This wiki is read only and for archival purposes only. >>>>>>>>>> Please use the new OpenWrt wiki at https://openwrt.org/ <<<<<<<<<<

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

--- inbox:strongswan.howto [2012/11/04 15:39]
+++ inbox:strongswan.howto [2015/06/28 18:11] (current)
jake1981 [Troubleshooting]
@@ Line 1: / Line 1: @@
+====== install/configure strongswan for IPhone/IPad ======
+mostly taken from [[https://forum.openwrt.org/viewtopic.php?id=39560]]
+====== install necessary packages ======
+        opkg update
+        opkg install strongswan-default strongswan-mod-dhcp strongswan-mod-af-alg strongswan-mod-gcrypt \
+        strongswan-mod-blowfish strongswan-mod-md4 strongswan-mod-openssl strongswan-mod-pkcs11 \
+        strongswan-mod-pkcs8 strongswan-mod-test-vectors strongswan-mod-farp
+====== ipsec config ======
+===== /etc/ipsec.conf =====
+        # ipsec.conf - strongSwan IPsec configuration file
+        conn ios
+                keyexchange=ikev1
+                authby=xauthrsasig
+                xauth=server
+                left=%any
+                leftsubnet=0.0.0.0/0
+                leftfirewall=yes
+                leftcert=serverCert.pem
+                right=%any
+                rightsubnet=192.168.1.0/24
+                rightsourceip=%dhcp
+                rightcert=clientCert.pem
+                forceencaps=yes
+                auto=add
+===== /etc/ipsec.secrets =====
+        # /etc/ipsec.secrets - strongSwan IPsec secrets file
+        : RSA serverKey.pem
+        anyuser : XAUTH "anypassword"
+===== /etc/init.d/ipsec =====
+        #!/bin/sh /etc/rc.common
+        # ipsec init script
+        START=46
+        STOP=01
+        start() {
+        ipsec start
+        }
+        stop() {
+        ipsec stop
+        }
+        restart() {
+        ipsec restart
+        }
+        reload() {
+        ipsec update
+        }
+remember to run /etc/init.d/ipsec enable when done to enable startup on boot
+====== strongswan config ======
+===== /etc/strongswan.conf =====
+        # strongswan.conf - strongSwan configuration file
+        charon {
+                dns1 = 192.168.1.1
+                threads = 16
+                plugins {
+                        dhcp {
+                                server = 192.168.1.1
+                        }
+                }
+        }
+        pluto {
+        }
+        libstrongswan {
+                #  set to no, the DH exponent size is optimized
+                #  dh_exponent_ansi_x9_42 = no
+        }
+====== firewall config ======
+===== /etc/firewall.user =====
+        iptables -I INPUT  -m policy --dir in --pol ipsec --proto esp -j ACCEPT
+        iptables -I FORWARD  -m policy --dir in --pol ipsec --proto esp -j ACCEPT
+        iptables -I FORWARD  -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+        iptables -I OUTPUT   -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+===== /etc/config/firewall =====
+        config rule
+                option 'src' 'wan'
+                option 'proto' 'esp'
+                option 'target' 'ACCEPT'
+        config rule
+                option 'src' 'wan'
+                option 'proto' 'udp'
+                option 'dest_port' '500'
+                option 'target' 'ACCEPT'
+        config rule
+                option 'src' 'wan'
+                option 'proto' 'udp'
+                option 'dest_port' '4500'
+                option 'target' 'ACCEPT'
+        config rule
+                option 'src' 'wan'
+                option 'proto' 'ah'
+                option 'target' 'ACCEPT'
+next (certificates) is taken from [[http://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)]]
+====== certificates generation ======
+        ipsec pki --gen --outform pem > caKey.pem
+        ipsec pki --self --in caKey.pem --dn "C=DE, O=xxx, CN=xxxx" --ca --outform pem > caCert.pem
+        ipsec pki --gen --outform pem > serverKey.pem
+        ipsec pki --pub --in serverKey.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "C=DE, O=xxx, CN=xxx.dyndns.org" \
+        --san="xxx.dyndns.org" --flag serverAuth --flag ikeIntermediate --outform pem > serverCert.pem
+        ipsec pki --gen --outform pem > clientKey.pem
+        ipsec pki --pub --in clientKey.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "C=DE, O=xxx, CN=client" --outform pem > clientCert.pem
+        openssl pkcs12 -export -inkey clientKey.pem -in clientCert.pem -name "client" -certfile caCert.pem -caname "xxxx" -out clientCert.p12
+====== copy certificates ======
+        cp caCert.pem /etc/ipsec.d/cacerts/
+        cp serverCert.pem /etc/ipsec.d/certs/
+        cp serverKey.pem /etc/ipsec.d/private/
+        cp clientCert.pem /etc/ipsec.d/certs/
+        cp clientKey.pem /etc/ipsec.d/private/
+Email caCert.pem and clientCert.p12 to Your IPhone/IPad, import them and You're done.
+====== Troubleshooting ======
+If you experience errors, like:
+[KNL] received netlink error: Function not implemented (89)
+[KNL] unable to add SAD entry with SPI ccc321fa
+[KNL] received netlink error: Function not implemented (89)
+[KNL] unable to add SAD entry with SPI 07d0af31
+[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
+You are most likely missing following packages:
+        strongswan-mod-kernel-libipsec
+        kmod-tun
+After these are installed, problem should be fixed.
+If you have problems with reaching of DHCP.. You probably should install also following modules:
+        ipset
+        iptables-mod-filter
+        iptables-mod-nat-extra
+        ppp-mod-pppoe

OpenWrt Wiki

User Tools

Site Tools

Differences

Page Tools