Asus VPN server (IPsec and Openvpn) Dropping Connection every hour-ish

[torstein]

New to the forum

MY SETUP
Router: AX58U
Firmware: Merlin 386.1.2
DDNS: asuscomm.com
Devices: iPhone 12 mini with iOS 14.4.1 and Macbook Pro macOS 11.2.3
DNS resolver: NextDNS (version 1.11.0 through merlinwrt nextdns cli)
VPN-clients: Tunnelblick (mac), OpenVPN (iOS) and Instant Guard (iOS) as well as built-in VPN in macOS and iOS

1.

Does anyone here experience their internet connection dropping / time-out after about an hour or so on manually set up IPsec or OpenVPN server on their Asus AX-routers with latest merlin firmware? Simply re-enabling the VPN client (on my mac or iphone) fixes it instantly, and then I'm good again for another hour, but it gets annoying having to do this multiple times a day.​

2.

Could it be the asuscomm.com DDNS? I'm suspecting it since all of the different VPN-server setups (only one running at a time) time out around the same one-hour mark (48m to 1h10m). The DDNS is the only thing they all have in common. Could it be that?​

3.

I've also reset my AX58U to factory settings, and set the entire router back up again manually. Didn't help. Tried Instant Guard, IPsec and OpenVPN with and without "remote connect" enabled. My internet works perfectly and then just dies after an hour for some reason. (other devices on my network works fine, it's just the vpn-client that loses connection to the asus vpn server)​

There's only one VPN-server running and one vpn client connected at all time, and it still times out. I've tried built in VPN-clients on my mac and iphone and 3rd party clients such as Instant Guard, OpenVPN, Tunnelblick. They all time out.​

4.

Could it be that my AX58U and current Merlin 386.1.2 doesn't play well with VPN-clients built-in and 3rd party?​

5.

Could it be that I have NextDNS cli running on my Merlin 386.1.2 that's confusing my VPN-server?​

Please help

I apolgise for making the mistake and post this wrongly in ASUS-wrt official, I meant to post it here in Asuswrt-Merlin. I've asked the moderator to delete it. Hopefully it gets removed soon, to avoid duplicates.

 

[ColinTaylor]

Look in the router's System Log.

 

[MvW]

1,2,4 and 5: No.
See Post #2 for any clues as to why your VPN goes down.

 

[torstein]

1,2,4 and 5: No.
See Post #2 for any clues as to why your VPN goes down.

you mean you have an idea what the issue is? i switched from asuscomm.com ddns to no-ip.com ddns but it made no difference, as it too timed out - this time around after 62 minutes, just like before. ugh...

if you know the answer, could you please let me have it? im so fed up with hours upon hours of testing, expecting different results but ending up with the same one

 

[ColinTaylor]

The suggestion is for you to look in the router's System Log for messages indicating the reason for the issue.

 

[torstein]

The suggestion is for you to look in the router's System Log for messages indicating the reason for the issue.

I don't understand much of the System log, it mostly just says sending packets, receiving packets, lots ip-numbers and regular dead-node-detections (DND scans), i searched for error but found nothing. what am i supposed to be looking for in the systemlog. I'm not an IT or network expert, so referring me to the system log is like telling a monkey to do heart surgery.

 

[ColinTaylor]

Save the log file and upload it to somewhere like dropbox/mediafile/zippyshare/pastebin etc. Then provide us with a link to that file so that we can look at it for you. Alternatively you could try attaching the log file to your forum post but that doesn't always work.

 

[torstein]

Save the log file and upload it to somewhere like dropbox/mediafile/zippyshare/pastebin etc. Then provide us with a link to that file so that we can look at it for you. Alternatively you could try attaching the log file to your forum post but that doesn't always work.

thanks thats kind of you. i will start logging it now. gonna take approx an hour before its ready, since thats when the connection dies.

btw, it will contain my ip adress to the router and also my phones 3G modem. is that safe to upload and post here? i guess a reboot of the router and 3g modem (airplane mode on and off) should reset my dnyamic IPs, so it doesnt matter?

 

[ColinTaylor]

Any private IP addresses, e.g. 192.168.x.y, 172.x.y.z or 10.x.y.z are not an issue. You might want to obscure your public IP address if that's shown.

 

[torstein]

Here's the log:
https://pastebin.com/xC2pT5Ca

I found a nice tool to replace text, and removed all the public IPs. The log was over 61 minutes and >1300 lines long, so I shorted it down to just include the interesting part where there's suddenly a:

"Mar 28 18:04:02 05[KNL] creating delete job for CHILD_SA ESP/0x03b3422f/Y.Y.Y.Y (MY IPHONE ON 4G WITH INSTANT GUARD)[****]"

just out of nowhere. That's when I lost the connection I presume.

 

[MvW]

The only thing I see in the two minutes of logfile you provided is that a dpd packet is sent (dead peer detection) and as there is apparently no activity anymore Instant Guard terminates the connection or the IKEv2 VPN does, either one of them. I presume it has a builtin timeout of 60 minutes and as encrypted communication drains more of your battery it decides to terminate the connection. As far as I'm aware the Instant Guard app was created to provide relatively safe way to setup and connect to your router remotely and to make the process to setup an IKEv2 connection easier, but it isn't designed as an 'always-on' VPN solution to stay in touch with home.

As for my reply on your first pow5, only 1,2,4 and 5 contained questions, which I all answered with a decisive 'no'. I use ProtonVPN. When at home, I connect via my router, which server as a VPN clients and has multiple continous connections to ProtonVPN servers. When disconnecting from one of the trusted Wifi networks at home (router through VPN), I use a third party app on iOS to activate ProtonVPN on my Iphone and I have the NextDNS certificate installed for adblockin, logging purposes etc. and have the third party app force custom DNS (from NextDNS) on my iPhone for on the road. That way I'm always using a VPN and NextDNS when on the road.

Do you only have issues with Instant Guard (as your logfile seems to show) or do you have a subscription with a VPN provder which allows you to stay online without a timeout?

If so, post more of your logfile. The info you posted shows nothing more then what I can conclude above.

Best regards,
Marco

 

[ColinTaylor]

In addition to @MvW's post, a quick Google search suggests that the timeout you're seeing might the default settings for IPSec. But I'm not familiar with Asus' implementation of it.

You said you had the same problem with OpenVPN. Can you do the same test with OpenVPN and upload that log file. OpenVPN tends to be more verbose about what's going on.

 

[torstein]

Oh wow, thanks guys for the response!

Here's the full entire log-file (61 minutes) while on Instant Guard:
https://pastebin.com/z4Xz6kGv


1) Do you only have issues with Instant Guard (as your logfile seems to show) or do you have a subscription with a VPN provder which allows you to stay online without a timeout?
Yes, I only have trouble with Instant Guard. I currently have Mullvad and used to have NordVPN. Never had any issues with them connection-wise. They were always-on, almost never disconnected, and when they did the kill-switch kicked in and worked beautifully before it reconnected again. The only thing is, if I can avoid a 3rd party VPN, I would like to. I don't trust my traffic with them, especially not when paying things or logging into my bank or email, but until I got my AX58U, they were the only option when abroad or on public wifis - TOR is just so painfully slow, breaks webpages and is browser-only.

Plus I think it's fun to tinker with this. I know I'm not very good at it, but it's fun knowing that I have "set up" my own VPN at home, and it's working and protecting my traffic while at work/cafe/airport or at a friends house. Not that I have anything particularly interesting to hide.

2) You said you had the same problem with OpenDNS
Actually, that "issue" I learned - after testing a lot and reading up on it - turned out to be by design. The OpenVPN Connect app actually disconnects from the VPN when iPhone screen turns off, and then reconnects again immediately. I felt so silly when I realised it wasn't a bug or anything I had done wrong. I testet OpenVPN Connect on my Mac and it didn't lose its connection at all, several hours, neither did my iPhone as long as the screen was on and unlocked. Only thing I don't like about OpenVPN is the lack of a proper built-in kill switch. I'm not nearly technically skilled enough to construct my own custom kill switch using the terminal and what not. And OpenVPN's own "Seamless Tunnel" and "Level 2 Reachability" seems to be a "best effort" to keep my connection encrypted, but can't guarantee it, if / when the connection drops. Also it seems it falls back to 4G right away when screen is off, allowing iMessages and everything to pop in... so I guess it's a highly ineffective "kill switch".

3) Built-in timer in Instant Guard / IPSec.
Maybe! That makes sense, I guess, but if there is it's kinda inconsistent. Wouldn't an intentional 60 minutes count down timer be consistent and kill the connection the second it reaches 60 minutes? Sometimes the connection dies after 48 minutes, other times it lasts 1 hour and 20 minutes. It seems to hover around 50-70 minutes mostly, averaging 60-ish minutes - give or take - but NEVER precisely 60 minutes, so I'm unsure if it is by design or not.

4) Instant Guard wasn't designed to be an always-on solution to connect to home.
Hmmm... it makes sense what you're writing, but their product page describing Instant Guard doesn't say anything about any time limits or count down timers, or for it to be a "check your bank account safely with a 1 hour window before we disconnect you". In fact that whole page lacks a ton of information about the service, such as encryption level, "forward secrecy" and all the other stuff paid VPN-services boast about etc etc

Anyways, thanks for looking into this with me, and I am looking forward to seeing your interpretations of the entire logfile I posted

 

[ColinTaylor]

3) Built-in timer in Instant Guard / IPSec.
Maybe! That makes sense, I guess, but if there is it's kinda inconsistent. Wouldn't an intentional 60 minutes count down timer be consistent and kill the connection the second it reaches 60 minutes? Sometimes the connection dies after 48 minutes, other times it lasts 1 hour and 20 minutes. It seems to hover around 50-70 minutes mostly, averaging 60-ish minutes - give or take - but NEVER precisely 60 minutes, so I'm unsure if it is by design or not.

In the log file you just posted the connection was established at 17:04:02 and was disconnected exactly 60 minutes later. Still don't know whether that duration was set by the client or the server. I don't have that router so I can't check the config file.

Mar 28 17:04:02 05[NET] received packet: from Y.Y.Y.Y (MY IPHONE ON 4G WITH INSTANT GUARD)[****] to X.X.X.X (MY ASUS ROUTER ACTING AS VPN)[****] (60 bytes)
Mar 28 17:04:02 05[ENC] parsed QUICK_MODE request 1853127509 [ HASH ]
Mar 28 17:04:02 05[IKE] CHILD_SA Host-to-Net{4} established with SPIs c560350b_i 03b3422f_o and TS 0.0.0.0/0 === 10.10.10.1/32

Mar 28 18:04:02 08[KNL] creating delete job for CHILD_SA ESP/0xc560350b/X.X.X.X (MY ASUS ROUTER ACTING AS VPN)
Mar 28 18:04:02 08[IKE] closing expired CHILD_SA Host-to-Net{4} with SPIs c560350b_i 03b3422f_o and TS 0.0.0.0/0 === 10.10.10.1/32
Mar 28 18:04:02 08[IKE] sending DELETE for ESP CHILD_SA with SPI c560350b
Mar 28 18:04:02 08[ENC] generating INFORMATIONAL_V1 request 3158570444 [ HASH D ]
Mar 28 18:04:02 08[NET] sending packet: from X.X.X.X (MY ASUS ROUTER ACTING AS VPN)[****] to Y.Y.Y.Y (MY IPHONE ON 4G WITH INSTANT GUARD)[****] (76 bytes)
Mar 28 18:04:02 05[KNL] creating delete job for CHILD_SA ESP/0x03b3422f/Y.Y.Y.Y (MY IPHONE ON 4G WITH INSTANT GUARD)[****]
Mar 28 18:04:02 05[JOB] CHILD_SA ESP/0x03b3422f/Y.Y.Y.Y (MY IPHONE ON 4G WITH INSTANT GUARD)[****] not found for delete

 

[torstein]

Thanks Colin and Marco! Colin, that is really interesting, I wonder if it may have been a coincidence, because today I ran IG again, and the connection was up for 71 minutes, before it suddenly died. I saved the new log and here it is:

https://pastebin.com/CatCFPS7 71 minutes alive

INTERESTING FINDS AT FIRST GLANCE:

1) REKEY JOBS ARE CREATED AT 43minutes
After 43 minutes my asus router starts creating rekey-jobs for Instant Guard, and then 4 minutes after that rekeying for the router itself. which I understand is an effort to renew the lease before it runs out and keep my conenction alive?

Mar 29 10:58:07 08[KNL] creating rekey job for CHILD_SA ESP/0x09dac318/Y.Y.Y.Y (IPHONE INSTANT GUARD CLIENT ON 4G)\
Mar 29 10:58:07 07[IKE] CHILD_SA Host-to-Net\{2\} established with SPIs c796cf42_i 0d643f0b_o and TS 0.0.0.0/0 === 10.10.10.1/32\
Mar 29 11:02:28 07[KNL] creating rekey job for CHILD_SA ESP/0xceda57cb/X.X.X.X (ASUS ROUTER VPN SERVER)

2) DELETE JOB CREATED AT 60minutes
Then PRECISELY at the 60minutes mark it creates a Delete job, which doesn't run succesfully, for some reason.

Mar 29 11:13:05 07[KNL] creating delete job for CHILD_SA ESP/0xceda57cb/X.X.X.X (ASUS ROUTER VPN SERVER)\
Mar 29 11:13:05 07[IKE] closing expired CHILD_SA Host-to-Net\{1\} with SPIs ceda57cb_i 09dac318_o and TS 0.0.0.0/0 === 10.10.10.1/32\
Mar 29 11:13:05 07[IKE] sending DELETE for ESP CHILD_SA with SPI ceda57cb\
Mar 29 11:13:05 08[KNL] creating delete job for CHILD_SA ESP/0x09dac318/Y.Y.Y.Y (IPHONE INSTANT GUARD CLIENT ON 4G)\
Mar 29 11:13:05 05[JOB] CHILD_SA ESP/0x09dac318/Y.Y.Y.Y (IPHONE INSTANT GUARD CLIENT ON 4G) not found for delete

"Child (...) Not found for delete". Is it a bug that the delete job didn't manage to kill my connection precisely at 60 minutes? It wanted to kill the connection, but couldn't for some reason. Was the reason me who artifically and unintentionally interrupted the Delete Job because frantically was opening webpages on my phone from the 59th minute? (I did that to get the precise moment the connection dies) Maybe it wasnt so smart to unintentionally interrupt the delete job like that.

I'll try one more time now and see if it dies exactly on the 60 minute mark, only this time I wont be unintentionally interrupting anything, I'll just look at the connection status in my router and watch it die out.

3) THE CONNECTION IS FINALLY KILLED AT 71minutes
Finally the connection is killed at 71 minutes, rather unceremoniously. It does what i'ts supposed to to send dpd request, genereate Information request, sending the packet from router to instant guard on my phone, and then boom, DPD check times out, and the connection is killed. Weird, and so random, no?

Mar 29 11:24:24 08[NET] sending packet: from X.X.X.X (ASUS ROUTER VPN SERVER)[4500] to Y.Y.Y.Y (IPHONE INSTANT GUARD CLIENT ON 4G)[22846] (92 bytes)\
Mar 29 11:24:34 06[IKE] sending DPD request\
Mar 29 11:24:34 06[ENC] generating INFORMATIONAL_V1 request 1480663402 [ HASH N(DPD) ]\
Mar 29 11:24:34 06[NET] sending packet: from X.X.X.X (ASUS ROUTER VPN SERVER)[4500] to Y.Y.Y.Y (IPHONE INSTANT GUARD CLIENT ON 4G)[22846] (92 bytes)\
Mar 29 11:24:44 05[JOB] DPD check timed out, enforcing DPD action\
Mar 29 11:24:44 05[CFG] lease 10.10.10.1 by '2B0FD7355F4F4F8CAF52CC440EE471BA' went offline

MORE INTERESTING FINDS

\f0\fs24 \cf0 Mar 29 10:12:28 00[DMN] Starting IKE charon daemon (strongSwan 5.7.2, Linux 4.1.52, armv7l)\

1) INSTANT GUARD RUNS STRONGSWANS IPSEC IMPLEMENTATION
Maybe this is a given, and everybody knew this. I guess you knew this since you linked to strongswan... I'm silly haha. I'm not sure if the fact that IG uses Strongswan means anything, but from the link you sent Colin, it says there that Strongswans default TIME ALIVE for Ipsec is 1 hour. So maybe it is by design, and /or maybe Asus "forgot" to remove the 1hour limitation? Or maybe they want it there, like you said to save battery?

2) IKE_SA LIFETIME AND REAUTHENTICATION
This part is interesting, as the log specifies a a scheduled reauthentication of 2h49m (10199s) and a maximum IKE_SA lifetime of 2h59m(10739s)… Does this have something to do with the Delete Job signal that happens after precisely 60 minutes? Is it supposed to last almost 3 hours? Or is this something completely different? You find them on line 74 and 75 in pastebin.

Mar 29 10:13:05 08[IKE] scheduling reauthentication in 10199s
Mar 29 10:13:05 08[IKE] maximum IKE_SA lifetime 10739s

SIDENOTES:
CUSTOMER SUOPPORT
I called ASUS customer support, btw... they didn't know anything, and hadn't even used Instant Guard themselves... they assumed it should work longer than 60 minutes, but she didn't know for sure. Ugh... customer support always frustrates me, they rarely know the answer to anything, do they?

CONFIGURE IPSEC MYSELF?
Is there a way for the user to configure how asuswrt-merlin handles IPSec ie increase the leaste to longer than 60 minutes? or is that entirely up to ASUS developers?

Text in attached photo:
In the photo "Du er besktyttet!" means "You are protected". It's norwegian


**** UPDATE 1.5 hours later********

https://pastebin.com/aLcQTuRj ( 63 MINUTES ALIVE)

Ran another Instant Guard session, and this time it lived for 63 minutes before dying. I didn't touch my phone for the entire session, but watched the connection from the router Instant Guard connection status page.

Again, as per your observation Colin, the Dele Job is created presicely 60 minutes after session start, but the time it takes to kill the session varies a lot, and I don't know on what. Previously it took 11 minutes to kill the connection, and now only 3 minutes.

 

[ColinTaylor]

At this point I'd say that it sounds like this is the indented behaviour. To dig any deeper into it you'd probably have to look at the strongswan configuration files on the router. I don't know where they are but I'd guess they're under /etc.

 

[torstein]

At this point I'd say that it sounds like this is the indented behaviour. To dig any deeper into it you'd probably have to look at the strongswan configuration files on the router. I don't know where they are but I'd guess they're under /etc.

How does one go about and access the router file system? SSH?

 

[ColinTaylor]

Yes, enable local SSH access at Administration > System > Enable SSH

 

[MvW]

Make sure to set SSH Access to LAN Only and preferably use a custom port like 8422.

 

[torstein]

1)
Hmm, so I found strongswan.conf in two places. But the first one is READ-only. and was located in

/tmp/etc/swanctl/strongswan.conf

2)
The second one I could edit, it was located in /etc/strongswan.conf, and I changed the default from 1 to 0 (1 means 1 hour and 0 means no time limit), but I'm guessing it's just for the logging, so wont actually affect my 1hour connection-problem?

/etc/strongswan.conf

charon {
        user = admin
        threads = 8
        send_vendor_id = yes
        interfaces_ignore = br0
        starter { load_warning = no }
        load_modular = yes
        i_dont_care_about_security_and_use_aggressive_mode_psk = yes
        plugins {
                include strongswan.d/charon/*.conf
        }
        filelog {
                charon {
                        path = /var/log/strongswan.charon.log
                        time_format = %b %e %T
                        default = 0
                        append = no
                        flush_line = yes
                }
        }
}

Do you guys have any other ideas? Or maybe how can I overwrite the READ-only strongswan.conf? typing sudo -s or root didnt do anything. (I'm on a Mac btw). The IPSec.conf files I found had no options regarding connection time. Did I really just change the way strongswan logs the connection now?