Posted: Thu May 18, 2017 20:45 Post subject: StrongSwan and IPSEC
Information about StrongSwan and its use in DD-WRT appears to be thin on the ground in the forum. I'd like to be able to use DD-WRT as an IPSEC client gateway to a remote VPN server where my router effectively acts as a single VPN egress point for all LAN clients that want to go via that route... that's the dream at least.
StrongSwan is going to be great if I can get it working on my router because it has everything I need that the OpenVPN client doesn't support for my remote VPN server: IKEv2.
As far as I can tell StrongSwan actually is included as part of DD-WRT. The telltale signs are in the repo and I can see that it's still occasionally being maintained by BrainSlayer here: http://svn.dd-wrt.com/browser/src/router/strongswan
The thing that I don't seem to be able to find any information about is whether StrongSwan is compiled and installed as part of a DD-WRT firmware build. I've searched the DD-WRT image file system as flashed to my router and there's no sign of "ipsec" in the file system at all, which would indicate it's not included... so if that's the case, why is StrongSwan there and being maintained in the repo at all?
Thanks to anyone who can shed some light on this mystery
Joe
Posted: Fri May 19, 2017 5:26 Post subject: Re: StrongSwan and IPSEC
jlippa wrote:
Information about StrongSwan and its use in DD-WRT appears to be thin on the ground in the forum. I'd like to be able to use DD-WRT as an IPSEC client gateway to a remote VPN server where my router effectively acts as a single VPN egress point for all LAN clients that want to go via that route... that's the dream at least.
StrongSwan is going to be great if I can get it working on my router because it has everything I need that the OpenVPN client doesn't support for my remote VPN server: IKEv2.
As far as I can tell StrongSwan actually is included as part of DD-WRT. The telltale signs are in the repo and I can see that it's still occasionally being maintained by BrainSlayer here: http://svn.dd-wrt.com/browser/src/router/strongswan
The thing that I don't seem to be able to find any information about is whether StrongSwan is compiled and installed as part of a DD-WRT firmware build. I've searched the DD-WRT image file system as flashed to my router and there's no sign of "ipsec" in the file system at all, which would indicate it's not included... so if that's the case, why is StrongSwan there and being maintained in the repo at all?
Thanks to anyone who can shed some light on this mystery
Joe
Posted: Fri May 19, 2017 7:22 Post subject: Re: StrongSwan and IPSEC
<Kong> wrote:
DD-WRT comes with softether, which is an IPSEC client/server.
That's good to know, thanks for the pointer.
Unfortunately there's no IKEv2 support in SoftEtherVPN at the moment so this isn't going to work for me until this feature gets implemented upstream and is then later updated into DD-WRT. There is an open issue about this one: https://github.com/SoftEtherVPN/SoftEtherVPN/issues/13
For the record, here is where this ended up: I decided getting StrongSwan built, installed, configured and working in DD-WRT was going to be far more effort than it was worth.
It still seems as though there's not much information about this and I was left unsure whether it would be worth investing the time working out what path to take because it might turn out to be wasted time. Add to this that the DD-WRT development and build guide is, to be frank, scary and rambling, so I called abort: http://www.dd-wrt.com/wiki/index.php/Development
I bought a FriendlyArm Neo2 board, heat sink, case, SD card and PSU for ~£30, installed Armbian and built and installed StrongSwan on there. Armbian wasn't entirely plain sailing and I did need to port a Linux core kernel patch into an ARM-compatible form and apply this patch to get ipsec working, but the Armbian build system did make things easy once I'd worked out what patch was needed.
This feels like a better solution because Armbian is based on mainline Ubuntu 16.04 Linux, so the Neo2 is effectively running as a headless Ubuntu Linux server and has all the goodies available to it that are available to all full-fat Linux distros.
I'm still a DD-WRT user and fan but sometimes it's worth considering alternatives if things are too difficult.
Looks like Kong has integrated StrongSwan into dd-wrt with integrated FreeRadius authentication. Information on how to get everything working is scarce though.
_________________
Netgear R7000 on Build 55109
Asus AC-AC68U rev. C1 (AP) on Build 55109
Asus AC-68U rev. A1 on Build 54604
Asus AC-68U rev. A1 on Build 53339
To Joe's original question, the StrongSwan files are in /jffs/etc/ on Kong's build. Not sure if that's the same for the main Brainslayer branch. "find / -name ipsec.conf" or "find / -name strongswan.conf" should pinpoint them quickly.