The following is an example of configuring IKEv2 in OpenWRT:
Note: The following commands need to be run as the 'root' user from the command line interface (CLI).
1. edit /etc/ipsec.conf
Note: Change the following variables as follows:
config setup
strictcrlpolicy=no
uniqueids=never
cachecrls=no
conn cpe-p2s-vpn
right=@warp.sho.wedgenetworks.com
rightid=@warp.sho.wedgenetworks.com
rightsubnet=0.0.0.0/0
leftsourceip=%config
leftid=<USER NAME>
leftsubnet=0.0.0.0/0
leftauth=eap-mschapv2
ike=aes256-sha2_256-modp1024!
esp=aes256-sha2_256!
keyingtries=0
ikelifetime=1h
lifetime=8h
dpddelay=30
dpdtimeout=120
dpdaction=clear
auto=start
keyexchange=ikev2
type=tunnel
eap_identity=%identity
leftupdown=/root/wedge-firewall.updown.sh
conn lan-passthrough
leftsubnet=<192.168.1.0/24> # Replace with your LAN subnet
rightsubnet=<192.168.1.0/24> # Replace with your LAN subnet
authby=never # No authentication necessary
type=pass # passthrough
auto=route # no need to ipsec up lan-passthrough
2. edit /etc/ipsec.secrets
Note: Change the following variables as follows:
: RSA wedgearp-ca.pem
<USER NAME> : EAP <USER NAME and PASSWORD required>
3. create the updown script referenced by leftupdown above: root@OpenWrt:~# vi /root/wedge-firewall.updown.sh
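#!/bin/ash
# strongSwan "updown" hook for the cpe-p2s-vpn connection (ipsec.conf:
# leftupdown=/root/wedge-firewall.updown.sh).  charon runs it with the
# PLUTO_* environment described in ipsec.conf(5); the values used here are:
#   PLUTO_VERB       up-client / down-client (and their -v6 variants)
#   PLUTO_MY_CLIENT  the virtual IP assigned to this CPE, as addr/prefix
#   PLUTO_INTERFACE  the interface the tunnel traffic leaves on
# On an "up" verb it inserts two nat/POSTROUTING rules (SNAT of LAN traffic
# to the virtual IP, plus an ACCEPT for traffic already matching an outbound
# IPsec policy); on the matching "down" verb it removes exactly those rules.
# Output (stdout and stderr) is captured by charon into its log.

# Virtual IP handed out by the VPN server, with the /prefix stripped.
LEFTSOURCEIP=${PLUTO_MY_CLIENT%/*}

# First IPv4 address/prefix configured on the LAN bridge, e.g. 192.168.1.1/24.
# iptables masks the host bits of "-s addr/prefix" itself, so the value can be
# passed through unchanged.  "exit" keeps a bridge with several addresses
# from producing a multi-word value.  Empty if br-lan has no IPv4 address.
lan_subnet() {
  ip addr show br-lan 2>/dev/null | awk '/inet / { print $2; exit }'
}

LEFTSUBNET=$(lan_subnet)

log() {
  echo "$*"
}

# Insert the SNAT rule, then the policy ACCEPT in front of it (both at
# position 1), so the ACCEPT is evaluated first and keeps any later NAT rule
# (presumably OpenWrt's own wan MASQUERADE) from rewriting tunnel traffic.
add_rules() {
  iptables -t nat -I POSTROUTING 1 -s "$LEFTSUBNET" -o "$PLUTO_INTERFACE" \
    -j SNAT --to-source "$LEFTSOURCEIP"
  iptables -t nat -I POSTROUTING 1 -m policy --pol ipsec --dir out -j ACCEPT
}

# Delete by rule specification rather than by position: by the time a "down"
# verb runs, rule 1 of nat/POSTROUTING may be an unrelated rule.
remove_rules() {
  iptables -t nat -D POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT
  if [ -n "$LEFTSUBNET" ]; then
    iptables -t nat -D POSTROUTING -s "$LEFTSUBNET" -o "$PLUTO_INTERFACE" \
      -j SNAT --to-source "$LEFTSOURCEIP"
  else
    log "Cannot determine LAN subnet on br-lan; SNAT rule not removed"
  fi
}

# NOTE(review): the -v6 verbs run the same IPv4 iptables commands; confirm
# this is intended when the assigned virtual IP is IPv6.
# Verbs other than the four below (up-host, prepare-client, ...) are ignored.
case "${PLUTO_VERB:-}" in
  up-client|up-client-v6)
    if [ -z "$LEFTSUBNET" ]; then
      log "Cannot determine LAN subnet on br-lan; not adding warp routing"
      exit 1
    fi
    log "Adding warp routing to ipsec tunnel"
    add_rules
    ;;
  down-client|down-client-v6)
    log "Removing warp routing to ipsec tunnel"
    remove_rules
    ;;
esac 2>&1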
4. restart the VPN service on OpenWrt (run as the root user):
ipsec stop
ipsec start
5. check whether the connection is established (run as the root user):
ipsec status
ipsec statusall
Note: WedgeARP™ Secure Home Office assigns a static IP address per user tunnel. A user can only have ONE active tunnel at a time. The most recent connection will become the active tunnel for the user.
Caution: You are responsible for configuring your device with the generated settings yourself, and you do so at your own risk.
For further information, please contact Wedge Sales Support Centre at: 1-888-276-5356.