Asus IPSEC Vpn Server

Maloon · Apr 28, 2019

sinshiva said:
wild guess, but i read somewhere that iOS proposes ciphers that it wont actually use (specifically >modp1024), maybe defaults changed between versions or something, so try the ciphers i'm using by adding the following;

ike = aes256-sha256-ecp256,aes256-sha384-ecp384,aes256-sha1-modp1024
esp = aes128gcm128-ecp384bp-noesn,aes256-sha256,aes256-sha1

This will force iOS to use ecp256, which it does merrily for me.

Tried, but ipsec keeps crashing. This is the log:

Code:

07[NET] received packet: from 213.143.61.85[3005] to 192.168.1.10[500] (604 bytes)
07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
07[IKE] 213.143.61.85 is initiating an IKE_SA
07[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
07[IKE] local host is behind NAT, sending keep alives
07[IKE] remote host is behind NAT
07[IKE] DH group MODP_2048 unacceptable, requesting ECP_256
07[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) V ]
07[NET] sending packet: from 192.168.1.10[500] to 213.143.61.85[3005] (58 bytes)
07[NET] received packet: from 213.143.61.85[3005] to 192.168.1.10[500] (412 bytes)
07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
07[IKE] 213.143.61.85 is initiating an IKE_SA
07[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
07[IKE] local host is behind NAT, sending keep alives
07[IKE] remote host is behind NAT
07[IKE] sending cert request for "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) V ]
07[NET] sending packet: from 192.168.1.10[500] to 213.143.61.85[3005] (301 bytes)
13[NET] received packet: from 213.143.61.85[3008] to 192.168.1.10[4500] (512 bytes)
13[ENC] unknown attribute type (25)
13[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
13[CFG] looking for peer configs matching 192.168.1.10[mydomain.com]...213.143.61.85[iOS]
13[CFG] selected peer config 'IKEv2-EAP'
13[IKE] initiating EAP_IDENTITY method (id 0x00)
13[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
13[IKE] peer supports MOBIKE

sinshiva · Apr 28, 2019

honestly, this still looks like the leftsendcert directive being the issue to me, i was stuck on it for a minute. idk why it would work with my swanctl.conf style config and not your ipsec.conf config, though.

[edit/] could be my mistake, try leftsendcert=yes

Maloon · Apr 28, 2019

sinshiva said:
honestly, this still looks like the leftsendcert directive being the issue to me, i was stuck on it for a minute. idk why it would work with my swanctl.conf style config and not your ipsec.conf config, though.

I understand that you use swanctl.conf style config and your iOS devices connect well using user/password, no?

sinshiva · Apr 28, 2019

Maloon said:
I understand that you use swanctl.conf style config and your iOS devices connect well using user/password, no?

yes, but try the edit in my last first

Maloon · Apr 28, 2019

sinshiva said:
yes, but try the edit in my last first

Hello again @sinshiva

I configured your setup, and I modified with my network values. But now, iOS is telling me that user/password are wrong. Where I must put user/password?

Log:

Code:

12[NET] received packet: from 213.143.61.85[15831] to 192.168.1.10[500] (604 bytes)
12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
12[IKE] 213.143.61.85 is initiating an IKE_SA
12[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
12[IKE] local host is behind NAT, sending keep alives
12[IKE] remote host is behind NAT
12[IKE] DH group MODP_2048 unacceptable, requesting ECP_256
12[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) V ]
12[NET] sending packet: from 192.168.1.10[500] to 213.143.61.85[15831] (58 bytes)
14[NET] received packet: from 213.143.61.85[15831] to 192.168.1.10[500] (412 bytes)
14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
14[IKE] 213.143.61.85 is initiating an IKE_SA
14[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
14[IKE] local host is behind NAT, sending keep alives
14[IKE] remote host is behind NAT
14[IKE] sending cert request for "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
14[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) V ]
14[NET] sending packet: from 192.168.1.10[500] to 213.143.61.85[15831] (301 bytes)
05[NET] received packet: from 213.143.61.85[15824] to 192.168.1.10[4500] (512 bytes)
05[ENC] unknown attribute type (25)
05[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
05[CFG] looking for peer configs matching 192.168.1.10[mydomain.com]...213.143.61.85[iOS]
05[CFG] selected peer config 'ikev2-eap-mschapv2'
05[IKE] initiating EAP_IDENTITY method (id 0x00)
05[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
05[IKE] peer supports MOBIKE
05[IKE] no private key found for 'mydomain.com'
05[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
05[NET] sending packet: from 192.168.1.10[4500] to 213.143.61.85[15824] (80 bytes)

sinshiva · Apr 28, 2019

in my config, at the bottom is where i configure my users;

un: adrian
pw: adriansecret

as an example

<edit/>

it looks like your server key is the problem, though.

do you have the merlinswan.sh created and configured to add the location of your server.key to /etc/ipsec.secrets ?

Maloon · Apr 28, 2019

sinshiva said:
in my config, at the bottom is where i configure my users;

un: adrian
pw: adriansecret

as an example

<edit/>

it looks like your server key is the problem, though.

do you have the merlinswan.sh created and configured to add the location of your server.key to /etc/ipsec.secrets ?

It is crashing again

I don't know why doesn't work.

Log:

Code:

05[NET] received packet: from 213.143.61.85[30604] to 192.168.1.10[500] (604 bytes)
05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
05[IKE] 213.143.61.85 is initiating an IKE_SA
05[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
05[IKE] local host is behind NAT, sending keep alives
05[IKE] remote host is behind NAT
05[IKE] DH group MODP_2048 unacceptable, requesting ECP_256
05[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) V ]
05[NET] sending packet: from 192.168.1.10[500] to 213.143.61.85[30604] (58 bytes)
06[NET] received packet: from 213.143.61.85[30604] to 192.168.1.10[500] (412 bytes)
06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
06[IKE] 213.143.61.85 is initiating an IKE_SA
06[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
06[IKE] local host is behind NAT, sending keep alives
06[IKE] remote host is behind NAT
06[IKE] sending cert request for "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) V ]
06[NET] sending packet: from 192.168.1.10[500] to 213.143.61.85[30604] (301 bytes)

swanctl.conf

Code:

# In this config, I am creating two XAUTH user conns for Cisco IPSEC clients (iOS) and a fairly universal IKEv2 conn
# One will pass all traffic.  The other will split-tunnel.
# This is not an ideal config for scale.  Better to use the 'include' directive to a swanctl_base.conf

connections {

    ikev2-eap-mschapv2 { # IKEv2 instance designed for splittunnel/routeall compatible with WINDOWS
        version = 2
        proposals = aes256-sha256-ecp256,aes256-sha384-ecp384,aes256-sha1-modp1024
        rekey_time = 0s
        pools = pool-windows
        fragmentation = yes
        dpd_delay = 30s
        local-1 {
            certs = /jffs/.le/mydomain.com/cert.pem
            id = mydomain.com
        }
        remote-1 {
            auth = eap-mschapv2
            eap_id = %any
        }
        children {
            ikev2-eap-mschapv2 {
                local_ts = 0.0.0.0/0
                rekey_time = 0s
                dpd_action = clear
                esp_proposals = aes128gcm128-ecp384bp-noesn,aes256-sha256,aes256-sha1
                updown = /usr/lib/ipsec/_updown iptables
                hostaccess = yes
            }
        }
    }

}

pools {
    pool-splittunnel { # SPLIT TUNNEL TO HOME LAN 192.168.68.0/24
        addrs = 172.28.69.0/24
        dns = 10.0.0.1
        28674 = "YOURLAN.local"
        28675 = "YOURLAN.local"
        split_include = 10.0.0.0/24 # REPLACE WITH YOUR LAN
    }


    pool-routeall { # ROUTE ALL
        addrs = 172.28.68.0/24
        dns = 10.0.0.1
    }

    pool-windows {
    addrs = 10.0.0.144/28 # range WITHIN lan subnet for splittunnel
    dns = 10.0.0.1
    }

}

authorities {
    letsencrypt {
        cacert = /jffs/.le/mydomain.com/chain.pem
    }
}

secrets {
    ike-one {
        secret = "nospaces"
    }

    xauth-adrian {
        id = myuser
        secret = "mypassword"
    }
    xauth-adriansplit {
        id = adriansplit
        secret = "adriansplitsecret"
    }
#    rsa {
#        file = domain.key # absolute path no worky, use /etc/ipsec.secrets for server key.
#    }
}

sinshiva · Apr 28, 2019

paste the merlinswan.sh and service-start scripts - i don't think you are loading the server key

Maloon · Apr 28, 2019

sinshiva said:
paste the merlinswan.sh and service-start scripts - i don't think you are loading the server key

cat /etc/ipsec.secrets

Code:

: RSA /jffs/.le/mydomain.com/domain.key

cat /jffs/scripts/merlinswan.sh

Code:

#!/bin/sh

ipsec stop
sleep 1s
echo > /etc/ipsec.conf
echo > /etc/ipsec.secrets
echo ": RSA /jffs/.le/$(nvram get ddns_hostname_x)/domain.key" >> /etc/ipsec.secrets
cp -f /jffs/configs/swanctl.conf /etc/swanctl/swanctl.conf
ipsec start
sleep 1s
swanctl --load-all

cat /jffs/scripts/services-start

Code:

#!/bin/sh

sleep 1s
/bin/sh /jffs/scripts/merlinswan.sh

/etc/ipsec.conf is empty.

And many thanks for your help!

sinshiva · Apr 28, 2019

ok, one other question, i see the server is configured with 10.0.0.0/24 as your lan subnet and you have 192.168.1.0/24 in connect logs, what's that about?

also, run /jffs/scripts/service-start and then try to connect one more time

[edit/]

probably wouldn't hurt to change xauth-adrian to xauth-myuser btw

Maloon · Apr 28, 2019

sinshiva said:
ok, one other question, i see the server is configured with 10.0.0.0/24 as your lan subnet and you have 192.168.1.0/24 in connect logs, what's that about?

also, run /jffs/scripts/service-start and then try to connect one more time

[edit/]

probably wouldn't hurt to change xauth-adrian to xauth-myuser btw

Change xauth-adrian to xauth-myuser and nothing has changed.

My network is:
Internet - (WAN Public IP addr) ISP router (LAN 192.168.1.1) - (WAN 192.168.1.10) ASUS Router (LAN 10.0.0.1) MyNetwork 10.0.0.0/24
My ISP Router has as DMZ 192.168.1.10, that is ASUS Router.

sinshiva · Apr 28, 2019

Maloon said:
Change xauth-adrian to xauth-myuser and nothing has changed.

My network is:
Internet - (WAN Public IP addr) ISP router (LAN 192.168.1.1) - (WAN 192.168.1.10) ASUS Router (LAN 10.0.0.1) MyNetwork 10.0.0.0/24
My ISP Router has as DMZ 192.168.1.10, that is ASUS Router.

double nat? are you forwarding port 4500 on isp router to asus router? and then are you trying to connect from LTE, not wifi?

Maloon · Apr 28, 2019

sinshiva said:
double nat? are you forwarding port 4500 on isp router to asus router? and then are you trying to connect from LTE, not wifi?

double nat? Yes
are you forwarding port 4500 on isp router to asus router? Yes, I forward all TCP and UDP ports (1-65535).
are you trying to connect from LTE, not wifi? Of course. Here is 4G.

The case is that my IKEv2 setup worked fine until 384.10 release.

sinshiva · Apr 28, 2019

run merlinswan.sh then post new connect logs from swanctl --log

Maloon · Apr 28, 2019

sinshiva said:
run merlinswan.sh then post new connect logs from swanctl --log

./merlinswan.sh

Code:

Stopping strongSwan IPsec...
Starting weakSwan 5.7.2 IPsec [starter]...
loaded ike secret 'ike-one'
loaded xauth secret 'xauth-myuser'
loaded xauth secret 'xauth-adriansplit'
loaded authority 'letsencrypt'
successfully loaded 1 authorities, 0 unloaded
loaded pool 'pool-splittunnel'
loaded pool 'pool-routeall'
loaded pool 'pool-windows'
successfully loaded 3 pools, 0 unloaded
loaded connection 'ikev2-eap-mschapv2'
successfully loaded 1 connections, 0 unloaded

swanctl --log

Code:

14[NET] received packet: from 213.143.61.85[22805] to 192.168.1.10[500] (604 bytes)
14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
14[IKE] 213.143.61.85 is initiating an IKE_SA
14[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
14[IKE] local host is behind NAT, sending keep alives
14[IKE] remote host is behind NAT
14[IKE] DH group MODP_2048 unacceptable, requesting ECP_256
14[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) V ]
14[NET] sending packet: from 192.168.1.10[500] to 213.143.61.85[22805] (58 bytes)
07[NET] received packet: from 213.143.61.85[22805] to 192.168.1.10[500] (412 bytes)
07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
07[IKE] 213.143.61.85 is initiating an IKE_SA
07[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
07[IKE] local host is behind NAT, sending keep alives
07[IKE] remote host is behind NAT
07[IKE] sending cert request for "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) V ]
07[NET] sending packet: from 192.168.1.10[500] to 213.143.61.85[22805] (301 bytes)
11[NET] received packet: from 213.143.61.85[22811] to 192.168.1.10[4500] (512 bytes)
11[ENC] unknown attribute type (25)
11[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
11[CFG] looking for peer configs matching 192.168.1.10[mydomain.com]...213.143.61.85[iOS]
11[CFG] selected peer config 'ikev2-eap-mschapv2'
11[IKE] initiating EAP_IDENTITY method (id 0x00)
11[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
11[IKE] peer supports MOBIKE

And then, VPN server crashes and restarts.

Syslog:

Code:

Apr 28 22:50:08 ipsec_starter[9688]: charon has died -- restart scheduled (5sec)
Apr 28 22:50:15 ipsec_starter[9688]: charon (9903) started after 1680 ms

sinshiva · Apr 28, 2019

~~weird. do you also forward port 500 on the isp router? if so, remove it~~

Maloon · Apr 28, 2019

sinshiva said:
weird. do you also forward port 500 on the isp router? if so, remove it

I can not remove it. My ISP router sucks, but I need it because it has the ONT built-in and the home-phone.

sinshiva · Apr 28, 2019

[edit/] JK, i see the problem lol, you are missing 'send_cert = always' , don't think you used my most recent edit of the swanctl.conf

sorry, idk why but one of my edits didn't take or something; your connection should look something like

Code:

    ikev2-eap-mschapv2 { # IKEv2
        version = 2
        proposals = aes256-sha256-ecp256,aes256-sha384-ecp384,aes256-sha1-modp1024
        rekey_time = 0s
        pools = pool-ikev2
        fragmentation = yes
        dpd_delay = 30s
        send_cert = always

i corrected it again in my original post

Maloon · Apr 28, 2019

sinshiva said:
[edit/] JK, i see the problem lol, you are missing 'send_cert = always' , don't think you used my most recent edit of the swanctl.conf

sorry, idk why but one of my edits didn't take or something; your connection should look something like

Code:

ikev2-eap-mschapv2 { # IKEv2 version = 2 proposals = aes256-sha256-ecp256,aes256-sha384-ecp384,aes256-sha1-modp1024 rekey_time = 0s pools = pool-ikev2 fragmentation = yes dpd_delay = 30s send_cert = always

i corrected it again in my original post

It crashes again, but log is different:

Code:

10[NET] received packet: from 213.143.61.85[56041] to 192.168.1.10[500] (604 bytes)
10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
10[IKE] 213.143.61.85 is initiating an IKE_SA
10[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
10[IKE] local host is behind NAT, sending keep alives
10[IKE] remote host is behind NAT
10[IKE] DH group MODP_2048 unacceptable, requesting ECP_256
10[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) V ]
10[NET] sending packet: from 192.168.1.10[500] to 213.143.61.85[56041] (58 bytes)
14[NET] received packet: from 213.143.61.85[56041] to 192.168.1.10[500] (412 bytes)
14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
14[IKE] 213.143.61.85 is initiating an IKE_SA
14[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
14[IKE] local host is behind NAT, sending keep alives
14[IKE] remote host is behind NAT
14[IKE] sending cert request for "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
14[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) V ]
14[NET] sending packet: from 192.168.1.10[500] to 213.143.61.85[56041] (301 bytes)
09[NET] received packet: from 213.143.61.85[56042] to 192.168.1.10[4500] (512 bytes)
09[ENC] unknown attribute type (25)
09[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]

sinshiva · Apr 28, 2019

Maloon said:

It crashes again, but log is different:

Code:

10[NET] received packet: from 213.143.61.85[56041] to 192.168.1.10[500] (604 bytes)
10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
10[IKE] 213.143.61.85 is initiating an IKE_SA
10[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
10[IKE] local host is behind NAT, sending keep alives
10[IKE] remote host is behind NAT
10[IKE] DH group MODP_2048 unacceptable, requesting ECP_256
10[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) V ]
10[NET] sending packet: from 192.168.1.10[500] to 213.143.61.85[56041] (58 bytes)
14[NET] received packet: from 213.143.61.85[56041] to 192.168.1.10[500] (412 bytes)
14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
14[IKE] 213.143.61.85 is initiating an IKE_SA
14[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
14[IKE] local host is behind NAT, sending keep alives
14[IKE] remote host is behind NAT
14[IKE] sending cert request for "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
14[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) V ]
14[NET] sending packet: from 192.168.1.10[500] to 213.143.61.85[56041] (301 bytes)
09[NET] received packet: from 213.143.61.85[56042] to 192.168.1.10[4500] (512 bytes)
09[ENC] unknown attribute type (25)
09[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]

when you editted your swanctl.conf, did you ONLY add the 'send_cert = always' line?

also, be sure to remove or comment out the xauth-adriansplit user, don't want to leave yourself open there.

if you only added the line and changed nothing else, re run merlinswan.sh and try to connect again just to be sure. if it still fails, make sure server: mydomain.com AND Remote ID: mydomain.com on iOS. if that's all good, i'd mv and replace your letsencrypt certs, then rerun merlinswan.sh

Thread starter	Title	Forum	Replies	Date
A	Tailscale and Asus Merlin Router	VPN	16	Nov 8, 2024
G	Pi-Hole + Asus WRT Wireguard	VPN	1	Sep 20, 2024
L	Client to client disabled when using static IP on OpenVPN ASUS RT-AC3200	VPN	31	Jun 21, 2024
M	Asus OpenVpn Server behind behind another router (Google Mesh).	VPN	1	Jun 14, 2024
C	Instant Guard IPsec VPN Log Showing Regular Access Attempts	VPN	3	Mar 3, 2024
F	Trick to getting ipsec working in windows 11?	VPN	1	Dec 26, 2023
L	VPN included with router or extra fees?	VPN	4	Nov 13, 2024
	Frustrating VPN Double NAT Issues	VPN	5	Oct 24, 2024
S	One website cannot be accessed when VPN is on	VPN	7	Aug 15, 2024
L	VPN service question	VPN	9	Jul 25, 2024

Asus IPSEC Vpn Server

Regular Contributor

Very Senior Member

Regular Contributor

Very Senior Member

Regular Contributor

Very Senior Member

Regular Contributor

Very Senior Member

Regular Contributor

Very Senior Member

Regular Contributor

Very Senior Member

Regular Contributor

Very Senior Member

Regular Contributor

Very Senior Member

Regular Contributor

Very Senior Member

Regular Contributor

Very Senior Member

Similar threads

Similar threads

Support SNBForums w/ Amazon

Sign Up For SNBForums Daily Digest