For an overview of all existing Virtual Private Network (VPN)-related articles in the OpenWrt wiki, please visit vpn.overview.
This page is about strongSwan. The old racoon documentation can be found here.
The task to achieve is connecting our home (W)LAN with our company's networks. To make it not too easy, we also want to access the company's DMZ through the tunnel. Here is the (more or less) big picture.
Additionally, we sum up the facts in text form to explain the infrastructure in detail.
This may not be the most basic setup, but it is the simplest one that shows a few important points: you can access multiple subnets through one remote IPsec gateway, you can tunnel official (public) IP addresses, and you do not need a fixed external IP address.
To reach the ACME infrastructure we have to tell racoon all the details about the tunnel and the remote networks. We provide all information in the central /etc/config/ipsec file. The information required for Phase 1 (the initial handshake) is:
For the tunnels we need security policies. Since there are two different subnets we want to reach, two sainfo blocks have to be created in our file. These define the so-called Phase 2 proposals. We provide:
#/etc/config/ipsec
config 'ipsec'
    list listen ''

config 'remote' 'acme'
    option 'enabled' '1'
    option 'gateway' '18.104.22.168'
    option 'pre_shared_key' 'yourpasswordhere'
    option 'exchange_mode' 'aggressive'
    option 'local_identifier' 'bratwurst'
    list 'p1_proposal' 'pre_g2_aes_sha1'
    list 'tunnel' 'acme_dmz'
    list 'tunnel' 'acme_lan'

config 'p1_proposal' 'pre_g2_aes_sha1'
    option 'encryption_algorithm' 'aes128'
    option 'hash_algorithm' 'sha1'
    option 'dh_group' '2'

config 'tunnel' 'acme_lan'
    option 'local_subnet' '192.168.2.64/26'
    option 'remote_subnet' '10.1.2.0/24'
    option 'p2_proposal' 'g2_aes_sha1'

config 'tunnel' 'acme_dmz'
    option 'local_subnet' '192.168.2.64/26'
    option 'remote_subnet' '22.214.171.124/26'
    option 'p2_proposal' 'g2_aes_sha1'

config 'p2_proposal' 'g2_aes_sha1'
    option 'pfs_group' '2'
    option 'encryption_algorithm' 'aes128'
    option 'authentication_algorithm' 'sha1'
    ...
… pictures with checks …
ACME corporation uses a Juniper firewall. They kindly provided us with some configuration screenshots. Take them as a sample for your own implementation.
Phase 1 settings
Phase 2 settings
To reach the remote subnets, the last thing we need is two firewall rules. Simply allow all traffic from the local LAN 192.168.2.64/26 to the ACME subnets. If you join multiple tunnels in one zone called VPN, you have to use explicit destination addresses to separate the traffic: an ALL→ALL rule would allow traffic to all destination networks. And do not forget to contact the ACME firewall admin to add the corresponding access rules on their side too.
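To show how the ipsec configuration above maps onto the explicit per-tunnel firewall rules this section asks for, here is an added example (not code from the OpenWrt wiki or the racoon package) that parses the UCI 'remote' and 'tunnel' sections and derives one ACCEPT rule per tunnel instead of an ALL→ALL rule. The zone names 'lan' and 'vpn', the rule names, and the audit() check on the 'remote' block are assumptions of the example; the sample config is a trimmed copy of the one on this page.

```python
import ipaddress
import shlex

# Constructed sample: the 'remote' and 'tunnel' sections of this page's ipsec config.
SAMPLE = """
config 'remote' 'acme'
    option 'exchange_mode' 'aggressive'
    option 'pre_shared_key' 'yourpasswordhere'
    list 'tunnel' 'acme_dmz'
    list 'tunnel' 'acme_lan'
config 'tunnel' 'acme_lan'
    option 'local_subnet' '192.168.2.64/26'
    option 'remote_subnet' '10.1.2.0/24'
config 'tunnel' 'acme_dmz'
    option 'local_subnet' '192.168.2.64/26'
    option 'remote_subnet' '22.214.171.124/26'
"""

def parse_uci(text):
    """Return {(type, name): {key: value or [values]}} for the UCI text."""
    sections, cur = {}, None
    for words in filter(None, map(shlex.split, text.splitlines())):  # quotes dropped
        if words[0] == 'config':
            cur = sections.setdefault((words[1], words[2]), {})
        elif words[0] == 'option':
            cur[words[1]] = words[2]
        elif words[0] == 'list':
            cur.setdefault(words[1], []).append(words[2])
    return sections

def firewall_rules(sections, remote='acme', src_zone='lan', dest_zone='vpn'):
    """One ACCEPT rule per tunnel, limited to that tunnel's own subnets, so the
    two remote networks stay separated. Zone names are assumed by this example;
    ip_network(strict=False) clears stray host bits in a subnet as written."""
    rules = []
    for name in sections[('remote', remote)]['tunnel']:
        t = sections[('tunnel', name)]
        local, dest = (ipaddress.ip_network(t[k], strict=False)
                       for k in ('local_subnet', 'remote_subnet'))
        rules.append({'name': 'allow-' + name, 'src': src_zone, 'dest': dest_zone,
                      'src_ip': str(local), 'dest_ip': str(dest), 'target': 'ACCEPT'})
    return rules

def audit(sections, remote='acme'):
    """Check the 'remote' block: IKEv1 aggressive mode with a PSK exposes the PSK to offline guessing."""
    r, notes = sections[('remote', remote)], []
    if r.get('exchange_mode') == 'aggressive' and 'pre_shared_key' in r:
        notes.append('aggressive mode with PSK: use main mode or certificates')
    return notes
```

Each dict returned by firewall_rules() corresponds to one `config rule` section in /etc/config/firewall with the same option names.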
Connecting two private networks opens an interesting DNS challenge. The ACME DNS server does not only resolve official server names to IP addresses but also those of ACME-internal servers, e.g. hobbit.acme.inc and its IP 10.1.2.42. As we have established a VPN connection, we can already reach this host by its address. To reach it by its name too, we have to offer name resolution in our home domain. With OpenWrt being very powerful, we assume that our router has an active Dnsmasq DNS server. So we have two possibilities to resolve acme.inc addresses.
DNS forwarding through VPN tunnels is almost the same as normal DNS forwarding, with one exception: Dnsmasq must use the correct source address (interface). By default it will use the OpenWrt internet IP for its requests, but that address cannot be tunneled. So just extend the Dnsmasq forward settings in LuCI with the OpenWrt internal IP address. In our scenario we want to reach the ACME DNS at 10.1.2.250 using our internal IP 192.168.2.82. Don't forget to add this domain to the rebind-protection whitelist; otherwise Dnsmasq will treat the private addresses in the answers as a DNS rebind attack and discard them.
Building IPsec VPNs with certificates.