Menu
What's new
By:
Filters Better Search

Has anyone gotten IKEv2/IPSec PSK VPN to work on Android 13 with Asus-Merlin 388.1?

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

wavefunction

wavefunction

Occasional Visitor
Hi everyone,

It seems Android stopped supporting IPSec Xauth PSK VPN starting with version 12. However, the latest versions of the Asus-Merlin firmware support IKEv2 IPSec. Unfortunately, I've been unable to get it to work with Android 13.

Has anyone gotten it to work? Are there any special steps that are required beyond what's documented?

I currently have an Asus RT-AX88U with Asus-Merlin firmware 388.1.

Thank you!
 
Which type of IKEv2 are you trying to connect with? I have an RT-AC86U and I believe I'm only able to connect to my router from my Android phone with the IKEv2/IPsec MSCHAPv2 type.

And are you using a custom ROM on your phone or the stock vendor software? I've seen reports of Wireguard breaking on some recent third-party ROMs but not sure if that's related.
 
I'm using IKEv2/IPSec PSK. Here's a screenshot for reference:

Android-IKEv2-IPSec-PSK.jpg


Isn't MSCHAPv2 insecure? If so, I'd rather avoid it if possible.

I'm using the stock vendor software on my Android phone.
 
MSCHAPv2 requires a CA certificate (that you can generate from the router administration) instead of a PSK. That's the main difference, but no idea about secure/insecure.

I seem to recall not being able to get the PSK type to work either, which is why I switched. I'll try again tonight to confirm as it's been several months since I last tried.
 
Actually I just tried it with the PSK type. Unsuccessful connection.

Android 12 running LineageOS.

Edit: I also realized that the PSK type never asks for a user and password to be entered, just the PSK. That may have something to do with it.
 
Last edited:
Thank you for your input. It seems the IKEv2 IPSec support in the latest version of the firmware is buggy. Is there an official way of filing a bug ticket with the development team?
 
There may be a good reason as to why it doesn't work, I'm just not completely sure what it is. Someone with more experience can fill in.

There used to be an issue reporter on this project's GitHub but it was discontinued a while back.
 
I was able to get it to work on iOS by following the below instructions (which I found here):
  1. Download AlwaysAtHome.mobileconfig template.
  2. Open the template in your favorite text editor.
  3. Replace the following fields:
    AAH_USERNAME: VPN Username
    AAH_PASSWORD: VPN Password
    AAH_HOSTNAME: DDNS Hostname (Warning: it appears twice)
    AAH_MYWIFI_1, AAH_MYWIFI_2: SSID of WiFi networks where VPN is disabled. It is mandatory to add the WiFi where this VPN server is running.
  4. Save the changes and email the file to yourself (preferable to an email account that is configured with the iOS Mail app).
  5. Open the Mail app and check the email. Click on the attachment to add the new configuration profile.
  6. Go to the Settings app to accept the new configuration profile.
Now if only I can figure out a way to get it to work on Android 12 or 13.
 
wavefunction said:
I was able to get it to work on iOS
Click to expand...
So you were able to successfully set it up on the router side with 388.1?

I'm asking because for me that keeps failing (so I can't even try on my iOS devices):

www.snbforums.com

388.1: Cannot set up IPSec VPN on GT-AX6000 (with settings from 386.7_2 on RT-AC86U)

Recently I purchased a GT-AX6000 to replace my RT-AC86U, so that I can run the new 388 firmware. I managed to manually replicate my old 386.7_2 setup from scratch in 388.1, except for IPSec VPN which keeps failing: Dec 20 22:07:32 00[DMN] Starting IKE charon daemon (strongSwan 5.9.6, Linux...
www.snbforums.com www.snbforums.com
 
XIII said:
So you were able to successfully set it up on the router side with 388.1?

I'm asking because for me that keeps failing (so I can't even try on my iOS devices):

www.snbforums.com

388.1: Cannot set up IPSec VPN on GT-AX6000 (with settings from 386.7_2 on RT-AC86U)

Recently I purchased a GT-AX6000 to replace my RT-AC86U, so that I can run the new 388 firmware. I managed to manually replicate my old 386.7_2 setup from scratch in 388.1, except for IPSec VPN which keeps failing: Dec 20 22:07:32 00[DMN] Starting IKE charon daemon (strongSwan 5.9.6, Linux...
www.snbforums.com www.snbforums.com
Click to expand...
That is correct. I didn't do anything special on the router side. However, the default IKEv2 VPN configuration on my iPhone (Settings > VPN > Add VPN Configuration) didn't work for me. I had to use the steps above to get it to work. Notice that the pre-shared key isn't required. (When I tried to add the pre-shared key to the configuration file, it didn't work. The connection immediately terminates.)
 
I have just got this working using an ASUS RT-AC86U running merlin 386.7_2, which is behind my ISP supplied router and thus NATed. The phone is a Samsung galaxy S20 plus, recently updated to android 13. Prior to (and post) the update I was successfully using VPN type "IPSec / Xauth PSK" per the asus doco. When looking at ikev2, I changed the VPN type but found the Xauth option was removed when I went to revert...There's a lesson in that :/

Random notes:
I have no real idea what I'm doing so take it with a grain of salt but it's connecting and has been up for an hour now. It seemed a bit slow initially but performance seems to have improved.

I messed around a lot with the config, some of which may or may not be necessary or secure or recommended.

On the router
-------------
Advanced settings, VPN, VPN Server Tab, IPSec VPN table:
Set a preshared key
Export current certificate "For Mobile" and get it to you android. That panel shows:
Status : Authenticated
Issue to : all.dnsomatic.com <-- That's what I need for DDNS to work for me. Changing DDNS screwed things up.
Issue from : ASUS router Root CA
Expires on : 2029/1/14

Create a username/password pair.

On the android 13
-----------------
Import the certificate to:
Settings, Security and privacy, Other security settings, View security certificates, USER tab (at bottom), Personal.
I don't recall exactly how I got it here but I think it was using files or double tapping on it in email. There were several security warnings that I completely ignored so YMMV.

Set up android VPN profile:
Type: IKEv2/IPSec MSCHAPv2
Server address: FQDN of your router.
IPSec Identifier: same as FQDN of your router. Not sure this is necessary
IPSec CA certificate: you should be able to choose the one you installed above.
IPSec Server certificate: Received from server
Username and password per account set up on router.
and then connect that sucker....

I'd appreciate if someone could try the above and critique where required particularly from the security PoV.
 
pjama said:
I have just got this working using an ASUS RT-AC86U running merlin 386.7_2, which is behind my ISP supplied router and thus NATed. The phone is a Samsung galaxy S20 plus, recently updated to android 13. Prior to (and post) the update I was successfully using VPN type "IPSec / Xauth PSK" per the asus doco. When looking at ikev2, I changed the VPN type but found the Xauth option was removed when I went to revert...There's a lesson in that :/

Random notes:
I have no real idea what I'm doing so take it with a grain of salt but it's connecting and has been up for an hour now. It seemed a bit slow initially but performance seems to have improved.

I messed around a lot with the config, some of which may or may not be necessary or secure or recommended.

On the router
-------------
Advanced settings, VPN, VPN Server Tab, IPSec VPN table:
Set a preshared key
Export current certificate "For Mobile" and get it to you android. That panel shows:
Status : Authenticated
Issue to : all.dnsomatic.com <-- That's what I need for DDNS to work for me. Changing DDNS screwed things up.
Issue from : ASUS router Root CA
Expires on : 2029/1/14

Create a username/password pair.

On the android 13
-----------------
Import the certificate to:
Settings, Security and privacy, Other security settings, View security certificates, USER tab (at bottom), Personal.
I don't recall exactly how I got it here but I think it was using files or double tapping on it in email. There were several security warnings that I completely ignored so YMMV.

Set up android VPN profile:
Type: IKEv2/IPSec MSCHAPv2
Server address: FQDN of your router.
IPSec Identifier: same as FQDN of your router. Not sure this is necessary
IPSec CA certificate: you should be able to choose the one you installed above.
IPSec Server certificate: Received from server
Username and password per account set up on router.
and then connect that sucker....

I'd appreciate if someone could try the above and critique where required particularly from the security PoV.
Click to expand...
I know this is quite old post but I wanted to confirm I tried those steps on my RT-AC86U with Merlin 386.14 and OnePlus 9 Pro (Android 14).
It worked great and I find this instruction much clearer the 10 longer official guide from Asus, LOL
I cannot comment regarding security.
 
You must log in or register to reply here.

Similar threads

G
Can't connect to IpSec VPN from Android 14
Replies
12
Views
4K
glsmith86
G
L
IPSec VPN Server with VNC connection causes ASUS RT-AC3100 to Reboot
Replies
0
Views
616
lporchas
L
S
IPSec VPN on AsusWRT-Merlin
Replies
5
Views
5K
papypaprika
P
Tyrfing
Asus RT-AX88U Stuck on Merlin Firmware 388.1
Replies
9
Views
1K
Tyrfing
Tyrfing
F
Site To Site VPN between Debian VM and AsusWRT-Merlin router, no routes exists
Replies
2
Views
1K
Freewill0592
F
Similar threads
Thread starter Title Forum Replies Date
D Has Anyone managed to compile r8152.ko driver for the RT-AX86U Pro, help really appreciated Asuswrt-Merlin 9
C "Disassociated because sending station is leaving (or has left)" - Roaming issue? Asuswrt-Merlin 3
G New Install on GT-BE98 Pro Has Empty Advanced_Wireless_Content.asp page Asuswrt-Merlin 0
Chuckles67 Fixed: Reminder: The system time has not been synchronized with an NTP server. Asuswrt-Merlin 0
D RT-AX88U - WiFi 2.4 GHz client has degraded internet connection speed when the router has connected to the internet via 4G modem Asuswrt-Merlin 3
L "Maximum number of concurrent DNS queries" with strange lb._dns-sd._udp. ... .in-addr.arpa reverse DNS queries (has Pi running Adguard Home + Unbound) Asuswrt-Merlin 2
J Help - duckdns has started returning an IPv6 IP address Asuswrt-Merlin 1
D Entware Can we check how much life a USB flashdrive has left? Asuswrt-Merlin 4
L Does the latest AsusWRT/Merlin FW has a memory leak? Asuswrt-Merlin 20
R My whole network has been randomly freezing up and when it does the log sayes this: Asuswrt-Merlin 4

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 791 (members: 16, guests: 775)
Top