Asus IPSEC Vpn Server

bilboSNB

Senior Member
Is it possible to somehow use the built-in native Windows 10 VPN client to connect to the new Asus routers' IPsec VPN server rather than installing 3rd-party software such as Shrew?
 
I made a simple script to turn the ASUS IKEv1 XAUTH/PSK server into an IKEv1 XAUTH/PSK + IKEv2 EAP server.
Both profiles can run in parallel.
You should get a Let's Encrypt certificate for your DDNS hostname.
Without Let's Encrypt, you need to generate a self-signed certificate and install its CA into the trusted root CA store of each device. I don't like this process.

The IKEv2 server shares the same username and password with IKEv1.


EDIT : https://www.snbforums.com/threads/asus-ipsec-vpn-server.44973/#post-473984
 
Thank you very much Odkrys.
Your solution is working great.
Do you think Merlin could include your script in the next firmware release?
IKEv2 settings in the VPN IPsec parameters should be possible.
I asked Merlin but no answer so far.
With my connection IKEv2 is four times faster than OpenVPN, with less latency.
It is by far the best VPN for the RT-AC86U, and with the Windows 10 IKEv2 native client it works great.
 
Does this still work?

I am getting the following error: Policy match error
when I try to connect to it.

Any solution? Thanks! :)
 
Code:
ipsec stroke loglevel cfg 2
will show which proposals were received from the client.
Add ike and esp cipher options like this.
Code:
  eap_identity=%any
  ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,aes256-sha1-modp1024,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096!
  esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048!
EOF
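Added example, not code from the thread or from strongSwan: a small POSIX shell audit that splits an ike= or esp= line of the form above into its proposals and their components, and reports the components a defender would rather not offer (DES/3DES, MD5/SHA-1, MODP groups below 2048 bits, NULL). The weak list is this example's own choice, and the two lines posted above are used as sample input; the ike=/esp= syntax assumed is strongSwan's comma-separated proposals with '-'-separated algorithms and an optional trailing '!'.

```sh
#!/bin/sh
# Added example: audit strongSwan ike=/esp= proposal strings for weak components.
# The list of what counts as weak is this example's own judgement, not the thread's.
WEAK_PATTERN='^(des|3des|md5|sha1|modp768|modp1024|modp1536|null)$'

# weak_components LINE
# Prints one "proposal: component" line per weak component found in LINE.
weak_components() {
    old_ifs=$IFS
    # drop the "ike="/"esp=" prefix, surrounding whitespace and the strict marker '!'
    body=$(printf '%s\n' "$1" | sed -E 's/^[[:space:]]*(ike|esp)=//; s/!?[[:space:]]*$//')
    IFS=','
    for proposal in $body; do          # one proposal per comma-separated field
        IFS='-'
        for component in $proposal; do # one algorithm or DH group per '-' field
            if printf '%s\n' "$component" | grep -Eq "$WEAK_PATTERN"; then
                printf '%s: %s\n' "$proposal" "$component"
            fi
        done
    done
    IFS=$old_ifs
}

# weak_count LINE: number of weak components in LINE (prints 0 when clean, always exits 0)
weak_count() {
    weak_components "$1" | awk 'END { print NR }'
}

# The two lines posted in the thread above, run through the audit.
IKE='ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,aes256-sha1-modp1024,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096!'
ESP='esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048!'
for line in "$IKE" "$ESP"; do
    echo "== ${line%%=*}: $(weak_count "$line") weak component(s)"
    weak_components "$line"
done
```

Run it on the router or on any box with sh, sed and grep. The report is the list of proposals that exist only to satisfy older clients; once a client has been configured to offer stronger ones, those entries can be removed from ike=/esp= again, and the `ipsec stroke loglevel cfg 2` output above confirms what the client actually sends.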
 
Hello
IPsec IKEv2 VPN works great on my RT-AC86U with 384.7 firmware.
Which firmware version do you have?
 
Hi Odkrys,

This is what I get after typing ipsec stroke loglevel cfg 2:

Code:
Nov 15 10:13:38 15[CFG] proposing traffic selectors for us:
Nov 15 10:13:38 15[CFG]  0.0.0.0/0
Nov 15 10:13:38 15[CFG] proposing traffic selectors for other:
Nov 15 10:13:38 15[CFG]  dynamic
Nov 15 10:13:42 13[CFG] proposing traffic selectors for us:
Nov 15 10:13:42 13[CFG]  0.0.0.0/0
Nov 15 10:13:42 13[CFG] proposing traffic selectors for other:
Nov 15 10:13:42 13[CFG]  dynamic
Nov 15 10:13:46 08[CFG] proposing traffic selectors for us:
Nov 15 10:13:46 08[CFG]  0.0.0.0/0
Nov 15 10:13:46 08[CFG] proposing traffic selectors for other:
Nov 15 10:13:46 08[CFG]  dynamic
Nov 15 10:13:50 11[CFG] proposing traffic selectors for us:
Nov 15 10:13:50 11[CFG]  0.0.0.0/0
Nov 15 10:13:50 11[CFG] proposing traffic selectors for other:
Nov 15 10:13:50 11[CFG]  dynamic
Nov 15 10:13:54 06[CFG] proposing traffic selectors for us:
Nov 15 10:13:54 06[CFG]  0.0.0.0/0
Nov 15 10:13:54 06[CFG] proposing traffic selectors for other:
Nov 15 10:13:54 06[CFG]  dynamic
Nov 15 10:13:58 09[CFG] proposing traffic selectors for us:
Nov 15 10:13:58 09[CFG]  0.0.0.0/0
Nov 15 10:13:58 09[CFG] proposing traffic selectors for other:
Nov 15 10:13:58 09[CFG]  dynamic
Nov 15 10:14:02 15[CFG] proposing traffic selectors for us:
Nov 15 10:14:02 15[CFG]  0.0.0.0/0
Nov 15 10:14:02 15[CFG] proposing traffic selectors for other:
Nov 15 10:14:02 15[CFG]  dynamic
Nov 15 10:14:06 07[CFG] proposing traffic selectors for us:
Nov 15 10:14:06 07[CFG]  0.0.0.0/0
Nov 15 10:14:06 07[CFG] proposing traffic selectors for other:
Nov 15 10:14:06 07[CFG]  dynamic
Nov 15 10:14:11 14[CFG] proposing traffic selectors for us:
Nov 15 10:14:11 14[CFG]  0.0.0.0/0
Nov 15 10:14:11 14[CFG] proposing traffic selectors for other:
Nov 15 10:14:11 14[CFG]  dynamic
Nov 15 10:14:14 05[CFG] proposing traffic selectors for us:
Nov 15 10:14:14 05[CFG]  0.0.0.0/0
Nov 15 10:14:14 05[CFG] proposing traffic selectors for other:
Nov 15 10:14:14 05[CFG]  dynamic
Nov 15 10:14:18 06[CFG] proposing traffic selectors for us:
Nov 15 10:14:18 06[CFG]  0.0.0.0/0
Nov 15 10:14:18 06[CFG] proposing traffic selectors for other:
Nov 15 10:14:18 06[CFG]  dynamic
Nov 15 10:14:23 10[CFG] proposing traffic selectors for us:
Nov 15 10:14:23 10[CFG]  0.0.0.0/0
Nov 15 10:14:23 10[CFG] proposing traffic selectors for other:
Nov 15 10:14:23 10[CFG]  dynamic
Nov 15 10:14:26 15[CFG] proposing traffic selectors for us:
Nov 15 10:14:26 15[CFG]  0.0.0.0/0
Nov 15 10:14:26 15[CFG] proposing traffic selectors for other:
Nov 15 10:14:26 15[CFG]  dynamic
Nov 15 10:14:30 13[CFG] proposing traffic selectors for us:
Nov 15 10:14:30 13[CFG]  0.0.0.0/0
Nov 15 10:14:30 13[CFG] proposing traffic selectors for other:
Nov 15 10:14:30 13[CFG]  dynamic
Nov 15 10:14:34 08[CFG] proposing traffic selectors for us:
Nov 15 10:14:34 08[CFG]  0.0.0.0/0
Nov 15 10:14:34 08[CFG] proposing traffic selectors for other:
Nov 15 10:14:34 08[CFG]  dynamic
Nov 15 10:14:38 05[CFG] proposing traffic selectors for us:
Nov 15 10:14:38 05[CFG]  0.0.0.0/0
Nov 15 10:14:38 05[CFG] proposing traffic selectors for other:
Nov 15 10:14:38 05[CFG]  dynamic
Nov 15 10:14:42 12[CFG] proposing traffic selectors for us:
Nov 15 10:14:42 12[CFG]  0.0.0.0/0
Nov 15 10:14:42 12[CFG] proposing traffic selectors for other:
Nov 15 10:14:42 12[CFG]  dynamic
Nov 15 10:14:46 09[CFG] proposing traffic selectors for us:
Nov 15 10:14:46 09[CFG]  0.0.0.0/0
Nov 15 10:14:46 09[CFG] proposing traffic selectors for other:
Nov 15 10:14:46 09[CFG]  dynamic

I am not sure where to enter those cipher options.


Hi Shockers54,
I have an RT-AC5300 with the latest firmware, 384.7_2.

Edit: Typo
 
I made a simple script to turn the ASUS IKEv1 XAUTH/PSK server into an IKEv1 XAUTH/PSK + IKEv2 EAP server.
Both profiles can run in parallel.
You should get a Let's Encrypt certificate for your DDNS hostname.
Without Let's Encrypt, you need to generate a self-signed certificate and install its CA into the trusted root CA store of each device. I don't like this process.

The IKEv2 server shares the same username and password with IKEv1.

https://drive.google.com/open?id=1mXvR03eTpYJ7b18tt1-OVr_aWVbhHH7K

Code:
chmod a+rx /jffs/scripts/ikev2
echo "" >> /jffs/scripts/services-start
echo "sh /jffs/scripts/ikev2" >> /jffs/scripts/services-start

Turn IPSec on and run the script or reboot.
Code:
sh /jffs/scripts/ikev2

FYI, the Windows IKEv2 VPN GUI is buggy, so I recommend creating the connection with PowerShell and editing it in the GUI afterwards.

https://hide.me/en/vpnsetup/windows10/ikev2/

Hi Odkrys,

I recently installed Merlin 384.8.2 on my RT-AC68U and I'd like to set up an IPsec/L2TP VPN server on it. It seems you got it working successfully, and I'd like to ask a little help from you to set it up on my router, if you wouldn't mind.

I checked the scripts and, as I understood it, the script relies on IPsec binaries on the router, but when I search my router for ipsec, xl2tpd, xauth etc. I can't find anything about these. Do those need to be installed via Optware or Entware? Can you please give me some guidance on how to get the missing components installed on the router so I can apply the scripts you created?

Thank you!
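Added example, not the thread's script: the two `echo ... >> /jffs/scripts/services-start` lines in the install steps quoted above append a new line every time they are run, so a second run leaves a duplicate `sh /jffs/scripts/ikev2` entry and the script starts twice at boot. The function below registers the hook only once and creates services-start with a shebang when it does not exist yet. The file paths are the thread's; the function and its `--install` switch are this example's own.

```sh
#!/bin/sh
# Added example: idempotent registration of a hook line in a Merlin services-start file.

# register_hook FILE LINE
# Creates FILE with a shebang if it is missing, appends LINE if it is not already
# present (exact full-line match), keeps FILE executable. Prints "added" or "present".
register_hook() {
    file=$1
    line=$2
    if [ ! -f "$file" ]; then
        printf '#!/bin/sh\n' > "$file"
    fi
    if grep -Fxq -- "$line" "$file"; then
        echo present
    else
        printf '%s\n' "$line" >> "$file"
        echo added
    fi
    chmod a+rx "$file"
}

# count_hook FILE LINE: how many times LINE appears in FILE (0 when absent)
count_hook() {
    grep -Fxc -- "$2" "$1" || true
}

# Usage on the router, with the paths from the thread:
#   sh register_hook.sh --install
if [ "${1:-}" = "--install" ]; then
    chmod a+rx /jffs/scripts/ikev2
    register_hook /jffs/scripts/services-start "sh /jffs/scripts/ikev2"
fi
```

Re-running the installer after a firmware update or a restore of /jffs then reports `present` instead of silently adding a second start line.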
 
There is no IPsec support on the RT-AC68U.
 
With this script, is it possible to set up the server so that clients can connect without a certificate, just an IPsec pre-shared key, via the Windows native IPsec client? What config changes would I need to make in your script? Thanks.
 
@Sh0cker54

Merlin firmware supports ipsec.postconf and strongswan.postconf since 384.9,
so no additional script is needed to build an IKEv2 server for Windows 10 clients.

nano /jffs/scripts/ipsec.postconf
Code:
#!/bin/sh
# Merlin calls this with the path of the generated ipsec.conf as $1
CONFIG=$1
source /usr/sbin/helper.sh

# trust the Let's Encrypt chain that issued the router's certificate
pc_append "" $CONFIG
pc_append "ca letsencrypt" $CONFIG
pc_append "  cacert=/jffs/.le/$(nvram get ddns_hostname_x)/chain.pem" $CONFIG
pc_append "  auto=add" $CONFIG
# IKEv2 connection: the router authenticates with its certificate, clients with EAP-MSCHAPv2
pc_append "" $CONFIG
pc_append "conn IKEv2-EAP" $CONFIG
pc_append "  keyexchange=ikev2" $CONFIG
pc_append "  left=$(nvram get wan0_ipaddr)" $CONFIG
pc_append "  leftid=@$(nvram get ddns_hostname_x)" $CONFIG
pc_append "  leftsubnet=0.0.0.0/0" $CONFIG
pc_append "  leftfirewall=yes" $CONFIG
pc_append "  lefthostaccess=yes" $CONFIG
pc_append "  leftauth=pubkey" $CONFIG
pc_append "  leftcert=/jffs/.le/$(nvram get ddns_hostname_x)/cert.pem" $CONFIG
pc_append "  right=%any" $CONFIG
pc_append "  rightdns=$(nvram get lan_ipaddr)" $CONFIG
pc_append "  rightsourceip=10.10.11.0/24" $CONFIG
pc_append "  rightauth=eap-mschapv2" $CONFIG
pc_append "  eap_identity=%any" $CONFIG
# dead peer detection: drop the SA of a client that stops answering
pc_append "  dpdtimeout=30s" $CONFIG
pc_append "  dpdaction=clear" $CONFIG
pc_append "  dpddelay=10s" $CONFIG
pc_append "  auto=add" $CONFIG

nano /jffs/scripts/strongswan.postconf
Code:
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh

# register the private key of the Let's Encrypt certificate used by leftcert above
pc_append ": RSA /jffs/.le/$(nvram get ddns_hostname_x)/domain.key" /etc/ipsec.secrets

chmod +x /jffs/scripts/ipsec.postconf /jffs/scripts/strongswan.postconf
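Added example, not code from the thread or from the Merlin firmware: a preflight check for the files the two postconf scripts above reference. The postconf writes paths into ipsec.conf and ipsec.secrets without checking them, so a missing or empty certificate leaves the conn unusable, and a private key readable by other users undermines the server's authentication. The `/jffs/.le/<ddns hostname>/chain.pem`, `cert.pem` and `domain.key` layout is taken from the thread; the checks themselves are this example's own.

```sh
#!/bin/sh
# Added example: verify the Let's Encrypt files the postconf scripts point at.

# check_le_dir DIR
# Prints one problem per line. Prints nothing and returns 0 when the layout is usable.
check_le_dir() {
    dir=$1
    rc=0
    # every path the postconf writes into ipsec.conf / ipsec.secrets must exist and be non-empty
    for f in chain.pem cert.pem domain.key; do
        if [ ! -s "$dir/$f" ]; then
            echo "missing or empty: $dir/$f"
            rc=1
        fi
    done
    # the key is referenced by path from ipsec.secrets; it must not be readable by others
    if [ -f "$dir/domain.key" ] && [ -n "$(find "$dir/domain.key" -perm -004)" ]; then
        echo "world-readable private key: $dir/domain.key"
        rc=1
    fi
    # cacert= and leftcert= expect PEM certificates
    for f in chain.pem cert.pem; do
        if [ -s "$dir/$f" ] && ! grep -q 'BEGIN CERTIFICATE' "$dir/$f"; then
            echo "not a PEM certificate: $dir/$f"
            rc=1
        fi
    done
    return $rc
}

# On the router the directory is derived from the DDNS hostname, as in the postconf:
#   sh check_le.sh /jffs/.le/$(nvram get ddns_hostname_x)
if [ -n "${1:-}" ]; then
    if check_le_dir "$1"; then
        echo "ok: $1"
    fi
fi
```

Run it before rebooting with the postconf in place; an empty report means strongSwan will find everything the generated `ca letsencrypt` and `conn IKEv2-EAP` sections refer to.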
 
@Odkrys
Right now I'm on 384.7; it is rock solid, no reboot in 41 days, and your IPsec IKEv2 VPN server works flawlessly.
I will try the next firmware, 384.10, with the new strongSwan 5.7.2, or maybe the 5.8.0 release?
Anyway, thank you Odkrys for the new ipsec.postconf and strongswan.postconf settings.
 
Thank you for this. Just to clarify, if we have already implemented the original instructions, we should undo those before putting these scripts into place?
 
It was working until 384.10 version was released. My VPN clients are iOS devices (iPhones and iPads).
 