Configuring IPSec on the WRT160NL router with OpenWRT.


Hello, trambroidyans!
I would like to talk about how to configure IPSec tunnels on the WRT160NL router running OpenWRT.
Many may argue that instructions for setting up IPSec are widely available online, but setting it up under OpenWRT on this router has its own peculiarities.
So, we have a connection with the following parameters.

Remote server address A.A.A.A
Remote network a.a.a.a/a
Router address B.B.B.B
LAN b.b.b.b/b

Phase 1

PSK nnnnnnn
Encryption algorithm (encryption_algorithm) 3des
Hashing algorithm (hash_algorithm) sha1
Diffie-Hellman group (dh_group) modp1024
Key lifetime (lifetime) 28800 sec

Phase 2

Diffie-Hellman group (pfs_group) modp1024
Encryption algorithm (encryption_algorithm) 3des
Authentication algorithm (authentication_algorithm) hmac_sha1
Compression algorithm (compression_algorithm) deflate
Key lifetime (lifetime) 3600 sec

Let's proceed to the setup.
1. Install the required packages

# opkg update
# opkg install ipsec-tools kmod-crypto-authenc kmod-ipsec kmod-ipsec4

2. Edit the configuration file /etc/racoon.conf so that it looks like this

path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
path include "/etc/racoon";
log debug2;
padding {
        maximum_length 20; # maximum padding length.
        randomize off;  # enable randomize length.
        strict_check off; # enable strict check.
        exclusive_tail off; # extract last one octet.
}

remote A.A.A.A {
        exchange_mode main;
        situation identity_only;
        lifetime time 28800 sec ; # sec,min,hour
        proposal {
                encryption_algorithm 3des ;
                hash_algorithm sha1 ;
                authentication_method pre_shared_key ;
                dh_group 2 ;
        }
}

sainfo address b.b.b.b/b[any] any address a.a.a.a/a[any] any {
        pfs_group 2;
        lifetime time 3600 sec ;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

3. Next, write the following to the file /etc/racoon/setkey.conf

#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd b.b.b.b/b[any] a.a.a.a/a[any] any -P out ipsec esp/tunnel/B.B.B.B-A.A.A.A/require;
spdadd a.a.a.a/a[any] b.b.b.b/b[any] any -P in ipsec esp/tunnel/A.A.A.A-B.B.B.B/require;

4. Write the pre-shared key to the file /etc/racoon/psk.txt

A.A.A.A nnnnnnn

and set its permissions to 600

# chmod 0600 /etc/racoon/psk.txt

5. Now add the firewall rules; to do this, append the following to the file /etc/firewall.user

iptables -A input_rule -p esp -s A.A.A.A -j ACCEPT # allow IPSEC
iptables -A input_rule -p udp -s A.A.A.A --dport 500 -j ACCEPT # allow ISAKMP
iptables -A input_rule -p udp -s A.A.A.A --dport 4500 -j ACCEPT # allow NAT-T
iptables -t nat -A postrouting_rule -d a.a.a.a/a -j ACCEPT

and restart the firewall

# /etc/init.d/firewall restart

Actually, the configuration is done; now we need to connect.
1. And here is where it gets interesting :). For racoon to work, the following modules are required: af_key, esp4, ah4, authenc, xfrm4_tunnel, xfrm4_mode_tunnel. They are loaded with the insmod command

# insmod af_key
# insmod esp4
# insmod ah4
# insmod xfrm4_tunnel
# insmod authenc
# insmod xfrm4_mode_tunnel

2. Now create an alias on the WAN interface, which will serve as the gateway to the network

# ifconfig eth1:0 b.b.b.b netmask 255.255.255.0

3. Next, create the working directory

# mkdir /var/racoon

4. Now you can start racoon

# racoon

If you need to run racoon in debug mode (in the foreground), execute the command with the -Fd flags

# racoon -Fd

5. Run setkey

# setkey -f /etc/racoon/setkey.conf

6. And establish the connection

# racoonctl vpn-connect A.A.A.A

That's it, the tunnel works. If the tunnel does not come up, check the output of the daemon started as racoon -Fd.
Now you can create an init script in /etc/init.d to bring the tunnel up automatically; I'll explain how to do that later.
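As an added example (not part of the original post), a small pre-flight script that checks the three things this setup most often trips over before racoon is started: the mode of psk.txt (racoon refuses a world-readable key file), the kernel modules from step 1, and the presence of both the outbound and the inbound policy in setkey.conf. Paths and module names are the ones used above; the function names and the "check" argument are my own.

```sh
#!/bin/sh
# Pre-flight checks for the racoon/setkey tunnel: run before starting racoon.
# Paths and module names follow the article; BusyBox-compatible (no GNU stat).

PSK_FILE=/etc/racoon/psk.txt
SETKEY_CONF=/etc/racoon/setkey.conf
REQUIRED_MODULES="af_key esp4 ah4 authenc xfrm4_tunnel xfrm4_mode_tunnel"

# 0 only if the PSK file exists and is mode 0600 (no group/other bits at all).
psk_perms_ok() {
    [ -f "$1" ] || return 1
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# Print the required modules that are not listed in a /proc/modules-style file.
# $1 overrides the file path so the check can be exercised offline.
missing_modules() {
    modfile="${1:-/proc/modules}"
    missing=""
    for m in $REQUIRED_MODULES; do
        # /proc/modules lines start with "<name> <size> ..."
        grep -q "^$m " "$modfile" 2>/dev/null || missing="${missing:+$missing }$m"
    done
    echo "$missing"
}

# 0 only if setkey.conf carries both the outbound and the inbound ESP tunnel policy.
spd_policies_ok() {
    grep -q 'spdadd .* -P out ipsec esp/tunnel/' "$1" 2>/dev/null &&
    grep -q 'spdadd .* -P in ipsec esp/tunnel/' "$1" 2>/dev/null
}

# Run all checks and report; returns non-zero if anything is wrong.
preflight() {
    rc=0
    psk_perms_ok "$PSK_FILE" || { echo "FAIL: $PSK_FILE must exist with mode 0600"; rc=1; }
    miss=$(missing_modules)
    [ -z "$miss" ] || { echo "FAIL: insmod these first: $miss"; rc=1; }
    spd_policies_ok "$SETKEY_CONF" || { echo "FAIL: $SETKEY_CONF lacks in/out policies"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: ready to start racoon and load $SETKEY_CONF"
    return "$rc"
}

# Only run the checks when invoked as a script with the argument "check".
if [ "${1:-}" = "check" ]; then
    preflight
fi
```

Run it on the router as `sh preflight.sh check` after step 1 of the connection part and before starting racoon.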

  • October 29, 2015, 16:19. Posted by Maxim Admin Quote #599
    antinari wrote:
    Such routers haven't been used for quite a while now. Modern ones are much easier to set up; almost everything is automatic there.
    IPSec, automatic? And what does the hardware have to do with it? What difference does it make what you run OpenWRT on, even x86 would do.
  • October 29, 2015, 16:19. Posted by antinari Quote #598
    They are obsolete. Such routers haven't been used for quite a while now. Modern ones are much easier to set up; almost everything is automatic there.
  • October 29, 2015, 16:19. Posted by Quote #597
    Are you sure? Hi all! Are you always sure that you're right?
  • October 29, 2015, 16:19. Posted by Quote #333
    Put it all together, works fine, thx
