Upgraded to 7.11 on RUT241 and IPSEC VPN fails

Hi
I upgraded a working RUT241 from 7.10.4 to 7.11.
The IPsec VPN was working before the upgrade, and after the upgrade it does not start.
I have installed tcpdump, and using that I see that no packets are sent towards the peer address.
I suspect that it has something to do with the move to swanctl?

Hello,
IPsec works for me. What is the output of swanmon list-sas | jq ?

Regards,

The output of the command is: (jq is not installed on the device)
{"errors":,"data":}

The output is the same for all commands to swanmon.
Should I just delete the connection and try to recreate it?

Install jq; the output of swanmon is hard to read:

opkg -e /etc/opkg/openwrt/distfeeds.conf update
opkg -e /etc/opkg/openwrt/distfeeds.conf install jq

Yes, “data”: is empty; no tunnel appears to be defined.

Hi
I installed jq.
I deleted the IPsec tunnel in the GUI and recreated it in the GUI.
Sorry to say, it is the same result.
root@RUT241:~# swanmon list-sas | jq
{
  "errors": ,
  "data":
}

The config file I found gives me no real indication of an error:
root@RUT241:~# swanmon list-sas | jq

# generated by /etc/init.d/swanctl

# config for ODK

connections {
    ODK {
        local_addrs = %any
        remote_addrs = REMOTE_PEER
        aggressive = 0
        fragmentation = yes
        local-psk {
            auth = psk
        }
        remote-psk {
            auth = psk
        }
        children {
            ODK_c {
                local_ts = 10.255.12.8/29
                remote_ts = 10.82.120.12/32
                start_action = trap
                esp_proposals = aes256gcm16-ecp384,default
                mode = tunnel
                updown = /usr/lib/ipsec/_updown iptables
            }
        }
        version = 2
        mobike = yes
        proposals = aes256gcm16-ecp384,default
        dpd_delay = 0s
        dpd_timeout = 90s
        keyingtries = 0
    }
}

secrets {
    ike-ODK {
        secret = 0xPASSWORD_HIDDEN
    }
}
pools {
}

secrets {
}

Are you sure about start_action ? Try with “start” instead.

That config is what the GUI has created.
What should I do to try to change the parameter to get it working again?

What do you have in /etc/config/ipsec ?

config ipsec
    option rtinstall_enabled '1'
    option make_before_break '0'

config remote 'ODK'
    list transport 'ODK_c'
    option enabled '1'
    option multiple_secrets '0'
    option authentication_method 'psk'
    option pre_shared_key '0xPASSWORD_HIDDEN'
    option gateway 'REMOTE_PEER'
    option force_crypto_proposal '0'
    list crypto_proposal 'ODK_ph1_1'

config connection 'ODK_c'
    option remote_firewall '0'
    option route_based_ipsec '0'
    option forceencaps '0'
    option aggressive '0'
    option defaultroute '0'
    option mode 'route'
    option keyexchange 'ikev2'
    option type 'tunnel'
    option force_crypto_proposal '0'
    option dpd '0'
    list crypto_proposal 'ODK_ph2_1'
    list local_subnet '10.255.12.8/29'
    option local_firewall '0'
    option comp_mode '1'
    option flush '1'
    list remote_subnet '10.82.120.12/32'

config proposal 'ODK_ph1_1'
    option encryption_algorithm 'aes256gcm16'
    option hash_algorithm 'sha512'
    option dh_group 'ecp384'

config proposal 'ODK_ph2_1'
    option encryption_algorithm 'aes256gcm16'
    option hash_algorithm 'sha256'
    option dh_group 'ecp384'

Set option mode to ‘start’ instead of ‘route’.
Or from the GUI Connection settings->General settings->Mode.

It gives me the same result.
swanmon list-sas gives the same output.

There is no option local_identifier nor remote_identifier specified in section config remote ‘ODK’.
Try a logread | grep ipsec; maybe the logs will give some clue about the cause.
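
The two points raised in the replies above (connection mode and missing identifiers in the remote section) can be checked directly against the UCI file. This is an added example, not part of the thread: `check_ipsec_uci` and `sample_config` are hypothetical names, and the sample config is constructed from the layout shown in the posts.

```sh
#!/bin/sh
# Added example (not from the thread). check_ipsec_uci and sample_config are
# hypothetical names; the option names are the ones visible in the posts.

check_ipsec_uci() {   # usage: check_ipsec_uci /etc/config/ipsec, or pipe the file on stdin
    awk -v sq="'" '
    function unq(s,  c) {             # strip one pair of surrounding quotes
        c = substr(s, 1, 1)
        if ((c == sq || c == "\"") && substr(s, length(s)) == c)
            return substr(s, 2, length(s) - 2)
        return s
    }
    function report() {               # emit findings for the section just parsed
        if (type == "remote") {
            if (opt["enabled"] != "1") print "remote " name ": not enabled"
            if (!("local_identifier" in opt))  print "remote " name ": local_identifier not set"
            if (!("remote_identifier" in opt)) print "remote " name ": remote_identifier not set"
        }
        # In the thread, mode route shows up as start_action = trap in swanctl.conf
        if (type == "connection" && opt["mode"] == "route")
            print "connection " name ": mode=route (trap policy; negotiation waits for matching traffic)"
        split("", opt)                # portable way to clear the array
    }
    $1 == "config" { report(); type = $2; name = unq($3) }
    $1 == "option" { opt[$2] = unq($3) }
    END            { report() }
    ' "$@"
}

sample_config() {     # constructed sample, trimmed from the layout shown in the thread
    cat <<'EOF'
config remote 'ODK'
    option enabled '1'
    option authentication_method 'psk'
    option gateway 'REMOTE_PEER'

config connection 'ODK_c'
    option mode 'route'
    option keyexchange 'ikev2'
EOF
}

# Prints one line per finding; no output means neither point applies.
sample_config | check_ipsec_uci
```

The script only reports what is or is not present in the file; whether either finding is the cause still has to be confirmed from the logread output.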