Search results

  1. sinshiva

    [Experimental] WireGuard for HND platform (4.1.x kernels)

    bump for sheer awesomeness and to say two things; i don't think @Odkrys spelled it out quite clearly enough: WireGuard does not endorse using TunSafe. And the bossman himself said they have a functional windows client very nearly about to go live, so be patient.
  2. sinshiva

    Asus IPSEC Vpn Server

    when you edited your swanctl.conf, did you ONLY add the 'send_cert = always' line? also, be sure to remove or comment out the xauth-adriansplit user, don't want to leave yourself open there. if you only added the line and changed nothing else, re run merlinswan.sh and try to connect again...
  3. sinshiva

    Asus IPSEC Vpn Server

    [edit/] JK, i see the problem lol, you are missing 'send_cert = always' , don't think you used my most recent edit of the swanctl.conf sorry, idk why but one of my edits didn't take or something; your connection should look something like ikev2-eap-mschapv2 { # IKEv2 version = 2...
  4. sinshiva

    Asus IPSEC Vpn Server

    weird. do you also forward port 500 on the isp router? if so, remove it
  5. sinshiva

    Asus IPSEC Vpn Server

    run merlinswan.sh then post new connect logs from swanctl --log
  6. sinshiva

    Asus IPSEC Vpn Server

    double nat? are you forwarding port 4500 on isp router to asus router? and then are you trying to connect from LTE, not wifi?
  7. sinshiva

    Asus IPSEC Vpn Server

    ok, one other question, i see the server is configured with 10.0.0.0/24 as your lan subnet and you have 192.168.1.0/24 in connect logs, what's that about? also, run /jffs/scripts/service-start and then try to connect one more time [edit/] probably wouldn't hurt to change xauth-adrian to...
  8. sinshiva

    Asus IPSEC Vpn Server

    paste the merlinswan.sh and service-start scripts - i don't think you are loading the server key
  9. sinshiva

    Asus IPSEC Vpn Server

    in my config, at the bottom is where i configure my users; un: adrian pw: adriansecret as an example <edit/> it looks like your server key is the problem, though. do you have the merlinswan.sh created and configured to add the location of your server.key to /etc/ipsec.secrets ?
  10. sinshiva

    Asus IPSEC Vpn Server

    yes, but try the edit in my last first
  11. sinshiva

    Asus IPSEC Vpn Server

    honestly, this still looks like the leftsendcert directive being the issue to me, i was stuck on it for a minute. idk why it would work with my swanctl.conf style config and not your ipsec.conf config, though. [edit/] could be my mistake, try leftsendcert=yes
  12. sinshiva

    Asus IPSEC Vpn Server

    wild guess, but i read somewhere that iOS proposes ciphers that it won't actually use (specifically >modp1024), maybe defaults changed between versions or something, so try the ciphers i'm using by adding the following; ike = aes256-sha256-ecp256,aes256-sha384-ecp384,aes256-sha1-modp1024 esp =...
  13. sinshiva

    Asus IPSEC Vpn Server

    ok, now it's something wrong with the leftsendcert directive, post your postconf file
  14. sinshiva

    Asus IPSEC Vpn Server

    well, my first guess would be that something is wrong with your certs. i'd do mv /jffs/.le /jffs/.le_old and toggle letsencrypt from the webui. after it succeeds in pulling new certs; toggle the ipsec server from the webui
  15. sinshiva

    Asus IPSEC Vpn Server

    Using asuswrt-merlin? Are you using @Odkrys postconf script or the swanctl.conf i posted ? From ssh, use swanctl --log and post what happens when your iOS devices try to connect
  16. sinshiva

    nf_conntrack: expectation table full and other log oddities

    have you noticed this happening when 5ghz drops clients?
  17. sinshiva

    Asus IPSEC Vpn Server

    well, my ikev2 connection from my workstation to home stayed up overnight during a nasty storm, so idk why yours is having trouble, sorry.
  18. sinshiva

    Asus IPSEC Vpn Server

    Not sure, i'd have to play with it more to figure out if that's a server timeout issue or a client issue. to completely disable ikev1 in the SWANCTL.CONF above, just delete the sections: ikev1-psk-xauth-routeall { } ikev1-psk-xauth-splittunnel { } Also a sidenote, it looks like ikev2 on...
  19. sinshiva

    Asus IPSEC Vpn Server

    RESOLVED: IKEv2 inside router ip crapola - 'hostaccess = yes' - i was tired, forgive me. :p RESOLVED: IKEv2 iOS clients - 'send_cert = always' coolbeans @Odkrys add leftsendcert=always to fix iOS clients Cleaned up ciphers; Recommend using the better cipher for windows by adding connection...
  20. sinshiva

    Asus IPSEC Vpn Server

    Nobody should use IKEv1 _UNLESS_ you have a very specific situation that requires it. My situation is that i use an iPhone/iPad and have T-Mobile. The native iOS L2TP/IPSEC client and the IKEv2 clients fail with T-Mobile's nat64 LTE infrastructure. Because of this, i was running an ASA5505...