I have successfully established an IPsec tunnel on my OpenWrt router, but I am unable to ping the remote subnet.
Below are the related files and command outputs.
cat ipsec.conf

conn vpn3
    keyexchange=ikev2
    left=10.129.170.132
    right=103.44.119.90
    leftsubnet=192.168.18.0/24
    rightsubnet=192.168.100.0/24
    leftauth=psk
    rightauth=psk
    authby=secret
    auto=start
    dpdaction=restart
    dpddelay=30s
    dpdtimeout=150s
    keyingtries=%forever
    mobike=yes
    ike=aes128-sha1-modp1024!
    esp=aes128-sha1-modp1024!
    ikelifetime=28800s
    lifetime=28800s
    type=tunnel
    forceencaps=yes
ipsec statusall

Status of IKE charon daemon (strongSwan 5.8.2, Linux 4.14.241, mips):
  uptime: 5 minutes, since Apr 08 13:10:22 2022
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 5
  loaded plugins: charon aes des sha2 sha1 md4 md5 random nonce x509 pubkey gmp xcbc hmac kernel-netlink socket-default stroke updown
Listening IP addresses:
  192.168.18.1
  20.0.0.115
  10.129.170.132
Connections:
        vpn3:  10.129.170.132...103.44.119.90  IKEv2, dpddelay=30s
        vpn3:   local:  [10.129.170.132] uses pre-shared key authentication
        vpn3:   remote: [103.44.119.90] uses pre-shared key authentication
        vpn3:   child:  192.168.18.0/24 === 192.168.100.0/24 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
        vpn3[1]: ESTABLISHED 5 minutes ago, 10.129.170.132[10.129.170.132]...103.44.119.90[103.44.119.90]
        vpn3[1]: IKEv2 SPIs: e0ed3277e33b4d3a_i* 8f061450adb08c76_r, pre-shared key reauthentication in 7 hours
        vpn3[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
        vpn3{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c300f0e5_i c148ff6a_o
        vpn3{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 22764 bytes_o (271 pkts, 62s ago), rekeying in 7 hours
        vpn3{1}:   192.168.18.0/24 === 192.168.100.0/24
ip route list table 220

192.168.100.0/24 via 10.64.64.64 dev 3g-sim proto static src 192.168.18.1
route -n

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         20.0.0.2        0.0.0.0         UG    1      0        0 eth0.2
0.0.0.0         10.64.64.64     0.0.0.0         UG    2      0        0 3g-sim
10.64.64.64     0.0.0.0         255.255.255.255 UH    0      0        0 3g-sim
20.0.0.0        0.0.0.0         255.255.255.0   U     1      0        0 eth0.2
192.168.18.0    0.0.0.0         255.255.255.0   U     0      0        0 br-lan
cat /etc/config/firewall

config defaults
    option output 'ACCEPT'
    option synflood_protect '1'
    option input 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'lan'
    option output 'ACCEPT'
    option input 'ACCEPT'
    option forward 'ACCEPT'
    list network 'lan'

config zone
    option name 'wan'
    option output 'ACCEPT'
    option mtu_fix '1'
    option input 'ACCEPT'
    option forward 'ACCEPT'
    list network 'wan'
    list network 'sim'
    option masq '1'

config forwarding
    option src 'lan'
    option dest 'wan'

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-IGMP'
    option src 'wan'
    option proto 'igmp'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option src_ip 'fc00::/6'
    option dest_ip 'fc00::/6'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-MLD'
    option src 'wan'
    option proto 'icmp'
    option src_ip 'fe80::/10'
    list icmp_type '130/0'
    list icmp_type '131/0'
    list icmp_type '132/0'
    list icmp_type '143/0'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-IPSec-ESP'
    option src 'wan'
    option dest 'lan'
    option proto 'esp'
    option target 'ACCEPT'

config rule
    option name 'Allow-ISAKMP'
    option src 'wan'
    option dest 'lan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'

config include
    option path '/etc/firewall.user'

config zone
    option name 'vpn'
    option output 'ACCEPT'
    option input 'ACCEPT'
    option forward 'ACCEPT'
    option mtu_fix '1'

config rule 'ipsec_nat'
    option target 'ACCEPT'
    option name 'IPsec NAT-T'
    option src 'wan'
    option proto 'udp'
    option dest_port '4500'

config forwarding
    option dest 'vpn'
    option src 'lan'

config forwarding
    option dest 'lan'
    option src 'vpn'
iptables rule

iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT
One thing I have observed is that whenever I run the ifdown wan command I get a ping reply. I think my traffic is going through the default route, not through IPsec.
Please help.
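As an added diagnostic (not part of the original post), the two helpers below parse text the router already produces, the CHILD_SA line of `ipsec statusall` and `iptables -t nat -S POSTROUTING`, and flag two classic causes of "tunnel ESTABLISHED but no ping": one-way ESP traffic (the post's `0 bytes_i, 22764 bytes_o` pattern) and a policy bypass rule that lands after MASQUERADE, so tunnel packets leave with the wrong source address. The sample inputs are constructed; on the router you would feed the live command output instead.

```shell
#!/bin/sh
# Added diagnostic helpers, not from the original post. Samples below are
# constructed in the shape of the post's output.
STATUS_SAMPLE='vpn3{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 22764 bytes_o (271 pkts, 62s ago), rekeying in 7 hours'

# Constructed POSTROUTING chains: bypass appended after MASQUERADE (bad)
# versus inserted before it (good, which is what `iptables -I` does).
NAT_BAD='-P POSTROUTING ACCEPT
-A POSTROUTING -o eth0.2 -j MASQUERADE
-A POSTROUTING -o 3g-sim -j MASQUERADE
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT'
NAT_GOOD='-P POSTROUTING ACCEPT
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -o eth0.2 -j MASQUERADE
-A POSTROUTING -o 3g-sim -j MASQUERADE'

# sa_direction "<statusall text>": prints both | out-only | in-only | none
# from the bytes_i / bytes_o counters of the first CHILD_SA line found.
sa_direction() {
    in_b=$(printf '%s\n' "$1" | awk '{for(i=2;i<=NF;i++) if(index($i,"bytes_i")==1) print $(i-1)}' | head -n1)
    out_b=$(printf '%s\n' "$1" | awk '{for(i=2;i<=NF;i++) if(index($i,"bytes_o")==1) print $(i-1)}' | head -n1)
    case "${in_b:-0}:${out_b:-0}" in
        0:0) echo none ;;       # no traffic ever matched the policy
        0:*) echo out-only ;;   # we encrypt and send, nothing returns
        *:0) echo in-only ;;    # peer sends, our replies leave elsewhere
        *)   echo both ;;
    esac
}

# nat_bypass_ok "<iptables -t nat -S POSTROUTING text>": returns 0 when the
# `-m policy --pol ipsec ... -j ACCEPT` rule precedes every MASQUERADE rule,
# 1 when MASQUERADE comes first, 2 when there is no bypass rule at all.
nat_bypass_ok() {
    bypass=$(printf '%s\n' "$1" | grep -n -- '--pol ipsec' | grep -- '-j ACCEPT' | head -n1 | cut -d: -f1)
    masq=$(printf '%s\n' "$1" | grep -n MASQUERADE | head -n1 | cut -d: -f1)
    [ -n "$bypass" ] || return 2
    [ -n "$masq" ] || return 0
    [ "$bypass" -lt "$masq" ]
}

# Stand-alone demo. On the router use the live output instead, e.g.
#   sa_direction "$(ipsec statusall)"
#   nat_bypass_ok "$(iptables -t nat -S POSTROUTING)"
echo "ESP traffic direction: $(sa_direction "$STATUS_SAMPLE")"
nat_bypass_ok "$NAT_BAD" || echo "NAT chain problem: bypass rule missing or after MASQUERADE"
```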