Although it’s not recommended for large scale IPsec deployments because the Pre-Shared Key must be shared among users, IKEv1 with PSK and Xauth is an easy-to-deploy option and is well supported by mobile devices powered by iOS and Android. Moreover, IKEv2 is not supported by the built-in VPN client in Android yet.
In this tutorial, we’ll install strongSwan 5.3.3 in openwrt 15.05, configure IKEv1 with PSK and Xauth, and finally setup the built-in VPN clients in Android and iOS so they can connect to it.
First of all, install necessary strongSwan packages in openwrt 15.05:
root@OpenWrt:~# opkg update
root@OpenWrt:~# opkg install strongswan-minimal strongswan-mod-xauth-generic
To setup IKEv1 with PSK and Xauth, we only need to edit the following two configuration files.
# ipsec.conf - strongSwan IPsec configuration file # basic configuration config setup # strictcrlpolicy=yes # uniqueids = no # Add connections here. conn %default ikelifetime=60m keylife=20m rekeymargin=3m keyingtries=1 conn roadwarrior keyexchange=ikev1 left=%any firstname.lastname@example.org leftsubnet=0.0.0.0/0 leftauth=psk leftfirewall=yes right=%any rightauth=psk rightauth2=xauth rightsourceip=10.0.2.0/24 rightdns=10.0.0.1 auto=add
# /etc/ipsec.secrets - strongSwan IPsec secrets file openwrt.lan %any : PSK "WhobByewg[cevHatyefunhevbydKeAv9" wenzhuo : XAUTH "Kagg#Od8"
We must choose strong PSK and passwords to ensure the security of IPsec connections. The example PSK and password shown above, which are generated using apg, are very good examples.
If you want to connect from the WAN side, add the following configuration to /etc/config/firewall:
# allow incoming IPsec connections config rule option src wan option proto esp option target ACCEPT config rule option src wan option proto udp option dest_port 500 option target ACCEPT config rule option src wan option proto udp option dest_port 4500 option target ACCEPT config rule option src wan option proto ah option target ACCEPT
and then restart the firewall:
root@OpenWrt:~# /etc/init.d/firewall restart
Now stop the IPsec IKE daemon and restart it in foreground, so that we can immediately see its log messages on the ssh console:
root@OpenWrt:~# ipsec stop
root@OpenWrt:~# ipsec start --nofork
We can check the detailed information about established and configured connections by typing the ipsec status and statusall commands.
root@OpenWrt:~# ipsec status root@OpenWrt:~# ipsec statusall
Open Settings / Wireless & networks (… more) / VPN, tap the “+” sign in the upper-right corner of the Settings screen. On the Edit VPN profile dialog that pops up, enter the profile Name, select IPSec Xauth PSK in the Type drop-down menu, and then enter Server address and IPSec pre-shared key. Tap SAVE.
Open Settings / VPN, tap “Add VPN Configuration…“. On the dialog that pops up, choose IPSec in the Type drop-down menu, and then tap Back. Enter all the necessary information: profile name in Descrption, server address in Server, username in Account, account password in Password and finally the PSK in Secret. Tap Done.