Strongswan or other IPsec config for 2.24 (MT300A)

gadams999 · 2017-01-05T04:53:37.000Z

Hi all,

I’ve got a great working OpenVPN setup, but am now attempting to get strongswan working. I have downloaded and installed the strongswan packages, and after converting an openswan config for AWS VPG, have a good Phase I/II (tunnel up on both sides).

However, no traffic is being sent, and I think that it’s due to a lack of routing. I did add auto=route to /etc/ipsec.conf, and a “ipsec start” and then interesting traffic brings up the tunnel. What’s missing is any interface (e.g., ipsec0) that I would expect to see, sort of like tun0 for OVPN. I saw mention of creating a L2TP interface via Luci then changing, but I didn’t see any options to make an IPsec interface.

I’m new to OpenWRT, so any guidance on how/where to create an IPsec interface, or even if there is a better solution when using the MT300A would be appreciated.

alzhao · 2017-01-05T16:27:40.000Z

sorry no experience to configure ipsec.

rangerz · 2017-01-05T23:38:22.000Z

Have you found the OpeWrt wiki pages?

https://wiki.openwrt.org/start?do=search&id=ipsec

I would be very curious about the performance of StrongSwan compared to OpenVPN. I am of the impression it should be much faster, especially on these resource constrained devices. It was beyond my comprehension when I looked at it back in time.

Are you building a client for use with a VPN service or a client\server setup?

gadams999 · 2017-01-06T05:56:01.000Z

Thanks for the response alzhao and RangerZ. I’ll continue looking on the OpenWRT pages. I need IPsec for a site-to-site connection to an AWS VPC (using the VGW), as it’s standard way w/o deploying an EC2 instance for OpenVPN (which is the other way and working fine).

My confusion is not having experience with OpenWRT. Using 2.24 I was able to install the strongswan packges, but did see “error 255” on the post-install. Since the local commands work fine and I can bring the tunnel up (good Phase II), I’m assuming the install went fine. At this point it’s probably understanding zones, interfaces (if needed), and iptables rules to allow traffic and not MASQ the traffic.

Hoping to get a few hours in the next week or so to dig deeper!

alzhao · 2017-01-06T09:42:00.000Z

just omit the error 255

Anyway it needs a lot of effort if you have new configurations.