openwrt - ipsec


strongswan (95968)


opkg install strongswan-minimal



  • strongswan-default
    Depends: libc, strongswan, strongswan-charon, strongswan-mod-aes, strongswan-mod-attr, strongswan-mod-constraints, strongswan-mod-des, strongswan-mod-dnskey, strongswan-mod-fips-prf, strongswan-mod-gmp, strongswan-mod-hmac, strongswan-mod-kernel-netlink, strongswan-mod-md5, strongswan-mod-nonce, strongswan-mod-pem, strongswan-mod-pgp, strongswan-mod-pkcs1, strongswan-mod-pubkey, strongswan-mod-random, strongswan-mod-resolve, strongswan-mod-revocation, strongswan-mod-sha1, strongswan-mod-sha2, strongswan-mod-socket-default, strongswan-mod-stroke, strongswan-mod-updown, strongswan-mod-x509, strongswan-mod-xauth-generic, strongswan-mod-xcbc, strongswan-utils
  • strongswan-full
  • strongswan-minimal (minimal IKEv2 setup)
    Depends: libc, strongswan, strongswan-charon, strongswan-mod-aes, strongswan-mod-gmp, strongswan-mod-hmac, strongswan-mod-kernel-netlink, strongswan-mod-nonce, strongswan-mod-pubkey, strongswan-mod-random, strongswan-mod-sha1, strongswan-mod-socket-default, strongswan-mod-stroke, strongswan-mod-updown, strongswan-mod-x509, strongswan-mod-xcbc

Other packages:

  • iptables-mod-nat-extra (provides the NETMAP target, needed when the two sides use overlapping IP address ranges)



strongSwan's own configuration files:

    /etc/ipsec.conf: tunnel (conn) definitions
    /etc/ipsec.secrets: pre-shared keys and references to private keys
    /etc/ipsec.d: folder for certificates, private keys and CRLs


# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        # plutodebug, nat_traversal, charonstart and plutostart are strongSwan 4.x
        # (pluto/charon split) options; the 5.x charon daemon ignores them and
        # NAT traversal is always enabled.
        # plutodebug=all
        # crlcheckinterval=600
        # strictcrlpolicy=yes
        # cachecrls=yes
        # nat_traversal=yes
        # charonstart=no
        # plutostart=no

# Add connections here.

# Sample VPN connections

#conn sample-self-signed
#      left=%defaultroute
#      leftsubnet=
#      leftcert=selfCert.der
#      leftsendcert=never
#      right=
#      rightsubnet=
#      rightcert=peerCert.der
#      auto=start

#conn sample-with-ca-cert
#      left=%defaultroute
#      leftsubnet=
#      leftcert=myCert.pem
#      right=
#      rightsubnet=
#      rightid="C=CH, O=Linux strongSwan CN=peer name"
#      keyexchange=ikev2
#      auto=start


OpenWrt configuration:

    /etc/config/ipsec: the OpenWrt UCI configuration file for strongSwan
    /etc/init.d/ipsec: the strongSwan init script; it generates the strongSwan configuration files from the UCI sections:

  • /etc/ipsec.conf
  • /var/ipsec.secrets





# zone: firewall zone the tunnel traffic belongs to; has to match a zone defined in /etc/config/firewall
# listen: interface(s) that accept IKE/ESP traffic
config 'ipsec'
  option 'zone' 'ipsec-vpn'
  list  'listen' 'eth0'

# Gateway definition (phase 1 / IKE SA). The section type is 'remote'; the
# sections typed 'tunnel' further down are the phase 2 definitions it refers to.
# exchange_mode: main or aggressive (IKEv1 only; aggressive mode sends the PSK-derived
#                hash in the clear and exposes it to offline cracking, so avoid it)
# authentication_method: phase 1 authentication (psk here)
# p1_proposal: name of a p1_proposal section
# tunnel: names of the phase 2 sections carried by this gateway
config 'remote' 'acme'
  option 'enabled' '1'
  option 'gateway' ''
  option 'authentication_method' 'psk'
  option 'pre_shared_key' 'yourpasswordhere'
  list   'p1_proposal' 'pre_g2_aes_sha1'
  list   'tunnel' 'acme_dmz'
  list   'tunnel' 'acme_lan'

# Phase 1 (IKE SA) proposal
# dh_group: Diffie-Hellman group for the IKE exchange
config 'p1_proposal' 'pre_g2_aes_sha1'
  option 'encryption_algorithm' 'aes128'
  option 'hash_algorithm' 'sha1'
  option 'dh_group' 'modp1024'

# Phase 2 (CHILD SA / ESP) proposal
# pfs_group: Diffie-Hellman group used for perfect forward secrecy on rekeys
# The algorithm name must be written without a space ('aes 128' is not a valid name).
# sha1 and modp1024 (DH group 2) are kept here for old peers; where the peer
# supports them, prefer sha256 and modp2048 or ecp256.
config 'p2_proposal' 'g2_aes_sha1'
  option 'pfs_group' 'modp1024'
  option 'encryption_algorithm' 'aes128'
  option 'authentication_algorithm' 'sha1'

# Network definition per tunnel (phase 2)
# p2_proposal: name of the matching p2_proposal section
config 'tunnel' 'acme_lan'
  option 'local_subnet' ''
  option 'remote_subnet' ''
  option 'p2_proposal' 'g2_aes_sha1'

config 'tunnel' 'acme_dmz'
  option 'local_subnet' ''
  option 'remote_subnet' ''
  option 'p2_proposal' 'g2_aes_sha1'



Windows 7 native VPN client, IKE phase 1 proposals offered (in order):

    Proposal    Encryption    Hash    DH group
    #1          aes256        sha1    20 (ecp384)
    #2          aes128        sha1    19 (ecp256)
    #3          aes256        sha1    modp2048
    #4          3des          sha1    modp2048
    #5          3des          sha1    modp1024

Note that the pre_g2_aes_sha1 proposal above (aes128/sha1/modp1024) matches none of these five, so a Windows 7 client would not complete phase 1 against it; aes256/sha1/modp2048 is the strongest common ground with that client.
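The following is an added example; it is not part of these notes or of OpenWrt's ipsec init script. It parses a UCI fragment like the one above, joins each proposal section into strongSwan's enc-integ-dh syntax (assumed to mirror what the init script writes as ike=/esp=), flags algorithms that are weak today, and checks which of the Windows 7 phase 1 proposals in the table above could match the router's proposal. The UCI text is a constructed copy of the fragment above with the gateway section typed 'remote' (the type the OpenWrt strongSwan init script reads) and invented subnets; the WEAK set is this example's own list.

```python
"""Added example, not part of these notes or of OpenWrt's ipsec init script.
Reads a UCI fragment like the one above, joins each proposal section into
strongSwan's enc-integ-dh syntax (assumed to mirror what the init script
writes as ike=/esp=), flags algorithms that are weak today, and checks
which Windows 7 phase 1 proposals from the table above could match."""
import re

# Constructed sample modelled on the fragment above (gateway section typed
# 'remote', the type the OpenWrt strongSwan init script reads; subnets invented).
UCI_SAMPLE = """
config 'remote' 'acme'
  option 'authentication_method' 'psk'
  list   'p1_proposal' 'pre_g2_aes_sha1'
  list   'tunnel' 'acme_lan'

config 'p1_proposal' 'pre_g2_aes_sha1'
  option 'encryption_algorithm' 'aes128'
  option 'hash_algorithm' 'sha1'
  option 'dh_group' 'modp1024'

config 'p2_proposal' 'g2_aes_sha1'
  option 'pfs_group' 'modp1024'
  option 'encryption_algorithm' 'aes128'
  option 'authentication_algorithm' 'sha1'

config 'tunnel' 'acme_lan'
  option 'local_subnet' '10.0.1.0/24'
  option 'remote_subnet' '10.0.2.0/24'
  option 'p2_proposal' 'g2_aes_sha1'
"""

# Algorithms not to configure for new tunnels (DES/3DES, MD5/SHA-1, DH <= 1536 bit).
WEAK = {"des", "3des", "md5", "sha1", "modp768", "modp1024", "modp1536"}

# Windows 7 phase 1 proposals as tabulated in the notes; DH groups 19 and 20
# are the ECP-256/ECP-384 groups, spelled ecp256/ecp384 in strongSwan.
WIN7_PHASE1 = [
    ("aes256", "sha1", "ecp384"),
    ("aes128", "sha1", "ecp256"),
    ("aes256", "sha1", "modp2048"),
    ("3des", "sha1", "modp2048"),
    ("3des", "sha1", "modp1024"),
]

def parse_uci(text):
    """Return {(section_type, section_name): {key: value or [values]}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"config\s+'?(\w+)'?(?:\s+'?(\w+)'?)?$", line)
        if m:
            current = sections.setdefault((m.group(1), m.group(2)), {})
            continue
        m = re.match(r"(option|list)\s+'?(\w+)'?\s+'?(.*?)'?$", line)
        if m and current is not None:
            kind, key, val = m.groups()
            if kind == "option":
                current[key] = val
            else:
                current.setdefault(key, []).append(val)
    return sections

def proposal(section, keys):
    """Join the three UCI fields into strongSwan's 'enc-integ-dh' form."""
    return "-".join(section[k] for k in keys)

def weak_parts(prop):
    """Algorithms in a proposal string that appear in WEAK, sorted."""
    return sorted(p for p in prop.split("-") if p in WEAK)

def build_conns(sections, remote_name):
    """One conn per phase 2 'tunnel' listed by the gateway ('remote') section."""
    remote = sections[("remote", remote_name)]
    p1 = sections[("p1_proposal", remote["p1_proposal"][0])]
    ike = proposal(p1, ("encryption_algorithm", "hash_algorithm", "dh_group"))
    conns = {}
    for tname in remote["tunnel"]:
        t = sections[("tunnel", tname)]
        p2 = sections[("p2_proposal", t["p2_proposal"])]
        conns[tname] = {
            "ike": ike,
            "esp": proposal(p2, ("encryption_algorithm", "authentication_algorithm", "pfs_group")),
            "leftsubnet": t["local_subnet"],
            "rightsubnet": t["remote_subnet"],
        }
    return conns

def phase1_matches(ike, client_proposals):
    """Client proposals identical to the router's single IKE proposal."""
    return [p for p in client_proposals if p == tuple(ike.split("-"))]

if __name__ == "__main__":
    for name, c in build_conns(parse_uci(UCI_SAMPLE), "acme").items():
        print(f"conn {name}\n  ike={c['ike']}\n  esp={c['esp']}")
        print(f"  leftsubnet={c['leftsubnet']} rightsubnet={c['rightsubnet']}")
        print("  weak:", weak_parts(c["ike"]) + weak_parts(c["esp"]))
        print("  Windows 7 phase 1 matches:", phase1_matches(c["ike"], WIN7_PHASE1))
```

Run it against the sample and the output shows both ike= and esp= as aes128-sha1-modp1024, flags sha1 and modp1024 as weak, and reports an empty Windows 7 match list; swapping the p1_proposal to aes256/sha1/modp2048 yields exactly one match, the client's proposal #3.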


Firewall (/etc/config/firewall): allow forwarding from the lan zone into the VPN zone:

    lan:*    vpn:*    ACCEPT

Three input rules are required on the WAN side:

    ESP (IP protocol 50): the encrypted data packets
    ISAKMP (UDP 500): IKE, negotiation of the security associations (SAs)
    NAT-T (UDP 4500): IKE and UDP-encapsulated ESP when one end is behind NAT

iptables -A input_rule -p esp -j ACCEPT
iptables -A input_rule -p udp --dport 500 -j ACCEPT
iptables -A input_rule -p udp --dport 4500 -j ACCEPT

With a fixed peer, add -s <peer address> to each of the three rules so the IKE daemon is not reachable from the whole Internet.


IPsec throughput measured on a MIPS 24K at 400 MHz:

    AES128: 16.5 MBit/s
    AES256: 14.2 MBit/s

A Juniper Netscreen 5GT easily reaches a VPN throughput of 20 MBit/s.
A good tradeoff on this hardware could be AES256/SHA1 for phase 1 and AES128/MD5 for phase 2. Caveat: RFC 8221 marks HMAC-MD5-96 as MUST NOT and HMAC-SHA1-96 as MUST- (to be phased out) for ESP, so use them only where an old peer leaves no choice, and prefer SHA-256 with a DH group of at least modp2048 when both ends support it.