Configuring IPSec on the WRT160NL router with OpenWRT.

Hello, trambroidyans!
I would like to talk about how to configure IPSec tunnels on the WRT160NL router running OpenWRT.
Many may argue that there are plenty of IPSec setup instructions online, but setting it up under OpenWRT on this router has its own peculiarities.
So, we have a connection with the following parameters.

Address of the remote server A.A.A.A
Remote network a.a.a.a / a
Address of the router B.B.B.B
LAN b.b.b.b / b

Phase 1

PSK nnnnnnn
Encryption algorithm (encryption_algorithm) 3des
Hashing algorithm (hash_algorithm) sha1
Diffie-Hellman group (dh_group) modp1024
Key lifetime (lifetime) 28800 sec

Phase 2

Diffie-Hellman group (pfs_group) modp1024
Encryption algorithm (encryption_algorithm) 3des
Authentication algorithm (authentication_algorithm) hmac_sha1
Compression algorithm (compression_algorithm) deflate
Key lifetime (lifetime) 3600 sec

Let's proceed to the setup.

1. Install the required packages

# opkg update
# opkg install ipsec-tools kmod-crypto-authenc kmod-ipsec kmod-ipsec4

2. Edit the configuration file /etc/racoon.conf and bring it to the following form

path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
path include "/etc/racoon";
log debug2;
padding {
        maximum_length 20; # maximum padding length.
        randomize off;  # enable randomize length.
        strict_check off; # enable strict check.
        exclusive_tail off; # extract last one octet.
}

remote A.A.A.A {
        exchange_mode main;
        situation identity_only;
        lifetime time 28800 sec ; # sec,min,hour
        proposal {
                encryption_algorithm 3des ;
                hash_algorithm sha1 ;
                authentication_method pre_shared_key ;
                dh_group 2 ;
        }
}

sainfo address b.b.b.b/b[any] any address a.a.a.a/a[any] any {
        pfs_group 2;
        lifetime time 3600 sec ;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

3. Next, write the following into the file /etc/racoon/setkey.conf

#!/usr/sbin/setkey -f
flush;

spdflush;
spdadd b.b.b.b/b[any] a.a.a.a/a[any] any -P out ipsec esp/tunnel/B.B.B.B-A.A.A.A/require;
spdadd a.a.a.a/a[any] b.b.b.b/b[any] any -P in ipsec esp/tunnel/A.A.A.A-B.B.B.B/require;

4. Write the Pre-Shared Key into the file /etc/racoon/psk.txt

A.A.A.A nnnnnnn

and set its permissions to 600

# chmod 0600 /etc/racoon/psk.txt

5. Now you need to add firewall rules; to do this, add the following to the file /etc/firewall.user

iptables -A input_rule -p esp -s A.A.A.A -j ACCEPT # allow IPSEC
iptables -A input_rule -p udp -s A.A.A.A --dport 500 -j ACCEPT # allow ISAKMP
iptables -A input_rule -p udp -s A.A.A.A --dport 4500 -j ACCEPT # allow NAT-T
iptables -t nat -A postrouting_rule -d a.a.a.a/a -j ACCEPT

and restart the firewall

# /etc/init.d/firewall restart

Actually, the setup is done; now we need to connect.
1. And here is the catch :). For racoon to work, the following modules are required: af_key, esp4, ah4, authenc, xfrm4_tunnel, xfrm4_mode_tunnel. They are loaded with the insmod command

# insmod af_key
# insmod esp4
# insmod ah4
# insmod xfrm4_tunnel
# insmod authenc
# insmod xfrm4_mode_tunnel

2. Now you need to create an alias for the wan interface, which will serve as the gateway to the network

# ifconfig eth1:0 b.b.b.b netmask 255.255.255.0

3. Next, create the working directory

# mkdir /var/racoon

4. Now you can start racoon

# racoon

If you need to run racoon in debug mode, run this command with the -Fd option

# racoon -Fd

5. Run setkey

# setkey -f /etc/racoon/setkey.conf

6. And establish the connection

# racoonctl vpn-connect A.A.A.A

That's it, the tunnel works. If the tunnel does not come up, look at the output of the daemon started with racoon -Fd.
Now you can create an init script in the /etc/init.d directory to bring the tunnel up automatically; I'll explain how to do that later.
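As an added example (not part of the original post), here are the manual steps above collected into a POSIX shell helper for busybox ash on OpenWRT. It assumes the post's file locations (/etc/racoon/psk.txt, /etc/racoon/setkey.conf) and the eth1 WAN interface, and takes the peer address and alias address as parameters; before starting racoon it refuses to continue if psk.txt is not mode 600 or has no entry for the peer.

```sh
#!/bin/sh
# Added example, not from the original post. Assumes the post's paths
# (/etc/racoon/psk.txt, /etc/racoon/setkey.conf) and the eth1 WAN interface.

# Modules racoon needs on this build, in the order the post loads them.
IPSEC_MODULES="af_key esp4 ah4 xfrm4_tunnel authenc xfrm4_mode_tunnel"

# Load each module only if it is not already listed in /proc/modules.
load_ipsec_modules() {
    for m in $IPSEC_MODULES; do
        grep -q "^$m " /proc/modules 2>/dev/null || insmod "$m" || return 1
    done
}

# The PSK file is the tunnel's only secret: refuse to start if it is
# readable by anyone but the owner or has no line for the peer.
# Usage: check_psk_file /etc/racoon/psk.txt A.A.A.A
check_psk_file() {
    psk="$1"; peer="$2"
    [ -f "$psk" ] || { echo "missing $psk" >&2; return 1; }
    mode=$(stat -c %a "$psk")
    [ "$mode" = "600" ] || { echo "$psk is mode $mode, expected 600" >&2; return 2; }
    grep -q "^$peer[[:space:]]" "$psk" || { echo "no PSK for $peer in $psk" >&2; return 3; }
}

# Print the setkey policy file from the post for one tunnel.
# Arguments: LAN net b.b.b.b/b, remote net a.a.a.a/a, router B.B.B.B, peer A.A.A.A
gen_setkey_conf() {
    lan="$1"; rnet="$2"; me="$3"; peer="$4"
    printf '#!/usr/sbin/setkey -f\nflush;\nspdflush;\n'
    printf 'spdadd %s[any] %s[any] any -P out ipsec esp/tunnel/%s-%s/require;\n' \
        "$lan" "$rnet" "$me" "$peer"
    printf 'spdadd %s[any] %s[any] any -P in ipsec esp/tunnel/%s-%s/require;\n' \
        "$rnet" "$lan" "$peer" "$me"
}

# Bring the tunnel up in the order the post describes.
# Usage: start_tunnel A.A.A.A b.b.b.b
start_tunnel() {
    peer="$1"; alias_ip="$2"
    check_psk_file /etc/racoon/psk.txt "$peer" || return $?
    load_ipsec_modules || return 1
    ifconfig eth1:0 "$alias_ip" netmask 255.255.255.0
    mkdir -p /var/racoon
    racoon
    setkey -f /etc/racoon/setkey.conf
    racoonctl vpn-connect "$peer"
}
```

Run gen_setkey_conf once with your real addresses and save its output as /etc/racoon/setkey.conf; start_tunnel then only needs the peer address and the alias address.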


Comments

helensosa655 (not verified)
I built it, everything works fine, thanks

coatieddeld (not verified)
Are you sure?

Hi everyone! Are you always sure you are right?

antinari
They're outdated

Such routers haven't been used for a long time now. Modern ones are much easier to configure; almost everything there is automatic.

root
antinari wrote:

Such routers haven't been used for a long time now. Modern ones are much easier to configure; almost everything there is automatic.

IPSec automatically? And what does the hardware have to do with it? What difference does it make what you run OpenWRT on, even on x86.