Menu
What's new
By:
Filters Better Search

Asus IPSEC Vpn Server

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

sinshiva said:
well, my ikev2 connection from my workstation to home stayed up overnight during a nasty storm, so idk why yours is having trouble, sorry.
Click to expand...
This my Ipsec IKE_V2 server status
A picture is better than words, this is my status when I connect from my windows 10 native client

upload_2019-4-30_15-19-2.png

As you can see the client status says "Connecting...", and after 2 to 3 hours access time it disconnects by itself

With my Android client, the status says connected and there are some values in the PSKR Auth Time, and the server or client does not seem to disconnect

upload_2019-4-30_15-56-15.png
 
Last edited:
Sh0cker54 said:
This my Ipsec IKE_V2 server status
A picture is better than words, this is my status when I connect from my windows 10 native client

View attachment 17304
As you can see the client status says "Connecting...", and after 2 to 3 hours access time it disconnects by itself

With my Android client, the status says connected and there are some values in the PSKR Auth Time, and the server or client does not seem to disconnect

View attachment 17306
Click to expand...

Please test with
rekey=no

Code: 
pc_append "  dpddelay=10s" $CONFIG
pc_append "  rekey=no" $CONFIG
pc_append "  auto=add" $CONFIG
 
Hello Odkrys
I've tested with rekey=no
Now the ikev2 vpn is up after 4 hours on windows 10 native client (Status says connecting... ) vpn is working great
but after a while 2 -3 hours, I still can't ping my router ip address, and dns resolution does not work anymore....
Vpn is up but nothing pass inside the tunnel, I have to stop the vpn and restart it to make it work again ....

Update:
Today the Ikev2 vpn is up after 5 hours and still working great!
It's working now without disconnecting with windows 10 native client
Thanx for your help

upload_2019-5-3_13-33-9.png
 
Last edited:
sinshiva said:
when you editted your swanctl.conf, did you ONLY add the 'send_cert = always' line?

also, be sure to remove or comment out the xauth-adriansplit user, don't want to leave yourself open there.

if you only added the line and changed nothing else, re run merlinswan.sh and try to connect again just to be sure. if it still fails, make sure server: mydomain.com AND Remote ID: mydomain.com on iOS. if that's all good, i'd mv and replace your letsencrypt certs, then rerun merlinswan.sh
Click to expand...

@sinshiva Many thanks for your help. Finally, I migrated to OpenVPN using Apple Configurator Profiles to let iOS to manage onDemand features. So, I disabled IPSec in any form.
 
Hi all sorry if I'm digging this up. But im trying to get a EAP ipsec server running on my AC88U to connect to with Strongswan on Android but it only seems to support PSK on the ui. I tried this:

Odkrys said:
@Sh0cker54

Merlin firmware supports ipsec.postconf and strongswan.postconf since 384.9
So no need additional script to build IKEv2 server for windows 10 clients.

nano /jffs/scripts/ipsec.postconf
Code: 
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh

pc_append "" $CONFIG
pc_append "ca letsencrypt" $CONFIG
pc_append "  cacert=/jffs/.le/$(nvram get ddns_hostname_x)/chain.pem" $CONFIG
pc_append "  auto=add" $CONFIG
pc_append "" $CONFIG
pc_append "conn IKEv2-EAP" $CONFIG
pc_append "  keyexchange=ikev2" $CONFIG
pc_append "  left=$(nvram get wan0_ipaddr)" $CONFIG
pc_append "  leftid=@$(nvram get ddns_hostname_x)" $CONFIG
pc_append "  leftsubnet=0.0.0.0/0" $CONFIG
pc_append "  leftfirewall=yes" $CONFIG
pc_append "  lefthostaccess=yes" $CONFIG
pc_append "  leftauth=pubkey" $CONFIG
pc_append "  leftcert=/jffs/.le/$(nvram get ddns_hostname_x)/cert.pem" $CONFIG
pc_append "  right=%any" $CONFIG
pc_append "  rightdns=$(nvram get lan_ipaddr)" $CONFIG
pc_append "  rightsourceip=10.10.11.0/24" $CONFIG
pc_append "  rightauth=eap-mschapv2" $CONFIG
pc_append "  eap_identity=%any" $CONFIG
pc_append "  dpdtimeout=30s" $CONFIG
pc_append "  dpdaction=clear" $CONFIG
pc_append "  dpddelay=10s" $CONFIG
pc_append "  auto=add" $CONFIG

nano /jffs/scripts/strongswan.postconf
Code: 
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh

pc_append ": RSA /jffs/.le/$(nvram get ddns_hostname_x)/domain.key" /etc/ipsec.secrets

chmod +x /jffs/scripts/ipsec.postconf /jffs/scripts/strongswan.postconf
Click to expand...

but when I run ipsec.postconf i get:

admin@RT-AC88U-3EA8:/jffs/scripts# ./ipsec.postconf
./ipsec.postconf: line 5: can't create : nonexistent directory
./ipsec.postconf: line 6: can't create : nonexistent directory
./ipsec.postconf: line 7: can't create : nonexistent directory
./ipsec.postconf: line 8: can't create : nonexistent directory
./ipsec.postconf: line 9: can't create : nonexistent directory
./ipsec.postconf: line 10: can't create : nonexistent directory
./ipsec.postconf: line 11: can't create : nonexistent directory
./ipsec.postconf: line 12: can't create : nonexistent directory
./ipsec.postconf: line 13: can't create : nonexistent directory
./ipsec.postconf: line 14: can't create : nonexistent directory
./ipsec.postconf: line 15: can't create : nonexistent directory
./ipsec.postconf: line 16: can't create : nonexistent directory
./ipsec.postconf: line 17: can't create : nonexistent directory
./ipsec.postconf: line 18: can't create : nonexistent directory
./ipsec.postconf: line 19: can't create : nonexistent directory
./ipsec.postconf: line 20: can't create : nonexistent directory
./ipsec.postconf: line 21: can't create : nonexistent directory
./ipsec.postconf: line 22: can't create : nonexistent directory
./ipsec.postconf: line 23: can't create : nonexistent directory
./ipsec.postconf: line 24: can't create : nonexistent directory
./ipsec.postconf: line 25: can't create : nonexistent directory
./ipsec.postconf: line 26: can't create : nonexistent directory
./ipsec.postconf: line 27: can't create : nonexistent directory

What am I doing wrong? In the script i simply replaced ddns_hostname_x with my ddns hostname
 
Odkrys said:
@Sh0cker54

Merlin firmware supports ipsec.postconf and strongswan.postconf since 384.9
So no need additional script to build IKEv2 server for windows 10 clients.

nano /jffs/scripts/ipsec.postconf
Code: 
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh

pc_append "" $CONFIG
pc_append "ca letsencrypt" $CONFIG
pc_append "  cacert=/jffs/.le/$(nvram get ddns_hostname_x)/chain.pem" $CONFIG
pc_append "  auto=add" $CONFIG
pc_append "" $CONFIG
pc_append "conn IKEv2-EAP" $CONFIG
pc_append "  keyexchange=ikev2" $CONFIG
pc_append "  left=$(nvram get wan0_ipaddr)" $CONFIG
pc_append "  leftid=@$(nvram get ddns_hostname_x)" $CONFIG
pc_append "  leftsubnet=0.0.0.0/0" $CONFIG
pc_append "  leftfirewall=yes" $CONFIG
pc_append "  lefthostaccess=yes" $CONFIG
pc_append "  leftauth=pubkey" $CONFIG
pc_append "  leftcert=/jffs/.le/$(nvram get ddns_hostname_x)/cert.pem" $CONFIG
pc_append "  right=%any" $CONFIG
pc_append "  rightdns=$(nvram get lan_ipaddr)" $CONFIG
pc_append "  rightsourceip=10.10.11.0/24" $CONFIG
pc_append "  rightauth=eap-mschapv2" $CONFIG
pc_append "  eap_identity=%any" $CONFIG
pc_append "  dpdtimeout=30s" $CONFIG
pc_append "  dpdaction=clear" $CONFIG
pc_append "  dpddelay=10s" $CONFIG
pc_append "  auto=add" $CONFIG

nano /jffs/scripts/strongswan.postconf
Code: 
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh

pc_append ": RSA /jffs/.le/$(nvram get ddns_hostname_x)/domain.key" /etc/ipsec.secrets

chmod +x /jffs/scripts/ipsec.postconf /jffs/scripts/strongswan.postconf
Click to expand...
Does this script (rather than using the Web GUI) enable VPN clients to access LAN?
I'm trying to permit VPN users access to a SMB share but I don't think the IPSEC web Permits this?
 
Quick updates regarding Let's Encrypt in the newest version 384.14 Beta with ACMEv2 support. (I was using the LE certificate only for IPSEC IKEv2, with ODKRYS' ipsec.postconf script.)

First, to get LE certificate to authorize in WAN > DDNS, I had to enable the Web UI HTTPS through Administration > System even though I don't plan to use it since I only access web UI on internal network.

Next, to connect to my home IPSEC VPN, I had to modify the following values in ODKRYS' script:

Original: pc_append " cacert=/jffs/.le/$(nvram get ddns_hostname_x)/chain.pem" $CONFIG
New: pc_append " cacert=/jffs/.le/$(nvram get ddns_hostname_x)/ca.cer" $CONFIG

Original: pc_append " leftcert=/jffs/.le/$(nvram get ddns_hostname_x)/cert.pem" $CONFIG
New: pc_append " leftcert=/jffs/.le/$(nvram get ddns_hostname_x)/my.domain.cer" $CONFIG

*The fullchain.pem is no longer split into chain.pem + cert.pem.
 
Last edited:
DigitizedMe said:
Quick updates regarding Let's Encrypt in the newest version 384.14 Beta with ACMEv2 support. (I was using the LE certificate only for IPSEC IKEv2, with ODKRYS' ipsec.postconf script.)

First, to get LE certificate to authorize in WAN > DDNS, I had to enable the Web UI HTTPS through Administration > System even though I don't plan to use it since I only access web UI on internal network.

Next, to connect to my home IPSEC VPN, I had to modify the following values in ODKRYS' script:

Original: pc_append " cacert=/jffs/.le/$(nvram get ddns_hostname_x)/chain.pem" $CONFIG
New: pc_append " cacert=/jffs/.le/$(nvram get ddns_hostname_x)/ca.cer" $CONFIG

Original: pc_append " leftcert=/jffs/.le/$(nvram get ddns_hostname_x)/cert.pem" $CONFIG
New: pc_append " leftcert=/jffs/.le/$(nvram get ddns_hostname_x)/my.domain.cer" $CONFIG

*The fullchain.pem is no longer split into chain.pem + cert.pem.
Click to expand...
yea mine no longer connects after 384.14 even with these changes.
 
All of my stuff is legit the same as it should be, but it is not letting me connect to the server. It is giving me an error that the server is not responding when I try to connect. For a brief second it will show it attempting to connect then the client disappears
 
SomeWhereOverTheRainBow said:
I think I may be missing some firewall rules on the router maybe?
Click to expand...
Have you tried backing up your current config, then doing a 30/30/30 reset and manual reconfigure? You can always restore later if it still doesn't work. :D
 
There is no such thing as a 30/30/30 reset on Asus routers. :)
 
I thought I'd done that with my n66u in the past, but no question that you are right. Holding down for 30 after plugin would put it into recovery mode.

I'd do L&LD's nuclear reset from the link in his sig.
 
DigitizedMe said:
Have you tried backing up your current config, then doing a 30/30/30 reset and manual reconfigure? You can always restore later if it still doesn't work. :D
Click to expand...
yea it isn't a need to reset. everything else runs as it should. i think there is something broken with steps of this guide. maybe if you post your config steps I could see why mine isn't working as i followed steps from earlier post on setting it up down to the letter.
 
I've noticed a lot of talk about how certain aspects have been incorporated into Merlin, and how others have updated codes or have given specific advice based on Apple OS configurations. So I'm not really confident where to begin and/or end with adding code.

So I'm just asking at this point in 2020 what does someone running Windows 10 have to do to get Ipsec IKE_V2 running?
 
MaverickPenguinX said:
I've noticed a lot of talk about how certain aspects have been incorporated into Merlin, and how others have updated codes or have given specific advice based on Apple OS configurations. So I'm not really confident where to begin and/or end with adding code.

So I'm just asking at this point in 2020 what does someone running Windows 10 have to do to get Ipsec IKE_V2 running?
Click to expand...

Hi
ASUS IPSEC IKEv1 XAUTH/PSK server to IKEv1 XAUTH/PSK + IKEv2 EAP server.
Both profiles can run parallel.
You should to get Let's encrypt certificate for your ddns.
Without letsencrypt, you need to generate self-signed certificate and install CA to trusted root CA of each devices. I don't like this progress.

Just follow these threads
IKEv2 server share the same username and password with IKEv1.
https://www.snbforums.com/threads/asus-ipsec-vpn-server.44973/#post-473984
https://www.snbforums.com/threads/asus-ipsec-vpn-server.44973/page-4#post-531279

Merlin firmware supports ipsec.postconf and strongswan.postconf since 384.9
So no need additional script to build IKEv2 server for windows 10 clients.
Here is my latest ipsec.postconf

nano /jffs/scripts/ipsec.postconf

Code: 
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh

pc_append "" $CONFIG
pc_append "ca letsencrypt" $CONFIG
pc_append "  cacert=/jffs/.le/$(nvram get ddns_hostname_x)/ca.cer" $CONFIG
pc_append "  auto=add" $CONFIG
pc_append "" $CONFIG
pc_append "conn IKEv2-EAP" $CONFIG
pc_append "  keyexchange=ikev2" $CONFIG
pc_append "  left=$(nvram get wan0_ipaddr)" $CONFIG
pc_append "  leftid=@$(nvram get ddns_hostname_x)" $CONFIG
pc_append "  leftsubnet=0.0.0.0/0" $CONFIG
pc_append "  leftfirewall=yes" $CONFIG
pc_append "  leftauth=pubkey" $CONFIG
pc_append "  leftcert=/jffs/.le/$(nvram get ddns_hostname_x)/$(nvram get ddns_hostname_x).cer" $CONFIG
pc_append "  right=%any" $CONFIG
pc_append "  rightdns=$(nvram get lan_ipaddr)" $CONFIG
pc_append "  rightsourceip=10.10.11.0/24" $CONFIG
pc_append "  rightauth=eap-mschapv2" $CONFIG
pc_append "  eap_identity=%any" $CONFIG
pc_append "  dpdtimeout=30s" $CONFIG
pc_append "  dpdaction=clear" $CONFIG
pc_append "  dpddelay=10s" $CONFIG
pc_append "  auto=add" $CONFIG
pc_append "  leftfirewall=yes" $CONFIG
pc_append "  lefthostaccess=yes" $CONFIG
pc_append "  leftauth=pubkey" $CONFIG
pc_append "  dpddelay=10s" $CONFIG
pc_append "  rekey=no" $CONFIG
pc_append "  auto=add" $CONFIG

For windows add connection via powershell:

Add-VpnConnection -Name "home" -ServerAddress YOURDOMAIN.asuscomm.com -TunnelType "Ikev2"
 
Last edited:
You must log in or register to reply here.

Similar threads

O
Establishment of an IPsec client on an ASUS router to a fritz box
Replies
2
Views
403
Ola Malmstrom
O
XIII
AdGuard VPN (IPSec/IKEv2) not possible as VPN client on Asuswrt-Merlin?
Replies
1
Views
969
RMerlin
RMerlin
P
Cannot access internet on asus vpn server Openvpn
Replies
17
Views
584
eibgrad
eibgrad
C
Does Asus' IPsec implementation allow LAN access?
Replies
7
Views
1K
aex.perez
aex.perez
T
GT-BE98 Pro, IPsec problem
Replies
0
Views
942
terrierl
T
Similar threads
Thread starter Title Forum Replies Date
G Pi-Hole + Asus WRT Wireguard VPN 1
L Client to client disabled when using static IP on OpenVPN ASUS RT-AC3200 VPN 31
M Asus OpenVpn Server behind behind another router (Google Mesh). VPN 1
C Instant Guard IPsec VPN Log Showing Regular Access Attempts VPN 3
F Trick to getting ipsec working in windows 11? VPN 1
Paul Short Frustrating VPN Double NAT Issues VPN 5
S One website cannot be accessed when VPN is on VPN 7
L VPN service question VPN 9
B VPN router with Wifi to internet router VPN 7
gdgross More VPN server questions VPN 8

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 776 (members: 24, guests: 752)
Top