I'm writing this in the hopes that it will assist someone else, or just as a reminder to me down the road.
I have been fiddling around for the last four days trying to get a site-to-site VPN set up between my home network and another family member's home. I convinced them to upgrade their router to a DD-WRT based router about three years ago, before I really knew about Ubiquiti hardware. Upgrading them to an EdgeRouter Lite, while likely to simplify things and still a possibility in the near future, would have taken me longer than using a Raspberry Pi I had lying around.
IPSec is something that I have had zero experience with up until now, and I wanted to learn something new. While I have never set up OpenVPN in a site-to-site configuration, I have used it in the past as a client-server setup on my EdgeRouter.
Here is the hardware on each side:
Home
Ubiquiti EdgeRouter ER-8
Cable Internet 120/20
Family
Buffalo Airstation AC1750
Cable Internet 60/20
Raspberry Pi running Raspbian Jessie Lite
Network Topology
EdgeRouter ---- Internet ---- AC1750 ---- RPi
10.10.1.1                     10.0.1.1   10.0.1.10
EdgeRouter Setup
Setting up the EdgeRouter was rather simple. I filled in the following under VPN | IPSec Site-to-Site:
Peer: 0.0.0.0
Description: House-to-House
Local IP: any
Pre-shared secret: MyPassword
Local Subnet: 10.10.1.0/24
Remote Subnet: 172.20.10.0/28
Setting up the Raspberry Pi
I loaded a fresh image of Raspbian Jessie Lite (2016-09-23). I then updated and installed strongswan.
sudo apt-get update
sudo apt-get upgrade
sudo apt-get install -t jessie strongswan
sudo apt-get install -t jessie libcharon-extra-plugins
The next step is to edit the /etc/ipsec.conf file so that the following are the only uncommented lines:
config setup
        charondebug="cfg 2, dmn 2, ike 2, net 2"

conn %default
        ikelifetime=28800s
        keylife=3600s
        rekeymargin=540s
        keyingtries=%forever
        authby=secret
        keyexchange=ikev1
        compress=no

conn House-To-House
        left=172.20.10.3
        leftsubnet=172.20.10.0/28
        rightid=%any
        rightallowany=yes
        right=www.myhouse.ca
        rightsubnet=10.10.1.0/24
        auto=start
        ike=aes128-sha1-modp2048!
        esp=aes128-sha1-modp2048!
Note: If you intend to use a fully qualified domain name in place of an IP address for either left or right, you need to have the corresponding rightid or leftid set to %any, otherwise it will generate errors. I use FQDNs for both sides, but have left it like this to assist those setting up a network with plain IP addresses.
Now, add the following to your /etc/ipsec.secrets file:
172.20.10.3 www.myhouse.ca : PSK "MyPassword"
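The post uses MyPassword as a placeholder for the pre-shared secret. The following POSIX sh snippet is an added example, not part of the original post: it generates a random 256-bit PSK, prints the matching /etc/ipsec.secrets line for the two addresses used above, and checks that the secrets file is not readable by other users. The function names are my own; the same secret has to be entered in the EdgeRouter's Pre-shared secret field.

```shell
#!/bin/sh
# Added example (not from the original post). Helpers for the PSK half of the
# setup: generate a strong secret, build the ipsec.secrets line, and verify
# the file's permissions. Nothing here touches the real /etc/ipsec.secrets;
# redirect the output there yourself as root.

# 32 bytes from /dev/urandom as 64 hex characters. Hex contains nothing that
# needs escaping inside the double quotes ipsec.secrets expects around a PSK.
gen_psk() {
    od -An -tx1 -N 32 /dev/urandom | tr -d ' \n'
}

# Build one ipsec.secrets entry: "<local> <remote> : PSK \"<secret>\"".
# $1 = local address/id, $2 = remote address/id (FQDN is fine), $3 = PSK.
secrets_line() {
    printf '%s %s : PSK "%s"\n' "$1" "$2" "$3"
}

# ipsec.secrets must be mode 0600 (-rw-------); anything wider leaks the PSK
# to every local user. Returns 0 when the mode is exactly 0600.
secrets_perms_ok() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# Typical use on the Pi (commented out so the file runs stand-alone):
#   psk=$(gen_psk)
#   secrets_line 172.20.10.3 www.myhouse.ca "$psk" | sudo tee /etc/ipsec.secrets >/dev/null
#   sudo chmod 600 /etc/ipsec.secrets
#   secrets_perms_ok /etc/ipsec.secrets && echo "permissions ok"
#   echo "$psk"   # copy this into the EdgeRouter's Pre-shared secret field
```

The hex encoding is deliberate: strongSwan reads the PSK as the bytes between the quotes, so a secret containing quotes or backslashes would need escaping, while hex never does.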
Enable packet forwarding by uncommenting the following line in /etc/sysctl.conf:
net.ipv4.ip_forward=1
Either reboot the system or run the following command to update the packet forwarding setting now:
sudo sysctl -w net.ipv4.ip_forward=1
Everything should now be ready to go. Run the following to reload the configuration files, bring up the tunnel and check the status of the connection:
sudo ipsec reload
sudo ipsec up House-To-House
sudo ipsec statusall
The final command should have a Security Associations section. If you see (1 up, 0 connecting) then you've got a successful tunnel from the Raspberry Pi to the EdgeRouter!
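Checking the Security Associations line by eye works once, but a cron job or monitoring script wants a yes/no answer. The following POSIX sh snippet is an added example and not part of the original post: it reads ipsec statusall output on stdin and reports whether the House-To-House connection has both an ESTABLISHED IKE SA and an INSTALLED CHILD_SA, which is what "(1 up, 0 connecting)" should correspond to. The two sample outputs are constructed for offline testing (the remote address 203.0.113.5 and the SPIs are made up); on the Pi you would pipe the real sudo ipsec statusall into it.

```shell
#!/bin/sh
# Added example (not from the original post): health check for the tunnel.
# Real use on the Pi:  sudo ipsec statusall | tunnel_up House-To-House

CONN="House-To-House"

# Constructed sample of statusall output once the tunnel is up. Wording
# follows strongSwan 5.x; exact text varies between releases.
SAMPLE_UP='Status of IKE charon daemon (strongSwan 5.2.1, Linux 4.4.21-v7+, armv7l):
  uptime: 3 minutes, since Oct 01 12:00:00 2016
Listening IP addresses:
  172.20.10.3
Connections:
House-To-House:  172.20.10.3...www.myhouse.ca  IKEv1
House-To-House:   local:  [172.20.10.3] uses pre-shared key authentication
House-To-House:   remote: uses pre-shared key authentication
House-To-House:   child:  172.20.10.0/28 === 10.10.1.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
House-To-House[1]: ESTABLISHED 2 minutes ago, 172.20.10.3[172.20.10.3]...203.0.113.5[203.0.113.5]
House-To-House[1]: IKEv1 SPI: 0123456789abcdef_i* fedcba9876543210_r, pre-shared key reauthentication in 7 hours
House-To-House[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
House-To-House{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c1a2b3c4_i d5e6f7a8_o
House-To-House{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 51 minutes
House-To-House{1}:   172.20.10.0/28 === 10.10.1.0/24'

# Constructed sample while the peer is unreachable: nothing established yet.
SAMPLE_DOWN='Status of IKE charon daemon (strongSwan 5.2.1, Linux 4.4.21-v7+, armv7l):
Connections:
House-To-House:  172.20.10.3...www.myhouse.ca  IKEv1
Security Associations (0 up, 1 connecting):
House-To-House[2]: CONNECTING, 172.20.10.3[%any]...203.0.113.5[%any]'

# Print the "N up, M connecting" summary from statusall output on stdin.
sa_summary() {
    sed -n 's/^Security Associations (\(.*\)):$/\1/p'
}

# Read statusall output on stdin. Exit 0 when connection $1 is fully up,
# 1 when its IKE SA is not ESTABLISHED, 2 when the IKE SA is there but no
# CHILD_SA is INSTALLED (the tunnel negotiated but carries no traffic).
tunnel_up() {
    conn="$1"
    status=$(cat)
    if ! printf '%s\n' "$status" | grep -q "^${conn}\[[0-9]*\]: ESTABLISHED"; then
        echo "${conn}: IKE SA not established" >&2
        return 1
    fi
    if ! printf '%s\n' "$status" | grep -q "^${conn}{[0-9]*}: *INSTALLED"; then
        echo "${conn}: no CHILD_SA installed" >&2
        return 2
    fi
    echo "${conn}: up ($(printf '%s\n' "$status" | sa_summary))"
    return 0
}
```

The separate CHILD_SA check matters: an IKE SA can be ESTABLISHED while the ESP proposal is rejected, which shows as "1 up" in the summary but leaves no tunnel for traffic, so counting on the summary alone gives a false positive.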
While I am limited by the 20 Mbit/s upload speed on both connections, I was able to saturate the link transferring files through the tunnel using scp. This will more than accommodate my use case.
Some notes on debugging:
Peer: 0.0.0.0 or any
While the houses are close together geographically, it was still a 20 minute drive between them, and as such driving back and forth to test different setups was not feasible. I tethered a Raspberry Pi to my cell phone in order to test on two separate networks from a single location. Everything I had read indicated to put any in the peer box to allow for a dynamic or unknown address. I just came across a UBNT member who had posted that 1.9.0 fixed a bug which allowed any in the past, and it should actually be 0.0.0.0, which cleared up my issue of INVALID_KE_PAYLOAD.
Diagnosing Errors
/var/log/syslog on the Raspberry Pi was not very descriptive when errors arose. I was much more successful with an ssh session into the EdgeRouter and running sudo swanctl -log.
Testing Connections
Initially I was trying to get everything up and running locally. I had simulated the family home network that would be the opposite endpoint by replicating the subnet and DHCP server on a separate EdgeRouter interface. This got me nowhere, as the IPSec system reacts completely differently to internal connections than it does to external connection attempts. If you don't have enough hardware to replicate two separate external networks, tethering the Raspberry Pi endpoint to your phone is the cheapest and easiest solution.