Thursday, August 25, 2016

Setting up IKEv2 with strongSwan on OpenWrt 15.05.1

I have been using OpenVPN on my OpenWrt router for remote access. OpenVPN is an SSL VPN solution similar to Cisco's AnyConnect. IPsec is an IETF standard for providing network-layer security. Support for IPsec is built into recent Linux kernels. However, the kernel needs the encryption keys before it can set up IPsec. You can manually create IPsec tunnels with a preshared key, but this approach does not support mobile clients, which have dynamic IP addresses.

The Internet Key Exchange (IKE) protocol negotiates security parameters before an IPsec tunnel is set up. Usually, an IKE daemon listens on UDP/500 for requests, performs several rounds of exchanges with the remote client, and then passes the negotiated parameters to the Linux kernel, which sets up the IPsec tunnel.

IKEv2 is the latest version and is much easier to deploy than its predecessor, IKEv1. strongSwan is an IKE daemon with full support for IKEv2. To install strongSwan on OpenWrt, you need to install the strongswan-minimal package. You also need to install strongswan-mod-openssl in order to use public-key authentication.

There are several configuration files:

/etc/ipsec.conf contains the definitions of the IPsec tunnels (connections).
/etc/strongswan.conf contains the configuration of the strongSwan daemon itself.
/etc/ipsec.secrets contains the various credentials used by the IPsec tunnels.


The following is all that is needed to set up a tunnel with a PSK. A PSK is not as safe as public-key authentication, especially if the PSK is weak.

in /etc/ipsec.conf:

conn mytunnel
    left=%any
    leftsubnet=10.1.0.0/16
    leftid=home
    leftfirewall=yes
    right=IP_OF_THE_PEER
    rightsubnet=10.2.0.0/16
    rightid=moon
    auto=add
    mobike=no
    authby=psk

in /etc/ipsec.secrets:

moon : PSK YOUR_PSK_FOR_TUNNEL

Use `ipsec up mytunnel` to establish the tunnel and `ipsec statusall` to check its status.
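As an added example that is not from the post (a small lint for the two files above, not strongSwan's own parser): it reads ipsec.conf and ipsec.secrets in the layout shown, checks that every authby=psk connection has a secret for its rightid, and estimates whether that secret is too weak to rely on. The 128-bit threshold and the character-class estimate are my assumptions; strongSwan also matches secrets against the left ID, which this check ignores.

```python
import math
# Constructed samples in the layout of the post's ipsec.conf and ipsec.secrets.
IPSEC_CONF = """\
conn mytunnel
    leftid=home
    rightid=moon
    authby=psk
"""
IPSEC_SECRETS = 'moon : PSK "changeme"\n'  # deliberately weak, to be flagged

def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("conn "):
            cur = line.split(None, 1)[1]
            conns[cur] = {}
        elif cur and "=" in line:
            key, val = line.split("=", 1)
            conns[cur][key.strip()] = val.strip()
    return conns

def parse_psks(text):
    """Return {id: secret} for single-id 'id : PSK secret' lines of ipsec.secrets."""
    psks = {}
    for line in text.splitlines():
        sel, _, rest = line.partition(":")
        kind, _, secret = rest.strip().partition(" ")
        if kind == "PSK" and sel.strip():
            psks[sel.strip()] = secret.strip().strip('"')
    return psks

def psk_bits(secret):
    """Rough strength estimate: length * log2(size of the character classes used)."""
    classes = ((str.islower, 26), (str.isupper, 26), (str.isdigit, 10))
    space = sum(n for test, n in classes if any(test(c) for c in secret))
    space += 33 if any(not c.isalnum() for c in secret) else 0
    return len(secret) * math.log2(space) if space else 0.0

def lint_psk_conn(conn, psks, min_bits=128):
    """Findings for an authby=psk conn: no secret for its rightid, or a weak one."""
    if conn.get("authby") != "psk":
        return []
    peer = conn.get("rightid")
    if peer not in psks:
        return ["no PSK entry for rightid %r" % peer]
    bits = psk_bits(psks[peer])
    if bits < min_bits:
        return ["weak PSK for %s: ~%d bits, want >= %d" % (peer, bits, min_bits)]
    return []
```

Run `lint_psk_conn(parse_conns(IPSEC_CONF)["mytunnel"], parse_psks(IPSEC_SECRETS))` to get the finding for the sample; a 40-plus character random secret passes.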

Saturday, July 23, 2016

Configuring Raspberry Pi 3 via Serial Console

I got several RPi 3s recently. I tried to set them up via the UART console as I did with the RPi 2, but I could not see anything on my computer. After googling around, I found that the serial console is disabled by default. So I added enable_uart=1 to /boot/config.txt, and then I could see the login prompt on my computer.
As the RPi 3 has a built-in WiFi module, I can connect it to my wireless router and access it via SSH. If the network is secured with WPA2-PSK, just add the following to /etc/wpa_supplicant/wpa_supplicant.conf.
network={
    ssid="your_ssid"
    psk="your_password"
}
If your wireless network is open, add the following.
network={
    ssid="your_ssid"
    key_mgmt=NONE
}
and run sudo ifdown wlan0 and then sudo ifup wlan0. You can test the connection with ifconfig, ping and iwconfig.

Friday, July 22, 2016

Adding an Intel Wireless-AC 7260 Card on ThinkPad T420s

I bought an Intel 7260AC card from jd.com yesterday to replace the 6205 card in my T420s and enjoy the speed of 802.11ac. The card arrived this morning. The card is not specially made for ThinkPads.

As every ThinkPad's BIOS is equipped with a whitelist of authorized wireless cards, I need to flash a BIOS with the whitelist removed. I found one made by TimeWalker75a on bios-mods.com. Here is the link. Apart from removing the whitelist, the modified BIOS also unlocks the RAM clock speed and some advanced settings. But before flashing the modified BIOS, you need to flash the original 1.41 BIOS offered by Lenovo.

Then I removed the batteries and the shield above the RAM modules and saw the 6205 mini-PCIe wireless card. I unplugged the two antenna cables, loosened the screw and removed the old card. Then I installed the new 7260 card and plugged in the cables. The gray cable should be connected to the main port and the black one to the aux port.

I plugged in the power cord and turned it on. Fedora identified the new card successfully, and the hardware wireless switch worked flawlessly. But all WiFi history was lost. This 7260AC card also contains a Bluetooth 4.0 module, and the laptop also has an embedded Bluetooth module (BCM2045B) from Broadcom; I can see both of them by running hciconfig. Removing the BCM2045B requires opening the palm rest. I found a way to blacklist it with udev here.

Update:

Do not remove the embedded BCM2045B module, or the BIOS will disable Bluetooth even though the 7260 has its own module.