by

I've tried to create an ipsec based VPN configuration through uci commands. When I compare the "uci show ipsec" commands it's an exact match as compared to creating the same VPN through the web gui. Also when comparing the /etc/config/ipsec file (created through uci) with the same file (created through web) it's the same. Still the web created VPN works without issues, the uci created VPN somehow doesn't work. It shows up in the gui (correctly). But when running the "ipsec showall" command, it doesn't show an SA (I've committed and reloaded the ipsec config, also rebooted the router).

Output of the "show ipsec" command (some details modified).

ipsec.@ipsec[0]=ipsec
ipsec.@ipsec[0].rtinstall_enabled='1'
ipsec.MyVPN=remote
ipsec.MyVPN.crypto_proposal='MyVPN_ph1'
ipsec.MyVPN.force_crypto_proposal='1'
ipsec.MyVPN.gateway='vpnmgmt.MyVPN.tld'
ipsec.MyVPN.authentication_method='psk'
ipsec.MyVPN.pre_shared_key='*********************************************'
ipsec.MyVPN.tunnel='MyVPN_c'
ipsec.MyVPN.remote_identifier='1.2.3.4'
ipsec.MyVPN.local_identifier='W99-RTR01'
ipsec.MyVPN._multiple_secrets='0'
ipsec.MyVPN.enabled='1'
ipsec.MyVPN_c=connection
ipsec.MyVPN_c.crypto_proposal='MyVPN_ph2'
ipsec.MyVPN_c.defaultroute='0'
ipsec.MyVPN_c.forceencaps='no'
ipsec.MyVPN_c.local_firewall='yes'
ipsec.MyVPN_c.remote_firewall='yes'
ipsec.MyVPN_c._dpd='1'
ipsec.MyVPN_c.force_crypto_proposal='1'
ipsec.MyVPN_c.mode='start'
ipsec.MyVPN_c.type='tunnel'
ipsec.MyVPN_c.keyexchange='ikev2'
ipsec.MyVPN_c.dpdaction='restart'
ipsec.MyVPN_c.remote_subnet='192.168.222.0/24' '10.20.0.0/16'
ipsec.MyVPN_c.comp_mode='1'
ipsec.MyVPN_c.aggressive='no'
ipsec.MyVPN_c.local_subnet='10.100.99.254/32' '10.101.99.0/25'
ipsec.MyVPN_ph1=proposal
ipsec.MyVPN_ph1.encryption_algorithm='aes256'
ipsec.MyVPN_ph1.hash_algorithm='sha256'
ipsec.MyVPN_ph1.dh_group='modp2048'
ipsec.MyVPN_ph2=proposal

--------------------

Output of the "ipsec showall"

Status of IKE charon daemon (strongSwan 5.9.2, Linux 5.4.147, armv7l):
  uptime: 74 minutes, since Sep 22 11:43:21 2022
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon aes des sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp pem openssl gmp xcbc hmac kernel-netlink socket-default stroke vici updown eap-identity eap-mschapv2 xauth-generic
Listening IP addresses:
  10.178.51.58
  10.101.99.2
  fd79:8e10:b7c9::1
Connections:
Security Associations (0 up, 0 connecting):
  none

---------------------------

I've added the troubleshoot file. 
There was an earlier question from someone running into the same issue, but that wasn't answered.

by
Wrong comment button

1 Answer

by

Hello,

Configuration of IPsec over the WebUI also generates several traffic rules and one port forward. I would suggest checking these additions upon the successful establishment of the IPsec tunnel and comparing them to find what is missing after the uci configuration. The troubleshoot file contains a firewall file with all the firewall details. Comparing these files from both configurations might also help to find what is missing.

Best regards,

by

Here is a thing to try: 

“To resolve this issue it's needed to change option tunnel 'Client_c' to list tunnel 'Client_c'.
This issue occurs because uci set is used for all options. The tunnel option should be set using uci add_list.”

by

These are the actual UCI commands used to create the VPN. You mean changing the bold entry from a set to add?

uci set ipsec.MyVPN=remote
uci set ipsec.MyVPN.crypto_proposal='MyVPN_ph1'
uci set ipsec.MyVPN.enabled='1'
uci set ipsec.MyVPN._multiple_secrets='0'
uci set ipsec.MyVPN.force_crypto_proposal='1'
uci set ipsec.MyVPN.gateway='vpnmgmt.MyVPN.tld'
uci set ipsec.MyVPN.authentication_method='psk'
uci set ipsec.MyVPN.pre_shared_key='***************'
uci set ipsec.MyVPN.local_identifier='W99-RTR01'
uci set ipsec.MyVPN.remote_identifier='1.2.3.4'
uci set ipsec.MyVPN.tunnel='MyVPN_c'

uci set ipsec.MyVPN_c=connection
uci set ipsec.MyVPN_c.crypto_proposal='MyVPN_ph2'
uci set ipsec.MyVPN_c.defaultroute='0'
uci set ipsec.MyVPN_c.aggressive='no'
uci set ipsec.MyVPN_c.forceencaps='no'
uci set ipsec.MyVPN_c.local_firewall='yes'
uci set ipsec.MyVPN_c.remote_firewall='yes'
uci set ipsec.MyVPN_c.comp_mode='1'
uci set ipsec.MyVPN_c._dpd='1'
uci set ipsec.MyVPN_c.force_crypto_proposal='1'
uci set ipsec.MyVPN_c.mode='start'
uci set ipsec.MyVPN_c.type='tunnel'
uci set ipsec.MyVPN_c.local_subnet='10.100.99.254/32'
uci add_list ipsec.MyVPN_c.local_subnet='10.101.99.0/25'
uci set ipsec.MyVPN_c.remote_subnet='192.168.222.0/24'
uci add_list ipsec.MyVPN_c.remote_subnet='10.20.0.0/16'
uci set ipsec.MyVPN_c.keyexchange='ikev2'
uci set ipsec.MyVPN_c.dpdaction='restart'

uci set ipsec.MyVPN_ph1=proposal
uci set ipsec.MyVPN_ph1.encryption_algorithm='aes256'
uci set ipsec.MyVPN_ph1.hash_algorithm='sha256'
uci set ipsec.MyVPN_ph1.dh_group='modp2048'

uci set ipsec.MyVPN_ph2=proposal
uci set ipsec.MyVPN_ph2.encryption_algorithm='aes256'
uci set ipsec.MyVPN_ph2.hash_algorithm='sha256'
uci set ipsec.MyVPN_ph2.dh_group='modp2048'

by

Yes uci add_list ipsec.MyVPN.tunnel='MyVPN_c'

Good catch.

by

Yes, that was the trick! So for everyone else breaking their head on this, this is the right config:

uci set ipsec.MyVPN=remote
uci set ipsec.MyVPN.crypto_proposal='MyVPN_ph1'
uci set ipsec.MyVPN.enabled='1'
uci set ipsec.MyVPN._multiple_secrets='0'
uci set ipsec.MyVPN.force_crypto_proposal='1'
uci set ipsec.MyVPN.gateway='vpnmgmt.MyVPN.tld'
uci set ipsec.MyVPN.authentication_method='psk'
uci set ipsec.MyVPN.pre_shared_key='***************'
uci set ipsec.MyVPN.local_identifier='W99-RTR01'
uci set ipsec.MyVPN.remote_identifier='1.2.3.4'
uci add_list ipsec.MyVPN.tunnel='MyVPN_c'

uci set ipsec.MyVPN_c=connection
uci set ipsec.MyVPN_c.crypto_proposal='MyVPN_ph2'
uci set ipsec.MyVPN_c.defaultroute='0'
uci set ipsec.MyVPN_c.aggressive='no'
uci set ipsec.MyVPN_c.forceencaps='no'
uci set ipsec.MyVPN_c.local_firewall='yes'
uci set ipsec.MyVPN_c.remote_firewall='yes'
uci set ipsec.MyVPN_c.comp_mode='1'
uci set ipsec.MyVPN_c._dpd='1'
uci set ipsec.MyVPN_c.force_crypto_proposal='1'
uci set ipsec.MyVPN_c.mode='start'
uci set ipsec.MyVPN_c.type='tunnel'
uci set ipsec.MyVPN_c.local_subnet='10.100.99.254/32'
uci add_list ipsec.MyVPN_c.local_subnet='10.101.99.0/25'
uci set ipsec.MyVPN_c.remote_subnet='192.168.222.0/24'
uci add_list ipsec.MyVPN_c.remote_subnet='10.20.0.0/16'
uci set ipsec.MyVPN_c.keyexchange='ikev2'
uci set ipsec.MyVPN_c.dpdaction='restart'

uci set ipsec.MyVPN_ph1=proposal
uci set ipsec.MyVPN_ph1.encryption_algorithm='aes256'
uci set ipsec.MyVPN_ph1.hash_algorithm='sha256'
uci set ipsec.MyVPN_ph1.dh_group='modp2048'

uci set ipsec.MyVPN_ph2=proposal
uci set ipsec.MyVPN_ph2.encryption_algorithm='aes256'
uci set ipsec.MyVPN_ph2.hash_algorithm='sha256'
uci set ipsec.MyVPN_ph2.dh_group='modp2048'

Thank you very much!

by

uci add_list ipsec.MyVPN_c.local_subnet='10.100.99.254/32'

uci add_list ipsec.MyVPN_c.remote_subnet='192.168.222.0/24'
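The root cause in this thread is that `uci set` writes an `option` while the ipsec init script expects `tunnel` (and the subnet keys) as a `list`, and `uci show` prints a one-value list exactly like an option, so the comparison the question relied on cannot reveal it. The following is an added example, not code from the forum or from the router vendor: a small checker that parses the `/etc/config/ipsec` file syntax, flags list-typed keys stored as plain options, and renders the `uci show` view to demonstrate why the two configs looked identical. Which keys must be lists is an assumption taken from the fix above; the sample configs are constructed.

```python
"""Checker for an OpenWrt-style /etc/config/ipsec file: flags keys that the ipsec
init script reads as 'list' (tunnel, local_subnet, remote_subnet) but that were
written as 'option', i.e. created with 'uci set' instead of 'uci add_list'.
Added example for this thread, not code from the forum or the router vendor."""
import re

# Assumption drawn from the thread's fix: these keys must be lists in these sections.
LIST_KEYS = {"remote": {"tunnel"}, "connection": {"local_subnet", "remote_subnet"}}

_SEC = re.compile(r"^\s*config\s+(\S+)(?:\s+'([^']*)')?\s*$")
_KV = re.compile(r"^\s*(option|list)\s+(\S+)\s+'([^']*)'\s*$")

def parse_uci(text):
    """Parse UCI file syntax into [(type, name, [(kind, key, value), ...])].
    Anonymous sections are named @type[0] (assumes at most one per type)."""
    sections = []
    for line in text.splitlines():
        if m := _SEC.match(line):
            sections.append((m.group(1), m.group(2) or f"@{m.group(1)}[0]", []))
        elif (m := _KV.match(line)) and sections:
            sections[-1][2].append((m.group(1), m.group(2), m.group(3)))
    return sections

def find_option_not_list(text):
    """Return 'section.key' for each list-typed key stored as a plain option."""
    return [f"{name}.{key}" for stype, name, entries in parse_uci(text)
            for kind, key, _ in entries
            if kind == "option" and key in LIST_KEYS.get(stype, ())]

def uci_show(text, package="ipsec"):
    """Render the way 'uci show' prints: a one-value list looks exactly like an
    option, which is why comparing 'uci show ipsec' output hid the problem."""
    out = []
    for stype, name, entries in parse_uci(text):
        out.append(f"{package}.{name}={stype}")
        vals = {}
        for _, key, val in entries:
            vals.setdefault(key, []).append(val)
        out += [f"{package}.{name}.{k}=" + " ".join(f"'{v}'" for v in vs)
                for k, vs in vals.items()]
    return out

# Constructed samples mirroring the thread: 'uci set' wrote 'option tunnel'.
BROKEN = """config remote 'MyVPN'
\toption tunnel 'MyVPN_c'
config connection 'MyVPN_c'
\toption local_subnet '10.100.99.254/32'
\tlist local_subnet '10.101.99.0/25'
"""
FIXED = BROKEN.replace("option tunnel", "list tunnel").replace("option local_subnet", "list local_subnet")
```

Running `find_option_not_list(open("/etc/config/ipsec").read())` on the router would have reported `MyVPN.tunnel` for the uci-built config and nothing for the WebUI-built one, while `uci_show` returns the same lines for both.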