Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision		 Previous revision
technical:strongswan-apdesk [2026/01/11 21:00] – [Defining a IKEv2+IPsec per AP] systemtechnical:strongswan-apdesk [2026/01/12 06:22] (current) – [Required Items] system
Line 3: Line 3:
   * The MESHdesk firmware includes support for IKEv2+IPsec since Jan 2026.   * The MESHdesk firmware includes support for IKEv2+IPsec since Jan 2026.
   * When you build the firmware make sure you include:   * When you build the firmware make sure you include:
-      * Network -> VPN -> StrongSwan -> strongswan-defaul (Meta Package)+      * Network -> VPN -> StrongSwan -> strongswan-default (Meta Package)
       * Network -> xfrm (Needed for route based IPsec)       * Network -> xfrm (Needed for route based IPsec)
   * To make those packages appear in the available list of packages you need to insall them into the SDK   * To make those packages appear in the available list of packages you need to insall them into the SDK
Line 10: Line 10:
 ./scripts/feeds install xfrm ./scripts/feeds install xfrm
 </code> </code>
 +
 +<WRAP center round tip 100%>
 +  * Note that StrongSwan might not fit on devices with limited flash.
 +  * Fortunately OpenWrt can also be running as a VM.
 +  * In our setup we created a virtual setup in VirtualBox and ran an OpenWrt instance which are then configured using APdesk
 +</WRAP>
  
 ----------- -----------
Line 22: Line 28:
 |VPN Type    |IKEv2+IPsec             | |VPN Type    |IKEv2+IPsec             |
 |Server    |FQDN or IP Addres of StrongSwan server |   | |Server    |FQDN or IP Addres of StrongSwan server |   |
-|Server ID  | The unique value when server cert was generated  |In our case it was //- -san cloud.radiusdesk.com// +|Server ID  |Unique ID when server cert was generated  |In our case it was //- -san cloud.radiusdesk.com// 
-|Xfrm Id Nr | Match **if_id_*** configured on the server  |  |+|Xfrm Id Nr |Match **if_id_*** configured on the server  |  | 
 +|Endpoint IP |Client's fixed IP Address  |Should be on the server's subnet e.g. 10.3.x.x | 
 +|Gateway IP |The IP Address from server prep script  |  | 
 +|Client ID |Unique ID per Client when cert is created  |In our case it was //- -san carol@strongswan.org// 
 +|CA |CA certificate we created earlier  |  | 
 +|Certificate |Client certificate we created earlier   
 +|Key |Private key used to generate certificate  |  | 
 +|Proposals |list of cryto proposals   |e.g. aes128-sha1-modp2048 | 
 +|ESP Proposals |list of ESP proposals   |e.g. aes128-sha1-modp2048 
 + 
 +------------ 
 +===== Connection Info ===== 
 +  * The MESHdesk firmware records and reports the status and usage in the VPN tunnel. 
 +  * See screenshot below: 
 +{{:technical:ipsec:strongswan-02.png?nolink|}} 
 + 
 +------------ 
 +==== CLI Confirmation ==== 
 +  * We can use the swanctl program on OpenWrt to confirm the SA has been established: 
 +<code bash> 
 +root@SS-01:~# swanctl --list-sa 
 +plugin 'kdf': failed to load - kdf_plugin_create not found and no plugin file available 
 +xfrm01: #10, ESTABLISHED, IKEv2, 8dca7286ebd18a28_i 45a64d9d5c71acec_r* 
 +  local  'carol@strongswan.org' @ 10.3.0.3[4500] [10.3.1.0] 
 +  remote 'cloud.radiusdesk.com' @ 164.160.89.129[4500] 
 +  AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048 
 +  established 1243s ago, rekeying in 12771s 
 +  tun_xfrm01: #10, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-128/HMAC_SHA1_96/MODP_2048 
 +    installed 2089s ago, rekeying in 1379s, expires in 1871s 
 +    in  c000ad9e (-|0x00000064),  22990 bytes,    38 packets,   237s ago 
 +    out cb6ad2be (-|0x00000064),   2457 bytes,    28 packets,   237s ago 
 +    local  0.0.0.0/0 
 +    remote 0.0.0.0/0 
 +</code> 
  
  • technical/strongswan-apdesk.1768158004.txt.gz
  • Last modified: 2026/01/11 21:00
  • by system