Posted: Sun Oct 15, 2017 17:31 Post subject: IPSec server
Have reviewed the IPSec server that is available in more recent builds. According to Kong it should be available using “a few mouse clicks”.
As far as I can tell these “clicks” mostly involve setting up FreeRadius by creating server and client certificates. There are two fields under the heading “client” however. One named ip/net. Does anyone know what should go into this field?
Should it be like 192.184.X.1/24 using the router ip as first input?
Also after FreeRadius is set up is it enough to just enable IPSec server? _________________ AC-68U on Build 40048
AC-68U on Build 40270M
AC-68U on Build 39572M
Somebody knows how to configure OpenSwan on latest Kong build?
I've used PPTP on my R7000, but since macOS X Sierra I can't use it anymore.
OpenSwan seems to be a nice alternative to PPTP, because it is supported on iPhones and OS X Sierra.
Posted: Fri Jan 19, 2018 23:32 Post subject: IPSec using Strongswan and FreeRADIUS on kong build
I'm new to this, too, but I've "started with the basics" in order to really understand what's going on.
After reading through the RFCs and NIST guides for IPSec, and looking at Strongswan's own very detailed documentation, it looks like there are a couple of reasons why it's impossible to configure the Strongswan IPSec VPN using just the GUI, at least for a typical "host-to-gateway" configuration where your computer is somewhere on the internet and connects remotely to the WAN interface of the router.
1) Enabling the IPSec VPN does not insert any packet filter rules in iptables; I think you can connect to Strongswan (or any service running on the box) from the private network using the default iptables rules, but without rules in the "nat" and "filter" tables in iptables, you can't connect to Strongswan via the WAN interface; you need to manually insert rules to let UDP packets on ports 500 and 4500 reach Strongswan (running on the br0 interface, which I have set to 192.168.0.1)
2) the .conf files of Strongswan don't appear to be set up to use RADIUS as an authentication mechanism; specifically, the "rightauth" line in /jffs/etc/ipsec.conf is set to "eap-tls", but according to Strongswan's documention, this needs to be set to "eap-radius"; also, there should be a reference to "eap-radius" in the /jffs/etc/strongswan.conf file, but the build I have only references DHCP; notably, Strongswan needs to be compiled with the eap-radius plugin, and I'm guessing this version isn't, and is only intended to set up a VPN from machines on the internal network; you can read the doc for Strongswan using RADIUS auth with IKE here:
Ultimately, none of this stuff is conceptually hard, it's just poorly documented. Most of the IPSec stuff you find on the internet is a mixture of old and new terminology, and/or inconsistent terminology (e.g., "XAUTH", which was apparently used with IKEv1 fifteen-plus years ago, though you can still use it with IKEv2, and "EAP", which is apparently the standard for modern IKEv2 setups that use an authentication service that is external to the IPSec service). My suggestion is to read NIST 800-77 (dated, and mostly about IKEv1, but good concepts) and RFC 7296 (IKEv2), specifically section 2.16 (using an EAP method with IKE). I've spent months looking through them, so don't feel like it's just you if they're confusing. It helps to draw pictures.
I'm determined to get this working, and provide some feedback to Kong/Brainslayer about possibly making the GUI setup easier (or at least more explanatory for nubes) when I finally do. At a minimum, there needs to be a graphical way of differentiating an "internal" VPN from an "external" one.
The "client" section on the FreeRADIUS page in the GUI is also confusing, because it's something I would assume would be auto-configured on the backend. In RADIUS terminology, the "client" is the service/device that is communicating directly with the RADIUS server. In this case, it's the Strongswan IPSec server, NOT your endpoint VPN client program. In other words, the "client" on your computer connects to the Strongswan server, which then connects to the RADIUS server to authenticate you. I think the FreeRADIUS "client" is just same DD-WRT box if you're using Strongswan, though you could theoretically have some other external box using the FreeRADIUS running on the DD-WRT box to do authentication, as well.
I'm also not sure why the GUI has a field for specifying the RADIUS port, because that's just the port that Strongswan uses to communicate with FreeRADIUS (in RADIUS terminology, it's the "NAS" communicating with the RADIUS "server"). It's not the port a VPN client connects to. You'd presumably never need to change it, and it's just confusing to expose it in the GUI, even for people who kinda understand how IPSec and RADIUS work.
Overall, the DD-WRT setup for an externally-facing IPSec VPN seems to be one of "maximum complexity", vs a default setup that could indeed be enabled "in a few mouse clicks" by a novice user.
I got fed up by my iOS 10 iPad not being able to connect via VPN since PPTP was removed (I mean, that's one of the reasons I'm actually running dd-wrt), and now I started digging into it. I confirmed that enabling IPSec started /usr/lib/ipsec/starter and /usr/lib/ipsec/charon. UDP ports 4500 and 500 are open. /jffs/etc contains some ipsec and strongswan-related files, and `swanctl --version` says `strongSwan swanctl 5.5.3`.
So that's the basics.
I'm thinking about installing strongswan on my main Ubuntu box and toying around with it, just to get a grip on how it's supposed to work. As you say, it seems like there's a lot of additional settings that needs to be done to get this to work in dd-wrt.
Looks like the issue is with your strongSwan config, and not DD-WRT. What type of client are you trying to connect to the IPSec server? _________________ Netgear R7500v2 (1.4GHz dual core, 128MB Flash, 256MB RAM, two USB 3.0 ports, one eSATA port)
v3.0-r34320M kongat (Firewall, NAT, AP, DDNS)
Just got Gbps Internet, and had to swap my main router from R8000 to R7800. Everything is set up and working better than on the R8000. With R7800 and QoS I get much better throughput and much lower bufferbloat than with R8000.
I've configured the R7800 to match the setup I used on the R8000.
Last open thing is I've been trying to work on setting up the IPSec VPN Server. I have it working where my iPad Pro and iPhone 6s Plus can connect (via LTE) and stay connected indefinitely. That is great, because previously on the R8000 I had a heck of a time getting the certificates (via FreeRadius) to work. No such issue with the R7800...no problem connecting over LTE back to the R7800 over the WAN (eth0).
But, that is a far as I seem to get. NO Traffic will pass...neither LAN (192.168.1.1/24 subnet) or Internet. Client's are getting DHCP address as expected, within the unreserved IP space (192.168.1.21-192.168.1.49).
But I can see in the logs that when I try to go to a Local LAN IP or an Internet address, those requests coming in on eth0 from the VPN Source IP (e.g., 192.168.1.41) are being dropped. I've tried several Firewall commands that I've found posted here to have the Firewall not block this traffic, but none of them worked. Also, I did not have to do anything with the Firewall or IP Tables to have this working on the R8000...it just worked once I got the certificates made & downloaded correctly and then the VPN client connected and passed expected traffic...both LAN and Internet.
I'm running the DD-WRT v3.0-r36175M kongat (06/21/1 build for R7800.
I'm probably missing something simple. If something jumps out at anybody, please let me know? Like I say, the R7800 is configured exactly like the R8000 was configured. AFAICT, nothing is different (for WAN/Firewall/DNS/DHCPd/DNSMasq) except for the build versions and the fact that R8000 is Broadcom HW and R7800 is Atheros/Qualcomm HW.