What's new

Has anyone gotten IKEv2/IPSec PSK VPN to work on Android 13 with Asus-Merlin 388.1?

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

wavefunction

Occasional Visitor
Hi everyone,

It seems Android stopped supporting IPSec Xauth PSK VPN starting with version 12. However, the latest versions of the Asus-Merlin firmware support IKEv2 IPSec. Unfortunately, I've been unable to get it to work with Android 13.

Has anyone gotten it to work? Are there any special steps that are required beyond what's documented?

I currently have an Asus RT-AX88U with Asus-Merlin firmware 388.1.

Thank you!
 
Which type of IKEv2 are you trying to connect with? I have an RT-AC86U and I believe I'm only able to connect to my router from my Android phone with the IKEv2/IPsec MSCHAPv2 type.

And are you using a custom ROM on your phone or the stock vendor software? I've seen reports of Wireguard breaking on some recent third-party ROMs but not sure if that's related.
 
I'm using IKEv2/IPSec PSK. Here's a screenshot for reference:

Android-IKEv2-IPSec-PSK.jpg


Isn't MSCHAPv2 insecure? If so, I'd rather avoid it if possible.

I'm using the stock vendor software on my Android phone.
 
MSCHAPv2 requires a CA certificate (that you can generate from the router administration) instead of a PSK. That's the main difference, but no idea about secure/insecure.

I seem to recall not being able to get the PSK type to work either, which is why I switched. I'll try again tonight to confirm as it's been several months since I last tried.
 
Actually I just tried it with the PSK type. Unsuccessful connection.

Android 12 running LineageOS.

Edit: I also realized that the PSK type never asks for a user and password to be entered, just the PSK. That may have something to do with it.
 
Last edited:
Thank you for your input. It seems the IKEv2 IPSec support in the latest version of the firmware is buggy. Is there an official way of filing a bug ticket with the development team?
 
There may be a good reason as to why it doesn't work, I'm just not completely sure what it is. Someone with more experience can fill in.

There used to be an issue reporter on this project's GitHub but it was discontinued a while back.
 
I was able to get it to work on iOS by following the below instructions (which I found here):
  1. Download AlwaysAtHome.mobileconfig template.
  2. Open the template in your favorite text editor.
  3. Replace the following fields:
    AAH_USERNAME: VPN Username
    AAH_PASSWORD: VPN Password
    AAH_HOSTNAME: DDNS Hostname (Warning: it appears twice)
    AAH_MYWIFI_1, AAH_MYWIFI_2: SSID of WiFi networks where VPN is disabled. It is mandatory to add the WiFi where this VPN server is running.
  4. Save the changes and email the file to yourself (preferable to an email account that is configured with the iOS Mail app).
  5. Open the Mail app and check the email. Click on the attachment to add the new configuration profile.
  6. Go to the Settings app to accept the new configuration profile.
Now if only I can figure out a way to get it to work on Android 12 or 13.
 
I was able to get it to work on iOS
So you were able to successfully set it up on the router side with 388.1?

I'm asking because for me that keeps failing (so I can't even try on my iOS devices):

 
So you were able to successfully set it up on the router side with 388.1?

I'm asking because for me that keeps failing (so I can't even try on my iOS devices):

That is correct. I didn't do anything special on the router side. However, the default IKEv2 VPN configuration on my iPhone (Settings > VPN > Add VPN Configuration) didn't work for me. I had to use the steps above to get it to work. Notice that the pre-shared key isn't required. (When I tried to add the pre-shared key to the configuration file, it didn't work. The connection immediately terminates.)
 
I have just got this working using an ASUS RT-AC86U running merlin 386.7_2, which is behind my ISP supplied router and thus NATed. The phone is a Samsung galaxy S20 plus, recently updated to android 13. Prior to (and post) the update I was successfully using VPN type "IPSec / Xauth PSK" per the asus doco. When looking at ikev2, I changed the VPN type but found the Xauth option was removed when I went to revert...There's a lesson in that :/

Random notes:
I have no real idea what I'm doing so take it with a grain of salt but it's connecting and has been up for an hour now. It seemed a bit slow initially but performance seems to have improved.

I messed around a lot with the config, some of which may or may not be necessary or secure or recommended.

On the router
-------------
Advanced settings, VPN, VPN Server Tab, IPSec VPN table:
Set a preshared key
Export current certificate "For Mobile" and get it to you android. That panel shows:
Status : Authenticated
Issue to : all.dnsomatic.com <-- That's what I need for DDNS to work for me. Changing DDNS screwed things up.
Issue from : ASUS router Root CA
Expires on : 2029/1/14

Create a username/password pair.

On the android 13
-----------------
Import the certificate to:
Settings, Security and privacy, Other security settings, View security certificates, USER tab (at bottom), Personal.
I don't recall exactly how I got it here but I think it was using files or double tapping on it in email. There were several security warnings that I completely ignored so YMMV.

Set up android VPN profile:
Type: IKEv2/IPSec MSCHAPv2
Server address: FQDN of your router.
IPSec Identifier: same as FQDN of your router. Not sure this is necessary
IPSec CA certificate: you should be able to choose the one you installed above.
IPSec Server certificate: Received from server
Username and password per account set up on router.
and then connect that sucker....

I'd appreciate if someone could try the above and critique where required particularly from the security PoV.
 
I have just got this working using an ASUS RT-AC86U running merlin 386.7_2, which is behind my ISP supplied router and thus NATed. The phone is a Samsung galaxy S20 plus, recently updated to android 13. Prior to (and post) the update I was successfully using VPN type "IPSec / Xauth PSK" per the asus doco. When looking at ikev2, I changed the VPN type but found the Xauth option was removed when I went to revert...There's a lesson in that :/

Random notes:
I have no real idea what I'm doing so take it with a grain of salt but it's connecting and has been up for an hour now. It seemed a bit slow initially but performance seems to have improved.

I messed around a lot with the config, some of which may or may not be necessary or secure or recommended.

On the router
-------------
Advanced settings, VPN, VPN Server Tab, IPSec VPN table:
Set a preshared key
Export current certificate "For Mobile" and get it to you android. That panel shows:
Status : Authenticated
Issue to : all.dnsomatic.com <-- That's what I need for DDNS to work for me. Changing DDNS screwed things up.
Issue from : ASUS router Root CA
Expires on : 2029/1/14

Create a username/password pair.

On the android 13
-----------------
Import the certificate to:
Settings, Security and privacy, Other security settings, View security certificates, USER tab (at bottom), Personal.
I don't recall exactly how I got it here but I think it was using files or double tapping on it in email. There were several security warnings that I completely ignored so YMMV.

Set up android VPN profile:
Type: IKEv2/IPSec MSCHAPv2
Server address: FQDN of your router.
IPSec Identifier: same as FQDN of your router. Not sure this is necessary
IPSec CA certificate: you should be able to choose the one you installed above.
IPSec Server certificate: Received from server
Username and password per account set up on router.
and then connect that sucker....

I'd appreciate if someone could try the above and critique where required particularly from the security PoV.
I know this is quite old post but I wanted to confirm I tried those steps on my RT-AC86U with Merlin 386.14 and OnePlus 9 Pro (Android 14).
It worked great and I find this instruction much clearer the 10 longer official guide from Asus, LOL
I cannot comment regarding security.
 

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top