSR1-105 K26 USB BTgui-VPN.
    why not try it ...
  45. Ibra Diack

    Ibra Diack Serious Server Member

    Thanks for the suggestions Leandroong. I have an E4200 currently loaded with K26-N MIPSR2-105 AIO, I am reluctant to try the build above as I know the one I am using is specific to my router model. Does anyone have other work around without changing the firmware? Thanks
  46. leandroong

    leandroong LI Guru Member

    Don't load my FW, use your build FW that has suffix ending BTgui-VPN, assuming that it exists.
  47. Ibra Diack

    Ibra Diack Serious Server Member

    Let me make sure I understand you right. This seems to affect only AIO versions regardless of MIPSR1 or MIPSR2, right? My router only takes mipsr2, so if I load a different FW that is not AIO it should work?
  48. leandroong

    leandroong LI Guru Member

    it has a problem with mega and AIO FWs but works on BTGui-vpn for input-core.ko insmod. I didn't bother to test other remaining FWs. In your case you need to test which FW works for you
  49. Ibra Diack

    Ibra Diack Serious Server Member

    I will load BT-VPN build later tonight and report back tomorrow. I want to take time to write down my settings to reload from scratch. Thanks much again
  50. Ibra Diack

    Ibra Diack Serious Server Member

    I have loaded Shibby's BT-VPN 105 build for my E4200 and the problem persists. I had the same errors under the AIO. Does anyone know what I am doing wrong? Below is my output. Thanks

    Starting strongSwan 5.0.1 IPsec [starter]...
    !! Your strongswan.conf contains manual plugin load options for charon.
    !! This is recommended for experts only, see
    !! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
    insmod: '-qv.ko': module not found
    insmod: '-qv.ko': module not found
    insmod: '-qv.ko': module not found
    insmod: '-qv.ko': module not found
    insmod: '-qv.ko': module not found
    root@Sunuroten:/tmp/home/root# strings /opt/lib/ipsec/starter | grep qv
    insmod -qv af_key
    insmod -qv ah4
    insmod -qv esp4
    insmod -qv ipcomp
    insmod -qv xfrm4_tunnel
    insmod -qv xfrm_user
    modprobe -qv ipsec
    modprobe -qv ipsec_aes
    modprobe -qv ipsec_blowfish
    modprobe -qv ipsec_sha2
  51. leandroong

    leandroong LI Guru Member

    Good news: you were able to load xfrm_user. This means this FW is what you need.
    Your other problem is about missing file, "-qv.ko".
  52. Ibra Diack

    Ibra Diack Serious Server Member

    What do you think the "-qv.ko" means, performing a search on the system does not return any results. I am loading xfrm_user fine, but still cannot load xfrm4_tunnel, see below.

    root@Sunuroten:/tmp/home/root# insmod /opt/extras/ipsec/af_key
    insmod: can't insert '/opt/extras/ipsec/af_key.ko': File exists
    root@Sunuroten:/tmp/home/root# insmod /opt/extras/ipsec/ah4
    insmod: can't insert '/opt/extras/ipsec/ah4.ko': File exists
    root@Sunuroten:/tmp/home/root# insmod /opt/extras/ipsec/esp4
    insmod: can't insert '/opt/extras/ipsec/esp4.ko': File exists
    root@Sunuroten:/tmp/home/root# insmod /opt/extras/ipsec/ipcomp
    insmod: can't insert '/opt/extras/ipsec/ipcomp.ko': File exists
    root@Sunuroten:/tmp/home/root# insmod /opt/extras/ipsec/xfrm4_tunnel
    insmod: can't insert '/opt/extras/ipsec/xfrm4_tunnel.ko': unknown symbol in module, or unknown parameter
    root@Sunuroten:/tmp/home/root# insmod /opt/extras/ipsec/xfrm_user
    insmod: can't insert '/opt/extras/ipsec/xfrm_user.ko': File exists
  53. leandroong

    leandroong LI Guru Member

    both xfrm4_user and xfrm_user loaded fine. Otherwise there will be error message.
    -qv.ko is a kernel file, like xfrm4_user.ko, that needs to be present also. I looked at my extras and it seems that, indeed, it is missing. Need to request that file from shibby.
  54. leandroong

    leandroong LI Guru Member

  55. Ibra Diack

    Ibra Diack Serious Server Member

    I had optware at first but switched to entware, based on reports that optware was missing dependencies. Are you saying to get qv.ko from the entware repository? Do you have a working install of ipsec?
  56. leandroong

    leandroong LI Guru Member

    No, I don't have working install of ipsec. I think the FW that you are using has no IPSEC included, only MEGA and AIO has it. Entware has repositories for it. Maybe, others will guide you...
  57. Ibra Diack

    Ibra Diack Serious Server Member

    Thanks for the help. I think I am about to throw in the towel and wait until how-tos start popping up.
  58. leandroong

    leandroong LI Guru Member

  59. Elfew

    Elfew Network Guru Member

    ok, but any news about GUI and implementation to FW?
  60. dborca

    dborca Serious Server Member

  61. Elfew

    Elfew Network Guru Member

    Ok, maybe contact shibby... Maybe it could be in the next build ;) who knows
  62. gawd0wns

    gawd0wns LI Guru Member

  63. ryzhov_al

    ryzhov_al Networkin' Nut Member

    That's something different. Busybox's modprobe/insmod don't understand "-qv" options. Fixed with r1164.
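
    Added example, not code from any poster in this thread: a loader for the extras modules that passes insmod a full .ko path and no options (so BusyBox never sees "-qv") and tells apart the outcomes reported above: already loaded ("File exists"), missing file, and "unknown symbol". The function names and the INSMOD / PROC_MODULES overrides are assumptions made for the example.

```shell
#!/bin/sh
# Added example: load IPsec modules from the extras directory and classify
# each result. INSMOD and PROC_MODULES can be overridden so the logic can be
# exercised off-router (both names are assumptions of this example).
INSMOD=${INSMOD:-insmod}
PROC_MODULES=${PROC_MODULES:-/proc/modules}

# is_loaded NAME -> 0 if NAME is already listed in /proc/modules
is_loaded() {
    # /proc/modules uses underscores even when the file name has dashes
    il_name=$(printf '%s' "$1" | tr '-' '_')
    grep -q "^$il_name " "$PROC_MODULES" 2>/dev/null
}

# load_ipsec_modules DIR NAME...
# Prints one status line per module; returns 0 only if every module is
# loaded when the function finishes.
load_ipsec_modules() {
    lm_dir=$1
    shift
    lm_failed=0
    for lm_mod in "$@"; do
        if is_loaded "$lm_mod"; then
            echo "already-loaded $lm_mod"
        elif [ ! -f "$lm_dir/$lm_mod.ko" ]; then
            echo "missing-file $lm_mod"
            lm_failed=1
        elif lm_err=$($INSMOD "$lm_dir/$lm_mod.ko" 2>&1); then
            echo "loaded $lm_mod"
        else
            case $lm_err in
                *"File exists"*)
                    # built in or loaded in the meantime: not a failure
                    echo "already-loaded $lm_mod" ;;
                *"unknown symbol"*)
                    # A module this one depends on is absent; the kernel log
                    # names the symbol. On mainline 2.6 kernels
                    # xfrm4_tunnel_register is exported by tunnel4.
                    echo "unresolved-symbol $lm_mod"
                    lm_failed=1 ;;
                *)
                    echo "error $lm_mod: $lm_err"
                    lm_failed=1 ;;
            esac
        fi
    done
    [ "$lm_failed" -eq 0 ]
}

# Usage on the router, with the directory used earlier in the thread:
#   load_ipsec_modules /opt/extras/ipsec af_key ah4 esp4 ipcomp xfrm4_tunnel xfrm_user
```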
  64. leandroong

    leandroong LI Guru Member

    Can you provide me updated Makefile for libaudiofile version 0.3.6? If possible only.
    Source code for libaudiofile: http://www.68k.org/~michael/audiofile/
  65. gawd0wns

    gawd0wns LI Guru Member

    Thank you very much. I updated to your latest version (with Shibby v1.08 AIO), and don't see any of the -qv error messages anymore. I can now get ipsec to startup and run in the background, though still have an error:

    root@unknown:/opt/etc# ipsec start
    Starting strongSwan 5.0.2 IPsec [starter]...
    charon is already running (/var/run/charon.pid exists) -- skipping charon start
    insmod: can't insert '/lib/modules/': unknown symbol in module, or unknown parameter
    starter is already running (/var/run/starter.pid exists) -- no fork done

    I wonder why xfrm4_tunnel.ko won't load... I will look into this tomorrow.

    Thanks again.
  66. Pirek

    Pirek Serious Server Member

    download extras for your build v.108 to /opt - K26 or K26RT-N ex. http://tomato.groov.pl/download/K26/build5x-108-EN/extras-mips2.tar.gz and
    modprobe /opt/extras/ipsec/xfrm4_tunnel
  67. Xerxist

    Xerxist Networkin' Nut Member

    Hi all,

    I'm very interested in the development of this and got to the point where I get a connection to my phone and can ping from both ends.
    Other traffic than that is not working yet but probably a firewall rule or policy that needs to be done.
    Maybe someone here knows what it can be.

    I'm running shibby's 108 on Cisco E3000 and done the following.

    I've got a 1TB drive connected to the USB and mounted as /opt so I don't have any space issue but I might have more installed than necessary to get it working.

    My routers internal IP is
    This gets a Strongswan 5 up and running with a connection via IKEv2 with mobike

    #install entware

    # Install strongswan

    opkg install strongswan-minimal
    opkg install strongswan-mod-af-alg
    opkg install strongswan-mod-gcrypt
    opkg install strongswan-mod-openssl
    opkg install strongswan-mod-pem
    opkg install strongswan-mod-pkcs8
    opkg install strongswan-mod-pkcs1
    opkg install strongswan-mod-md4
    opkg install strongswan-mod-md5
    opkg install strongswan-mod-sha2
    opkg install strongswan-mod-blowfish
    opkg install strongswan-mod-des
    opkg install strongswan-mod-pkcs11
    opkg install strongswan-mod-test-vectors
    opkg install strongswan-mod-curl
    opkg install strongswan-mod-ldap
    opkg install strongswan-mod-mysql
    opkg install strongswan-mod-sqlite
    opkg install strongswan-mod-revocation
    opkg install strongswan-mod-constraints
    opkg install strongswan-mod-pgp
    opkg install strongswan-mod-dnskey
    opkg install strongswan-mod-fips-prf
    opkg install strongswan-mod-agent
    opkg install strongswan-mod-cmac
    opkg install strongswan-mod-ctr
    opkg install strongswan-mod-ccm
    opkg install strongswan-mod-gcm
    opkg install strongswan-mod-attr
    opkg install strongswan-mod-attr-sql
    opkg install strongswan-mod-load-tester
    opkg install strongswan-mod-kernel-pfkey
    opkg install strongswan-mod-kernel-klips
    opkg install strongswan-mod-resolve
    opkg install strongswan-mod-socket-dynamic
    opkg install strongswan-mod-farp
    opkg install strongswan-mod-smp
    opkg install strongswan-mod-sql
    opkg install strongswan-mod-eap-identity
    opkg install strongswan-mod-eap-md5
    opkg install strongswan-mod-eap-mschapv2
    opkg install strongswan-mod-xauth-generic
    opkg install strongswan-mod-xauth-eap
    opkg install strongswan-mod-dhcp
    opkg install strongswan-mod-ha
    opkg install strongswan-mod-whitelist
    opkg install strongswan-mod-led
    opkg install strongswan-mod-duplicheck
    opkg install strongswan-mod-coupling
    opkg install strongswan-mod-addrblock
    opkg install strongswan-mod-unity

    # Install nano to edit the config files etc....

    opkg install nano

    # Download the extras from the shibby build you are on.
    mkdir /opt/ipsecmod and extract all the ipsec modules from the extras into that folder

    # This will open up the port automatically on startup

    mkdir /opt/etc/config
    nano /opt/etc/config/vpn.fire

    # Paste the two lines in there and save

    iptables -I INPUT -j ACCEPT -p udp --dport 500
    iptables -I INPUT -j ACCEPT -p udp --dport 4500

    # Create a script to load the modules

    nano /opt/ipsecmod/ldipsecmod

    # Paste the following lines in there

    cd /opt/ipsecmod/
    insmod aes.ko
    insmod af_key.ko
    insmod ah4.ko
    insmod blowfish.ko
    insmod cast5.ko
    insmod crypto_null.ko
    insmod des.ko
    insmod esp4.ko
    insmod ipcomp.ko
    insmod md4.ko
    insmod md5.ko
    insmod serpent.ko
    insmod sha256.ko
    insmod sha512.ko
    insmod tea.ko
    insmod twofish_common.ko
    insmod twofish.ko
    insmod xcbc.ko
    insmod xfrm4_mode_beet.ko
    insmod xfrm4_mode_transport.ko
    insmod xfrm4_mode_tunnel.ko
    insmod xfrm4_tunnel.ko
    insmod xfrm_user.ko

    # Save the file

    # Make the file executable

    chmod 777 /opt/ipsecmod/ldipsecmod

    # Go to the router's web interface -> administration -> scripts -> init tab

    sleep 15
    sh /opt/ipsecmod/ldipsecmod
    sleep 5
    ipsec start

    # Generate keys
    cd /opt/etc/ipsec.d
    ipsec pki --gen > caKey.der
    ipsec pki --self --in caKey.der --dn "C=CH, O=strongSwan, CN=strongSwan CA" --ca > caCert.der
    ipsec pki --gen > peerKey.der

    ###Beware here of the --san option, it depends on how you connect to the vpn server for instance if you use the ip or dns name to connect to your router.
    ### If you don't change it, the connection won't work.

    ipsec pki --pub --in peerKey.der | ipsec pki --issue --cacert caCert.der --cakey caKey.der --dn "C=CH,O=strongSwan, CN=peer" --san your dns or ip > peerCert.der

    mv peerKey.der /opt/etc/ipsec.d/private/peerKey.der
    mv peerCert.der /opt/etc/ipsec.d/certs/peerCert.der
    mv caCert.der /opt/etc/ipsec.d/cacerts/caCert.der

    # Now we need to move the caKey.der out of the location as it's not safe to keep it there.
    # Edit the ipsec.conf

    nano /opt/etc/ipsec.conf

    # Paste the config

    # ipsec.conf - strongSwan IPsec configuration file
    config setup
    conn ikev2
    leftid="C=CH, O=strongSwan, CN=peer"

    # Save the config

    # Edit the strongswan.conf

    nano /opt/etc/strongswan.conf

    #### add the dns lines

    # strongswan.conf - strongSwan configuration file
    charon {
    plugins { dhcp {
    force_server_address = yes
    server =
    identity_lease = yes
    # number of worker threads in charon
    threads = 16
    dns1 =
    dns2 =
    libstrongswan {
    # set to no, the DH exponent size is optimized
    # dh_exponent_ansi_x9_42 = no

    #### Edit the ipsec.secrets
    nano /opt/etc/ipsec.secrets

    # /etc/ipsec.secrets - strongSwan IPsec secrets file
    : RSA peerKey.der
    user : EAP "password"

    #### change where needed like "user" and "password" and save

    Reboot your router and install the CA cert on the device you are running from, configure the connection and connect.
    philess and ryzhov_al like this.
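
    Added example, not part of the walkthrough above: a check of the files that walkthrough creates. It flags secrets or private keys readable by group/other, a CA key still sitting under ipsec.d, and a root-run loader script that others can write to (the result of chmod 777). Paths default to the ones in the post; the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example: permission audit for the files the walkthrough creates.
# Uses only ls/cut/case so it also runs under BusyBox ash.

# mode_of FILE -> the 10-character mode string from ls, e.g. -rw-------
mode_of() {
    ls -ld "$1" 2>/dev/null | cut -c1-10
}

# true if group (position 5) or other (position 8) may read the file
readable_by_others() {
    case $(mode_of "$1") in
        ????r*|???????r*) return 0 ;;
    esac
    return 1
}

# true if group (position 6) or other (position 9) may write the file
writable_by_others() {
    case $(mode_of "$1") in
        ?????w*|????????w*) return 0 ;;
    esac
    return 1
}

# audit_ipsec_files [CONF_ROOT] [LOADER_SCRIPT]
# Prints one finding per line; returns 0 when nothing was flagged.
audit_ipsec_files() {
    au_root=${1:-/opt/etc}
    au_loader=${2:-/opt/ipsecmod/ldipsecmod}
    au_findings=0

    # ipsec.secrets holds the EAP password and names the RSA key
    if [ -f "$au_root/ipsec.secrets" ] && readable_by_others "$au_root/ipsec.secrets"; then
        echo "READABLE $au_root/ipsec.secrets (chmod 600)"
        au_findings=$((au_findings + 1))
    fi

    # private keys moved into ipsec.d/private
    for au_key in "$au_root"/ipsec.d/private/*; do
        [ -f "$au_key" ] || continue
        if readable_by_others "$au_key"; then
            echo "READABLE $au_key (chmod 600)"
            au_findings=$((au_findings + 1))
        fi
    done

    # the CA key can sign new peer certificates; the post says to move it away
    for au_ca in "$au_root/ipsec.d/caKey.der" "$au_root/ipsec.d/private/caKey.der"; do
        if [ -f "$au_ca" ]; then
            echo "CA-KEY-ON-ROUTER $au_ca (store it offline)"
            au_findings=$((au_findings + 1))
        fi
    done

    # the init script runs this file as root at every boot
    if [ -f "$au_loader" ] && writable_by_others "$au_loader"; then
        echo "WRITABLE $au_loader (chmod 700)"
        au_findings=$((au_findings + 1))
    fi

    [ "$au_findings" -eq 0 ]
}

# Usage on the router, with the paths from the post:
#   audit_ipsec_files /opt/etc /opt/ipsecmod/ldipsecmod
```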
  68. Xerxist

    Xerxist Networkin' Nut Member

    It seems I'm missing a kernel module.


    Because of this error message.

    daemon.info syslog: 12[CHD] updown: iptables: No chain/target/match by that name

    I've looked already in the extras but the module doesn't seem to be there.
    Can someone compile this?


    Correction: it seems to load when I do:

    modprobe xt_policy
  69. Xerxist

    Xerxist Networkin' Nut Member

    Loading the xt_policy lets Strongswan configure your iptables automatically for each connection.
    Now I've finally got internet connection working now via IPSEC :) but no access to my LAN yet :confused:

    Strongswan automatically added these lines

    Chain INPUT (policy DROP)
    ACCEPT all -- user anywhere policy match dir in pol ipsec reqid 2 proto ipv6-crypt

    Chain FORWARD (policy DROP)
    ACCEPT all -- user anywhere policy match dir in pol ipsec reqid 2 proto ipv6-crypt
    ACCEPT all -- anywhere user policy match dir out pol ipsec reqid 2 proto ipv6-crypt

    Chain OUTPUT (policy ACCEPT)
    ACCEPT all -- anywhere user policy match dir out pol ipsec reqid 2 proto ipv6-crypt

    Almost there.......
    darkknight93 and quihong like this.
  70. FlashSWT

    FlashSWT LI Guru Member

    I would love to see an IPsec VPN integrated into the regular VPN builds with a GUI. That would be awesome!
    Elfew likes this.
  71. Elfew

    Elfew Network Guru Member

    This is one of the features which is in official firmwares (such as Linksys, ...)... GUI is not difficult, but I think we need someone who can create it and share to developers... does anybody have these skills?
  72. FlashSWT

    FlashSWT LI Guru Member

    I could help test it once it was integrated, but unfortunately I don't have the skills to assist in adding any features directly. :(
  73. Moflacco

    Moflacco Reformed Router Member

    Hi All,

    Thanks a lot for the effort for making this possible!

    I am running into the following issues when starting IPSEC and generating keys:
    Entware installed.
    root@R01:/opt/etc/ipsec.d# ipsec pki --gen > caKey.der
    plugin 'pkcs7' failed to load: File not found
    openssl FIPS mode(0) unavailable
    opening AF_ALG socket failed: Address family not supported by protocol
    opening AF_ALG socket failed: Address family not supported by protocol
    opening AF_ALG socket failed: Address family not supported by protocol
    opening AF_ALG socket failed: Address family not supported by protocol
    root@R01:/opt/etc/ipsec.d# ipsec restart
    Stopping strongSwan IPsec...
    Starting strongSwan 5.0.4 IPsec [starter]...
    insmod: can't insert '/lib/modules/': File exists
    insmod: can't insert '/lib/modules/': File exists
    insmod: can't insert '/lib/modules/': File exists
    insmod: can't insert '/lib/modules/': unknown symbol in module, or unknown parameter
    insmod: can't insert '/lib/modules/': File exists

    I am going through the tutorial above from Xerxist

    Please help me as I do not know what is going on. I am a NOOB :)
  74. PhiGamma

    PhiGamma Reformed Router Member


    The problem with the unknown symbol from insmod xfrm4_tunnel.ko can be solved if you run insmod tunnel4.ko before. The "File exists" errors say that the module has been loaded before.

    I followed the instructions from Xerxist. I managed to get an established tunnel but I couldn't get any traffic through the tunnel. I also have a problem with the dhcp server to get an IP. I had to use rightsourceip= i.e. With an additional iptables rule I managed to get traffic through the tunnel to the local network. I could access the Tomato WebIf and also the raspberrypi in the local LAN via SSH. I added this rule:

    iptables -t nat -I PREROUTING -s -i vlan2 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
    What doesn't work is a full tunnel (e.g. internet access through the tunnel). Also I can't ping the remote client from the local lan or from the Tomato Router itself.

    So my first question is: Does anyone know which firewall rule I am missing to achieve this?

    But the problem I had with the DHCP Server seems interesting. Strongswan tries to use the DHCP Server from my ISP instead of the Tomato DHCP Server (my WAN Interface is configured to get its IP-Address via DHCP). If I try to set the DHCP Server in the strongswan.conf file via the dhcp plugin and force_server_address= (my Tomato Router IP), then the request is going to nowhere (DHCPDISCOVER(lo) xxxxx no address available) and I get a timeout (DHCP DISCOVER timed out), the VPN connection is closed. As said above, I solved this (temporarily for testing) with rightsourceip= i.e. This behavior also occurs if the interface in the dhcp plugin in the strongswan.conf is set to br0.

    In order to test Strongswan before trying to set up everything on the Tomato Router I installed and configured the Strongswan VPN Server on a raspberrypi which runs raspbian. In the Tomato Webinterface I forwarded the UDP Ports 500 and 4500 and everything is working fine. I can connect from Android via the Strongswan App or Windows, get an IP Address from the DHCP Server and in the Tomato Webinterface under Devices the connected user gets displayed. Also the full tunnel is working and on Android the whole traffic is sent through the Strongswan Gateway.

    At this point I think it's a problem with the firewall on the Tomato Router and the interface on which Strongswan is listening. I thought it would be great if Strongswan would listen on e.g. br0 (IP so that the Strongswan Server would behave like it would be on a dedicated machine like the raspberrypi. I tried to set interfaces_use = br0 and install_virtual_ip_on = br0 in the strongswan.conf and set up a Portforwarding in the Webinterface to forward the ports 500 and 4500 to the internal Tomato Router IP ( i.e.). But it doesn't work that easily. With this setup I can connect from the local LAN to Strongswan but not from the outside. Also even then, the rightsourceip=%dhcp setting won't work or didn't work, so it seems there is some big thing I am missing.

    I guess I should sum up my second question: Does anyone know how I can achieve that the Strongswan Server on the router can behave like a dedicated Strongswan server like on the raspberrypi? What can I do to achieve this if it's possible?

    Thanks in advance! It would be great if Strongswan would work on the Tomato Router like on the raspberrypi :). Then it would be enough to simply forward two ports to the (internal) Router IP in the WebIf ;-).

    Kind regards!
  75. Robin Battey

    Robin Battey Serious Server Member

    The likely reason you can't pass traffic through your tunnel is that there is a default firewall rule in the nat table (not the filter table, where you'd expect it) that drops all new connection traffic. I've reported it before. You'll have to drop it with iptables using a script; there's no gui access to it. The rule itself is worthless anyway.
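
The two posts above turn on rule order in the nat table: a DROP in nat PREROUTING, and a policy-match ACCEPT inserted ahead of it. As an added example (not from either poster), this check reads `iptables-save` text and reports whether each nat PREROUTING DROP has an IPsec policy-match ACCEPT earlier in the chain; the function names and both sample rulesets are constructed, with documentation-range addresses standing in for the values missing from the thread.

```shell
#!/bin/sh
# Added example: order check for the nat PREROUTING chain discussed above.
# check_nat_prerouting and the sample_* functions are hypothetical names;
# all addresses are constructed (RFC 5737 documentation ranges).

# Reads `iptables-save` text on stdin. For every DROP in nat PREROUTING it
# prints GUARDED_DROP if an IPsec policy-match ACCEPT sits earlier in the
# chain (first match wins, so tunnel traffic never reaches the DROP) or
# UNGUARDED_DROP otherwise. Returns 1 if any DROP is unguarded.
check_nat_prerouting() {
    awk '
        /^\*/ { table = substr($0, 2) }            # "*nat", "*filter", ...
        table != "nat" || $1 != "-A" || $2 != "PREROUTING" { next }
        /-m policy/ && /--dir in/ && /--pol ipsec/ && /-j ACCEPT/ {
            guarded = 1; next
        }
        /-j DROP/ {
            tag = guarded ? "GUARDED_DROP" : "UNGUARDED_DROP"
            print tag, $0
            if (!guarded) bad = 1
        }
        END { exit bad + 0 }
    '
}

# Constructed ruleset: a DROP in the nat table with nothing ahead of it.
# The filter-table DROP is there to show that only *nat is inspected.
sample_unguarded() {
    cat <<'EOF'
*filter
-A INPUT -i vlan2 -j DROP
COMMIT
*nat
-A PREROUTING -d 192.0.2.0/24 -i vlan2 -j DROP
COMMIT
EOF
}

# Same chain after a policy-match ACCEPT has been inserted at the top.
sample_guarded() {
    cat <<'EOF'
*nat
-A PREROUTING -s 198.51.100.0/24 -i vlan2 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A PREROUTING -d 192.0.2.0/24 -i vlan2 -j DROP
COMMIT
EOF
}
```

On a live system the input would be `iptables-save -t nat | check_nat_prerouting`. The check is coarse: it looks at rule order only, so whether an unguarded DROP actually matches tunnel traffic still depends on that rule's own selectors.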
  76. joksi

    joksi Serious Server Member

    Okay, so after lots of tinkering and reinstalling I have finally succeeded in getting Strongswan from Entware up and running (without any Shibby extra modules loaded!). I have tunnels to other IPsec gateways, including Azure.
    However, when searching online and in the Strongswan documentation I can't really find any concrete information about the specifics of Strongswan on Tomato. Apparently, on Tomato, Strongswan creates one new interface called "ipsec0", where all running tunnels are ingressing/egressing. It also creates automatic routes out on this interface, by default in a separate table numbered 220.

    Online I could mostly only find references to tunnels going through the WAN-interface, using IP-tables policy match module. Nothing about a separate, ipsec0 interface. While this doesn't bother me, what does bother me is how I can create a real route based tunnel. That is, instead of having to configure several subnets in Strongswan for each tunnel, just being able to put routes from whatever local subnet to whatever remote subnet and sending it out on the tunnel interface ipsec0.

    Anyone have any experiences on this?
  77. joksi

    joksi Serious Server Member

    Why is aes.ko module missing from Shibby's extras-archive for ARM?


    EDIT: Ignore this post, it seems like cbs.ko actually is aes.ko
    Last edited: Dec 13, 2016
