KB: Connecting OpenWRT/LEDE router to Azure Virtual Network Gateway (IKEv2)


Step 1: Install strongSwan and other packages

  • strongswan-minimal
  • ip-full
  • kmod-ip-vti
  • vtiv4

Step 2: Configure IPsec

/etc/ipsec.conf

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
    # strictcrlpolicy=yes
    # uniqueids = no

# Add connections here.

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    authby=secret
    keyexchange=ikev2
    mobike=no

conn LONDON
    auto=start
    type=tunnel
    aggressive=no
    ike=3des-sha1-modp1024
    esp=3des-sha1
    mark=42
    mark_in=42
    mark_out=42
    left={router WAN IP}
    leftsubnet=192.168.1.0/24
    leftid={router WAN IP}
    leftauth=psk
    leftfirewall=yes

    right={Azure Virtual Network Gateway public IP}
    rightsubnet={Azure Virtual Network, e.g. 10.1.0.0/24}
    rightid={Azure Virtual Network Gateway public IP}
    rightauth=psk
    rightfirewall=yes

/etc/ipsec.secrets

# /etc/ipsec.secrets - strongSwan IPsec secrets file
{router WAN IP} {Azure Virtual Network Gateway public IP} : PSK "your_secret"

/etc/strongswan.conf

charon {
        install_routes=no
        install_virtual_ip=no

        load_modular = yes
        plugins {
                include strongswan.d/charon/*.conf
        }
}
include strongswan.d/*.conf


Step 3: Configure the VTI interface for routing (the "key 42" must match the mark set in ipsec.conf)

ip tunnel add vti0 local {router IP} remote {Azure gateway public IP} mode vti key 42
sysctl -w net.ipv4.conf.vti0.disable_policy=1
ip link set vti0 up
ip route add 10.1.0.0/24 dev vti0


Other useful commands:

ipsec restart
ipsec statusall
ip -s xfrm state
ip route list table 220


Uncomment the following lines in /etc/sysctl.conf:
net.ipv4.ip_forward=1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

Apply the changes:
sysctl -p
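The following helper script is an added example, not part of the original post or of strongSwan/OpenWrt. It ties Steps 2 and 3 together: it reads a connection section out of an ipsec.conf, checks that the XFRM mark there equals the key you would give to "ip tunnel add ... mode vti" (the most common reason a VTI setup passes "ipsec statusall" yet forwards nothing), flags the deprecated algorithms in the ike=/esp= proposals (3DES, SHA-1 and MODP-1024 as used above), and prints the Step 3 commands filled in from the config so they can be reviewed before being piped to sh. The function names are hypothetical, the sample ipsec.conf and its 203.0.113.x/198.51.100.x addresses are constructed, and the stronger proposal mentioned in the usage note is an assumption to verify against the IKE parameters your Azure gateway accepts.

```shell
#!/bin/sh
# Sanity checks for the OpenWrt/strongSwan -> Azure VTI setup above.
# Added example, not part of the original post. POSIX sh (busybox ash on OpenWrt).
# Helper names (conf_value, check_mark_matches, proposal_is_weak, vti_setup_cmds)
# are assumptions; only the ip/sysctl command lines follow the post.

# Constructed sample in the shape of the post's /etc/ipsec.conf, with
# documentation addresses, so the checks can be exercised offline.
SAMPLE_CONF='conn %default
    keyexchange=ikev2
    authby=secret

conn LONDON
    auto=start
    ike=3des-sha1-modp1024
    esp=3des-sha1
    mark=42
    left=203.0.113.10
    right=198.51.100.20
    rightsubnet=10.1.0.0/24
'

# conf_value CONF CONN KEY: print KEY's value from section "conn CONN".
# Matches "key=" exactly, so "mark" does not pick up "mark_in"/"mark_out".
conf_value() {
    printf '%s\n' "$1" | awk -v conn="$2" -v key="$3" '
        /^conn[ \t]/ { insec = ($2 == conn); next }
        insec && $0 ~ ("^[ \t]*" key "=") {
            sub("^[ \t]*" key "=", ""); print; exit
        }'
}

# check_mark_matches CONF CONN KEY: the mark in ipsec.conf must equal the
# "key" given to "ip tunnel add ... mode vti", or ESP traffic never hits vti0.
check_mark_matches() {
    _mark=$(conf_value "$1" "$2" mark)
    [ -z "$_mark" ] && _mark=$(conf_value "$1" "$2" mark_out)
    if [ "$_mark" = "$3" ]; then
        return 0
    fi
    echo "mark mismatch: ipsec.conf mark='$_mark' vs vti key='$3'" >&2
    return 1
}

# proposal_is_weak PROPOSAL: succeed (and list the reasons) when an ike=/esp=
# string uses deprecated algorithms. strongSwan syntax; comma-separated
# alternatives are allowed and each one is inspected.
proposal_is_weak() {
    _p=$(printf '%s' "$1" | tr ',' '-')
    _bad=""
    for _alg in des 3des md5 sha1 modp768 modp1024 modp1536; do
        case "-$_p-" in *"-$_alg-"*) _bad="$_bad $_alg" ;; esac
    done
    if [ -n "$_bad" ]; then
        echo "weak algorithms in '$1':$_bad"
        return 0
    fi
    return 1
}

# vti_setup_cmds LOCAL REMOTE KEY SUBNET: print the Step 3 commands in order,
# so they can be reviewed first and then piped to sh on the router.
vti_setup_cmds() {
    echo "ip tunnel add vti0 local $1 remote $2 mode vti key $3"
    echo "sysctl -w net.ipv4.conf.vti0.disable_policy=1"
    echo "ip link set vti0 up"
    echo "ip route add $4 dev vti0"
}

# run_checks CONF CONN KEY: mark check, proposal check, then the commands.
# On the router: run_checks "$(cat /etc/ipsec.conf)" LONDON 42
run_checks() {
    _conf=$1; _conn=$2; _key=$3
    check_mark_matches "$_conf" "$_conn" "$_key" || return 1
    proposal_is_weak "$(conf_value "$_conf" "$_conn" ike)" && echo "consider a stronger ike= proposal"
    proposal_is_weak "$(conf_value "$_conf" "$_conn" esp)" && echo "consider a stronger esp= proposal"
    vti_setup_cmds "$(conf_value "$_conf" "$_conn" left)" \
                   "$(conf_value "$_conf" "$_conn" right)" \
                   "$_key" "$(conf_value "$_conf" "$_conn" rightsubnet)"
}

run_checks "$SAMPLE_CONF" LONDON 42
```

Against the sample this reports the weak 3DES/SHA-1/MODP-1024 proposals and then prints the four Step 3 commands with the addresses taken from the conn section. A proposal such as aes256-sha256-modp2048 passes the check; whether the Azure gateway negotiates it depends on the gateway's IKE policy, so confirm that in the Azure documentation before changing ike=/esp=. Note also that with install_routes=no in strongswan.conf, the route you add in Step 3 is what steers traffic into the tunnel, so "ip route list table 220" is expected to be empty in this setup.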