The D-Link DI-804HV can create IPSEC tunnels to OpenSWAN with fairly standard settings.
THE CATCH: There is one very big catch to setting up an IPSEC tunnel with the DI-804HV: the shared key is limited to 20 characters. This limit is not documented anywhere, and if you attempt to use a shared key longer than 20 characters, no error is given, but you will see the following log messages:
discarding duplicate packet; already STATE_MAIN_I3
ANOTHER CATCH: It seems that if you set the "Max. number of tunnels" setting on the D-Link equal to the actual number of tunnels configured, the tunnel will initiate but will drop off when it attempts to re-key (after an hour).
Example IPSEC configuration:
ipsec.conf for OpenSWAN:
conn jmp-cgy
    left=5.6.7.8
    leftid=5.6.7.8
    leftsubnet=192.168.2.0/24
    leftnexthop=%defaultroute
    right=1.2.3.4
    rightsubnet=192.168.1.0/24
    rightid=1.2.3.4
    rightnexthop=1.2.3.5
    keyexchange=ike
    ikelifetime=240m
    keylife=3600s
    pfs=yes
    compress=no
    authby=secret
    keyingtries=0
    auto=start
The %defaultroute setting for leftnexthop seems to fix an issue with the tunnel dropping after a certain period of time.
On the DI-804HV:
Tunnel Name: (Any *short* name you want)
Aggressive Mode: NOT checked
Local Subnet: 192.168.1.0
Local Netmask: 255.255.255.0
Remote Subnet: 192.168.2.0
Remote Netmask: 255.255.255.0
Remote Gateway: 5.6.7.8
IKE Keep Alive: (Can be left blank or can be an active IP on the remote subnet)
Preshare Key: (Your shared key - *MAXIMUM 20 CHARACTERS*)
Extended Authentication: NOT Enabled
IPSec NAT Traversal: NOT Enabled
Remote ID: IP Address   Value: 5.6.7.8 <- Set to external IP of remote gateway
Local ID: IP Address   Value: 1.2.3.4 <- Set to external IP of D-Link

----- IKE PROPOSAL INDEX -------
Proposal Name: IKE Proposal
DH Group: Group 2
Encrypt Algorithm: 3DES
Auth Algorithm: MD5
Life Time: 28800

----- IPSEC PROPOSAL INDEX -----
Proposal Name: IPSEC Proposal
DH Group: Group 2
Encap Protocol: ESP
Encrypt algorithm: 3DES
Auth algorithm: SHA1
Life Time: 3600

*NOTE:* For the two proposal index settings above, you must select the index number of the settings you filled in (usually 1) and click the "Add to" proposal index button.
For the setup above, I'm using 1.2.3.4 for the external IP of the D-Link, 5.6.7.8 for the external IP of the remote gateway, 192.168.1.0/24 for the subnet behind the D-Link and 192.168.2.0/24 for the subnet behind the remote gateway. You will have to replace all these numbers with the values that correspond to your network. You will also have to add an entry into your ipsec.secrets file with a value for the shared key.
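Because a key longer than 20 characters fails without an error, it helps to check the ipsec.secrets entry mentioned above before bringing the tunnel up. The following is an added example, not part of the original page: it parses PSK entries of the usual form (IDs, a colon, PSK and a double-quoted key; IPv4 IDs assumed), reports entries that apply to the D-Link peer and exceed the limit, and generates a random key of exactly 20 characters. The function names and the sample file contents are constructed for illustration.

```python
import re
import secrets
import string

DLINK_PSK_MAX = 20  # shared-key limit this page reports for the DI-804HV

# Matches entries such as: 5.6.7.8 1.2.3.4 : PSK "key"
# (IPv4 IDs assumed; IPv6 IDs contain ':' and are not handled here)
PSK_LINE = re.compile(r'^\s*(?P<ids>[^:#]*?)\s*:\s*PSK\s+"(?P<key>[^"]*)"')

def parse_psks(text):
    """Yield (line_no, [ids], key) for each PSK entry in ipsec.secrets text."""
    for no, line in enumerate(text.splitlines(), 1):
        m = PSK_LINE.match(line)
        if m:
            yield no, m.group("ids").split(), m.group("key")

def oversized_psks(text, peer, limit=DLINK_PSK_MAX):
    """Return line numbers of PSK entries usable with `peer` that are
    longer than `limit`. Entries without IDs match any peer, so they
    are checked as well."""
    return [no for no, ids, key in parse_psks(text)
            if (not ids or peer in ids) and len(key) > limit]

def new_psk(length=DLINK_PSK_MAX):
    """Random key at the maximum accepted length. Alphanumeric only, so
    it needs no escaping inside the double quotes of ipsec.secrets."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

# Constructed sample ipsec.secrets contents (not real keys).
SAMPLE = '''\
# D-Link tunnel
5.6.7.8 1.2.3.4 : PSK "this-key-is-longer-than-twenty-chars"
5.6.7.8 192.0.2.10 : PSK "short-enough-key"
'''

if __name__ == "__main__":
    for no in oversized_psks(SAMPLE, "1.2.3.4"):
        print(f"line {no}: PSK exceeds {DLINK_PSK_MAX} characters")
    print("replacement key:", new_psk())
```

With the key length capped at 20 characters, a randomly generated key of the full length gives the most entropy the router allows.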