Asus IPSEC Vpn Server

Hi
ASUS IPSEC IKEv1 XAUTH/PSK server to IKEv1 XAUTH/PSK + IKEv2 EAP server.
Both profiles can run parallel.
You should get a Let's Encrypt certificate for your DDNS hostname.
Without Let's Encrypt, you need to generate a self-signed certificate and install its CA into the trusted root CA store of each device. I don't like this process.

Just follow these threads
IKEv2 server share the same username and password with IKEv1.
https://www.snbforums.com/threads/asus-ipsec-vpn-server.44973/#post-473984
https://www.snbforums.com/threads/asus-ipsec-vpn-server.44973/page-4#post-531279

Merlin firmware has supported ipsec.postconf and strongswan.postconf since 384.9,
so no additional script is needed to build an IKEv2 server for Windows 10 clients.
Here is my latest ipsec.postconf

nano /jffs/scripts/ipsec.postconf

Code:
#!/bin/sh
# Merlin runs this script with the path of the freshly generated /etc/ipsec.conf as $1
CONFIG=$1
source /usr/sbin/helper.sh

# CA section: trust the Let's Encrypt chain that issued the router's certificate
pc_append "" "$CONFIG"
pc_append "ca letsencrypt" "$CONFIG"
pc_append "  cacert=/jffs/.le/$(nvram get ddns_hostname_x)/ca.cer" "$CONFIG"
pc_append "  auto=add" "$CONFIG"
pc_append "" "$CONFIG"
# IKEv2 profile: the router authenticates with its certificate (leftid must be a name
# contained in that certificate), clients authenticate with EAP-MSCHAPv2 using the
# IPsec VPN users defined in the router GUI
pc_append "conn IKEv2-EAP" "$CONFIG"
pc_append "  keyexchange=ikev2" "$CONFIG"
pc_append "  left=$(nvram get wan0_ipaddr)" "$CONFIG"
pc_append "  leftid=@$(nvram get ddns_hostname_x)" "$CONFIG"
pc_append "  leftsubnet=0.0.0.0/0" "$CONFIG"
pc_append "  leftfirewall=yes" "$CONFIG"
pc_append "  lefthostaccess=yes" "$CONFIG"
pc_append "  leftauth=pubkey" "$CONFIG"
pc_append "  leftcert=/jffs/.le/$(nvram get ddns_hostname_x)/$(nvram get ddns_hostname_x).cer" "$CONFIG"
pc_append "  right=%any" "$CONFIG"
pc_append "  rightdns=$(nvram get lan_ipaddr)" "$CONFIG"
pc_append "  rightsourceip=10.10.11.0/24" "$CONFIG"
pc_append "  rightauth=eap-mschapv2" "$CONFIG"
pc_append "  eap_identity=%any" "$CONFIG"
# Dead peer detection (dpdtimeout is only used by IKEv1; IKEv2 relies on retransmission timeouts)
pc_append "  dpddelay=10s" "$CONFIG"
pc_append "  dpdtimeout=30s" "$CONFIG"
pc_append "  dpdaction=clear" "$CONFIG"
pc_append "  rekey=no" "$CONFIG"
pc_append "  auto=add" "$CONFIG"

For Windows, add the connection via PowerShell:

Add-VpnConnection -Name "home" -ServerAddress YOURDOMAIN.asuscomm.com -TunnelType "Ikev2"
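Before rebooting, it is worth linting what the postconf will append. The Python script below is an added example, not code from the thread: it parses ipsec.conf-style text and flags repeated keys, a leftid that does not match the leftcert path, and a client pool that overlaps the LAN; the hostname and addresses in its sample are placeholders.

```python
import ipaddress
from collections import Counter

# Added example, not the poster's script: lint the conn an ipsec.postconf
# appends, offline, before rebooting the router. The sample below is
# constructed (placeholder hostname/addresses, duplicated keys kept on purpose).
SAMPLE = """\
conn IKEv2-EAP
  keyexchange=ikev2
  leftid=@home.example.net
  leftauth=pubkey
  leftcert=/jffs/.le/home.example.net/home.example.net.cer
  right=%any
  rightdns=10.7.0.1
  rightsourceip=10.10.11.0/24
  rightauth=eap-mschapv2
  auto=add
  leftauth=pubkey
  auto=add
"""

def parse_ipsec_conf(text):
    """Map 'conn NAME' / 'ca NAME' headers to their (key, value) pairs, duplicates kept."""
    sections, cur = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line:
            continue
        if not line[0].isspace():                      # unindented line: section header
            cur = sections.setdefault(" ".join(line.split()), [])
        else:
            key, _, val = line.strip().partition("=")
            cur.append((key.strip(), val.strip()))
    return sections

def lint_ikev2_conn(pairs, lan_ip, lan_mask="255.255.255.0"):
    """Return findings for one conn; strongSwan keeps the last value of a repeated key."""
    findings, conf = [], dict(pairs)
    for key, n in Counter(k for k, _ in pairs).items():
        if n > 1:
            findings.append(f"{key} set {n} times; last value '{conf[key]}' wins")
    host = conf.get("leftid", "").lstrip("@")
    if host and "leftcert" in conf and f"/{host}/" not in conf["leftcert"]:
        findings.append(f"leftid host {host} does not match the leftcert path")
    lan = ipaddress.ip_network(f"{lan_ip}/{lan_mask}", strict=False)
    # rightsourceip in CIDR form assumed; 10.10.10.2/24 normalises to 10.10.10.0/24
    pool = ipaddress.ip_network(conf.get("rightsourceip", "0.0.0.0/32"), strict=False)
    if lan.overlaps(pool):
        findings.append(f"rightsourceip {pool} overlaps LAN {lan}; the router must proxy-ARP for clients")
    return findings
```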

I added in the code you suggested and I get the error that my IKE credentials are unacceptable. I'm not quite sure what you mean by the IKE 1 username and pass being the same as IKE2; are we talking about the IPsec username and pass that you make in the Asus IPsec VPN section?
 
Yes, we are talking about the same IPsec username and pass that you make in the Asus IPsec VPN section.
OK, first try to make the native IPsec VPN server work (IKEv1)
and then use the same credentials for IKEv2; it should work.
You need to reboot once after adding the ipsec.postconf file.

 

I already had a username and pass in the area you've described. And I had already rebooted. I'll try adding another profile and turning the router off and on. Will update you then.
 

I was able to connect with my Android device. My phone showed up as connected, and my Asus router showed there was a VPN connection established, but my phone couldn't access any internet, whether in a browser or an app.
 
If your Android device shows up as connected then your VPN is working... It seems like a DNS issue.

Check your LAN settings => DNS Filter => is it enabled?
Here is my configuration

 

I feel like this shouldn't be an issue. When I connect via IKEV1 from my computer there was never this issue.

Update: I tried putting in a similar DNS setting like you've provided (except with ad blocking DNS) and the phone still isn't working.
 
OK, try to put DNS settings in the client, to check if this is a DNS issue.
But you're right, via IKEv1 it should work.

For IKEv2, did you provide the strongswan.postconf?

Code:
#!/bin/sh
# Merlin passes the path of the generated /etc/strongswan.conf as $1; this script
# leaves that file alone and instead registers the Let's Encrypt private key in
# /etc/ipsec.secrets so that the IKEv2-EAP conn can use its leftcert
CONFIG=$1
source /usr/sbin/helper.sh

pc_append ": RSA /jffs/.le/$(nvram get ddns_hostname_x)/domain.key" /etc/ipsec.secrets
 
I had but I also did it again with your code just to make sure.
 
What would be good instructions to try this with iOS devices (iPhone/iPad) as client?

For the server part: I don't use Let's Encrypt for the asuscomm.com DDNS, but I guess I can make it work for my own subdomain with LE that redirects to the router?
 
On Android you can test IKEv2 with strongSwan and check the log if something goes wrong.
I just connected a Windows 10 machine. According to the Asus VPN page my connection stayed consistently on "connecting" and never showed as connected despite me being connected. My IP address showed up as being a part of the VPN address when I went to what'smyip but I couldn't run any speed tests due to a SOCK error. I was also unable to remote connect to windows 10 machines that have remote connection enabled.
 
Hello everyone.

Thanks to the good people on SNB, I've managed to do quite a lot with my Asus AC86u router. I have managed to successfully set up Diversion, DNScrypt, an OpenVPN client which connects to NordVPN and an IPsec / IKEV2 server which my Android mobile connects to.

My question is: would there be a way to send internet traffic from my mobile through the IPsec / IKEV2 server through to the OpenVPN client? (which I assume would go through DNScrypt / Diversion etc). I have found some code which I have been trying to adapt:

Code:
iptables -I POSTROUTING -t nat -s $(nvram get vpn_server1_sn)/24 -o tun11 -j MASQUERADE

This code works when trying to send OpenVPN server internet traffic through to an OpenVPN client. Could this be altered in a way which could send the IPsec / IKEV2 server internet traffic through to the OpenVPN client instead? I can't find the reference to the IPsec / IKEV2 tunnel when I try:

Code:
nvram show

Via SSH on the router itself.

I'm not sure if this is even possible

Any help would be greatly appreciated.

Thanks.
 
Nobody should use IKEv1 _UNLESS_ you have a very specific situation that requires it. My situation is that I use an iPhone/iPad and have T-Mobile. The native iOS L2TP/IPSEC client and the IKEv2 clients fail with T-Mobile's nat64 LTE infrastructure. Because of this, I was running an ASA5505 for a while and had two group profiles, one that would tell my iPhone to route ALL traffic and another to SPLIT-TUNNEL. I *only* intend to use the IKEv1 IPSEC client for iOS. I also borrowed from this thread to add an IKEv2 instance and altered it slightly to be compatible with Windows weirdness regarding split-tunnelling.
Hello!
Could you help with my problem?
I did everything according to your instructions, but I do not understand this problem.
After applying the settings and rebooting the router, I don't see the /jffs directory in the directory ./le... strange.

Perhaps I was mistaken in editing the script for my data. Can you clarify whether I filled out everything correctly?

My Lan 10.7.0.0/24
My Router 10.7.0.1

LAN for Route all 10.10.11.0/24
LAN for SplitTunnel 10.20.11.0/24
Lan for Windows client 10.30.11.0/24
2 users with passwords

auth = psk, should I change something here?

Code:
# In this config, I am creating two XAUTH user conns for Cisco IPSEC clients (iOS) and a fairly universal IKEv2 conn
# One will pass all traffic.  The other will split-tunnel.
# This is not an ideal config for scale.  Better to use the 'include' directive to a swanctl_base.conf

connections {

    ikev1-psk-xauth-routeall { # First Cisco IPSEC instance to ROUTE ALL traffic
        version = 1
        proposals = aes128-sha1-modp1024
        rekey_time = 0s
        pools = pool-routeall
        fragmentation = yes
        dpd_delay = 30s
        dpd_timeout = 90s
        local-1 {
            auth = psk
        }
        remote-1 {
            auth = psk
        }
        remote-2 {
            auth = xauth
            xauth_id = ExtNet
        }
        children {
            ikev1-psk-xauth {
                local_ts = 0.0.0.0/0
                rekey_time = 0s
                dpd_action = clear
                esp_proposals = aes128-sha1
                updown = /usr/lib/ipsec/_updown iptables
            }
        }
    }

    ikev1-psk-xauth-splittunnel { # Second Cisco IPSEC instance to SPLIT-TUNNEL LAN traffic
        version = 1
        proposals = aes128-sha1-modp1024
        rekey_time = 0s
        pools = pool-splittunnel
        fragmentation = yes
        dpd_delay = 30s
        dpd_timeout = 90s
        send_cert = always
        local-1 {
            auth = psk
        }
        remote-1 {
            auth = psk
        }
        remote-2 {
            auth = xauth
            xauth_id = LocalNet
        }
        children {
            ikev1-psk-xauth {
                local_ts = 0.0.0.0/0
                rekey_time = 0s
                dpd_action = clear
                esp_proposals = aes128-sha1
                updown = /usr/lib/ipsec/_updown iptables
            }
        }
    }

    ikev2-eap-mschapv2 { # IKEv2 instance designed for splittunnel/routeall compatible with WINDOWS
        version = 2
        # aes512-* proposals dropped: AES has no 512-bit key size, strongSwan skips such entries
        proposals = aes256-sha256-ecp256,aes256-sha384-ecp384,aes256-sha1-modp1024,aes256-sha1-modp2048
        rekey_time = 0s
        pools = pool-windows
        fragmentation = yes
        dpd_delay = 30s
        send_cert = always
        local-1 {
            certs = /jffs/.le/xxx.asuscomm.com/cert.pem
            id = xxx.asuscomm.com
        }
        remote-1 {
            auth = eap-mschapv2
            eap_id = %any
        }
        children {
            ikev2-eap-mschapv2 {
                local_ts = 0.0.0.0/0
                rekey_time = 0s
                dpd_action = clear
                # aes512-* entries dropped here as well ("sha2" is not a keyword either; sha256 is)
                esp_proposals = aes128gcm128-ecp384bp-noesn,aes256-sha256,aes256-sha1
                updown = /usr/lib/ipsec/_updown iptables
                hostaccess = yes
            }
        }
    }

}

pools {
    pool-splittunnel { # SPLIT TUNNEL TO HOME LAN 10.7.0.0/24
        addrs = 10.10.11.0/24
        dns = 10.7.0.1
        28674 = "AC86U.local"
        28675 = "AC86U.local"
        split_include = 10.7.0.0/24 # REPLACE WITH YOUR LAN
    }

    pool-routeall { # ROUTE ALL
        addrs = 10.20.11.0/24
        dns = 10.7.0.1
    }

    pool-windows {
        addrs = 10.30.11.0/24 # range WITHIN lan subnet for splittunnel
        dns = 10.7.0.1
    }

}

authorities {
    letsencrypt {
        cacert = /jffs/.le/xxx.asuscomm.com/chain.pem
    }
}

secrets {
    ike-one {
        secret = MySecret phase without " "
    }

    xauth-ExtNet {
        id = ExtNet
        secret = MySecret password without " "
    }
    xauth-LocalNet {
        id = LocalNet
        secret = MySecret password without " "
    }
#    rsa {
#        file = domain.key # absolute path no worky, use /etc/ipsec.secrets for server key.
#    }
}



Apr 22 11:47:40 07[IKE] no IKE config found for 128.xxx.xx.xxx...83.xxx.xxx.xxx, sending NO_PROPOSAL_CHOSEN
Apr 22 11:47:40 07[IKE] IKE_SA (unnamed)[195] state change: CREATED => DESTROYING
 

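A swanctl.conf that fails to load usually shows up only as a terse daemon log line, so a quick offline parse helps. The Python script below is an added example, not the poster's code: it parses swanctl.conf-style text into nested dicts (raising on a section that is never closed) and checks every proposal token against an assumed subset of strongSwan's keyword list, so a token such as aes512 (AES has no 512-bit key size) is reported.

```python
import re

# Added example, not the poster's config: parse swanctl.conf-style text into
# nested dicts and flag proposal keywords strongSwan does not know.
LINE = re.compile(r"(?P<open>[\w-]+)\s*\{|(?P<close>\})|(?P<key>[\w-]+)\s*=\s*(?P<val>.*)")
# Subset of strongSwan proposal keywords, assumed sufficient for this check;
# AES has no 512-bit key size, so "aes512" is rejected by the daemon.
KEYWORDS = {"aes128", "aes256", "aes128gcm16", "aes256gcm16", "aes128gcm128", "sha1",
            "sha256", "sha384", "sha512", "modp1024", "modp2048", "ecp256", "ecp384",
            "ecp384bp", "esn", "noesn"}

def parse_swanctl(text):
    """Sections become nested dicts, 'key = value' lines become strings."""
    root, stack = {}, []
    cur = root
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()           # drop comments and blanks
        if not line:
            continue
        m = LINE.fullmatch(line)
        if m is None:
            raise ValueError(f"cannot parse: {raw!r}")
        if m["open"]:                                  # 'name {' opens a subsection
            stack.append(cur)
            cur = cur.setdefault(m["open"], {})
        elif m["close"]:                               # '}' returns to the parent
            cur = stack.pop()
        else:
            cur[m["key"]] = m["val"].strip()
    if stack:                                          # e.g. a secrets block never closed
        raise ValueError("unbalanced braces")
    return root

def lint_proposals(conf):
    findings = []                                      # [] means every keyword is known
    for name, conn in conf.get("connections", {}).items():
        plists = [conn.get("proposals", "")]
        plists += [c.get("esp_proposals", "") for c in conn.get("children", {}).values()]
        for prop in ",".join(plists).split(","):
            bad = [t for t in prop.split("-") if t and t not in KEYWORDS]
            if bad:
                findings.append(f"{name}: unknown keyword(s) {bad} in '{prop}'")
    return findings

SAMPLE = """connections {
  ikev2-eap {  # constructed sample: the second proposal names an impossible key size
    proposals = aes256-sha256-ecp256,aes512-sha1-modp2048
  }
}
"""
```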
Hello!

First of all thanks to the posts and the help of @Odkrys, @sinshiva and @DigitizedMe. Thanks a lot to @RMerlin too for creating the Merlin Firmware.

I just wanted to share some info from my newbie experience with IPsec on Asus. It turns out that the router creates and insists on using its own signed certificate for IKEv2 even if you first enable DDNS and then enable VPN Server/IPsec. So your scripts and info helped a lot in "pointing" the ipsec service to the right certificates with Let's Encrypt. I tested this behaviour on the latest 386.7_Beta 2 and also on the previous 386.5_2.

I found out that even though the connection was successful my connected clients were not able to reach the local network. It turned out that this was the firewall blocking traffic from 10.10.10.0/24, which was the clients' address space. So I needed to create a nat_start script and put in the following:

Code:
iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -d 192.168.1.0/24 -j MASQUERADE

In addition, some clients were having problems when rightsourceip=10.10.10.0/24. So I needed to change this to rightsourceip=10.10.10.2/24

I hope this info can help someone who, like me, was in the same situation, searching for a proper way to use IPsec VPN.
 
Hi,

It is a very wild guess, but probably you can create a VTI interface for IPsec and then use it in your commands to forward the traffic.

I found this here on how to create an interface:

Route-Based VPN
 
Hi Everyone!

I have a Galaxy S22 Ultra. I can't connect to the native IPsec VPN server.
What can I do to make this work?
 
Welcome to the forums @glsmith86.

What router? What firmware? What options and features do you use past defaults?
 
RT-AX56U router, 388.2_2 firmware.
Preshared key added, dead peer detection on, user added for V1&V2. Ports 500 and 4500 forwarded on the UDP protocol.

Router runs transmission, lighttpd, diversion.

I have tried out psk and mschapv2 options.
 
You're not testing over LAN, are you?
 
