How to manually deploy IKEv1 with PSK and Xauth VPN using strongSwan on OpenWrt

Why IPSec/IKEv1 PSK + Xauth instead of IPSec/IKEv2 PSK

In the built-in VPN settings, after I choose IPSec/IKEv2 PSK, it asks me to input an identifier, username and password, all mandatory, which I did not know how to set in strongSwan. Though IPSec/IKEv1 PSK + Xauth VPN has lower security and could be brute-force attacked offline, I believe using a 64-digit strong password is safe enough for me.

Manual IPSec VPN Deployment Guide

Based on luci-app-ipsec-vpnd source code analysis, this guide shows how to manually deploy IKEv1 with PSK and Xauth VPN using strongSwan on OpenWrt. This configuration replicates the exact functionality of luci-app-ipsec-vpnd without requiring the LuCI interface, making it compatible with official OpenWrt installations.

Step 1: Install Required Packages

opkg update
# For OpenWrt 24.10 compatibility - use libipsec for ipsec0 interface creation
opkg install strongswan-full strongswan-mod-xauth-generic strongswan-mod-kernel-libipsec kmod-tun

Step 2: Fix strongSwan UCI Plugin Issue

IMPORTANT: OpenWrt’s strongSwan uses a UCI plugin by default, but it often fails to load. We need to disable it first:

# Disable the broken UCI plugin
sed -i 's/load = yes/load = no/' /etc/strongswan.d/charon/uci.conf

Step 3: Configure /etc/ipsec.conf

Create the main IPSec configuration file with vpn0 interface binding:

vim /etc/ipsec.conf

# ipsec.conf - strongSwan IPsec configuration file

config setup
    strictcrlpolicy=no
    uniqueids=never

# IKEv1 PSK + Xauth connection with vpn0 interface binding
conn roadwarrior
    keyexchange=ikev1
    ike=aes128-sha1-modp2048,aes128-sha1-modp1024,3des-sha1-modp1024
    esp=aes128-sha1,3des-sha1
    left=%defaultroute
    leftauth=psk
    leftsubnet=0.0.0.0/0
    right=%any
    rightauth=psk
    rightauth2=xauth
    rightsourceip=10.10.10.100-10.10.10.200
    rightdns=192.168.5.1
    # No updown script needed - kernel-libipsec creates ipsec0 automatically
    auto=add

Step 4: Configure /etc/ipsec.secrets

Set up authentication credentials:

vim /etc/ipsec.secrets

# /etc/ipsec.secrets - strongSwan IPsec secrets file

# Pre-shared key for all connections
: PSK "your_preshared_key_here"

# Xauth user credentials (username : XAUTH "password")
vpnuser : XAUTH "your_password_here"
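An added example, not from the guide or from luci-app-ipsec-vpnd: a small POSIX sh helper that generates a random 64-character PSK and writes the secrets file in the format above with root-only permissions, refusing secrets shorter than the 20 characters the security notes recommend. The file path, user name and password are parameters; /dev/urandom is assumed to exist.

```shell
# Added example, not part of the original guide or luci-app-ipsec-vpnd.
# Assumes /dev/urandom; FILE, USER and PASSWORD are caller-supplied.

# gen_psk [LEN]: print LEN random characters from [A-Za-z0-9] (default 64).
gen_psk() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "${1:-64}"
}

# write_secrets FILE PSK USER PASSWORD
# Writes an ipsec.secrets with a wildcard PSK line and one XAUTH user.
# Rejects secrets shorter than 20 characters (IKEv1 PSK + Xauth can be
# brute-forced offline) and secrets containing '"', which would break the
# quoted syntax. The file is created readable by root only.
write_secrets() {
    file=$1 psk=$2 user=$3 pass=$4
    if [ "${#psk}" -lt 20 ] || [ "${#pass}" -lt 20 ]; then
        echo "refusing: PSK and XAUTH password must be at least 20 characters" >&2
        return 1
    fi
    case "$psk$pass" in
        *'"'*) echo 'refusing: secrets must not contain "' >&2; return 1 ;;
    esac
    (
        umask 077                     # subshell keeps the umask change local
        {
            printf '# /etc/ipsec.secrets - strongSwan IPsec secrets file\n'
            printf ': PSK "%s"\n' "$psk"
            printf '%s : XAUTH "%s"\n' "$user" "$pass"
        } >"$file"
    ) || return 1
    chmod 600 "$file"   # fix perms if the file already existed as 644
}

# Typical use on the router (uncomment to run):
# psk=$(gen_psk) && write_secrets /etc/ipsec.secrets "$psk" vpnuser "$xauth_pw"
```

Keep a copy of the generated PSK somewhere safe: it must be typed into every client once and cannot be recovered from the router if the file is lost.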

Step 5: Configure strongSwan daemon (/etc/strongswan.conf)

vim /etc/strongswan.conf

# strongswan.conf - strongSwan configuration file

charon {
    load_modular = yes
    install_routes = no
    install_virtual_ip = yes

    plugins {
        # Use libipsec for ipsec0 interface creation (required for LuCI monitoring)
        kernel-libipsec {
            load = yes
        }
        kernel-netlink {
            load = no
        }
        include /etc/strongswan.d/charon/*.conf
    }

    syslog {
        identifier = ipsec
        daemon {
            default = 0
        }
        auth {
            default = 0
        }
    }
}

include /etc/strongswan.d/*.conf

Step 6: Enable IP Forwarding

# Enable IP forwarding
echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
sysctl -p

# Enable proxy ARP (required for VPN client routing)
echo 1 > /proc/sys/net/ipv4/conf/br-lan/proxy_arp

Step 7: Start and Test strongSwan Service

CRITICAL: You must completely stop any existing strongSwan processes first:

# Stop strongSwan completely
/etc/init.d/ipsec stop
killall -9 charon starter 2>/dev/null
rm -f /var/run/charon.pid /var/run/starter.charon.pid

# Start strongSwan fresh
/etc/init.d/ipsec start
# Enable on boot
/etc/init.d/ipsec enable
# wait 5 seconds
sleep 5
# Verify connection is loaded
ipsec statusall | grep -A 10 "Connections:"

Expected output should show:

Connections:
roadwarrior: %any...%any IKEv1
roadwarrior: local: uses pre-shared key authentication
roadwarrior: remote: uses pre-shared key authentication
roadwarrior: remote: uses XAuth authentication: any
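An added example, not part of the original guide: POSIX sh checks that confirm Steps 2, 4, 6 and 7 actually took effect on the router. Each function takes a root prefix (use / on the router) so the checks can also run against a staging copy of the tree; the last one reads `ipsec statusall` output on stdin and looks for the four lines shown above. The file paths are those used in this guide.

```shell
# Added example, not part of the original guide. ROOT is a path prefix
# (use "/" on the router); only the guide's own file paths are assumed.

# Step 2: the UCI plugin must be switched off (uncommented "load = no").
check_uci_plugin_disabled() {
    grep -Eq '^[[:space:]]*load[[:space:]]*=[[:space:]]*no' \
        "$1/etc/strongswan.d/charon/uci.conf"
}

# Step 4: secrets file exists, holds a PSK and an XAUTH user, root-only perms.
check_secrets() {
    f="$1/etc/ipsec.secrets"
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    grep -q '^: PSK "' "$f"    || { echo "no PSK line in $f" >&2; return 1; }
    grep -q ' : XAUTH "' "$f"  || { echo "no XAUTH user in $f" >&2; return 1; }
    case "$(ls -l "$f" | cut -c2-10)" in
        rw-------) return 0 ;;
        *) echo "$f is readable by non-root users" >&2; return 1 ;;
    esac
}

# Step 6: forwarding is on (sysctl -p must have applied the setting).
check_forwarding() {
    [ "$(cat "$1/proc/sys/net/ipv4/ip_forward" 2>/dev/null)" = "1" ]
}

# Step 7: parse `ipsec statusall` (stdin) for the roadwarrior connection:
# IKEv1, PSK on both sides and XAuth required from the remote peer.
# Patterns are loose because real output also prints identities/addresses.
check_statusall() {
    out=$(cat)
    for pat in 'roadwarrior:.*IKEv1' \
               'roadwarrior:.*local:.*uses pre-shared key' \
               'roadwarrior:.*remote:.*uses pre-shared key' \
               'roadwarrior:.*remote:.*uses XAuth'; do
        printf '%s\n' "$out" | grep -q "$pat" \
            || { echo "statusall missing: $pat" >&2; return 1; }
    done
}

# On the router (uncomment to run):
# check_uci_plugin_disabled / && check_secrets / && check_forwarding / \
#   && ipsec statusall | check_statusall && echo "deployment checks passed"
```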

Step 8: Configure VPN Interface for LuCI Monitoring

The kernel-libipsec module automatically creates the ipsec0 interface when VPN connections are established. Configure the network interface for LuCI monitoring:

# Edit network configuration
vim /etc/config/network

Add the VPN interface configuration to /etc/config/network:

# VPN interface configuration - manually created ipsec0 for monitoring
config interface 'VPN'
    option device 'ipsec0'
    option proto 'static'
    option ipaddr '10.10.10.1'
    option netmask '255.255.255.0'

Apply the network configuration:

# Reload network configuration
/etc/init.d/network reload

Step 9: Configure Firewall for VPN Traffic (Based on Official Implementation)

Edit the firewall configuration (based on official luci-app-ipsec-vpnd):

# Edit firewall configuration with vim
vim /etc/config/firewall

Add the following sections to your firewall config (following official implementation):

# IPSec protocol rules (IKE)
config rule
    option name 'ike'
    option target 'ACCEPT'
    option src 'wan'
    option proto 'udp'
    option dest_port '500'

# IPSec NAT-T rule
config rule
    option name 'ipsec'
    option target 'ACCEPT'
    option src 'wan'
    option proto 'udp'
    option dest_port '4500'

# Authentication Header protocol
config rule
    option name 'ah'
    option target 'ACCEPT'
    option src 'wan'
    option proto 'ah'

# Encapsulating Security Payload protocol
config rule
    option name 'esp'
    option target 'ACCEPT'
    option src 'wan'
    option proto 'esp'

# VPN zone configuration (matches official implementation)
config zone
    option name 'VPN'
    option input 'ACCEPT'
    option forward 'ACCEPT'
    option output 'ACCEPT'
    option network 'VPN'
    list device 'ipsec0'

# VPN to WAN forwarding (for internet access)
config forwarding
    option name 'vpn'
    option dest 'wan'
    option src 'VPN'

# VPN to LAN forwarding (for accessing LAN devices like RDP)
config forwarding
    option name 'vpn_to_lan'
    option dest 'lan'
    option src 'VPN'

After editing, save and exit vim (:wq), then apply all configuration changes:

# Reload firewall
/etc/init.d/firewall restart

# Restart strongSwan with new configuration
/etc/init.d/ipsec stop
killall -9 charon starter 2>/dev/null
rm -f /var/run/charon.pid /var/run/starter.charon.pid
/etc/init.d/ipsec start

Key Parameters to Customize

Based on the source code analysis:

  1. Client IP Range: Uses rightsourceip=10.10.10.100-10.10.10.200 (separate VPN subnet)
  2. DNS Server: Set to rightdns=192.168.5.1 (VPN gateway as DNS)
  3. Pre-shared Key: Modify in /etc/ipsec.secrets
  4. Username/Password: Add users in /etc/ipsec.secrets

Client Configuration

For iOS/Android native clients, use these settings:

  • Server: Your router’s public IP (e.g., 1.2.3.4)
  • Account: vpnuser (from ipsec.secrets)
  • Password: your_password_here (from ipsec.secrets)
  • PSK: your_preshared_key_here (your PSK from ipsec.secrets)

Expected behavior:

  • ✅ VPN connects successfully
  • ✅ Can access internal LAN devices (e.g., 192.168.5.x)
  • ✅ Can access internet sites
  • ✅ VPN traffic visible in LuCI interface statistics
  • ✅ ipsec0 interface shows automatically in Network > Interfaces with bandwidth graphs

Source Code Reference

This configuration is extracted from:

  • Package: luci-app-ipsec-vpnd
  • Location: /feeds/luci/applications/luci-app-ipsec-vpnd/
  • Key files analyzed:
    • root/etc/init.d/ipsec-vpnd (lines 382-412: ipsec.conf generation)
    • root/etc/init.d/ipsec-vpnd (lines 408-412: ipsec.secrets generation)
    • root/etc/config/ipsec-vpnd (default configuration values)
    • htdocs/luci-static/resources/view/ipsec-vpnd.js (web interface parameters)

Dependencies

For OpenWrt 24.10:

  • strongswan-full - Full strongSwan package (replaces separate minimal packages)
  • strongswan-mod-xauth-generic - Xauth authentication module
  • strongswan-mod-kernel-libipsec - Kernel libipsec interface (creates ipsec0 for monitoring)
  • kmod-tun - TUN kernel module

OpenWrt 24.10 Specific Changes

  • Uses strongswan-full instead of separate packages
  • Disables broken UCI plugin that prevents configuration loading
  • Uses libipsec kernel interface to create ipsec0 for LuCI monitoring
  • Separate VPN subnet (10.10.10.0/24) for better network isolation
  • Enhanced firewall rules with explicit family settings and NAT

Security Notes

  • Use strong passwords (minimum 20 characters)