Opened 2 years ago
Last modified 9 months ago
#2065 reopened
Request to add Openswan Package to support IPsec
| Reported by: | jumran | Owned by: | |
|---|---|---|---|
| Keywords: | ipsec | Cc: | dd-wrt@… |
Description
Is it possible to add an IPsec server feature to DD-WRT using the Openswan package or any other method? There seems to be OpenWrt support in place already for Openswan, so it should be easy to port. If there are file size restrictions, this could be added only to mega builds or as an alternate version for higher-capacity flash routers such as the Asus RT-N16. It could also be added as a special version in place of OpenVPN.
http://www.openswan.org/ http://www.dd-wrt.com/wiki/index.php/OpenSwan
Change History (10)
comment:1 Changed 2 years ago by Sash
- Resolution set to wontfix
- Status changed from new to closed
comment:2 Changed 2 years ago by jumran
IPsec offers better client compatibility and has some other benefits over OpenVPN. Why not let the end user decide if they want a build with OpenVPN or IPsec?
comment:3 Changed 2 years ago by jumran
- Resolution wontfix deleted
- Status changed from closed to reopened
comment:4 Changed 2 years ago by BrainSlayer
IPsec is simply incompatible with anything. IPsec needs deep system kernel changes. There are various non-interoperable protocol variants. It's simply incompatible with anything. OpenVPN will always work with OpenVPN, no matter which version is installed on each side. IPsec is no option for secure networks since it has too many breakpoints, and it's also not working well on low-memory consumer end devices, since the required kernel patches are very big and memory-consuming, as is Openswan itself.
comment:5 Changed 2 years ago by ddwrtchris
Hi,
> IPSec offers better Client compatibility
All my tests in the past with IPsec convinced me that I was right to use OpenVPN.
The server side, i.e. for Windows, is a pain in the butt. I don't really think that IPsec + L2TP is something somebody really needs.
> and has some other benefits over OpenVPN?
Convince me with details please.
Ciao Chris
comment:6 Changed 22 months ago by Sash
- Resolution set to wontfix
- Status changed from reopened to closed
comment:7 Changed 10 months ago by zanfur
Chris:
I think your information is about 8 years out of date. The patches used to be huge and unwieldy; now no patches are required whatsoever. It was put into the vanilla Linux kernel in 2.5.47, in 2002. You can't easily use it in the old 2.4 images, but in the 2.6 images it's really dead simple.
You asked for info on the benefits over OpenVPN.
OpenVPN is *not* natively supported by:
- Windows
- MacOS
- mainstream Linux distributions (RedHat/CentOS/Debian/Ubuntu/SuSE/Slackware...)
- iPhone/iPad
- Android
- cisco
- AWS virtual private clouds
Windows, MacOS, and mainstream Linux distributions have OpenVPN clients, but the rest simply can't use OpenVPN without serious warranty-voiding hackery, if at all.
IPSec (specifically IKEv2/L2TP) is natively supported by all of the above. It's also a mandatory part of IPv6 implementations, so you will only see the list of natively supported devices grow.
Additionally, with IPSec you get policy encryption: instead of "maintaining tunnels", the IPsec traffic is just routed normally, and each side knows what to do when an encrypted packet arrives, meaning you can set up site-to-site tunnels where there is no server and there is no client, just matching policies that are used when requested. OpenVPN does not have this functionality: one side must be listening for connections, and the other side must reach out and connect. Also, it is impossible to make OpenVPN "automatically connect when required" without substantial hackery with iptables ULOG and a watching daemon or similar setup, but you get it "for free" with the Linux policy-based IPsec implementation, which just invokes the tunnel renegotiation if necessary upon needing to route a packet there. Even more, it scales to multiple tunnels much better than OpenVPN, as each packet is processed by the same policy-match algorithm, instead of requiring a separate daemon (or at the very least a tun device) for each static tunnel.
Looking in the other direction, IPSec (once again, specifically IKEv2/L2TP) can literally achieve everything that OpenVPN can achieve. PSK or PKI authentication, routed or bridged, rotating or static secrets, autonegotiation of best possible security, modular crypto plugins, everything.
The best part of IPSec on DD-WRT is that the only thing DD-WRT needs to do in order to allow Optware packages to provide the entirety of the functionality is to add the following line to the relevant linux/*/.config_std:
CONFIG_XFRM=y
The rest may be compiled as modules and included with optware packages. In fact, the existing strongswan ipkg attempts to load the relevant modules already.
I have personally added IPSec kernel support to the Shibby_097 build of TomatoUSB, *including* all relevant modules, and it increased the image size 57653 bytes. DD-WRT uses the same kernel, so I expect it would be the same. Doing the bare minimum as specified above added only 8469 bytes. I'm in the middle of attempting to set up a build environment for DD-WRT to do the same and submit a patch. I'm using the existing strongswan package, which takes up 1.51m on my jffs2 partition.
In short:
- Enabling others to add support for you will add 8.3k to the image
- Adding full kernel support yourself will add 56.3k to the image
- Adding full binary support to the image will add 1.57m
The time-consuming part would be coming up with a gui for it, but I think most people wanting IPSec would be quite happy to just create startup scripts at first. If you're at all interested in allowing it to happen, I'll gladly share my work so it can be distributed to others.
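As an added illustration of the kernel-config point made in the comment above (this is not zanfur's script or any DD-WRT build code), the following POSIX shell snippet classifies a kernel .config as having no IPsec support, only the built-in CONFIG_XFRM framework, or the full protocol options. The list of "full" symbols is an assumption for illustration; a given 2.6 tree may use a slightly different set, and the sample .config fragments are constructed, not taken from a real build.

```shell
#!/bin/sh
# Classify a Linux kernel .config by how much IPsec support it builds in.
#   none    - CONFIG_XFRM absent or "is not set"
#   minimal - CONFIG_XFRM=y only: the transform framework is built in, so
#             ESP/AH and friends can be supplied later as out-of-image modules
#   full    - CONFIG_XFRM=y plus the protocol options, each as =y or =m
# Assumption: this option list is illustrative; a particular kernel tree may
# name a slightly different set of IPsec symbols.
IPSEC_FULL_OPTS="CONFIG_XFRM_USER CONFIG_NET_KEY CONFIG_INET_AH CONFIG_INET_ESP CONFIG_INET_XFRM_MODE_TUNNEL"

# kconfig_value FILE SYMBOL: prints y, m or n for that symbol
kconfig_value() {
    _v=$(sed -n "s/^$2=\([ym]\)\$/\1/p" "$1" | tail -n 1)
    if [ -n "$_v" ]; then printf '%s\n' "$_v"; else printf 'n\n'; fi
}

# classify_ipsec_kconfig FILE: prints none|minimal|full; exit status 1 when none
classify_ipsec_kconfig() {
    if [ "$(kconfig_value "$1" CONFIG_XFRM)" != y ]; then echo none; return 1; fi
    for _opt in $IPSEC_FULL_OPTS; do
        if [ "$(kconfig_value "$1" "$_opt")" = n ]; then echo minimal; return 0; fi
    done
    echo full
}

# Constructed sample .config fragments (not from any real DD-WRT or Tomato build)
SAMPLE_DIR=$(mktemp -d)
printf '# CONFIG_XFRM is not set\nCONFIG_NETFILTER=y\n' > "$SAMPLE_DIR/none.config"
printf 'CONFIG_XFRM=y\n# CONFIG_XFRM_USER is not set\n# CONFIG_INET_ESP is not set\n' \
    > "$SAMPLE_DIR/minimal.config"
{
    echo 'CONFIG_XFRM=y'; echo 'CONFIG_XFRM_USER=m'; echo 'CONFIG_NET_KEY=m'
    echo 'CONFIG_INET_AH=m'; echo 'CONFIG_INET_ESP=m'; echo 'CONFIG_INET_XFRM_MODE_TUNNEL=m'
} > "$SAMPLE_DIR/full.config"

# Report each sample; on a real build you would point this at linux/*/.config_std
for f in "$SAMPLE_DIR"/*.config; do
    echo "$(basename "$f"): $(classify_ipsec_kconfig "$f")"
done
```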
comment:8 Changed 10 months ago by zanfur
- Cc dd-wrt@… added
- Resolution wontfix deleted
- Status changed from closed to reopened
comment:9 Changed 10 months ago by zanfur
- Keywords ipsec added
comment:10 Changed 9 months ago by beren
I would also like to voice my support for the modules to be built, even as a separate package in Optware. With the latest DEFCON tools, cracking pptpd is even more trivial than it was before. See http://www.techworld.com.au/article/432039/tools_released_defcon_can_crack_widely_used_pptp_encryption_under_day for info. Even Microsoft is saying to avoid pptpd: http://www.computerworld.com/s/article/9230448/Microsoft_warns_of_man_in_the_middle_VPN_password_hack . From the looks of that news, we should really dump pptpd as the default VPN and add some form of strongSwan/L2TP option. That combo with OpenVPN should allow pretty much any recent device to connect to it and still be reasonably secure.
No, it will NEVER erase OpenVPN. OpenVPN has so much ease of use and so much stability under almost every condition that it IS the de facto DD-WRT way of VPN. *swans are big and ugly and will never reach any DD-WRT release, I think. One chance would be the ipsec-tools, which are optimized for small devices, but the ip"Sec" standard (which isn't really a standard; instead it's a collection of many tools, protocols, etc.) has too many flavours and needs too much babysitting to get it running in most cases that the devs don't wanna start integration atm.