Differences

technical:strongswan-apdesk [2026/01/11 21:14] – [Required Items] systemtechnical:strongswan-apdesk [2026/01/12 06:22] (current) – [Required Items] system
Line 3: Line 3:
   * The MESHdesk firmware includes support for IKEv2+IPsec since Jan 2026.   * The MESHdesk firmware includes support for IKEv2+IPsec since Jan 2026.
   * When you build the firmware make sure you include:   * When you build the firmware make sure you include:
-      * Network -> VPN -> StrongSwan -> strongswan-defaul (Meta Package)+      * Network -> VPN -> StrongSwan -> strongswan-default (Meta Package)
       * Network -> xfrm (Needed for route based IPsec)       * Network -> xfrm (Needed for route based IPsec)
   * To make those packages appear in the available list of packages you need to insall them into the SDK   * To make those packages appear in the available list of packages you need to insall them into the SDK
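Review bot: the package name fix to strongswan-default is correct, but the line right below it still reads "insall them into the SDK" in both revisions; correct that typo in the same edit so the build step reads cleanly, and consider writing the full menuconfig path and the feeds commands in one place so a reader building the firmware does not miss the xfrm package (the later `./scripts/feeds install xfrm` line shows it is required for route-based IPsec).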
Line 10: Line 10:
 ./scripts/feeds install xfrm ./scripts/feeds install xfrm
 </code> </code>
 +
 +<WRAP center round tip 100%>
 +  * Note that StrongSwan might not fit on devices with limited flash.
 +  * Fortunately OpenWrt can also be running as a VM.
 +  * In our setup we created a virtual setup in VirtualBox and ran an OpenWrt instance which are then configured using APdesk
 +</WRAP>
  
 ----------- -----------
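Review bot: the new tip has a grammar slip in its last bullet, "In our setup we created a virtual setup in VirtualBox and ran an OpenWrt instance which are then configured using APdesk"; suggest "In our setup we ran an OpenWrt instance as a VirtualBox VM and configured it through APdesk". The tip would also be more useful if it said what the consequence of StrongSwan not fitting is (the build or the package install failing) so readers know which symptom to look for before falling back to the VM approach.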
Line 24: Line 30:
 |Server ID  |Unique ID when server cert was generated  |In our case it was //- -san cloud.radiusdesk.com//  | |Server ID  |Unique ID when server cert was generated  |In our case it was //- -san cloud.radiusdesk.com//  |
 |Xfrm Id Nr |Match **if_id_*** configured on the server  |  | |Xfrm Id Nr |Match **if_id_*** configured on the server  |  |
-|Endpoint IP |Unique ID per Client when cert is created  |In our case it was //- -san carol@strongswan.org//  |+|Endpoint IP |Client's fixed IP Address  |Should be on the server's subnet e.g. 10.3.x.x |
 |Gateway IP |The IP Address from server prep script  |  | |Gateway IP |The IP Address from server prep script  |  |
 +|Client ID |Unique ID per Client when cert is created  |In our case it was //- -san carol@strongswan.org//  |
 |CA |CA certificate we created earlier  |  | |CA |CA certificate we created earlier  |  |
 |Certificate |Client certificate we created earlier    | |Certificate |Client certificate we created earlier    |
 |Key |Private key used to generate certificate  |  | |Key |Private key used to generate certificate  |  |
 +|Proposals |list of cryto proposals   |e.g. aes128-sha1-modp2048 |
 +|ESP Proposals |list of ESP proposals   |e.g. aes128-sha1-modp2048  |
 +
 +------------
 +===== Connection Info =====
 +  * The MESHdesk firmware records and reports the status and usage in the VPN tunnel.
 +  * See screenshot below:
 +{{:technical:ipsec:strongswan-02.png?nolink|}}
 +
 +------------
 +==== CLI Confirmation ====
 +  * We can use the swanctl program on OpenWrt to confirm the SA has been established:
 +<code bash>
 +root@SS-01:~# swanctl --list-sa
 +plugin 'kdf': failed to load - kdf_plugin_create not found and no plugin file available
 +xfrm01: #10, ESTABLISHED, IKEv2, 8dca7286ebd18a28_i 45a64d9d5c71acec_r*
 +  local  'carol@strongswan.org' @ 10.3.0.3[4500] [10.3.1.0]
 +  remote 'cloud.radiusdesk.com' @ 164.160.89.129[4500]
 +  AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
 +  established 1243s ago, rekeying in 12771s
 +  tun_xfrm01: #10, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-128/HMAC_SHA1_96/MODP_2048
 +    installed 2089s ago, rekeying in 1379s, expires in 1871s
 +    in  c000ad9e (-|0x00000064),  22990 bytes,    38 packets,   237s ago
 +    out cb6ad2be (-|0x00000064),   2457 bytes,    28 packets,   237s ago
 +    local  0.0.0.0/0
 +    remote 0.0.0.0/0
 +</code>
 +
  
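Review bot: the new Proposals rows have a typo ("list of cryto proposals") and use the same example string for IKE and ESP without saying that both must match what the server side is configured with; the swanctl output added in the same change is the right place to point to, since it shows exactly what was negotiated: "AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048" for the IKE SA and "ESP:AES_CBC-128/HMAC_SHA1_96/MODP_2048" for the child SA, so a sentence tying the two rows to those two lines would let a reader verify their own proposals. Splitting the old Endpoint IP row into "Endpoint IP" (fixed client address on the server subnet) and "Client ID" (the SAN from the client certificate) is a good correction, but the "Xfrm Id Nr" row should say whether the value is entered in decimal or hex so it can be compared with the server's if_id_* setting. Finally, the first line of the swanctl output, "plugin 'kdf': failed to load - kdf_plugin_create not found and no plugin file available", will raise questions; either explain it or, if it does not affect the tunnel, say so next to the listing.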
  • technical/strongswan-apdesk.1768158887.txt.gz
  • Last modified: 2026/01/11 21:14
  • by system