WedgeARP™ Secure Home Office Configuration - OpenWRT Example


The following is an example of configuring IKEv2 in OpenWRT:

Note: The following commands need to be run as the 'root' user from the command line interface (CLI).

1.  edit /etc/ipsec.conf

Note:  Change the following variables as follows:

  • #PUBLIC_IP# with the external public IP address of the device
  • #INTERNAL_SUBNET# with the internal private IP subnet of the device (e.g. 192.168.1.0/24)

config setup
    strictcrlpolicy=no
    uniqueids=never
    cachecrls=no

conn cpe-p2s-vpn
    right=@warp.sho.wedgenetworks.com
    rightid=@warp.sho.wedgenetworks.com
    rightsubnet=0.0.0.0/0
    leftsourceip=%config
    leftid=<USER NAME>
    leftsubnet=0.0.0.0/0
    leftauth=eap-mschapv2
    ike=aes256-sha2_256-modp1024!   # modp1024 (DH group 2) is a legacy group; the proposal must match what the WedgeARP gateway accepts, so confirm with Wedge Networks before changing it
    esp=aes256-sha2_256!
    keyingtries=0
    ikelifetime=1h
    lifetime=8h
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    auto=start
    keyexchange=ikev2
    type=tunnel
    eap_identity=%identity
    leftupdown=/root/wedge-firewall.updown.sh

conn lan-passthrough
    leftsubnet=<192.168.1.0/24> # Replace with your LAN subnet
    rightsubnet=<192.168.1.0/24> # Replace with your LAN subnet
    authby=never # No authentication necessary
    type=pass # passthrough
    auto=route # no need to ipsec up lan-passthrough


2.  edit /etc/ipsec.secrets

Note:  Change the following variables as follows:

  • #PUBLIC_IP# with the external public IP address of the device
  • #PASSWORD# with the pre-shared key password provided by Wedge Networks
  • wedgearp-ca.pem needs to be copied to /etc/ipsec.d/certs/

: RSA wedgearp-ca.pem

<USER NAME> : EAP "<PASSWORD>"   # same <USER NAME> as leftid in ipsec.conf; <PASSWORD> as provided by Wedge Networks


3.  create the updown script referenced by leftupdown, /root/wedge-firewall.updown.sh, with the following contents:
  root@OpenWrt:~# vi /root/wedge-firewall.updown.sh

#!/bin/ash
# Invoked by strongSwan (leftupdown) with PLUTO_* variables describing the tunnel event.

# Virtual IP assigned to this tunnel by the WedgeARP gateway, without its prefix length
LEFTSOURCEIP=${PLUTO_MY_CLIENT%/*}
# LAN network: the br-lan IPv4 address with its host octet zeroed (assumes a /24-style LAN)
LEFTSUBNET=$(ip addr show br-lan | grep "inet " | awk '{print $2}' | sed 's/[0-9]*\//0\//')

case $PLUTO_VERB in
up-client|up-client-v6)
    echo "Adding warp routing to ipsec tunnel"
    # Source-NAT LAN traffic entering the tunnel to the tunnel's virtual IP
    iptables -t nat -I POSTROUTING 1 -s "$LEFTSUBNET" -o "$PLUTO_INTERFACE" -j SNAT --to-source "$LEFTSOURCEIP"
    # Stop later NAT rules (such as OpenWrt's WAN masquerade) from rewriting packets already matched by an IPsec policy
    iptables -t nat -I POSTROUTING 1 -m policy --pol ipsec --dir out -j ACCEPT
    ;;
down-client|down-client-v6)
    echo "Removing warp routing to ipsec tunnel"
    # Delete by full rule specification, not by position, so no unrelated rule is removed
    iptables -t nat -D POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT
    iptables -t nat -D POSTROUTING -s "$LEFTSUBNET" -o "$PLUTO_INTERFACE" -j SNAT --to-source "$LEFTSOURCEIP"
    ;;
esac

Save the file, then make it executable and configure a fixed upstream DNS server for the WAN interface (peerdns=0 tells OpenWrt to ignore the DNS servers advertised by the ISP):

chmod +x /root/wedge-firewall.updown.sh
uci add_list network.wan.dns="8.8.8.8"
uci set network.wan.peerdns="0"
uci commit network
reload_config

4.  restart vpn service on openwrt (when run as root user)
ipsec stop
ipsec start


5.  check if the connection is successful (when run as root user)
ipsec status
ipsec statusall
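As an added example that is not part of the WedgeARP guide or of OpenWrt, the POSIX shell below derives the LEFTSUBNET value the updown script's SNAT rule needs for any prefix length (the guide's sed replacement only zeroes the last octet), and checks captured `ipsec status` text for an ESTABLISHED cpe-p2s-vpn SA, which step 5 otherwise leaves to the eye. The `ip addr` and `ipsec status` samples are constructed, using RFC 5737 documentation addresses.

```shell
#!/bin/sh
# Added example, not part of the WedgeARP guide: helpers to derive the SNAT
# source subnet for the updown script and to check the tunnel state.
# Turn "a.b.c.d/n" into its network prefix "w.x.y.z/n" for any prefix length,
# using POSIX sh arithmetic only (no sed digit classes). Returns 1 on bad input.
network_of() {
    addr=${1%/*}; plen=${1#*/}
    case $plen in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ] || return 1
    o1=${addr%%.*}; rest=${addr#*.}
    o2=${rest%%.*}; rest=${rest#*.}
    o3=${rest%%.*}; o4=${rest#*.}
    ip=$(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
    mask=$(( plen == 0 ? 0 : (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF ))
    net=$(( ip & mask ))
    printf '%d.%d.%d.%d/%d\n' $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
        $(( (net >> 8) & 255 )) $(( net & 255 )) "$plen"
}

# Pull the first IPv4 address/prefix out of `ip addr show br-lan` text.
lan_address() {
    printf '%s\n' "$1" | awk '$1 == "inet" { print $2; exit }'
}

# Succeed only if `ipsec status` text lists the named IKE SA as ESTABLISHED.
tunnel_established() {
    printf '%s\n' "$2" | grep -q "^ *$1\[[0-9]*\]: ESTABLISHED"
}

# Constructed sample of `ip addr show br-lan` output (not from a real device).
SAMPLE_IP_ADDR='5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever'

# Constructed sample of `ipsec status` output; RFC 5737 documentation addresses.
SAMPLE_IPSEC_STATUS='Security Associations (1 up, 0 connecting):
 cpe-p2s-vpn[1]: ESTABLISHED 3 minutes ago, 203.0.113.10[alice]...198.51.100.20[warp.sho.wedgenetworks.com]
 cpe-p2s-vpn{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c0a8f001_i 0a1b2c3d_o
 cpe-p2s-vpn{1}:   10.99.0.7/32 === 0.0.0.0/0'

# Demo: the LEFTSUBNET value the SNAT rule needs, then the tunnel check.
LEFTSUBNET=$(network_of "$(lan_address "$SAMPLE_IP_ADDR")")
echo "SNAT source subnet: $LEFTSUBNET"
if tunnel_established cpe-p2s-vpn "$SAMPLE_IPSEC_STATUS"; then
    echo "cpe-p2s-vpn is ESTABLISHED"
else
    echo "cpe-p2s-vpn is not up; run ipsec statusall for details"
fi
```

On a router, replace the two samples with `$(ip addr show br-lan)` and `$(ipsec status)` to run the same checks against live state.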


Note: WedgeARP™ Secure Home Office assigns a static IP address per user tunnel. A user can only have ONE active tunnel at a time. The most recent connection will become the active tunnel for the user.

Caution: Please note that you will need to configure your device using the generated settings by yourself and at your own risk.

For further information, please contact Wedge Sales Support Centre at: 1-888-276-5356