Add ipsec support

luci-app-ipsec-vpnd/Makefile

@@ -0,0 +1,19 @@
+# Copyright (C) 2016 Openwrt.org
+#
+# This is free software, licensed under the Apache License, Version 2.0 .
+#
+
+include $(TOPDIR)/rules.mk
+
+LUCI_TITLE:=LuCI support for IPSec VPN Server
+LUCI_DEPENDS:=+strongswan +strongswan-minimal +strongswan-mod-xauth-generic +iptables-mod-filter +iptables-mod-nat-extra
+LUCI_PKGARCH:=all
+PKG_NAME:=luci-app-ipsec-vpnd
+PKG_VERSION:=1.0
+PKG_RELEASE:=7
+
+include $(TOPDIR)/feeds/luci/luci.mk
+
+# call BuildPackage - OpenWrt buildroot signature
+
+

luci-app-ipsec-vpnd/README.md

@@ -0,0 +1 @@
+# luci-app-ipsec-vpnd

luci-app-ipsec-vpnd/luasrc/controller/ipsec-server.lua

@@ -0,0 +1,20 @@
+
+module("luci.controller.ipsec-server", package.seeall)
+
+function index()
+	if not nixio.fs.access("/etc/config/ipsec") then
+		return
+	end
+
+	entry({"admin", "vpn", "ipsec-server"},alias("admin", "vpn", "ipsec-server", "basic"),_("IPSec VPN Server"), 10).dependent = false
+	entry({"admin", "vpn", "ipsec-server", "basic"},cbi("ipsec-server/ipsec-server"),_("Basic"), 10).leaf = true
+	entry({"admin", "vpn", "ipsec-server", "user"},form("ipsec-server/userlist"),_("User"), 20).leaf = true
+	entry({"admin", "vpn", "ipsec-server","status"},call("act_status")).leaf=true
+end
+
+function act_status()
+  local e={}
+  e.running=luci.sys.call("pgrep ipsec >/dev/null")==0
+  luci.http.prepare_content("application/json")
+  luci.http.write_json(e)
+end

luci-app-ipsec-vpnd/luasrc/model/cbi/ipsec-server/ipsec-server.lua

@@ -0,0 +1,41 @@
+
+mp = Map("ipsec", translate("IPSec VPN Server"))
+mp.description = translate("IPSec VPN connectivity using the native built-in VPN Client on iOS or Andriod (IKEv1 with PSK and Xauth)")
+
+mp:section(SimpleSection).template  = "ipsec/ipsec_status"
+
+s = mp:section(NamedSection, "ipsec", "service")
+s.anonymouse = true
+
+enabled = s:option(Flag, "enabled", translate("Enable"))
+enabled.default = 0
+enabled.rmempty = false
+
+clientip = s:option(Value, "clientip", translate("VPN Client IP"))
+clientip.datatype = "ip4addr"
+clientip.description = translate("LAN DHCP reserved started IP addresses with the same subnet mask")
+clientip.optional = false
+clientip.rmempty = false
+
+clientdns = s:option(Value, "clientdns", translate("VPN Client DNS"))
+clientdns.datatype = "ip4addr"
+clientdns.description = translate("DNS using in VPN tunnel.Set to the router's LAN IP is recommended")
+clientdns.optional = false
+clientdns.rmempty = false
+
+
+secret = s:option(Value, "secret", translate("Secret Pre-Shared Key"))
+secret.password = true
+
+local apply = luci.http.formvalue("cbi.apply")
+if apply then
+	local bbrbox = luci.http.formvalue("cbid.ipsec.ipsec.enabled")
+	if bbrbox then
+		luci.sys.exec("ipsec reload")
+		luci.sys.exec("ipsec start")
+	else
+		luci.sys.exec("ipsec stop")
+	end
+end
+
+return mp

luci-app-ipsec-vpnd/luasrc/model/cbi/ipsec-server/userlist.lua

@@ -0,0 +1,24 @@
+local fs = require "nixio.fs"
+local conffile = "/etc/config/ipsec.users"
+
+f = SimpleForm("custom", translate("IPSec VPN User List"), translate("Please refer to the following writing.account:password"))
+
+t = f:field(TextValue, "conf")
+t.rmempty = true
+t.rows = 13
+function t.cfgvalue()
+	return fs.readfile(conffile) or ""
+end
+
+function f.handle(self, state, data)
+	if state == FORM_VALID then
+		if data.conf then
+			fs.writefile(conffile, data.conf:gsub("\r\n", "\n"))
+			luci.sys.call("/etc/init.d/ipsec reload")
+			luci.sys.call("/etc/init.d/ipsec restart")
+		end
+	end
+	return true
+end
+
+return f

luci-app-ipsec-vpnd/luasrc/view/ipsec/ipsec_status.htm

@@ -0,0 +1,22 @@
+<script type="text/javascript">//<![CDATA[
+XHR.poll(3, '<%=url([[admin]], [[vpn]], [[ipsec-server]], [[status]])%>', null,
+	function(x, data) {
+		var tb = document.getElementById('ipsec_status');
+		if (data && tb) {
+			if (data.running) {
+				var links = '<em><b><font color=green>IPSec VPN <%:RUNNING%></font></b></em>';
+				tb.innerHTML = links;
+			} else {
+				tb.innerHTML = '<em><b><font color=red>IPSec VPN <%:NOT RUNNING%></font></b></em>';
+			}
+		}
+	}
+);
+//]]>
+</script>
+<style>.mar-10 {margin-left: 50px; margin-right: 10px;}</style>
+<fieldset class="cbi-section">
+	<p id="ipsec_status">
+		<em><%:Collecting data...%></em>
+	</p>
+</fieldset>

luci-app-ipsec-vpnd/po/zh-cn/ipsec.po

@@ -0,0 +1,38 @@
+msgid "IPSec VPN Server"
+msgstr "IPSec VPN 服务器"
+
+msgid "IPSec VPN User List"
+msgstr "IPSec VPN 用户列表"
+
+msgid "IPSec VPN connectivity using the native built-in VPN Client on iOS or Andriod (IKEv1 with PSK and Xauth)"
+msgstr "使用iOS 或者 Andriod (IKEv1 with PSK and Xauth) 原生内置 IPSec VPN 客户端进行连接"
+
+msgid "VPN Client IP"
+msgstr "VPN客户端地址段"
+
+msgid "LAN DHCP reserved started IP addresses with the same subnet mask"
+msgstr "VPN客户端使用DHCP保留空余IP的起始地址，必须和路由器LAN同一个子网掩码，例如 192.168.8.100/24"
+
+msgid "Please refer to the following writing.account:password"
+msgstr "请按照格式填写。账号:密码"
+
+msgid "VPN Client DNS"
+msgstr "VPN客户端DNS服务器"
+
+msgid "DNS using in VPN tunnel.Set to the router's LAN IP is recommended"
+msgstr "指定VPN客户端的DNS地址。推荐设置为路由器的LAN IP，例如 192.168.8.1"
+
+msgid "Secret Pre-Shared Key"
+msgstr "PSK密钥"
+
+msgid "IPSec VPN Server status"
+msgstr "IPSec VPN 服务器运行状态"
+
+msgid "Enable"
+msgstr "启用"
+
+msgid "Basic"
+msgstr "基本设置"
+
+msgid "User"
+msgstr "用户设置"

luci-app-ipsec-vpnd/root/etc/config/ipsec

@@ -0,0 +1,9 @@
+
+config service 'ipsec'
+	option clientdns '192.168.8.1'
+	option account 'myvpn'
+	option secret 'myvpn'
+	option enabled '1'
+	option password 'myvpn'
+	option clientip '192.168.8.150/24'
+

luci-app-ipsec-vpnd/root/etc/config/ipsec.users

@@ -0,0 +1,7 @@
+# account:password
+myvpn:myvpn
+myvpn1:myvpn1
+myvpn2:myvpn2
+myvpn3:myvpn3
+myvpn4:myvpn4
+myvpn5:myvpn5

luci-app-ipsec-vpnd/root/etc/init.d/ipsec

@@ -0,0 +1,442 @@
+#!/bin/sh /etc/rc.common
+
+START=90
+STOP=10
+
+USE_PROCD=1
+PROG=/usr/lib/ipsec/starter
+
+. $IPKG_INSTROOT/lib/functions.sh
+. $IPKG_INSTROOT/lib/functions/network.sh
+
+IPSEC_SECRETS_FILE=/etc/ipsec.secrets
+IPSEC_CONN_FILE=/etc/ipsec.conf
+STRONGSWAN_CONF_FILE=/etc/strongswan.conf
+
+IPSEC_VAR_SECRETS_FILE=/var/ipsec/ipsec.secrets
+IPSEC_VAR_CONN_FILE=/var/ipsec/ipsec.conf
+STRONGSWAN_VAR_CONF_FILE=/var/ipsec/strongswan.conf
+
+WAIT_FOR_INTF=0
+
+file_reset() {
+	: > "$1"
+}
+
+xappend() {
+	local file="$1"
+	shift
+
+	echo "${@}" >> "${file}"
+}
+
+remove_include() {
+	local file="$1"
+	local include="$2"
+
+	sed -i "\_${include}_d" "${file}"
+}
+
+remove_includes() {
+	remove_include "${IPSEC_CONN_FILE}" "${IPSEC_VAR_CONN_FILE}"
+	remove_include "${IPSEC_SECRETS_FILE}" "${IPSEC_VAR_SECRETS_FILE}"
+	remove_include "${STRONGSWAN_CONF_FILE}" "${STRONGSWAN_VAR_CONF_FILE}"
+}
+
+do_include() {
+	local conf="$1"
+	local uciconf="$2"
+	local backup=`mktemp -t -p /tmp/ ipsec-init-XXXXXX`
+
+	[ ! -f "${conf}" ] && rm -rf "${conf}"
+	touch "${conf}"
+
+	cat "${conf}" | grep -v "${uciconf}" > "${backup}"
+	mv "${backup}" "${conf}"
+	xappend "${conf}" "include ${uciconf}"
+	file_reset "${uciconf}"
+}
+
+ipsec_reset() {
+	do_include "${IPSEC_CONN_FILE}" "${IPSEC_VAR_CONN_FILE}"
+}
+
+ipsec_xappend() {
+	xappend "${IPSEC_VAR_CONN_FILE}" "$@"
+}
+
+swan_reset() {
+	do_include "${STRONGSWAN_CONF_FILE}" "${STRONGSWAN_VAR_CONF_FILE}"
+}
+
+swan_xappend() {
+	xappend "${STRONGSWAN_VAR_CONF_FILE}" "$@"
+}
+
+secret_reset() {
+	do_include "${IPSEC_SECRETS_FILE}" "${IPSEC_VAR_SECRETS_FILE}"
+}
+
+secret_xappend() {
+	xappend "${IPSEC_VAR_SECRETS_FILE}" "$@"
+}
+
+warning() {
+	echo "WARNING: $@" >&2
+}
+
+add_crypto_proposal() {
+	local encryption_algorithm
+	local hash_algorithm
+	local dh_group
+
+	config_get encryption_algorithm  "$1" encryption_algorithm
+	config_get hash_algorithm        "$1" hash_algorithm
+	config_get dh_group              "$1" dh_group
+
+	[ -n "${encryption_algorithm}" ] && \
+		crypto="${crypto:+${crypto},}${encryption_algorithm}${hash_algorithm:+-${hash_algorithm}}${dh_group:+-${dh_group}}"
+}
+
+set_crypto_proposal() {
+	local conf="$1"
+	local proposal
+
+	crypto=""
+
+	config_get crypto_proposal "$conf" crypto_proposal ""
+	for proposal in $crypto_proposal; do
+		add_crypto_proposal "$proposal"
+	done
+
+	[ -n "${crypto}" ] && {
+		local force_crypto_proposal
+
+		config_get_bool force_crypto_proposal "$conf" force_crypto_proposal
+
+		[ "${force_crypto_proposal}" = "1" ] && crypto="${crypto}!"
+	}
+
+	crypto_proposal="${crypto}"
+}
+
+config_conn() {
+	# Generic ipsec conn section shared by tunnel and transport
+	local mode
+	local local_subnet
+	local local_nat
+	local local_sourceip
+	local local_updown
+	local local_firewall
+	local remote_subnet
+	local remote_sourceip
+	local remote_updown
+	local remote_firewall
+	local ikelifetime
+	local lifetime
+	local margintime
+	local keyingtries
+	local dpdaction
+	local dpddelay
+	local inactivity
+	local keyexchange
+
+	config_get mode                     "$1"           mode "route"
+	config_get local_subnet             "$1"           local_subnet ""
+	config_get local_nat                "$1"           local_nat ""
+	config_get local_sourceip           "$1"           local_sourceip ""
+	config_get local_updown             "$1"           local_updown ""
+	config_get local_firewall           "$1"           local_firewall ""
+	config_get remote_subnet            "$1"           remote_subnet ""
+	config_get remote_sourceip          "$1"           remote_sourceip ""
+	config_get remote_updown            "$1"           remote_updown ""
+	config_get remote_firewall          "$1"           remote_firewall ""
+	config_get ikelifetime              "$1"           ikelifetime "3h"
+	config_get lifetime                 "$1"           lifetime "1h"
+	config_get margintime               "$1"           margintime "9m"
+	config_get keyingtries              "$1"           keyingtries "3"
+	config_get dpdaction                "$1"           dpdaction "none"
+	config_get dpddelay                 "$1"           dpddelay "30s"
+	config_get inactivity               "$1"           inactivity
+	config_get keyexchange              "$1"           keyexchange "ikev2"
+
+	[ -n "$local_nat" ] && local_subnet=$local_nat
+
+	ipsec_xappend "conn $config_name-$1"
+	ipsec_xappend "  left=%any"
+	ipsec_xappend "  right=$remote_gateway"
+
+	[ -n "$local_sourceip" ] && ipsec_xappend "  leftsourceip=$local_sourceip"
+	[ -n "$local_subnet" ] && ipsec_xappend "  leftsubnet=$local_subnet"
+
+	[ -n "$local_firewall" ] && ipsec_xappend "  leftfirewall=$local_firewall"
+	[ -n "$remote_firewall" ] && ipsec_xappend "  rightfirewall=$remote_firewall"
+
+	ipsec_xappend "  ikelifetime=$ikelifetime"
+	ipsec_xappend "  lifetime=$lifetime"
+	ipsec_xappend "  margintime=$margintime"
+	ipsec_xappend "  keyingtries=$keyingtries"
+	ipsec_xappend "  dpdaction=$dpdaction"
+	ipsec_xappend "  dpddelay=$dpddelay"
+
+	[ -n "$inactivity" ] && ipsec_xappend "  inactivity=$inactivity"
+
+	if [ "$auth_method" = "psk" ]; then
+		ipsec_xappend "  leftauth=psk"
+		ipsec_xappend "  rightauth=psk"
+
+		[ "$remote_sourceip" != "" ] && ipsec_xappend "  rightsourceip=$remote_sourceip"
+		[ "$remote_subnet" != "" ] && ipsec_xappend "  rightsubnet=$remote_subnet"
+
+		ipsec_xappend "  auto=$mode"
+	else
+		warning "AuthenticationMethod $auth_method not supported"
+	fi
+
+	[ -n "$local_identifier" ] && ipsec_xappend "  leftid=$local_identifier"
+	[ -n "$remote_identifier" ] && ipsec_xappend "  rightid=$remote_identifier"
+	[ -n "$local_updown" ] && ipsec_xappend "  leftupdown=$local_updown"
+	[ -n "$remote_updown" ] && ipsec_xappend "  rightupdown=$remote_updown"
+	ipsec_xappend "  keyexchange=$keyexchange"
+
+	set_crypto_proposal "$1"
+	[ -n "${crypto_proposal}" ] && ipsec_xappend "  esp=$crypto_proposal"
+	[ -n "${ike_proposal}" ] && ipsec_xappend "  ike=$ike_proposal"
+}
+
+config_tunnel() {
+	config_conn "$1"
+
+	# Specific for the tunnel part
+	ipsec_xappend "  type=tunnel"
+}
+
+config_transport() {
+	config_conn "$1"
+
+	# Specific for the transport part
+	ipsec_xappend "  type=transport"
+}
+
+config_remote() {
+	local enabled
+	local gateway
+	local pre_shared_key
+	local auth_method
+
+	config_name=$1
+
+	config_get_bool enabled "$1" enabled 0
+	[ $enabled -eq 0 ] && return
+
+	config_get gateway           "$1" gateway
+	config_get pre_shared_key    "$1" pre_shared_key
+	config_get auth_method       "$1" authentication_method
+	config_get local_identifier  "$1" local_identifier ""
+	config_get remote_identifier "$1" remote_identifier ""
+
+	[ "$gateway" = "any" ] && remote_gateway="%any" || remote_gateway="$gateway"
+
+	[ -z "$local_identifier" ] && {
+		local ipdest
+
+		[ "$remote_gateway" = "%any" ] && ipdest="1.1.1.1" || ipdest="$remote_gateway"
+		local_gateway=`ip route get $ipdest | awk -F"src" '/src/{gsub(/ /,"");print $2}'`
+	}
+
+	[ -n "$local_identifier" ] && secret_xappend -n "$local_identifier " || secret_xappend -n "$local_gateway "
+	[ -n "$remote_identifier" ] && secret_xappend -n "$remote_identifier " || secret_xappend -n "$remote_gateway "
+
+	secret_xappend ": PSK \"$pre_shared_key\""
+
+	set_crypto_proposal "$1"
+	ike_proposal="$crypto_proposal"
+
+	config_list_foreach "$1" tunnel config_tunnel
+
+	config_list_foreach "$1" transport config_transport
+
+	ipsec_xappend ""
+}
+
+config_ipsec() {
+	local debug
+	local rtinstall_enabled
+	local routing_tables_ignored
+	local routing_table
+	local routing_table_id
+	local interface
+	local device_list
+
+	ipsec_reset
+	secret_reset
+	swan_reset
+
+	ipsec_xappend "# generated by /etc/init.d/ipsec"
+	ipsec_xappend "version 2"
+	ipsec_xappend ""
+
+	secret_xappend "# generated by /etc/init.d/ipsec"
+
+	config_get debug "$1" debug 0
+	config_get_bool rtinstall_enabled "$1" rtinstall_enabled 1
+	[ $rtinstall_enabled -eq 1 ] && install_routes=yes || install_routes=no
+
+	# prepare extra charon config option ignore_routing_tables
+	for routing_table in $(config_get "$1" "ignore_routing_tables"); do
+		if [ "$routing_table" -ge 0 ] 2>/dev/null; then
+			routing_table_id=$routing_table
+		else
+			routing_table_id=$(sed -n '/[ \t]*[0-9]\+[ \t]\+'$routing_table'[ \t]*$/s/[ \t]*\([0-9]\+\).*/\1/p' /etc/iproute2/rt_tables)
+		fi
+
+		[ -n "$routing_table_id" ] && append routing_tables_ignored "$routing_table_id"
+	done
+
+	local interface_list=$(config_get "$1" "interface")
+	if [ -z "$interface_list" ]; then
+		WAIT_FOR_INTF=0
+	else
+		for interface in $interface_list; do
+			network_get_device device $interface
+			[ -n "$device" ] && append device_list "$device" ","
+		done
+		[ -n "$device_list" ] && WAIT_FOR_INTF=0 || WAIT_FOR_INTF=1
+	fi
+
+	swan_xappend "# generated by /etc/init.d/ipsec"
+	swan_xappend "charon {"
+	swan_xappend "  load_modular = yes"
+	swan_xappend "  install_routes = $install_routes"
+	[ -n "$routing_tables_ignored" ] && swan_xappend "  ignore_routing_tables = $routing_tables_ignored"
+	[ -n "$device_list" ] && swan_xappend "  interfaces_use = $device_list"
+	swan_xappend "    plugins {"
+	swan_xappend "      include /etc/strongswan.d/charon/*.conf"
+	swan_xappend "    }"
+	swan_xappend "  syslog {"
+	swan_xappend "    identifier = ipsec"
+	swan_xappend "    daemon {"
+	swan_xappend "      default = $debug"
+	swan_xappend "    }"
+	swan_xappend "    auth {"
+	swan_xappend "      default = $debug"
+	swan_xappend "    }"
+	swan_xappend "  }"
+	swan_xappend "}"
+}
+
+prepare_env() {
+	mkdir -p /var/ipsec
+	remove_includes
+	config_load ipsec
+	config_foreach config_ipsec ipsec
+	config_foreach config_remote remote
+}
+
+service_running() {
+	ipsec status > /dev/null 2>&1
+}
+
+reload_service() {
+  local bool vt_enabled=`uci get ipsec.@service[0].enabled 2>/dev/null`
+  [ "$vt_enabled" = 0 ] && /etc/init.d/ipsec stop && return
+	running && {
+		prepare_env
+		[ $WAIT_FOR_INTF -eq 0 ] && {
+			ipsec rereadall
+			ipsec reload
+			return
+		}
+	}
+	[ "$vt_enabled" = 1 ] && start
+}
+
+check_ipsec_interface() {
+	local intf
+
+	for intf in $(config_get "$1" interface); do
+		procd_add_interface_trigger "interface.*" "$intf" /etc/init.d/ipsec reload
+	done
+}
+
+service_triggers() {
+	procd_add_reload_trigger "ipsec"
+	config load "ipsec"
+	config_foreach check_ipsec_interface ipsec
+}
+
+start_service() {
+  local vt_enabled=`uci get ipsec.@service[0].enabled 2>/dev/null`
+	local vt_clientip=`uci get ipsec.@service[0].clientip`
+	local vt_clientdns=`uci get ipsec.@service[0].clientdns`
+	local vt_account=`uci get ipsec.@service[0].account`
+	local vt_password=`uci get ipsec.@service[0].password 2>/dev/null`
+	local vt_secret=`uci get ipsec.@service[0].secret 2>/dev/null`
+	
+	[ "$vt_enabled" = 0 ] && /etc/init.d/ipsec stop && return
+	
+	cat > /etc/ipsec.conf <<EOF
+# ipsec.conf - strongSwan IPsec configuration file
+
+# basic configuration
+
+config setup
+    # strictcrlpolicy=yes
+    uniqueids=never
+
+# Add connections here.
+
+conn xauth_psk
+	keyexchange=ikev1
+	ike=aes128-sha1-modp2048,aes128-sha1-modp1024,3des-sha1-modp1024,3des-sha1-modp1536
+  esp=aes128-sha1,3des-sha1
+	left=%defaultroute
+	leftauth=psk
+	leftsubnet=0.0.0.0/0
+	right=%any
+	rightauth=psk
+	rightauth2=xauth
+	rightsourceip=$vt_clientip
+	rightdns=$vt_clientdns
+	auto=add
+EOF
+
+
+
+title='/etc/config/'
+title1='/etc/'
+file=$title'ipsec.users'
+file1=$title1'ipsec.secrets'
+temp=$(sed '/^$/d;/^\#/d;/:/d;s/-----//g' $file)
+sed -n  -i -e '/^$/d;/^\#/d;s@[a-z]@&@g;/:/p' $file
+
+sed -i '1,$d' $file1
+sed -n  -e '/^$/d;/^\#/d;s@[a-z]@&@g;/:/p' $file >>$file1
+sed -i 's/:/ :/g;s/:/& XAUTH "/g;s/$/&"/g' $file1
+sed -i '1i: PSK "'$vt_secret'"' $file1
+sed -i '1i# /etc/ipsec.secrets - strongSwan IPsec secrets file'  $file1
+sed -i '1i#---account:password---'  $file
+if [ "$temp" == "" ]; then 
+	temp='-----'$temp'-----'
+else
+	temp='-----'$temp'-----'
+	echo $temp >> $file
+fi
+	prepare_env
+
+	[ $WAIT_FOR_INTF -eq 1 ] && return
+
+	procd_open_instance
+
+	procd_set_param command $PROG --daemon charon --nofork
+
+	procd_set_param file $IPSEC_CONN_FILE
+	procd_append_param file $IPSEC_SECRETS_FILE
+	procd_append_param file $STRONGSWAN_CONF_FILE
+	procd_append_param file /etc/strongswan.d/*.conf
+	procd_append_param file /etc/strongswan.d/charon/*.conf
+
+	procd_set_param respawn
+
+	procd_close_instance
+}

luci-app-ipsec-vpnd/root/etc/ipsec.include

@@ -0,0 +1,11 @@
+iptables -D FORWARD  -m policy --dir in --pol ipsec --proto esp -j ACCEPT 2>/dev/null
+iptables -D FORWARD  -m policy --dir out --pol ipsec --proto esp -j ACCEPT 2>/dev/null
+iptables -D INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT 2>/dev/null
+iptables -D OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT 2>/dev/null
+
+iptables -I FORWARD  -m policy --dir in --pol ipsec --proto esp -j ACCEPT
+iptables -I FORWARD  -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+iptables -I INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT
+iptables -I OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+
+echo 1 > /proc/sys/net/ipv4/conf/br-lan/proxy_arp

luci-app-ipsec-vpnd/root/etc/uci-defaults/ipsec

@@ -0,0 +1,54 @@
+#!/bin/sh
+
+uci -q batch <<-EOF >/dev/null
+	delete firewall.ipsecd
+	set firewall.ipsecd=include
+	set firewall.ipsecd.type=script
+	set firewall.ipsecd.path=/etc/ipsec.include
+	set firewall.ipsecd.reload=1
+	commit firewall
+EOF
+
+uci -q batch <<-EOF >/dev/null
+  delete firewall.ike
+  add firewall rule
+  rename firewall.@rule[-1]="ike"
+  set firewall.@rule[-1].name="ike"
+  set firewall.@rule[-1].target="ACCEPT"
+  set firewall.@rule[-1].src="wan"
+  set firewall.@rule[-1].proto="udp"
+  set firewall.@rule[-1].dest_port="500"
+  delete firewall.ipsec
+  add firewall rule
+  rename firewall.@rule[-1]="ipsec"
+  set firewall.@rule[-1].name="ipsec"
+  set firewall.@rule[-1].target="ACCEPT"
+  set firewall.@rule[-1].src="wan"
+  set firewall.@rule[-1].proto="udp"
+  set firewall.@rule[-1].dest_port="4500"
+  delete firewall.ah
+  add firewall rule
+  rename firewall.@rule[-1]="ah"
+  set firewall.@rule[-1].name="ah"
+  set firewall.@rule[-1].target="ACCEPT"
+  set firewall.@rule[-1].src="wan"
+  set firewall.@rule[-1].proto="ah"
+  delete firewall.esp
+  add firewall rule
+  rename firewall.@rule[-1]="esp"
+  set firewall.@rule[-1].name="esp"
+  set firewall.@rule[-1].target="ACCEPT"
+  set firewall.@rule[-1].src="wan"
+  set firewall.@rule[-1].proto="esp"
+  commit firewall
+EOF
+
+uci -q batch <<-EOF >/dev/null
+	delete ucitrack.@ipsec[-1]
+	add ucitrack ipsec
+	set ucitrack.@ipsec[-1].init=ipsec
+	commit ucitrack
+EOF
+
+rm -f /tmp/luci-indexcache
+exit 0

openmptcprouter-full/Makefile

@@ -31,6 +31,7 @@ MY_DEPENDS := \
     libnetfilter-conntrack ebtables ebtables-utils ip-full \
     iptables-mod-iface iptables-mod-ipmark iptables-mod-hashlimit iptables-mod-condition iptables-mod-trace iptables-mod-conntrack-extra iptables-mod-account \
     kmod-nf-nat kmod-nf-nathelper kmod-nf-nathelper-extra iptables-mod-extra \
+    iptables-mod-ipsec kmod-crypto-authenc kmod-ipsec kmod-ipsec4 kmod-ipsec6 kmod-ipt-ipsec \
     wireless-tools \
     libiwinfo-lua \
     ca-bundle ca-certificates libustream-openssl \
@@ -78,7 +79,7 @@ MY_DEPENDS := \
     kmod-usb-net-huawei-cdc-ncm kmod-usb-net-rndis kmod-usb-net-cdc-ether kmod-usb-net-ipheth usbmuxd \
     kmod-rt2800-usb kmod-rtl8xxxu kmod-rtl8192cu kmod-net-rtl8192su \
     luci-proto-qmi wpad-basic kmod-mt7601u kmod-rtl8187 \
-    wireguard
+    wireguard luci-app-ipsec-vpnd
 #    softethervpn5-client softethervpn5-server
 
 #    luci-app-mlvpn ubond \