OpenWRT: Microsoft Azure to Cloudera CDH via VPN Gateway
Configuring StrongSwan on DD-WRT ( Partially working. Cannot ping Azure VPN's due to missing kernel modules. Can ping from Azure VPN to on-prem. )
Let's continue by configuring the local on-prem VPN Gateway. In this case, DD-WRT is being used as the public-facing router. This gives us some capabilities not typically available from your default router configuration GUI. To allow us the use of additional packages, an additional external USB storage was added earlier giving us roughly 4GB of additional space.
root@DD-WRT-INTERNET-ASUS:~# df -h
Filesystem Size Used Available Use% Mounted on
/dev/root 26.1M 26.1M 0 100% /
/dev/mtdblock/4 96.0M 2.4M 93.6M 2% /jffs
/dev/sda 3.8G 44.8M 3.5G 1% /opt
root@DD-WRT-INTERNET-ASUS:~#
The extra storage is added via Entware. The topic of configuring Entware is beyond the focus of this article and is environment-specific. Once you do, proceed to refresh the package list and install StrongSwan. StrongSwan allows the use of IKEv2 and IKE protocols. MS Azure only works with these protocols. OpenVPN is a competing VPN technology so despite running it here alongside StrongSwan, it won't be covered since it won't work with MS Azure.
root@DD-WRT-INTERNET-ASUS:/opt# opkg update
Downloading http://bin.entware.net/armv7sf-k3.2/Packages.gz
Updated list of available packages in /opt/var/opkg-lists/entware
root@DD-WRT-INTERNET-ASUS:/opt#
If the above doesn't work, check your firewall settings and your DNS resolution settings. DNS resolution was enabled and expected to work fine however the local firewall blocked all DNS resolutions. A few firewall rules were needed:
# ---------------------- # DNS - Allow CLI DNS Resolution on router. # ---------------------- iptables -A INPUT -s $(nvram get wan_ipaddr) -d $(nvram get lan_ipaddr) -p udp --dport 53 -j ACCEPT iptables -A INPUT -s $(nvram get wan_ipaddr) -d $(nvram get lan_ipaddr) -p tcp --dport 53 -j ACCEPT
Once the above works, proceed to install and configure the StrongSwan binaries and corresponding configuration files. There are quite a few packages so our installation will install all available StrongSwan packages:
root@DD-WRT-INTERNET-ASUS:~# opkg install $(opkg list *strongswan*|awk '{ print $1 }'|tr '\n' ' ')
Package strongswan (5.8.2-1) installed in root is up to date.
Package strongswan-charon (5.8.2-1) installed in root is up to date.
Package strongswan-ipsec (5.8.2-1) installed in root is up to date.
Package strongswan-libtls (5.8.2-1) installed in root is up to date.
Package strongswan-mod-addrblock (5.8.2-1) installed in root is up to date.
Package strongswan-mod-aes (5.8.2-1) installed in root is up to date.
Package strongswan-mod-af-alg (5.8.2-1) installed in root is up to date.
Package strongswan-mod-agent (5.8.2-1) installed in root is up to date.
Package strongswan-mod-attr (5.8.2-1) installed in root is up to date.
Package strongswan-mod-attr-sql (5.8.2-1) installed in root is up to date.
Package strongswan-mod-blowfish (5.8.2-1) installed in root is up to date.
Package strongswan-mod-ccm (5.8.2-1) installed in root is up to date.
Package strongswan-mod-cmac (5.8.2-1) installed in root is up to date.
Package strongswan-mod-constraints (5.8.2-1) installed in root is up to date.
Package strongswan-mod-coupling (5.8.2-1) installed in root is up to date.
Package strongswan-mod-ctr (5.8.2-1) installed in root is up to date.
Package strongswan-mod-curl (5.8.2-1) installed in root is up to date.
Package strongswan-mod-curve25519 (5.8.2-1) installed in root is up to date.
Package strongswan-mod-des (5.8.2-1) installed in root is up to date.
Package strongswan-mod-dhcp (5.8.2-1) installed in root is up to date.
Package strongswan-mod-dnskey (5.8.2-1) installed in root is up to date.
Package strongswan-mod-duplicheck (5.8.2-1) installed in root is up to date.
Package strongswan-mod-eap-identity (5.8.2-1) installed in root is up to date.
Package strongswan-mod-eap-md5 (5.8.2-1) installed in root is up to date.
Package strongswan-mod-eap-mschapv2 (5.8.2-1) installed in root is up to date.
Package strongswan-mod-eap-radius (5.8.2-1) installed in root is up to date.
Package strongswan-mod-eap-tls (5.8.2-1) installed in root is up to date.
Package strongswan-mod-farp (5.8.2-1) installed in root is up to date.
Package strongswan-mod-fips-prf (5.8.2-1) installed in root is up to date.
Package strongswan-mod-gcm (5.8.2-1) installed in root is up to date.
Package strongswan-mod-gcrypt (5.8.2-1) installed in root is up to date.
Package strongswan-mod-gmp (5.8.2-1) installed in root is up to date.
Package strongswan-mod-gmpdh (5.8.2-1) installed in root is up to date.
Package strongswan-mod-ha (5.8.2-1) installed in root is up to date.
Package strongswan-mod-hmac (5.8.2-1) installed in root is up to date.
Package strongswan-mod-kernel-libipsec (5.8.2-1) installed in root is up to date.
Package strongswan-mod-kernel-netlink (5.8.2-1) installed in root is up to date.
Package strongswan-mod-ldap (5.8.2-1) installed in root is up to date.
Package strongswan-mod-led (5.8.2-1) installed in root is up to date.
Package strongswan-mod-load-tester (5.8.2-1) installed in root is up to date.
Package strongswan-mod-md4 (5.8.2-1) installed in root is up to date.
Package strongswan-mod-md5 (5.8.2-1) installed in root is up to date.
Package strongswan-mod-mysql (5.8.2-1) installed in root is up to date.
Package strongswan-mod-nonce (5.8.2-1) installed in root is up to date.
Package strongswan-mod-openssl (5.8.2-1) installed in root is up to date.
Package strongswan-mod-pem (5.8.2-1) installed in root is up to date.
Package strongswan-mod-pgp (5.8.2-1) installed in root is up to date.
Package strongswan-mod-pkcs1 (5.8.2-1) installed in root is up to date.
Package strongswan-mod-pkcs11 (5.8.2-1) installed in root is up to date.
Package strongswan-mod-pkcs12 (5.8.2-1) installed in root is up to date.
Package strongswan-mod-pkcs7 (5.8.2-1) installed in root is up to date.
Package strongswan-mod-pkcs8 (5.8.2-1) installed in root is up to date.
Package strongswan-mod-pubkey (5.8.2-1) installed in root is up to date.
Package strongswan-mod-random (5.8.2-1) installed in root is up to date.
Package strongswan-mod-rc2 (5.8.2-1) installed in root is up to date.
Package strongswan-mod-resolve (5.8.2-1) installed in root is up to date.
Package strongswan-mod-revocation (5.8.2-1) installed in root is up to date.
Package strongswan-mod-sha1 (5.8.2-1) installed in root is up to date.
Package strongswan-mod-sha2 (5.8.2-1) installed in root is up to date.
Package strongswan-mod-smp (5.8.2-1) installed in root is up to date.
Package strongswan-mod-socket-default (5.8.2-1) installed in root is up to date.
Package strongswan-mod-socket-dynamic (5.8.2-1) installed in root is up to date.
Package strongswan-mod-sql (5.8.2-1) installed in root is up to date.
Package strongswan-mod-sqlite (5.8.2-1) installed in root is up to date.
Package strongswan-mod-sshkey (5.8.2-1) installed in root is up to date.
Package strongswan-mod-stroke (5.8.2-1) installed in root is up to date.
Package strongswan-mod-test-vectors (5.8.2-1) installed in root is up to date.
Package strongswan-mod-unity (5.8.2-1) installed in root is up to date.
Package strongswan-mod-updown (5.8.2-1) installed in root is up to date.
Package strongswan-mod-vici (5.8.2-1) installed in root is up to date.
Package strongswan-mod-whitelist (5.8.2-1) installed in root is up to date.
Package strongswan-mod-x509 (5.8.2-1) installed in root is up to date.
Package strongswan-mod-xauth-eap (5.8.2-1) installed in root is up to date.
Package strongswan-mod-xauth-generic (5.8.2-1) installed in root is up to date.
Package strongswan-mod-xcbc (5.8.2-1) installed in root is up to date.
Package strongswan-pki (5.8.2-1) installed in root is up to date.
Package strongswan-scepclient (5.8.2-1) installed in root is up to date.
Package strongswan-swanctl (5.8.2-1) installed in root is up to date.
root@DD-WRT-INTERNET-ASUS:~#
Create the configuration file /opt/etc/ipsec.conf: Notice in our case we're mapping multiple subnets to further subnets. 10 VLAN's in total.
root@DD-WRT-INTERNET-ASUS:~# cat /opt/etc/ipsec.conf
# ipsec.conf – strongSwan IPsec configuration file
# basic configuration
config setup
# strictcrlpolicy=yes
# uniqueids = no
# Add connections here.
conn AZURE
authby=secret
auto=start
type=tunnel
keyexchange=ikev2
keylife=3600s
ikelifetime=28800s
left=123.123.123.123 # IP address of your on-premises gateway
leftsubnets={ 192.168.0.0/24, 10.0.0.0/24, 10.1.0.0/24, 10.2.0.0/24, 10.3.0.0/24, } # Network subnet located on-premises
#leftnexthop=%defaultroute
right=100.100.100.100 # Azure VPN gateway IP address
rightsubnets={ 10.1.1.0/24, 10.1.2.0/24, 10.1.3.0/24, 10.1.4.0/24, 192.168.1.0/24, } # Azure network subnet defined in cloud
ike=aes256-sha1-modp1024
esp=aes256-sha1
root@DD-WRT-INTERNET-ASUS:~#
Create the configuration file /opt/etc/strongswan.conf :
root@DD-WRT-INTERNET-ASUS:~# cat /opt/etc/strongswan.conf
# strongswan.conf – strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files
# Verbosity levels
# -1: Absolutely silent
# 0: Very basic auditing logs, (e.g. SA up/SA down)
# 1: Generic control flow with errors, a good default to see whats going on
# 2: More detailed debugging control flow
# 3: Including RAW data dumps in Hex
# 4: Also include sensitive material in dumps, e.g. keys
charon {
load_modular = yes
plugins {
include strongswan.d/charon/*.conf
}
filelog {
charon {
path = /opt/tmp/charon.log
time_format = %b %e %T
append = no
default = 0 # in case troubleshoot is required switch this to 2
}
stderr {
ike = 0 # in case troubleshoot is required switch this to 2
knl = 0 # in case troubleshoot is required switch this to 3
ike_name = yes
}
}
syslog {
# enable logging to LOG_DAEMON, use defaults
daemon {
}
# minimalistic IKE auditing logging to LOG_AUTHPRIV
auth {
default = 0 # in case troubleshoot is required switch this to 2
ike = 0 # in case troubleshoot is required switch this to 2
}
}
}
include strongswan.d/*.conf
root@DD-WRT-INTERNET-ASUS:~#
Configure the private key between locations:
root@DD-WRT-INTERNET-ASUS:~# cat /opt/etc/ipsec.secrets
# /etc/ipsec.secrets – strongSwan IPsec secrets file
123.123.123.123 100.100.100.100 : PSK "<PRIVATE KEY / Ex>"
root@DD-WRT-INTERNET-ASUS:~#
A private key can really be anything. A passphrase or randomly generated string. In our case, I used the openssl utility to generate some random characters:
openssl genrsa -aes256 4096
Start StrongSwan:
root@DD-WRT-INTERNET-ASUS:~# ipsec start
/opt/etc/strongswan.conf:19: syntax error, unexpected ., expecting : or '{' or '=' [.]
invalid config file '/opt/etc/strongswan.conf'
abort initialization due to invalid configuration
Starting strongSwan 5.8.2 IPsec [starter]…
# unknown keyword 'leftsubnets'
# unknown keyword 'rightsubnets'
### 2 parsing errors (0 fatal) ###
root@DD-WRT-INTERNET-ASUS:~#
The above issue resulted in the use of:
/opt/tmp/charon.log {
time_format = %b %e %T
append = no
default = 0 # in case troubleshoot is required switch this to 2
}
instead of:
charon {
path = /opt/tmp/charon.log
time_format = %b %e %T
append = no
default = 0 # in case troubleshoot is required switch this to 2
}
Looking up the proper syntax on the StrongSwan pages, quickly revealed the issue.
root@DD-WRT-INTERNET-ASUS:~# ipsec start
Starting strongSwan 5.8.2 IPsec [starter]…
# unknown keyword 'leftsubnets'
# unknown keyword 'rightsubnets'
### 2 parsing errors (0 fatal) ###
root@DD-WRT-INTERNET-ASUS:~#
Check the above errors:
leftsubnet={ 192.168.0.0/24, 10.0.0.0/24, 10.1.0.0/24, 10.2.0.0/24, 10.3.0.0/24, } # Network subnet located on-premises
rightsubnet={ 10.1.1.0/24, 10.1.2.0/24, 10.1.3.0/24, 10.1.4.0/24, 192.168.1.0/24, } # Azure network subnet defined in cloud
Check the connection status:
root@DD-WRT-INTERNET-ASUS:~# ipsec status
Security Associations (0 up, 1 connecting):
AZURE[1]: CONNECTING, 123.123.123.123[%any]…100.100.100.100[%any]
root@DD-WRT-INTERNET-ASUS:~#
Check port status:
root@DD-WRT-INTERNET-ASUS:~# netstat -pnltu
udp 0 0 0.0.0.0:4500 0.0.0.0:* 9858/charon
udp 0 0 0.0.0.0:500 0.0.0.0:* 9858/charon
Verify the Azure connection is established:
root@DD-WRT-INTERNET-ASUS:~# ipsec status
Security Associations (1 up, 0 connecting):
AZURE[1]: ESTABLISHED 15 seconds ago, 123.123.123.123[123.123.123.123]…100.100.100.100[100.100.100.100]
root@DD-WRT-INTERNET-ASUS:~#
Partially working connection example:
root@DD-WRT-INTERNET-ASUS:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.8.4, Linux 4.4.228, armv7l):
uptime: 9 seconds, since Aug 17 01:53:15 2020
malloc: sbrk 937984, mmap 0, used 444552, free 493432
worker threads: 6 of 16 idle, 6/0/4/0 working, job queue: 0/0/0/0, scheduled: 4
loaded plugins: charon test-vectors ldap pkcs11 aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp gmpdh curve25519 agent xcbc cmac hmac ctr ccm gcm curl mysql sqlite attr kernel-libipsec kernel-netlink resolve socket-default socket-dynamic farp stroke vici smp updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap dhcp whitelist led duplicheck addrblock unity
Listening IP addresses:
123.123.123.123
192.168.0.6
192.168.45.1
192.168.75.1
10.1.1.1
Connections:
azure-s2s: 123.123.123.123…100.100.100.100 IKEv2
azure-s2s: local: [123.123.123.123] uses pre-shared key authentication
azure-s2s: remote: [100.100.100.100] uses pre-shared key authentication
azure-s2s: child: 192.168.0.0/24 10.0.0.0/24 10.1.0.0/24 10.2.0.0/24 10.3.0.0/24 === 10.1.10.0/24 10.1.20.0/24 10.1.30.0/24 10.1.40.0/24 10.1.50.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
azure-s2s[1]: ESTABLISHED 9 seconds ago, 123.123.123.123[123.123.123.123]…100.100.100.100[100.100.100.100]
azure-s2s[1]: IKEv2 SPIs: 727910c74c97c4f7_i* 246b30808b655d4f_r, pre-shared key reauthentication in 7 hours
azure-s2s[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
root@DD-WRT-INTERNET-ASUS:~#
root@DD-WRT-INTERNET-ASUS:~#
root@DD-WRT-INTERNET-ASUS:~# tcpdump -n | grep "100.100.100.100"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
01:52:46.939919 IP 100.100.100.100.500 > 123.123.123.123.500: isakmp: parent_sa ikev2_init[I]
01:52:46.942237 IP 123.123.123.123.500 > 100.100.100.100.500: isakmp: parent_sa ikev2_init[R]
01:53:15.542124 IP 123.123.123.123.500 > 100.100.100.100.500: isakmp: parent_sa ikev2_init[I]
01:53:15.788923 IP 100.100.100.100.500 > 123.123.123.123.500: isakmp: parent_sa ikev2_init[R]
01:53:15.815089 IP 123.123.123.123.4500 > 100.100.100.100.4500: NONESP-encap: isakmp: child_sa ikev2_auth[I]
01:53:15.885460 IP 100.100.100.100.4500 > 123.123.123.123.4500: NONESP-encap: isakmp: child_sa ikev2_auth[R]
01:53:15.897198 IP 123.123.123.123.4500 > 100.100.100.100.4500: NONESP-encap: isakmp: child_sa inf2[I]
01:53:16.033531 IP 100.100.100.100.4500 > 123.123.123.123.4500: NONESP-encap: isakmp: child_sa inf2[R]
01:53:29.896597 IP 100.100.100.100.4500 > 123.123.123.123.4500: NONESP-encap: isakmp: parent_sa inf2
01:53:29.898312 IP 123.123.123.123.4500 > 100.100.100.100.4500: NONESP-encap: isakmp: parent_sa inf2[IR]
01:53:43.911332 IP 100.100.100.100.4500 > 123.123.123.123.4500: NONESP-encap: isakmp: child_sa inf2
01:53:43.912866 IP 123.123.123.123.4500 > 100.100.100.100.4500: NONESP-encap: isakmp: child_sa inf2[IR]
01:53:46.752478 IP 123.123.123.123.4500 > 100.100.100.100.4500: NONESP-encap: isakmp: child_sa inf2[I]
01:53:46.804053 IP 100.100.100.100.4500 > 123.123.123.123.4500: NONESP-encap: isakmp: child_sa inf2[R]
01:53:46.804216 IP 123.123.123.123 > 100.100.100.100: ICMP 123.123.123.123 udp port 4500 unreachable, length 116
The reason why the above was not working is because the DD-WRT software didn't have kernel modules loaded. Was not precompiled with necessary kernel modules to create proper connectivity out. The kernel modules required by StrongSwan are listed on the following StrongSwan Kernel Modules page.
Threads I've posted that deal with this include:
OpenWRT: Pestering the forums for some kernel modules (grasping at straws here):
https://forum.openwrt.org/t/dd-wrt-strongswan-ipsec-w-xfrm/67835
DD-WRT: Created a thread to try and get proper kernel support for modules I need. Failed to get anything:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=325479&postdays=0&postorder=asc&start=0&sid=ec3614842ab2e85093510184ae76bc90
DD-WRT: Attempted to recompile the DD-WRT kernel. Failed miserably:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=269372&postdays=0&postorder=asc&start=255
DD-WRT: Shameless bragging about the capabilities of my router.
https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1208923
