Differences

technical:strongswan-apdesk [2026/01/11 20:10] – created systemtechnical:strongswan-apdesk [2026/01/12 06:22] (current) – [Required Items] system
Line 1: Line 1:
 ====== IKEv2+IPsec (StrongSwan) Support in APdesk and MESHdesk ====== ====== IKEv2+IPsec (StrongSwan) Support in APdesk and MESHdesk ======
-===== Introduction ===== +===== MESHdesk Firmware ===== 
-  * When installing StrongSwan on a server, the item that takes the most preparation is the setup of the PKI.  +  * The MESHdesk firmware includes support for IKEv2+IPsec since Jan 2026. 
-  * Although it is easy once you figured it out, because StrongSwan has been around for such a long time there are lots of outdated or over complicated documentation out there+  * When you build the firmware make sure you include: 
-  * Even when I asked one of the AI engines for instructions it provided me with old outdated instructions+      * Network -> VPN -> StrongSwan -> strongswan-default (Meta Package) 
-  * The following instructions should work well on any of the recent versions of StrongSwan+      * Network -> xfrm (Needed for route based IPsec) 
 +  * To make those packages appear in the available list of packages you need to insall them into the SDK 
 +<code bash> 
 +./scripts/feeds install strongswan 
 +./scripts/feeds install xfrm 
 +</code> 
 + 
 +<WRAP center round tip 100%> 
 +  * Note that StrongSwan might not fit on devices with limited flash
 +  * Fortunately OpenWrt can also be running as a VM
 +  * In our setup we created a virtual setup in VirtualBox and ran an OpenWrt instance which are then configured using APdesk 
 +</WRAP>
  
 ----------- -----------
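Review bot: "insall" in the SDK bullet should read "install", and the tip's third bullet has a number disagreement ("an OpenWrt instance which are then configured" should be "which is then configured"). Since the new section drops the Introduction bullets, the only remaining hint that the PKI is the bulk of the preparation is gone, so it would help to say here where the server-side/PKI preparation is documented before telling the reader which SDK packages to pull in.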
 +===== Defining a IKEv2+IPsec per AP =====
 +  * See the screenshot below and the discussion which follows on the various items required:
 +  * {{:technical:ipsec:strongswan-01.png?nolink}}
 +
 +------
 +==== Required Items ====
 +^ Item      ^ Description       ^ Comment          ^
 +|Name    |Descriptive name for VPN connection             |
 +|VPN Type    |IKEv2+IPsec             |
 +|Server    |FQDN or IP Addres of StrongSwan server |   |
 +|Server ID  |Unique ID when server cert was generated  |In our case it was //- -san cloud.radiusdesk.com//  |
 +|Xfrm Id Nr |Match **if_id_*** configured on the server  |  |
 +|Endpoint IP |Client's fixed IP Address  |Should be on the server's subnet e.g. 10.3.x.x |
 +|Gateway IP |The IP Address from server prep script  |  |
 +|Client ID |Unique ID per Client when cert is created  |In our case it was //- -san carol@strongswan.org//  |
 +|CA |CA certificate we created earlier  |  |
 +|Certificate |Client certificate we created earlier    |
 +|Key |Private key used to generate certificate  |  |
 +|Proposals |list of cryto proposals   |e.g. aes128-sha1-modp2048 |
 +|ESP Proposals |list of ESP proposals   |e.g. aes128-sha1-modp2048  |
 +
 +------------
 +===== Connection Info =====
 +  * The MESHdesk firmware records and reports the status and usage in the VPN tunnel.
 +  * See screenshot below:
 +{{:technical:ipsec:strongswan-02.png?nolink|}}
 +
 +------------
 +==== CLI Confirmation ====
 +  * We can use the swanctl program on OpenWrt to confirm the SA has been established:
 +<code bash>
 +root@SS-01:~# swanctl --list-sa
 +plugin 'kdf': failed to load - kdf_plugin_create not found and no plugin file available
 +xfrm01: #10, ESTABLISHED, IKEv2, 8dca7286ebd18a28_i 45a64d9d5c71acec_r*
 +  local  'carol@strongswan.org' @ 10.3.0.3[4500] [10.3.1.0]
 +  remote 'cloud.radiusdesk.com' @ 164.160.89.129[4500]
 +  AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
 +  established 1243s ago, rekeying in 12771s
 +  tun_xfrm01: #10, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-128/HMAC_SHA1_96/MODP_2048
 +    installed 2089s ago, rekeying in 1379s, expires in 1871s
 +    in  c000ad9e (-|0x00000064),  22990 bytes,    38 packets,   237s ago
 +    out cb6ad2be (-|0x00000064),   2457 bytes,    28 packets,   237s ago
 +    local  0.0.0.0/0
 +    remote 0.0.0.0/0
 +</code>
 +
 +
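Review bot: the Required Items table refers to "CA certificate we created earlier", "Client certificate we created earlier", "Private key used to generate certificate" and "The IP Address from server prep script", but after this revision nothing on the page creates those items or names the prep script, so these rows should link to the server-side page or state where the values come from. The table rows for Name, VPN Type and Certificate also carry only two cells against a three-column header, which renders as a broken table; add the trailing `|` to each. Spelling: "Addres" should be "Address" and "cryto" should be "crypto". In the swanctl output, the line `plugin 'kdf': failed to load - kdf_plugin_create not found and no plugin file available` is a plugin warning unrelated to the SA being established; either explain it or trim it so readers do not mistake it for the confirmation failing, and consider masking the server's public address in the `remote` line since it is not needed to show the SA state.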
  • technical/strongswan-apdesk.1768155048.txt.gz
  • Last modified: 2026/01/11 20:10
  • by system