[Success] OpenWrt 12.09 + strongSwan 5.0.0 road-warrior VPN for iOS, Android and Windows clients (working config dump)

a guest
Nov 4th, 2013
  1. root@OpenWrt:/tmp# uname -a
  2. Linux OpenWrt 3.3.8 #1 Sat Mar 23 16:01:31 UTC 2013 mips GNU/Linux
  3.  
  4.  
  5. root@OpenWrt:/tmp# opkg list-installed strongswan\*
  6.  
  7. strongswan - 5.0.0-1
  8. strongswan-charon - 5.0.0-1
  9. strongswan-default - 5.0.0-1
  10. strongswan-mod-aes - 5.0.0-1
  11. strongswan-mod-af-alg - 5.0.0-1
  12. strongswan-mod-attr - 5.0.0-1
  13. strongswan-mod-blowfish - 5.0.0-1
  14. strongswan-mod-constraints - 5.0.0-1
  15. strongswan-mod-des - 5.0.0-1
  16. strongswan-mod-dhcp - 5.0.0-1
  17. strongswan-mod-dnskey - 5.0.0-1
  18. strongswan-mod-eap-identity - 5.0.0-1
  19. strongswan-mod-eap-md5 - 5.0.0-1
  20. strongswan-mod-eap-mschapv2 - 5.0.0-1
  21. strongswan-mod-farp - 5.0.0-1
  22. strongswan-mod-fips-prf - 5.0.0-1
  23. strongswan-mod-gcrypt - 5.0.0-1
  24. strongswan-mod-gmp - 5.0.0-1
  25. strongswan-mod-hmac - 5.0.0-1
  26. strongswan-mod-kernel-netlink - 5.0.0-1
  27. strongswan-mod-md4 - 5.0.0-1
  28. strongswan-mod-md5 - 5.0.0-1
  29. strongswan-mod-nonce - 5.0.0-1
  30. strongswan-mod-openssl - 5.0.0-1
  31. strongswan-mod-pem - 5.0.0-1
  32. strongswan-mod-pgp - 5.0.0-1
  33. strongswan-mod-pkcs1 - 5.0.0-1
  34. strongswan-mod-pkcs11 - 5.0.0-1
  35. strongswan-mod-pkcs8 - 5.0.0-1
  36. strongswan-mod-pubkey - 5.0.0-1
  37. strongswan-mod-random - 5.0.0-1
  38. strongswan-mod-resolve - 5.0.0-1
  39. strongswan-mod-revocation - 5.0.0-1
  40. strongswan-mod-sha1 - 5.0.0-1
  41. strongswan-mod-sha2 - 5.0.0-1
  42. strongswan-mod-socket-default - 5.0.0-1
  43. strongswan-mod-stroke - 5.0.0-1
  44. strongswan-mod-test-vectors - 5.0.0-1
  45. strongswan-mod-updown - 5.0.0-1
  46. strongswan-mod-x509 - 5.0.0-1
  47. strongswan-mod-xauth-eap - 5.0.0-1
  48. strongswan-mod-xauth-generic - 5.0.0-1
  49. strongswan-mod-xcbc - 5.0.0-1
  50. strongswan-utils - 5.0.0-1
  51.  
  52. root@OpenWrt:/tmp# ipsec statusall
  53. Status of IKE charon daemon (strongSwan 5.0.0, Linux 3.3.8, mips):
  54.   uptime: 107 minutes, since Nov 04 23:22:17 2013
  55.   malloc: sbrk 258048, mmap 0, used 161256, free 96792
  56.   worker threads: 6 of 16 idle, 9/1/0/0 working, job queue: 0/0/0/0, scheduled: 8
  57.   loaded plugins: charon test-vectors pkcs11 aes des blowfish sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl gcrypt af-alg fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-md5 eap-mschapv2 xauth-generic xauth-eap dhcp
  58. Virtual IP pools (size/online/offline):
  59.   android: 1/0/1
  60.   iOS: 1/0/1
  61.   Windows: 1/0/1
  62. Listening IP addresses:
  63.   10.2.2.2
  64.   192.168.1.1
  65. Connections:
  66.      android:  %any...%any  IKEv2
  67.      android:   local:  [C=JP, O=OpenWRT02_Router, CN=gtx.odwtztk.wjg.jp] uses public key authentication
  68.      android:    cert:  "C=JP, O=OpenWRT02_Router, CN=gtx.odwtztk.wjg.jp"
  69.      android:   remote: [C=JP, O=Test Android Phone, CN=Test Android Client Cert] uses public key authentication
  70.      android:    cert:  "C=JP, O=Test Android Phone, CN=Test Android Client Cert"
  71.      android:    crl:   status must be GOOD or SKIPPED
  72.      android:   remote: [%any] uses EAP_MSCHAPV2 authentication with EAP identity '%any'
  73.      android:   child:  0.0.0.0/0 === dynamic TUNNEL
  74.          iOS:  %any...%any  IKEv1
  75.          iOS:   local:  [C=JP, O=OpenWRT02_Router, CN=gtx.odwtztk.wjg.jp] uses public key authentication
  76.          iOS:    cert:  "C=JP, O=OpenWRT02_Router, CN=gtx.odwtztk.wjg.jp"
  77.          iOS:   remote: [C=JP, O=Test iPhone, CN=My iPhone Client Cert] uses public key authentication
  78.          iOS:    cert:  "C=JP, O=Test iPhone, CN=My iPhone Client Cert"
  79.          iOS:    crl:   status must be GOOD or SKIPPED
  80.          iOS:   remote: [%any] uses XAuth authentication: any
  81.          iOS:   child:  0.0.0.0/0 === dynamic TUNNEL
  82.      Windows:  %any...%any  IKEv2
  83.      Windows:   local:  [C=JP, O=OpenWRT02_Router, CN=gtx.odwtztk.wjg.jp] uses public key authentication
  84.      Windows:    cert:  "C=JP, O=OpenWRT02_Router, CN=gtx.odwtztk.wjg.jp"
  85.      Windows:   remote: [C=JP, O=Test Windows PC, CN=Test Windows Client Cert] uses public key authentication
  86.      Windows:    cert:  "C=JP, O=Test Windows PC, CN=Test Windows Client Cert"
  87.      Windows:    crl:   status must be GOOD or SKIPPED
  88.      Windows:   child:  0.0.0.0/0 === dynamic TUNNEL
  89. Security Associations (0 up, 0 connecting):
  90.   none
  91.  
  92. root@OpenWrt:/tmp# cat /etc/ipsec.conf
  93. # ipsec.conf - strongSwan IPsec configuration file
      # Road-warrior setup: this router is the IKE responder for three client
      # profiles (android = IKEv2 cert+EAP, iOS = IKEv1 cert+XAuth, Windows =
      # IKEv2 cert only), each pinned to exactly one client certificate and
      # handed one fixed virtual IP. Relative certificate paths resolve under
      # /etc/ipsec.d/ (cacerts/ for cacert, certs/ for leftcert/rightcert).
  94.  
  95. # basic configuration
  96.  
  97. config setup
      # NOTE(review): plutodebug, nat_traversal, charonstart and plutostart are
      # pluto-era keys; on strongSwan 5.x charon handles IKEv1 as well and these
      # are ignored, so they are correctly left commented out.
  98.         # plutodebug=all
  99.         # crlcheckinterval=600
  100.         # strictcrlpolicy=yes
      # ifuri: a fresh CRL is required only when a CRL URI is known (from the
      # cert's CDP extension or a crluri= in the ca section). Without one the
      # check is SKIPPED - that is the "status must be GOOD or SKIPPED" line in
      # `ipsec statusall` - so a revoked client cert lacking a CDP is still
      # accepted unless a CRL is placed in /etc/ipsec.d/crls. If revocation is
      # a requirement, use strictcrlpolicy=yes and declare crluri=/ocspuri=.
  101.         strictcrlpolicy=ifuri
  102.         # cachecrls=yes
  103.         # nat_traversal=yes
  104.         # charonstart=no
  105.         # plutostart=no
  106.  
      # CA certs in /etc/ipsec.d/cacerts are trusted automatically; this section
      # is where crluri= / ocspuri= would go to make strictcrlpolicy=ifuri bite.
  107. ca myca
  108.         cacert=OpenWrt02caCert.pem
  109.         auto=add
  110.  
  111. # Add connections here.
  112.  
      # Shared by every conn below: full tunnel (all client traffic via the
      # router), updown-managed iptables rules (leftfirewall), strict proposals.
  113. conn %default
  114.         left=%any
  115.         leftsubnet=0.0.0.0/0
  116.         leftcert=OpenWrtserverCert.pem
  117.  #       rightsourceip=%dhcp
  118.         leftfirewall=yes
      # NOTE(review): leftsourceip on the responder installs 192.168.1.1 as a
      # *local* virtual IP; client addresses come from rightsourceip in each conn.
      # Since 192.168.1.1 is already the LAN address this is likely redundant -
      # verify it is intended.
  119.         leftsourceip=192.168.1.1
      # NOTE(review): the trailing "!" makes this the ONLY proposal the responder
      # accepts, so no client can negotiate anything stronger. modp1024 (DH
      # group 2) is a 1024-bit group, below the 2048-bit floor generally
      # recommended, and sha1 is kept here purely for legacy clients. Prefer
      # listing a stronger proposal first and keeping this one only as a
      # fallback, e.g.
      #   ike=aes256-sha256-modp2048,aes256-sha1-modp1024!
      # - but confirm which groups the stock iOS/Android clients you target
      # actually offer before removing modp1024, or they will fail to connect.
  120.         ike=aes256-sha1-modp1024!
      # Likewise consider aes256-sha256 ahead of aes256-sha1 for ESP integrity.
  121.         esp=aes256-sha1!
      # compress=yes only *proposes* IPComp; it is used only if the peer agrees.
  122.         compress=yes
  123.  
      # IKEv2 with two authentication rounds (RFC 4739 multiple auth): the
      # client certificate first, then EAP-MSCHAPv2 against the EAP secret in
      # ipsec.secrets. The client must support multiple auth rounds.
      # eap_identity=%any takes the identity from the EAP-Identity exchange and
      # uses it to look up the secret ("android" in ipsec.secrets).
      # rightcert pins exactly this certificate - another cert from the same CA
      # does not match this conn. rightsourceip is a single address, so only
      # one android client can be up at a time (pool size 1 in statusall).
  124. conn  android
  125.        keyexchange=ikev2
  126.        leftauth=pubkey
  127.         right=%any
  128.         rightsourceip=192.168.1.21
  129.        rightauth=pubkey
  130.         rightauth2=eap-mschapv2
  131.         rightcert=androidCert.pem
  132.         eap_identity=%any
  133.         auto=add
  134.  
      # IKEv1 main mode (aggressive is not enabled), RSA signatures plus XAuth
      # username/password with this router as the XAuth server (user "iPhone"
      # in ipsec.secrets). forceencaps: always UDP-encapsulate on port 4500 even
      # when no NAT is detected. Same single pinned cert / one-address pool.
  135. conn iOS
  136.         keyexchange=ikev1
  137.         authby=xauthrsasig
  138.         xauth=server
  139.         rightcert=iPhoneCert.pem
  140.         forceencaps=yes
  141.         auto=add
  142.         rightsourceip=192.168.1.22
  143.  
      # IKEv2, certificate only: rightauth is not set, so it falls back to the
      # pubkey default and there is no second auth round. Same pinning / pool.
  144. conn Windows
  145.         keyexchange=ikev2
  146.         rightsourceip=192.168.1.23
  147.         auto=add
  148.         rightcert=WindowsCert.pem
  149.  
  150. root@OpenWrt:/tmp# cat /etc/strongswan.conf
  151. # strongswan.conf - strongSwan configuration file
      # Daemon-level settings only; connection policy lives in ipsec.conf.
  152.  
  153. charon {
  154.  
  155.         # number of worker threads in charon
      # Matches the "6 of 16 idle" line in `ipsec statusall`. Generous for a
      # MIPS router serving a handful of clients, but harmless.
  156.         threads = 16
  157.  
  158.         # send strongswan vendor ID?
  159.         # send_vendor_id = yes
  160.  
  161.         plugins {
  162.  
      # The sql plugin is NOT in the loaded-plugins list in statusall, so this
      # section is inert. NOTE(review): should a mysql:// URI with credentials
      # ever be uncommented, keep this file root-only (mode 0600) - the
      # password is stored in cleartext.
  163.                 sql {
  164.                         # loglevel to log into sql database
  165.                         loglevel = -1
  166.  
  167.                         # URI to the database
  168.                         # database = sqlite:///path/to/file.db
  169.                         # database = mysql://user:password@localhost/database
  170.                 }
  171.         }
  172.  
  173.         # ...
  174. }
  175.  
      # NOTE(review): pluto is gone as of strongSwan 5.0 (charon handles IKEv1
      # too), so this empty section is ignored and can be dropped.
  176. pluto {
  177.  
  178. }
  179.  
  180. libstrongswan {
  181.  
  182.         #  set to no, the DH exponent size is optimized
  183.         #  dh_exponent_ansi_x9_42 = no
  184.  
      # integrity_test only has an effect on builds with integrity checking
      # compiled in; crypto_test.on_add runs the loaded test-vectors plugin's
      # known-answer tests against each algorithm as it is registered, which
      # costs some startup time but catches a broken crypto plugin early.
  185.         # integrity_test = yes
  186.         crypto_test {
  187.                 on_add = yes
  188.         }
  189. }
  190.  
  191. root@OpenWrt02:/tmp# cat /etc/ipsec.secrets
  192. # /etc/ipsec.secrets - strongSwan IPsec secrets file
      # NOTE(review): everything in this file is cleartext. It must be owned by
      # root with mode 0600, and real values must never be pasted or backed up
      # unencrypted.
  193.  
      # Router's RSA private key; a relative path resolves under
      # /etc/ipsec.d/private/. The empty selector before ':' means the key is
      # used for any local identity.
  194. : RSA OpenWrtserverKey.pem
  195.  
      # EAP-MSCHAPv2 secret for conn android, keyed by the EAP identity the
      # client sends ("android"), and the XAuth password for conn iOS (user
      # "iPhone"). "hogehoge" is a placeholder: use a distinct, strong secret
      # per client. EAP-MSCHAPv2 can alternatively be given an NT password hash
      # via an NTLM entry instead of the cleartext password - see the
      # ipsec.secrets man page for the exact syntax.
  196. android : EAP "hogehoge"
  197. iPhone : XAUTH "hogehoge"