Solved FreeBSD IPSec Site-to-Site VPN with TP-Link TL-R600VPN using strongSwan

VladiBG


Topology (attachment topology.png):

Code:
        FreeBSD            TP-Link
WAN     192.0.2.105/24     198.51.100.106/24
LAN     10.0.1.1/24        10.0.0.1/24

TP-Link config
IKE Policy
Auth: SHA1
Encryption: AES256
DH Group: DH2
psk: mysupersecret
SA lifetime: 28800
DPD: enable
DPD Interval: 60

IPsec Policy
Security Protocol: ESP
Auth Algorithm: SHA1
Encryption Algorithm: AES256
PFS Group: DH2
Lifetime: 28800

Local Subnet: 10.0.0.0/24
Remote Subnet: 10.0.1.0/24
Remote Gw: 192.0.2.105

FreeBSD config

Install security/strongswan from ports or packages.

/usr/local/etc/ipsec.conf
Code:
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        strictcrlpolicy=no
        #uniqueids = no

# Add connections here.

conn R600VPN
        keyexchange=ikev1
        ikelifetime=28800
        lifetime=3600
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1-modp1024!
        auto=add
        left=192.0.2.105
        leftid=192.0.2.105
        leftauth=psk
        rightauth=psk
        leftsubnet=10.0.1.0/24
        leftfirewall=yes
        right=198.51.100.106
        rightid=198.51.100.106
        rightsubnet=10.0.0.0/24
        dpdaction=clear
        rekey=yes   # rekey=no produced the "Life Duration" error described in the EDIT below

/usr/local/etc/ipsec.secrets
Code:
192.0.2.105 198.51.100.106 : PSK "mysupersecret"

Enable the service at boot:
sysrc strongswan_enable="yes"

You also need to enable IP forwarding (routing):
sysctl net.inet.ip.forwarding=1
To make it persistent across reboots, add it to /etc/rc.conf:
sysrc gateway_enable="yes"

Start strongSwan:
service strongswan start

Check the status on FreeBSD and on the TP-Link (under IPsec VPN -> SA List):
service strongswan statusall
Code:
Status of IKE charon daemon (strongSwan 5.8.4, FreeBSD 12.1-RELEASE-p3, amd64):
  uptime: 18 minutes, since May 02 20:17:08 2020
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 5
  loaded plugins: charon aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac drbg curl attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic whitelist addrblock counters
Listening IP addresses:
  10.0.1.1
  192.0.2.105
Connections:
     R600VPN:  192.0.2.105...198.51.100.106  IKEv1, dpddelay=30s
     R600VPN:   local:  [192.0.2.105] uses pre-shared key authentication
     R600VPN:   remote: [198.51.100.106] uses pre-shared key authentication
     R600VPN:   child:  10.0.1.0/24 === 10.0.0.0/24 TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
     R600VPN[1]: ESTABLISHED 18 minutes ago, 192.0.2.105[192.0.2.105]...198.51.100.106[198.51.100.106]
     R600VPN[1]: IKEv1 SPIs: f6d8e8b84c189218_i 736e6249239400ef_r*, rekeying disabled
     R600VPN[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
     R600VPN{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cf186482_i 0b180379_o
     R600VPN{1}:  AES_CBC_256/HMAC_SHA1_96/MODP_1024, 0 bytes_i (0 pkts, 1089s ago), 0 bytes_o, rekeying disabled
     R600VPN{1}:   10.0.1.0/24 === 10.0.0.0/24
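As an added example (not part of the original post), the following POSIX sh script automates the checks you would make by eye after `service strongswan statusall`: that the IKE_SA for the connection is ESTABLISHED and its CHILD_SA INSTALLED, which of the negotiated algorithms are weak by current standards (MODP_1024, i.e. DH group 2, is what the TP-Link offers here), and that ipsec.secrets is readable only by its owner, since it holds the PSK. The status text embedded in the script is a constructed sample mirroring the output above; the function names and the weak-algorithm list are my own.

```shell
#!/bin/sh
# Added example, not from the original post: post-start checks for the
# strongSwan tunnel. Assumes the statusall output format of strongSwan 5.x
# as shown in the post. Function names and the weak-algorithm list are my own.

CONN="R600VPN"    # connection name from ipsec.conf

# Constructed sample mirroring the "Security Associations" part of the
# statusall output in the post.
SAMPLE_STATUS='Security Associations (1 up, 0 connecting):
     R600VPN[1]: ESTABLISHED 18 minutes ago, 192.0.2.105[192.0.2.105]...198.51.100.106[198.51.100.106]
     R600VPN[1]: IKEv1 SPIs: f6d8e8b84c189218_i 736e6249239400ef_r*, rekeying disabled
     R600VPN[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
     R600VPN{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cf186482_i 0b180379_o
     R600VPN{1}:  AES_CBC_256/HMAC_SHA1_96/MODP_1024, 0 bytes_i (0 pkts, 1089s ago), 0 bytes_o, rekeying disabled
     R600VPN{1}:   10.0.1.0/24 === 10.0.0.0/24'

# ike_state STATUS CONN: print the IKE_SA state (ESTABLISHED, CONNECTING, ...)
# for CONN, or NONE when no IKE_SA exists. IKE_SA lines look like "CONN[1]: STATE ...".
ike_state() {
    printf '%s\n' "$1" | awk -v c="$2" '
        index($1, c "[") == 1 && substr($1, length($1) - 1) == "]:" &&
        $2 ~ /^(ESTABLISHED|CONNECTING|REKEYING|REKEYED|DELETING|PASSIVE|CREATED)$/ {
            print $2; found = 1; exit
        }
        END { if (!found) print "NONE" }'
}

# child_state STATUS CONN: print the CHILD_SA state (INSTALLED, REKEYING, ...)
# for CONN, or NONE. CHILD_SA lines look like "CONN{1}:  STATE, TUNNEL, ...".
child_state() {
    printf '%s\n' "$1" | awk -v c="$2" '
        index($1, c "{") == 1 && substr($1, length($1) - 1) == "}:" && $2 ~ /^[A-Z]+,$/ {
            sub(/,$/, "", $2); print $2; found = 1; exit
        }
        END { if (!found) print "NONE" }'
}

# weak_proposals STATUS: print, space separated and once each, every algorithm
# token in the negotiated proposals that is on this (my own) weak list.
weak_proposals() {
    printf '%s\n' "$1" | awk -F'[ /,]+' '
        { for (i = 1; i <= NF; i++)
              if ($i ~ /^(MODP_768|MODP_1024|DES_CBC|3DES_CBC|HMAC_MD5_96|PRF_HMAC_MD5)$/ && !seen[$i]++)
                  printf "%s%s", (n++ ? " " : ""), $i }
        END { print "" }'
}

# secrets_mode_ok FILE: succeed only if FILE exists and is readable by its
# owner alone (mode 0600 or 0400), which is what a PSK file should be.
secrets_mode_ok() {
    [ -f "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c1-10)
    [ "$mode" = "-rw-------" ] || [ "$mode" = "-r--------" ]
}

# Stand-alone demo against the constructed sample. For a live check use
#   STATUS=$(service strongswan statusall)
# in place of SAMPLE_STATUS.
echo "IKE_SA   $CONN: $(ike_state "$SAMPLE_STATUS" "$CONN")"
echo "CHILD_SA $CONN: $(child_state "$SAMPLE_STATUS" "$CONN")"
weak=$(weak_proposals "$SAMPLE_STATUS")
if [ -n "$weak" ]; then
    echo "weak algorithms in negotiated proposals: $weak"
fi
if secrets_mode_ok /usr/local/etc/ipsec.secrets; then
    echo "ipsec.secrets permissions: ok"
else
    echo "ipsec.secrets missing or readable by others (expected mode 0600)"
fi
```

The weak-algorithm list is deliberately short and reflects the TP-Link's capabilities: the tunnel above can only negotiate DH group 2 (MODP_1024), so the script reports it rather than failing, leaving the decision of whether that is acceptable for the link to you.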

For troubleshooting, enable the file logger in strongSwan:

/usr/local/etc/strongswan.d/charon-logging.conf

Code:
charon {

    # Section to define file loggers, see LOGGER CONFIGURATION in
    # strongswan.conf(5).
    filelog {

        # <name> may be the full path to the log file if it only contains
        # characters permitted in section names. Is ignored if path is
        # specified.
        mylog {

            # Loglevel for a specific subsystem.
            # <subsystem> = <default>

            # If this option is enabled log entries are appended to the existing
            # file.
            append = yes

            # Default loglevel.
            default = 1

            # Enabling this option disables block buffering and enables line
            # buffering.
            # flush_line = no

            # Prefix each log entry with the connection name and a unique
            # numerical identifier for each IKE_SA.
            # ike_name = no

            # Optional path to the log file. Overrides the section name. Must be
            # used if the path contains characters that aren't allowed in
            # section names.
            path = /var/log/charon.log

            # Adds the milliseconds within the current second after the
            # timestamp (separated by a dot, so time_format should end with %S
            # or %T).
            # time_add_ms = no

            # Prefix each log entry with a timestamp. The option accepts a
            # format string as passed to strftime(3).
            time_format = %b %e %T

         }

    }

    # Section to define syslog loggers, see LOGGER CONFIGURATION in
    # strongswan.conf(5).
    syslog {

        # Identifier for use with openlog(3).
        # identifier =

        # <facility> is one of the supported syslog facilities, see LOGGER
        # CONFIGURATION in strongswan.conf(5).
        # <facility> {

            # Loglevel for a specific subsystem.
            # <subsystem> = <default>

            # Default loglevel.
            # default = 1

            # Prefix each log entry with the connection name and a unique
            # numerical identifier for each IKE_SA.
            # ike_name = no

        # }

    }

}

Inspect the kernel security policy database (SPD) and the security association database (SAD):
setkey -DP
setkey -D

strongSwan installs the route when the connection comes up, so no static route is needed:
netstat -rn4

Code:
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.0.2.1      UGS       em1
10.0.0.0/24        198.51.100.106    US        em1
10.0.1.0/24        link#1             U           em0
10.0.1.1           link#1             UHS         lo0
127.0.0.1          link#2             UH          lo0
192.0.2.0/24       link#3             U         em1
192.0.2.105        link#3             UHS         lo0

Check the ESP traffic counters:
netstat -s -p esp

Code:
esp:
0 packets shorter than header shows
0 packets dropped; protocol family not supported
0 packets dropped; no TDB
0 packets dropped; bad KCR
0 packets dropped; queue full
0 packets dropped; no transform
0 packets dropped; bad ilen
0 replay counter wraps
0 packets dropped; bad encryption detected
0 packets dropped; bad authentication detected
0 possible replay packets detected
267 packets in
267 packets out
0 packets dropped; invalid TDB
17088 bytes in
16020 bytes out
0 packets dropped; larger than IP_MAXPACKET
0 packets blocked due to policy
0 crypto processing failures
0 tunnel sanity check failures
ESP output histogram:
rijndael-cbc: 534
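As an added example (not part of the original post), this POSIX sh script turns the `netstat -s -p esp` output into something you can compare: take one snapshot before sending traffic across the tunnel and one after, and the script reports how far the packet and byte counters moved and which drop or alarm counters (bad authentication, replay, policy blocks, crypto failures) are non-zero. A tunnel that is "up" but whose "packets in" counter never moves, or whose "bad authentication detected" counter climbs, is misconfigured or under interference and worth a look in /var/log/charon.log. The "before" snapshot is a constructed sample mirroring the output above, the "after" snapshot is derived from it, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: read the counters from
# "netstat -s -p esp" so a before/after comparison shows whether traffic is
# really going through the tunnel and whether any drop/alarm counter moved.
# Assumes the FreeBSD output format shown in the post; function names are my own.

# Constructed "before" sample mirroring the post's output.
ESP_BEFORE='esp:
0 packets shorter than header shows
0 packets dropped; protocol family not supported
0 packets dropped; no TDB
0 packets dropped; bad KCR
0 packets dropped; queue full
0 packets dropped; no transform
0 packets dropped; bad ilen
0 replay counter wraps
0 packets dropped; bad encryption detected
0 packets dropped; bad authentication detected
0 possible replay packets detected
267 packets in
267 packets out
0 packets dropped; invalid TDB
17088 bytes in
16020 bytes out
0 packets dropped; larger than IP_MAXPACKET
0 packets blocked due to policy
0 crypto processing failures
0 tunnel sanity check failures
ESP output histogram:
rijndael-cbc: 534'

# Constructed "after" sample: more traffic, plus two alarm counters that moved.
ESP_AFTER=$(printf '%s\n' "$ESP_BEFORE" |
    sed -e 's/^267 packets in$/300 packets in/' \
        -e 's/^267 packets out$/298 packets out/' \
        -e 's/^0 packets dropped; bad authentication detected$/3 packets dropped; bad authentication detected/' \
        -e 's/^0 possible replay packets detected$/1 possible replay packets detected/')

# esp_counter STATS DESCRIPTION: print the count of the counter whose text
# (after the leading number) is exactly DESCRIPTION, or 0 if it is absent.
esp_counter() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[ \t]*[0-9]+[ \t]/ {
            line = $0; sub(/^[ \t]*[0-9]+[ \t]+/, "", line)
            if (line == key) { print $1; found = 1; exit }
        }
        END { if (!found) print 0 }'
}

# esp_delta BEFORE AFTER DESCRIPTION: change in one counter between two snapshots.
esp_delta() {
    echo $(( $(esp_counter "$2" "$3") - $(esp_counter "$1" "$3") ))
}

# esp_alarms STATS: print every non-zero counter that indicates dropped, short,
# corrupted, replayed or policy-blocked packets, one "count description" per line.
esp_alarms() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*[0-9]+[ \t]/ && $1 + 0 > 0 {
            line = $0; sub(/^[ \t]*[0-9]+[ \t]+/, "", line)
            if (line ~ /dropped|shorter|bad |replay|blocked|failures/) print $1 " " line
        }'
}

# Demo: compare the two snapshots. For live use, capture
#   netstat -s -p esp
# once before generating traffic across the tunnel and once after.
for key in "packets in" "packets out" "bytes in" "bytes out"; do
    echo "$key: +$(esp_delta "$ESP_BEFORE" "$ESP_AFTER" "$key")"
done
alarms=$(esp_alarms "$ESP_AFTER")
if [ -n "$alarms" ]; then
    echo "alarm counters moved:"
    printf '%s\n' "$alarms"
else
    echo "no drop or alarm counters set"
fi
```

Matching on the full counter description rather than on line position keeps the script usable when FreeBSD adds or reorders counters; an unknown description simply reads as 0.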

EDIT:
rekey=yes will fix life duration error in
type=Life Duration, flag=0x8000