Thursday, October 21, 2010

IPSec VPN with AVM 7170 / 7270 and linux (Ubuntu) OpenSwan and Dnydns

With the current Firmware the AVM ADSL routers 7170 and 7270 support creating IPSec VPN's.
That makes them interesting for connecting remote offices, small point of sales etc. to the enterprise network, also when the remotes don't have a fixed IP address.

Unfortunately the documentation of the IPSEC stuff from AVM is "very limited".

TO get it working it's important to configure the correct settings in the VPN configuration file for the AVM routers.

The wizard for creating the VPN config files generates something like this:

vpncfg {
connections {
enabled = yes;
conn_type = conntype_lan;
name = "IP_OF_ENTERPRISE";
always_renew = no;
reject_not_encrypted = no;
dont_filter_netbios = yes;
localip = 0.0.0.0;
local_virtualip = 0.0.0.0;
remoteip = 0.0.0.0;
remote_virtualip = 0.0.0.0;
remotehostname = "remote.dyndns.org";
localid {
ipaddr = IP_OF_ENTERPRISE;
}
remoteid {
fqdn = "remote.dyndns.org";
}
mode = phase1_mode_aggressive;
phase1ss = "all/all/all";
keytype = connkeytype_pre_shared;
key = "**********";
cert_do_server_auth = no;
use_nat_t = no;
use_xauth = no;
use_cfgmode = no;
phase2localid {
ipnet {
ipaddr = 192.168.10.0;
mask = 255.255.255.0;
}
}
phase2remoteid {
ipnet {
ipaddr = 172.18.1.0;
mask = 255.255.255.0;
}
}
phase2ss = "esp-all-all/ah-none/comp-all/pfs";
accesslist = "permit ip any 172.18.1.0 255.255.255.0";
}
ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
"udp 0.0.0.0:4500 0.0.0.0:4500";
}


To be able to connect to a openswan/linux server, we have to twea some settings:


vpncfg {
connections {
enabled = yes;
conn_type = conntype_lan;
name = "IP_OF_ENTERPRISE";
always_renew = yes; // Make sure the connections autostarts
reject_not_encrypted = no;
dont_filter_netbios = yes;
localip = 0.0.0.0;
local_virtualip = 0.0.0.0;
remoteip = 0.0.0.0;
remote_virtualip = 0.0.0.0;
remotehostname = "remote.dyndns.org";
localid {
ipaddr = IP_OF_ENTERPRISE;
}
remoteid {
fqdn = "remote.dnydns.org";
}
mode = phase1_mode_idp; // Change this from aggressive to normal mode
phase1ss = "all/all/all";
keytype = connkeytype_pre_shared;
key = "**********";
cert_do_server_auth = no;
use_nat_t = no;
use_xauth = no;
use_cfgmode = no;
phase2localid {
ipnet {
ipaddr = 192.168.10.0;
mask = 255.255.255.0;
}
}
phase2remoteid {
ipnet {
ipaddr = 172.18.1.0;
mask = 255.255.255.0;
}
}
phase2ss = "esp-3des-sha/ah-no/comp-no/pfs"; // this is the compatible setting for openswan
accesslist = "permit ip any 172.18.1.0 255.255.255.0";
}
ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
"udp 0.0.0.0:4500 0.0.0.0:4500";
}


In the avm documentation you see the possible combinations of phase1ss and phase2ss. It is important to know, that ONLY the listed combinations work. So you can't use other non-listed combinations. (Took me a whole day to figure out)

On the openswan side you have to define a connection like this:


# VPN connection for remote.dyndns.org
conn remotedyndnsorg
right=remote.dyndns.org
rightid=@remote.dyndns.org
rightsubnet=172.18.1.0/24
left=IP_OF_ENTERPRISE
leftsubnet=192.168.10.0/24
auth=esp
pfs=yes
authby=secret
dpddelay = 20
dpdtimeout = 60
dpdaction=hold
auto=start
keyingtries = %forever
keylife=45m
rekey=yes
ikelifetime=20m
compress=no


and of course in the ipsec.secrets you have to add the PSK

Currently we have a problem, that when the fritz boxes receive a new public IP,
the openswan does not always update the IP address for the connection.
This can be partially solved by upgrading to a more recent openswan version (2.3.16 or newer), which does a dns resolve when the vpn tunnel breaks.
But sometimes it still hangs in a state where it receives IPsec packets and drops them because they do not match the old resolved ip.