Is there a licensing reason that any variant of Tomato does not have an IPSec VPN module installed? How about firmware size limitations? FYI, I am not referring to passthrough. I am at a crossroads in making a decision. Do I use 2 routers with one being Tomato or replace Tomato with something that has wifi and IPSec in the same box? I would really like to stay with Tomato for all of the great performance, reliability and capability features, but unfortunately I am in a situation where I will be handing out hardware to people that are going to far away places and need an IPSec solution built in to connect to our office, edged by an ASA 5505. They are project managers, not IT people. I want to make the solution as simple and plug-and-play as possible. Putting confidence into new hardware with different configuration screens might come back to bite me if trouble surfaces. I wish there was an IPSec capable, wifi enabled router that has PoE ports for VOIP phones in one box with a decent sticker price. Who makes such an animal? I am 1% tempted to actually purchase Talisman from Sveasoft to see if its IPSec module would allow a WRT54GL to connect to our office. If a lowly $11 BEFSX41 can, very well btw, then Talisman should. Sveasoft's sales tactics are bothersome though, something about MAC address registration. I guess it is their form of copy protection. I have an email into them but have not heard back and probably won't. What would you propose as a solution for 3 Cisco 7941 handsets and a dozen wireless devices (phones, laptops, etc) being connected to the internet in Europe and tunnelling back to the States? A Cisco ASA 5505 is your only endpoint in the States. Thanks for any suggestions or comments you may have.
if you're willing to test it i have built openwrt with l2tp/ipsec for RT-N16 http://ubuntuone.com/5DUuPVBFBmZE7mDzNsBGIv - L2TP/IPSec VPN (issues IPs in the same range as the LAN), all you need is a user in /etc/ppp/chap-secrets like "user * password *" and a PSK in /etc/racoon/psk.txt. Attention !!! - i haven't tested it myself yet ! - you have been warned!
Sorry, i rejected your issue. TomatoUSB does not have any IPSec support. If you still want it, show me the strongswan4 package working on Tomato.
installation went ok. now i just need to figure out how to configure it. thanks

LE: you were right in the first place - IPsec kernel modules are missing:

Code:
Starting strongSwan 4.5.3 IPsec [starter]...
insmod: '-qv.ko': module not found
no netkey IPsec stack detected
modprobe: module ipsec not found in modules.dep
So...I actually just built tomato K26USB with ipsec support, and it works. Been working on this for a while. Here's the git commit (which I cannot upload to the official git repo, of course). Only tested on the RT-N66u, but in theory it should work the same on any K26 build (at least, that's how I coded the patch). Add "IPSECSUPP=y" to the build you're interested in and it should just work like magic. You'll need the entware strongswan4-* packages (optware strongswan packages have broken libhydra dependencies atm). N.B. The patch is against the tomato-shibby-RT-N branch as of today.
I have a better patch I'm pushing to the tomato git, that hooks into the build system better. But please do forward to shibby, but with mention of the better patch in the tomato git.
I don't have access yet, so in the meantime, please ignore the previous patch and use this one. I have my own local branch where I've merged Toastman's multissid support fixes for RT-N with shibby's 097 build in addition to this -- do you know how I can get access to actually commit to the official tomato git?
no, sorry i don't know how to work with the official git repository. I've patched shibby's 097 now and started the build process for my rt-n16 and i'll post here the result. would be nice if you also posted your rt-n66u build(s)
i have a better idea. If i see it correctly, the patch will add only some of the kernel modules into the build. Maybe a better solution will be to export all of ipsec's modules to the extras.tar.gz file? Then anyone will be able to use strongswan, not only AIO users
any of your proposals are fine, shibby ! I've rebuilt your 097 AIO RT mipsR2 version (without NFS - some library compile error ) with ipsec included here: http://ubuntuone.com/0kD1ebfd4xlJkMWdFQv4Sc just tested it on my rt-n16 with success ! As Robin mentioned above - you need to install entware strongswan4-* packages and you're good to go
This sounds like great progress. Do you feel at some point that, working through the challenges and revising the code, IPSec would be configurable similar to the OpenVPN or PPTP Client/Server on Tomato? Would it be as simple as picking the build that includes IPSec, flashing the router, configuring and running, no external code needed? What are the chances that any of this code would work on the WRT54 series routers, presumably running K24? Sorry for all the questions. We appreciate any and all efforts to make this a reality.
can someone create a simple/little tutorial about configuring ipsec using strongswan? Then i will try to make a gui for ipsec.
As I've mentioned elsewhere, you can't actually do that because of the CONFIG_XFRM option which must be "y", not compiled as a module. However, I've modified my patch so that the build will make all kernels IPSec-compatible, with the modules in extras, or you can specify that you want the IPSec support in the image proper and it will include the modules as well. Find it here.
Oh gods thank you! Would you be able to add ipsec-tools as well? That's by far the most lightweight of them.
StrongSwan wiki has some great walkthroughs. You'll want, at a minimum, the IKEv1 and IKEv2 site-to-site, both PSK and X.509 versions as that's what nearly everyone actually needs: two-way, persistent, re-keying, created-on-demand tunnels between networks. If you want to get fancy, the roadwarrior setup with l2tp is what Android, Windows, Mac, and iPhone actually use for VPN clients, so that would be really nice. Though, if you're thinking of moving it into the image proper, I'd actually use ipsec-tools instead of strongswan. It's smaller, and what linux actually uses more often than not.
That is exactly what I'm working toward. I'm playing with adding ipsec-tools as an option to the build as a first step, so it can at least be configured via startup scripts. Once we have that, we can at least create a wiki article saying "put your stuff here and it will work." After that, a site-to-site gui is pretty easy, followed by an l2tp/ipsec vpn gui. I'm tired of ipsec being the one thing we can't get in a soho router, so I'm just doing it myself. Any help appreciated!

Honestly, this is much much harder from the get-go. It involves substantially patching the kernel. It's possible, though -- the openwrt guys have done it, I think. My hope is that once the userspace and gui is available, and the only thing missing from the K24 build is the kernel support, that someone will take the time to make the kernel patching happen. Might even be me. I have a couple WRT54GL's laying about. The bigger problem, though, is that the older devices simply can't handle the cpu load of doing IPSec. Some of the later models can, though, so I'm sure it'll get added at some point.

No worries! We all want this reality. If answering questions makes it happen faster, I'm all for it.
Linksys claims the BEFSX41 can do 2 simultaneous 3DES SHA endpoint connections. That router has been around a long time so it can't be very powerful hardware-wise. I am currently using a BEFSX41 ($11 ebay) in conjunction with a WRT54G running the latest Toastman to connect a Cisco IP phone to our CM6. It works very well. I am also evaluating a Cisco RV110W router that essentially combines the 2 routers together, but the firmware software is horribly slow and it runs at 300Mhz. I am not looking to download the entire internet through an IPSec tunnel, just make a few phone calls and RDP occasionally for troubleshooting. I hope that because open source projects like tomato, openwrt, and DD-WRT exist, it proves that the WRT54 series routers do have enough oomph left in them. Is there a major difference between openvpn and IPSec when it comes to processor utilization? I am asking because I don't know. If a WRT54G can do VPN client, is that close to reaching the breaking point, whereas IPSec would be over the breaking point? Thanks for the continued efforts.
I just happened to stumble on this thread today. To get push access for the repo.or.cz tomato repository, just send me a message with your user id (that you've already registered on that site).
Done. I have no idea how to use it, so it's up to you. BTW, strongswan updated to 5.0.0 and the insmod -qv issue is closed. Please, give feedback.
Shibby, I see the IPSec module in the extras.tar.gz file. Would you point me to a FAQ or instructions on how to proceed next please? Hopefully there is a thread on it already, but I've searched for threads on using extras without finding what I'm looking for. Thanks!
No edit post option anymore? There used to be one IIRC. Anyways, insmod is apparently the way to go. Now my question is which of the modules to load and in what order? If I don't need IPv6 support, I also presume I can definitely exclude all the modules with 6 in them, except cast6? Looking forward to a GUI implementation of this, like PPTP and OpenVPN! Thanks.
guys, I want to get this thread and support for l2tp/ipsec going on tomato. I currently use l2tp/ipsec on a custom version of openwrt which i built from arokh's sources for my tl-wr1043nd: reference: http://enduser.subsignal.org/~trondah/source/ Unfortunately i'm not a linux programmer/script guru and i don't know how to convert all the init scripts/ configs from openwrt format to tomato. I've attached my working config file with scripts i found necessary and i hope shibby or one of the other devs can make it work on tomato. Thanks
Is there anything more in Linksys Web Gui re configuration that can be copied? http://ui.linksys.com/files/BEFSX41/1.52.5/Setup-L2TP.htm
i forgot the iface hotplug script:

Code:
root@OpenWrt /root# cat /etc/hotplug.d/iface/93-racoon
#!/bin/sh
/etc/init.d/racoon enabled && {
	local intif="$(uci_get network.wan.ifname)"
	[ "$ACTION" = "ifup" ] && [ "$INTERFACE" = "$intif" ] && {
		logger -t racoon-hotplug "ifup for interface '$intif', restart racoon"
		/etc/init.d/racoon restart
	}
}
Just to update this thread for future visitors: Shibby has kindly accepted my patches to enable IPSec in the AIO and Mega-VPN builds from version 99 onward. Additionally, the bare minimum for allowing IPSec module loading is now enabled in all builds, and the IPSec modules are in the extras.tar.gz for manually adding with entware (or optware, though I've only managed to get things working with entware so far). In short, to get IPSec in Tomato, use Shibby's tomato version 99+, install entware, install strongswan or ipsec-tools (which basically boils down to if you like pluto or racoon), and create scripts on wan-up to set your policies. Now that it's actually *possible*, I'm hoping howtos start popping up...
Sorry for being a complete noob, but is there a reason all of this couldn't be included in a build without extra requirements? Is it a maturity thing, or a size thing, or what exactly? It would be great if it could work just like openvpn does today, with GUI and everything. Just my 0.02$.
There are firmware size issues. Tomatousb supports some routers with only 4MB and 8MB flash (available flash for firmware needs to allow for CFE, NVRAM and manufacturer variations - Netgear?). And to put more into these firmwares you generally have to take something out, which generally displeases someone! The Asus original firmware is now up to 23MB on the Asus RT-N16 (32MB flash), so by making more 'all in one' build variations and reducing the target population for each build anything is possible.
I get the first part. I don't agree with the second one. It basically says the more features that are available the more people will be displeased. That is not how I see things. To me it seems that if Asus's current firmware is 23M, there is at least 9M room for improvements. Why not use what is available?
Not sure any current mods publish firmwares bigger than 8MB; EasyTomato, which only targets the RT-N16, is up to 8.1MB. No technical reason why you can't have more if your router flash can take it. There must be an overhead for having unwanted things in flash, but it should be small if things are built as kernel modules, or user-space apps that don't get used. You have a couple of choices - either 'roll-your-own' or ask nicely to your favourite mod author!
This particular one bears inclusion if possible, I think. Just like IPv6, you may not need it today, but it won't be long before you will, and it's better to have it out there, tested, bulletproofed, and configuration-made-easy (as much as possible, IPSec is a *bear*!) before that day comes. Just my $0.02. Rodney
Hello guys, Maybe it is not the right place to ask, or maybe you can give me the right direction where. I've got it running from the "finger" from Shibby's mod+entware in opt, but I'm stuck with the below:

Code:
iptables -m policy --strict --dir in --pol ipsec --proto esp

I just try to get it working and it is (the simple xauth+psk + external dhcp server over the dhcp module from swan). Strongswan says the above is required: http://www.strongswan.org/uml/testresults/ikev1/xauth-psk/moon.iptables Coz I do all the hard work remotely over OpenVpn, I'm not able to create my own image to download to the router. I just need the simple confirmation that someone got it up and running. I'm not bothered about any GUI. If it doesn't, I just need that confirmation as well. Then maybe, after returning to my home place, I can try to build my stuff with ipsec. I travel a lot and I need ipsec. I can confirm that Shibby's mod works like a charm, with the outside dhcp server attached (I have a few Netgear routers connected to each other with Tomato mods) over OpenVpn with tap. Cheers, Marek
Gents! First of all, this thread was a great help so far, but unfortunately I got stuck at the moment. I'm trying to get strongswan 5.0.0 from entware to work on an RT-N66U router, having the shibby Tomato release 105 AIO installed (tomato-K26USB-1.28.RT-N5x-MIPSR2-105-AIO-64K.trx). strongswan installed fine from entware. When I type however...

Code:
# ipsec start

...I get...

Code:
Starting strongSwan 5.0.0 IPsec [starter]...
insmod: '-qv.ko': module not found
insmod: '-qv.ko': module not found
insmod: '-qv.ko': module not found
insmod: '-qv.ko': module not found
insmod: '-qv.ko': module not found

...following the advice, to check...

Code:
# strings /opt/lib/ipsec/starter | grep qv

...I get...

Code:
insmod -qv af_key
insmod -qv ah4
insmod -qv esp4
insmod -qv ipcomp
insmod -qv xfrm4_tunnel
insmod -qv xfrm_user
modprobe -qv ipsec
modprobe -qv ipsec_aes
modprobe -qv ipsec_blowfish
modprobe -qv ipsec_sha2

...and when I try the commands above manually, all works fine, except when I get to xfrm4_tunnel, I get...

Code:
# insmod xfrm4_tunnel
insmod: can't insert '/lib/modules/2.6.22.19/kernel/net/ipv4/xfrm4_tunnel.ko': unknown symbol in module, or unknown parameter

...and this is what appears in the syslog...

Code:
Feb 5 22:21:14 unknown user.warn kernel: xfrm4_tunnel: Unknown symbol xfrm4_tunnel_register
Feb 5 22:21:14 unknown user.warn kernel: xfrm4_tunnel: Unknown symbol xfrm4_tunnel_deregister

...then, when I get to the modprobe section I get the same response for all four options...

Code:
# modprobe ipsec
modprobe: module ipsec not found in modules.dep
# modprobe ipsec_aes
modprobe: module ipsec_aes not found in modules.dep
# modprobe ipsec_blowfish
modprobe: module ipsec_blowfish not found in modules.dep
# modprobe ipsec_sha2
modprobe: module ipsec_sha2 not found in modules.dep

I must be missing something basic here, or the tomato-K26USB-1.28.RT-N5x-MIPSR2-105-AIO-64K.trx image is missing IPSEC support? Any help would be greatly appreciated!
I'm looking into options to get L2TP/IPsec on my RT-N16 and this seems very promising. Did someone make a howto yet?
Note: Shibby FW AIO has conflict on input-core.ko but works fine when I shifted to FW - Tomato Firmware 1.28.0000 MIPSR1-105 K26 USB BTgui-VPN. why not try it ...
Thanks for the suggestions Leandroong. I have an E4200 currently loaded with K26-N MIPSR2-105 AIO, I am reluctant to try the build above as I know the one I am using is specific to my router model. Does anyone have other work around without changing the firmware? Thanks
Let me make sure I understand you right. This seems to affect only AIO versions regardless of MIPSR1 or MIPSR2, right? My router only takes mipsr2, so if I load a different FW that is not AIO it should work? Thanks
it has a problem with the mega and AIO FWs but works on BTGui-vpn for the input-core.ko insmod. I didn't bother to test the other remaining FWs. In your case you need to test which FW works for you
I will load BT-VPN build later tonight and report back tomorrow. I want to take time to write down my settings to reload from scratch. Thanks much again
I have loaded Shibby's BT-VPN 105 build for my E4200 and the problem persists. I had the same errors under the AIO. Does anyone know what I am doing wrong? Below is my output. Thanks

Code:
Starting strongSwan 5.0.1 IPsec [starter]...
!! Your strongswan.conf contains manual plugin load options for charon.
!! This is recommended for experts only, see
!! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
insmod: '-qv.ko': module not found
insmod: '-qv.ko': module not found
insmod: '-qv.ko': module not found
insmod: '-qv.ko': module not found
insmod: '-qv.ko': module not found
root@Sunuroten:/tmp/home/root# strings /opt/lib/ipsec/starter | grep qv
insmod -qv af_key
insmod -qv ah4
insmod -qv esp4
insmod -qv ipcomp
insmod -qv xfrm4_tunnel
insmod -qv xfrm_user
modprobe -qv ipsec
modprobe -qv ipsec_aes
modprobe -qv ipsec_blowfish
modprobe -qv ipsec_sha2
Good news: you were able to load xfrm_user. This means this FW is what you need. Your other problem is about missing file, "-qv.ko".
What do you think the "-qv.ko" means? Performing a search on the system does not return any results. I am loading xfrm_user fine, but still cannot load xfrm4_tunnel, see below.

Code:
root@Sunuroten:/tmp/home/root# insmod /opt/extras/ipsec/af_key
insmod: can't insert '/opt/extras/ipsec/af_key.ko': File exists
root@Sunuroten:/tmp/home/root# insmod /opt/extras/ipsec/ah4
insmod: can't insert '/opt/extras/ipsec/ah4.ko': File exists
root@Sunuroten:/tmp/home/root# insmod /opt/extras/ipsec/esp4
insmod: can't insert '/opt/extras/ipsec/esp4.ko': File exists
root@Sunuroten:/tmp/home/root# insmod /opt/extras/ipsec/ipcomp
insmod: can't insert '/opt/extras/ipsec/ipcomp.ko': File exists
root@Sunuroten:/tmp/home/root# insmod /opt/extras/ipsec/xfrm4_tunnel
insmod: can't insert '/opt/extras/ipsec/xfrm4_tunnel.ko': unknown symbol in module, or unknown parameter
root@Sunuroten:/tmp/home/root# insmod /opt/extras/ipsec/xfrm_user
insmod: can't insert '/opt/extras/ipsec/xfrm_user.ko': File exists
both xfrm4_user and xfrm_user loaded fine. Otherwise there will be error message. -qv.ko is a kernel file, like xfrm4_user.ko, that needs to be present also. I look at my extras and it seems that, indeed, it is missing. Need to request that file from shibby.
why not run it as optware, if you're using entware, get it from here, http://wl500g-repo.googlecode.com/svn/ipkg/openwrt/
I had optware at first but switched to entware, based on reports that optware was missing dependencies. Are you saying to get qv.ko from the entware repository? Do you have a working install of ipsec?
No, I don't have a working install of ipsec. I think the FW that you are using has no IPSEC included, only MEGA and AIO have it. Entware has repositories for it. Maybe others will guide you...
fyi, other users (including myself) are experiencing the same problem with v1.06 and v1.07 of shibby's builds. Other threads dealing with this issue can be found here: http://tomatousb.org/forum/t-630208/strongswan-help-on-shibby-mod-v1-07-vpn and http://code.google.com/p/wl500g-repo/issues/detail?can=2&start=0&num=100&q=&colspec=ID Type Status Priority Milestone Owner Summary Modified&groupby=&sort=&id=30
That's something different. Busybox's modprobe/insmod don't understand "-qv" options. Fixed with r1164.
Thanks. Can you provide me updated Makefile for libaudiofile version 0.3.6? If possible only. Source code for libaudiofile: http://www.68k.org/~michael/audiofile/
Thank you very much. I updated to your latest version (with Shibby v1.08 AIO), and don't see any of the -qv error messages anymore. I can now get ipsec to start up and run in the background, though I still have an error:

Code:
root@unknown:/opt/etc# ipsec start
Starting strongSwan 5.0.2 IPsec [starter]...
charon is already running (/var/run/charon.pid exists) -- skipping charon start
insmod: can't insert '/lib/modules/2.6.22.19/kernel/net/ipv4/xfrm4_tunnel.ko': unknown symbol in module, or unknown parameter
starter is already running (/var/run/starter.pid exists) -- no fork done

I wonder why xfrm4_tunnel.ko won't load... I will look into this tomorrow. Thanks again.
download the extras for your build v.108 to /opt - K26 or K26RT-N, e.g. http://tomato.groov.pl/download/K26/build5x-108-EN/extras-mips2.tar.gz - and

Code:
modprobe /opt/extras/ipsec/xfrm4_tunnel
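An added example, not taken from any post in this thread, that ties together three things asked about above: which modules from extras.tar.gz to load and in what order, the "File exists" errors that come from re-running insmod on an already loaded module, and the "unknown symbol" failure on xfrm4_tunnel (busybox insmod does not resolve dependencies, so the module exporting the missing symbol has to be loaded first). The module directory, the load order and the assumption that tunnel4.ko is the provider of xfrm4_tunnel_register are mine and are not verified against Shibby's extras; the script checks /proc/modules before each insmod so it can be run again safely from Tomato's init script.

```shell
#!/bin/sh
# Idempotent loader for the IPsec kernel modules from Shibby's extras.tar.gz.
# Example code for this thread, not part of Tomato or strongSwan.
# MODDIR and the load order are assumptions: adjust to where you unpacked extras.
MODDIR="${MODDIR:-/opt/extras/ipsec}"
IPV6="${IPV6:-0}"   # IPV6=1 also loads the xfrm6/ah6/esp6 modules

# Load order: crypto primitives, then the PF_KEY/netlink core, then the IPv4
# transforms and modes. tunnel4 is listed before xfrm4_tunnel on the assumption
# that it exports xfrm4_tunnel_register (the symbol the posts above report missing).
ipsec_module_list() {
    cat <<'EOF'
aes des blowfish cast5 crypto_null sha256 sha512 md5 xcbc
af_key xfrm_user
ah4 esp4 ipcomp xfrm4_mode_transport xfrm4_mode_tunnel xfrm4_mode_beet tunnel4 xfrm4_tunnel
xfrm6_mode_transport xfrm6_mode_tunnel ah6 esp6 ipcomp6 xfrm6_tunnel
EOF
}

# Print the modules to load, one per line, dropping the IPv6 set unless IPV6=1.
wanted_modules() {
    ipsec_module_list | tr ' ' '\n' | while read -r m; do
        [ -z "$m" ] && continue
        case "$m" in
            xfrm6_*|ah6|esp6|ipcomp6|tunnel6) [ "$IPV6" = "1" ] || continue ;;
        esac
        echo "$m"
    done
}

# True when the module is already in the kernel (first column of /proc/modules).
module_loaded() {
    grep -q "^$1 " /proc/modules 2>/dev/null
}

# Load every wanted module that is not loaded yet; returns the number of failures.
load_modules() {
    failed=0
    for m in $(wanted_modules); do
        if module_loaded "$m"; then
            echo "skip  $m (already loaded)"       # avoids insmod's 'File exists'
            continue
        fi
        ko="$MODDIR/$m.ko"
        if [ ! -f "$ko" ]; then
            echo "miss  $m ($ko not in extras, or built into this kernel)"
            continue
        fi
        if insmod "$ko"; then
            echo "load  $m"
        else
            # 'unknown symbol in module' means a provider was not loaded first;
            # the kernel log names the symbol, which identifies that provider.
            echo "FAIL  $m: $(dmesg | grep "$m" | tail -n 1)"
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Usage: sh ipsec-modules.sh list   (show the order)
#        sh ipsec-modules.sh load   (load from MODDIR, e.g. from the init script)
case "${1:-}" in
    list) wanted_modules ;;
    load) load_modules ;;
esac
```

Run it with `list` first to review the order; `load` prints one line per module so a failing insmod shows up in the init script output rather than being hidden behind `ipsec start`.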
Hi all, I'm very interested in the development of this and got to the point where I get a connection to my phone and can ping from both ends. Other traffic than that is not working yet, but probably a firewall rule or policy that needs to be done. Maybe someone here knows what it can be. I'm running shibby's 108 on a Cisco E3000 and have done the following. I've got a 1TB drive connected to the USB and mounted as /opt so I don't have any space issue, but I might have more installed than necessary to get it working. My router's internal IP is 192.168.10.1. This gets a Strongswan 5 up and running with a connection via IKEv2 with mobike.

Code:
#install entware
# Install strongswan
opkg install strongswan-minimal
opkg install strongswan-mod-af-alg
opkg install strongswan-mod-gcrypt
opkg install strongswan-mod-openssl
opkg install strongswan-mod-pem
opkg install strongswan-mod-pkcs8
opkg install strongswan-mod-pkcs1
opkg install strongswan-mod-md4
opkg install strongswan-mod-md5
opkg install strongswan-mod-sha2
opkg install strongswan-mod-blowfish
opkg install strongswan-mod-des
opkg install strongswan-mod-pkcs11
opkg install strongswan-mod-test-vectors
opkg install strongswan-mod-curl
opkg install strongswan-mod-ldap
opkg install strongswan-mod-mysql
opkg install strongswan-mod-sqlite
opkg install strongswan-mod-revocation
opkg install strongswan-mod-constraints
opkg install strongswan-mod-pgp
opkg install strongswan-mod-dnskey
opkg install strongswan-mod-fips-prf
opkg install strongswan-mod-agent
opkg install strongswan-mod-cmac
opkg install strongswan-mod-ctr
opkg install strongswan-mod-ccm
opkg install strongswan-mod-gcm
opkg install strongswan-mod-attr
opkg install strongswan-mod-attr-sql
opkg install strongswan-mod-load-tester
opkg install strongswan-mod-kernel-pfkey
opkg install strongswan-mod-kernel-klips
opkg install strongswan-mod-resolve
opkg install strongswan-mod-socket-dynamic
opkg install strongswan-mod-farp
opkg install strongswan-mod-smp
opkg install strongswan-mod-sql
opkg install strongswan-mod-eap-identity
opkg install strongswan-mod-eap-md5
opkg install strongswan-mod-eap-mschapv2
opkg install strongswan-mod-xauth-generic
opkg install strongswan-mod-xauth-eap
opkg install strongswan-mod-dhcp
opkg install strongswan-mod-ha
opkg install strongswan-mod-whitelist
opkg install strongswan-mod-led
opkg install strongswan-mod-duplicheck
opkg install strongswan-mod-coupling
opkg install strongswan-mod-addrblock
opkg install strongswan-mod-unity

# Install nano to edit the config files etc....
opkg install nano

# Download the extras from the shibby build you are on.
mkdir /opt/ipsecmod
# and extract all the ipsec modules from the extras into that folder

# This will open up the ports automatically on startup
mkdir /opt/etc/config
nano /opt/etc/config/vpn.fire
# Paste the two lines in there and save
iptables -I INPUT -j ACCEPT -p udp --dport 500
iptables -I INPUT -j ACCEPT -p udp --dport 4500

# Create a script to load the modules
nano /opt/ipsecmod/ldipsecmod
# Paste the following lines in there
cd /opt/ipsecmod/
insmod aes.ko
insmod af_key.ko
insmod ah4.ko
insmod blowfish.ko
insmod cast5.ko
insmod crypto_null.ko
insmod des.ko
insmod esp4.ko
insmod ipcomp.ko
insmod md4.ko
insmod md5.ko
insmod serpent.ko
insmod sha256.ko
insmod sha512.ko
insmod tea.ko
insmod twofish_common.ko
insmod twofish.ko
insmod xcbc.ko
insmod xfrm4_mode_beet.ko
insmod xfrm4_mode_transport.ko
insmod xfrm4_mode_tunnel.ko
insmod xfrm4_tunnel.ko
insmod xfrm_user.ko
# Save the file
# Make the file executable
chmod 777 /opt/ipsecmod/ldipsecmod

# Go to the router's web interface -> administration -> scripts -> init tab
sleep 15
sh /opt/ipsecmod/ldipsecmod
sleep 5
ipsec start

# Generate keys
cd /opt/etc/ipsec.d
ipsec pki --gen > caKey.der
ipsec pki --self --in caKey.der --dn "C=CH, O=strongSwan, CN=strongSwan CA" --ca > caCert.der
ipsec pki --gen > peerKey.der
### Beware here of the --san option, it depends on how you connect to the vpn server,
### for instance if you use the ip or dns name to connect to your router.
### If you don't change it, the connection won't work.
ipsec pki --pub --in peerKey.der | ipsec pki --issue --cacert caCert.der --cakey caKey.der --dn "C=CH, O=strongSwan, CN=peer" --san your dns or ip > peerCert.der
mv peerKey.der /opt/etc/ipsec.d/private/peerKey.der
mv peerCert.der /opt/etc/ipsec.d/certs/peerCert.der
mv caCert.der /opt/etc/ipsec.d/cacerts/caCert.der
# Now we need to move the caKey.der out of this location as it's not safe to keep it there.

# Edit the ipsec.conf
nano /opt/etc/ipsec.conf
# Paste the config
# ipsec.conf - strongSwan IPsec configuration file
config setup
    uniqueids=yes

conn ikev2
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%defaultroute
    leftfirewall=yes
    leftsubnet=0.0.0.0/0
    leftauth=pubkey
    leftcert=peerCert.der
    leftid="C=CH, O=strongSwan, CN=peer"
    right=%any
    rightsourceip=%dhcp
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%any
    auto=add
# Save the config

# Edit the strongswan.conf
nano /opt/etc/strongswan.conf
#### add the dns lines
# strongswan.conf - strongSwan configuration file
charon {
    plugins {
        dhcp {
            force_server_address = yes
            server = 192.168.10.1
            identity_lease = yes
        }
    }
    # number of worker threads in charon
    threads = 16
    dns1 = 8.8.8.8
    dns2 = 8.8.4.4
}

libstrongswan {
    # set to no, the DH exponent size is optimized
    # dh_exponent_ansi_x9_42 = no
}

#### Edit the ipsec.secrets
nano /opt/etc/ipsec.secrets
# /etc/ipsec.secrets - strongSwan IPsec secrets file
: RSA peerKey.der
user : EAP "password"
#### change where needed, like "user" and "password", and save

Reboot your router, install the CA cert on the device you are connecting from, configure the connection and connect.
It seems I'm missing a kernel module, xt_policy.ko, because of this error message:

Code:
daemon.info syslog: 12[CHD] updown: iptables: No chain/target/match by that name

I've looked already in the extras but the module doesn't seem to be there. Can someone compile this? Cheers

Correction: it seems to load when I do:

Code:
modprobe xt_policy
Loading xt_policy lets Strongswan configure your iptables automatically for each connection. Now I've finally got the internet connection working via IPSEC, but no access to my LAN yet. Strongswan automatically added these lines:

Code:
Chain INPUT (policy DROP)
ACCEPT     all  --  user       anywhere       policy match dir in pol ipsec reqid 2 proto ipv6-crypt
Chain FORWARD (policy DROP)
ACCEPT     all  --  user       anywhere       policy match dir in pol ipsec reqid 2 proto ipv6-crypt
ACCEPT     all  --  anywhere   user           policy match dir out pol ipsec reqid 2 proto ipv6-crypt
Chain OUTPUT (policy ACCEPT)
ACCEPT     all  --  anywhere   user           policy match dir out pol ipsec reqid 2 proto ipv6-crypt

Almost there.......
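An added example, not from any post in this thread, covering the firewall side that several posts touch on: the `-m policy --strict --dir in --pol ipsec --proto esp` match Marek asked about, the xt_policy module that has to be loaded before that match works, and the "internet works but no LAN access" state in the post just above. The rules are generated as text so they can be reviewed before being applied; WAN_IF and LAN_NET are assumptions for an E3000-style Tomato router, and the `.fire` script location is taken from the walkthrough above (Tomato running scripts from /opt/etc/config is assumed, not verified here). The NAT exemption at the end is the standard strongSwan advice for a masquerading gateway: packets about to be encrypted must not be source-NATed, or their source becomes the WAN address and they no longer match the tunnel's selectors.

```shell
#!/bin/sh
# Firewall rules for an IKEv2 road-warrior gateway on Tomato (example code for
# this thread, not part of Tomato or strongSwan). WAN_IF and LAN_NET are
# assumptions; check them with 'nvram get wan_ifname' and 'nvram get lan_ipaddr'.
WAN_IF="${WAN_IF:-vlan2}"
LAN_NET="${LAN_NET:-192.168.10.0/24}"

# Print the iptables commands, one per line, without applying them.
ipsec_fw_rules() {
    # Control channel: IKE on UDP/500, NAT-T on UDP/4500, and ESP itself (IP proto 50).
    echo "iptables -I INPUT -i $WAN_IF -p udp --dport 500 -j ACCEPT"
    echo "iptables -I INPUT -i $WAN_IF -p udp --dport 4500 -j ACCEPT"
    echo "iptables -I INPUT -i $WAN_IF -p esp -j ACCEPT"
    # Decrypted packets: only traffic that arrived inside an ESP SA may reach the
    # router or be forwarded to the LAN. --strict requires every element of the
    # policy to match. These matches need the xt_policy module loaded.
    echo "iptables -I INPUT -i $WAN_IF -m policy --strict --dir in --pol ipsec --proto esp -j ACCEPT"
    echo "iptables -I FORWARD -i $WAN_IF -d $LAN_NET -m policy --strict --dir in --pol ipsec --proto esp -j ACCEPT"
    echo "iptables -I FORWARD -o $WAN_IF -s $LAN_NET -m policy --strict --dir out --pol ipsec --proto esp -j ACCEPT"
    # Tomato masquerades everything leaving the WAN. Replies heading back into the
    # tunnel must skip SNAT, otherwise their source is rewritten to the WAN address
    # and they no longer match the tunnel's selectors (a common cause of 'no LAN access').
    echo "iptables -t nat -I POSTROUTING -o $WAN_IF -m policy --dir out --pol ipsec -j ACCEPT"
}

# Apply the rules, reporting (not aborting on) any that iptables rejects.
apply_ipsec_fw_rules() {
    ipsec_fw_rules | while read -r rule; do
        $rule || echo "failed: $rule" >&2
    done
}

# Usage: sh ipsec.fire        -> print the rules for review
#        sh ipsec.fire apply  -> apply them (e.g. from /opt/etc/config/ipsec.fire)
case "${1:-print}" in
    apply) modprobe xt_policy 2>/dev/null; apply_ipsec_fw_rules ;;
    print) ipsec_fw_rules ;;
esac
```

If `-m policy` still reports "No chain/target/match by that name" after `modprobe xt_policy`, the match is not available in that build's iptables and the FORWARD rules have to be written against the client address pool instead.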
I would love to see an IPsec VPN integrated into the regular VPN builds with a GUI. That would be awesome!
This is one of the features which is in official firmwares (such as linksys, ...)... GUI is not difficult, but I think we need someone who can create it and share to developers... does anybody have this skills?
I could help test it once it was integrated, but unfortunately I don't have the skills to assist in adding any features directly.