Menu
What's new
By:
Filters Better Search

IKEv2 client on Merlin Firmware

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

O

Odkrys

Senior Member
This is very alpha level.

For HND ARM Routers. RT-AC86U, RT-AX88U

https://drive.google.com/open?id=1wqDcJDUp8p3MRXlOFY8AKkeZR9ecEAMf

Code: 
opkg install /path/ikev2client_alpha-2_aarch64-3.10.ipk

For SDK 7.14 ARM Routers. RT-AC3100, RT-AC88U, RT-AC5300

Download and unzip ipk file after that copy them to proper place.


ㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡ

CAPATH is self-signed ca certificate file name.
For example protonvpn.der, NordVPN.pem
This is provided by VPN provider.

https://protonvpn.com/support/linux-ikev2-protonvpn/
https://support.nordvpn.com/Connect...nect-to-NordVPN-with-IKEv2-IPSec-on-Linux.htm

Some providers use certificates signed by a known CA.
Code: 
opkg install ca-certificates
export CAPATH=/opt/etc/ssl/certs


ID and Password are normally your account of VPN service.

This setting is expected to be compatible with most VPN providers.

nano /opt/etc/init.d/S90ikev2
Code: 
export CAPATH=CA path        for example) /jffs/protonvpn.der
export HOST=IP or DDNS       for exmaple) us-01.protonvpn.com
export ID=YOUR ID
export PASSWORD=YOUR PASSWORD

Done.
Code: 
/opt/etc/init.d/S90ikev2 start


ㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡ

For Policy Based Routing.

You can easily send the packets you want to the VPN using SNAT.

nano /opt/etc/ikev2/ikev2-updown.sh
Code: 
    up-client)
                iptables -t nat -I POSTROUTING -o eth0 ! -p esp -j SNAT --to-source ${PLUTO_MY_SOURCEIP}
    down-client)
                iptables -t nat -D POSTROUTING -o eth0 ! -p esp -j SNAT --to-source ${PLUTO_MY_SOURCEIP} 2>/dev/null

Just change them like
Code: 
    up-client)
                iptables -t nat -I POSTROUTING -s 192.168.50.100 -o eth0 ! -p esp -j SNAT --to-source ${PLUTO_MY_SOURCEIP}
    down-client)
                iptables -t nat -D POSTROUTING -s 192.168.50.100 -o eth0 ! -p esp -j SNAT --to-source ${PLUTO_MY_SOURCEIP} 2>/dev/null

And uncomment this line to ignore dns pushing of server.

nano /opt/etc/init.d/S90ikev2
Code: 
#For Policy Based Routing
#sed -i "s|load = yes|load = no|g" /etc/strongswan.d/charon/resolve.conf

-> sed -i "s|load = yes|load = no|g" /etc/strongswan.d/charon/resolve.conf
 
Last edited:
To RT-AC68U, RT-AC87U, RT-AC3200 users.

If you are interested, please install and test entware strongswan.

Code: 
opkg install strongswan strongswan-charon strongswan-ipsec strongswan-mod-eap-identity \
strongswan-mod-eap-mschapv2 strongswan-mod-kernel-netlink strongswan-mod-nonce strongswan-mod-pem \
strongswan-mod-openssl strongswan-mod-pubkey strongswan-mod-resolve strongswan-mod-stroke \
strongswan-mod-socket-default strongswan-mod-socket-dynamic strongswan-mod-updown

sed -i "s|/etc|/opt/etc|g" /opt/etc/init.d/S90ikev2
sed -i "s|/usr/sbin/ipsec|/opt/sbin/ipsec|g" /opt/etc/init.d/S90ikev2
sed -i "s|/opt/opt/|/opt/|g" /opt/etc/init.d/S90ikev2
sed -i "s|include strongswan.d|include /opt/etc/strongswan.d|g" /opt/etc/ikev2/strongswan.conf
sed -i "s|# file =|file =|g"  /opt/etc/strongswan.d/charon/resolve.conf

And follow the guide.
 
Last edited:
Odkrys said:
This is very alpha level.

For HND ARM Routers. RT-AC86U, RT-AX88U

https://drive.google.com/open?id=1YvY8vupBq3xJtWoLYysh-4rlDeyfIS13

Code: 
opkg install /path/ikev2client_alpha-2_aarch64-3.10.ipk

For SDK 7.14 ARM Routers. RT-AC3100, RT-AC88U, RT-AC5300

Download and unzip ipk file after that copy them to proper place.


ㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡ

CAPATH is self-signed ca certificate file name.
For example protonvpn.der, NordVPN.pem
This is provided by VPN provider.

https://protonvpn.com/support/linux-ikev2-protonvpn/
https://support.nordvpn.com/Connect...nect-to-NordVPN-with-IKEv2-IPSec-on-Linux.htm

ID and Password are normally your account of VPN service.

This setting is expected to be compatible with most VPN providers.

nano /opt/etc/init.d/S90ikev2
Code: 
export CAPATH=CA path        for example) /jffs/protonvpn.der
export HOST=IP or DDNS       for exmaple) us-01.protonvpn.com
export ID=YOUR ID
export PASSWORD=YOUR PASSWORD

Done.
Code: 
/opt/etc/init.d/S90ikev2 start


ㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡ

For Policy Based Routing.

You can easily send the packets you want to the VPN using SNAT.

nano /opt/etc/ikev2/ikev2-updown.sh
Code: 
    up-client)
                iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to-source ${PLUTO_MY_SOURCEIP}
    down-client)
                iptables -t nat -D POSTROUTING -o eth0 -j SNAT --to-source ${PLUTO_MY_SOURCEIP} 2>/dev/null

Just change them like
Code: 
    up-client)
                iptables -t nat -I POSTROUTING -s 192.168.50.100 -o eth0 -j SNAT --to-source ${PLUTO_MY_SOURCEIP}
    down-client)
                iptables -t nat -D POSTROUTING -s 192.168.50.100 -o eth0 -j SNAT --to-source ${PLUTO_MY_SOURCEIP} 2>/dev/null

And uncomment this line to ignore dns pushing of server.

nano /opt/etc/init.d/S90ikev2
Code: 
#For Policy Based Routing
#sed -i "s|load = yes|load = no|g" /etc/strongswan.d/charon/resolve.conf

-> sed -i "s|load = yes|load = no|g" /etc/strongswan.d/charon/resolve.conf
Click to expand...

What path did you use to add to CA PATH for NordVPN?

I tried to use this from the NordVPN link and then another modified one but I keep getting an error:

Code: 
 https://downloads.nordvpn.com/certificates/root.der -O /etc/ipsec.d/cacerts/NordVPN.der


Sent from my iPhone using Tapatalk
 
Odkrys said:
Where is wget?

Don't save it at /etc it will disappear when you reboot router.
/jffs or usb drive.
Click to expand...

Yes I used /jffs... but couldn’t tell which link to use to retrieve the the certificate.

When looking at NordVPN’s site, it says to use this first:

Code: 
 sudo wget https://downloads.nordvpn.com/certificates/root.der -O /etc/ipsec.d/cacerts/NordVPN.der

And then:

Code: 
 sudo openssl x509 -inform der -in /etc/ipsec.d/cacerts/NordVPN.der -out /etc/ipsec.d/cacerts/NordVPN.pem

So wasn’t sure which to use.


Sent from my iPhone using Tapatalk
 
Marin said:
Yes I used /jffs... but couldn’t tell which link to use to retrieve the the certificate.

When looking at NordVPN’s site, it says to use this first:

Code: 
 sudo wget https://downloads.nordvpn.com/certificates/root.der -O /etc/ipsec.d/cacerts/NordVPN.der

And then:

Code: 
 sudo openssl x509 -inform der -in /etc/ipsec.d/cacerts/NordVPN.der -out /etc/ipsec.d/cacerts/NordVPN.pem

So wasn’t sure which to use.


Sent from my iPhone using Tapatalk
Click to expand...

And that was about this section. Sorry I wasn’t more specific:

Code: 
 nano /opt/etc/init.d/S90ikev2

Code:
export CAPATH=CA path        for example) /jffs/protonvpn.der
export HOST=IP or DDNS       for exmaple) us-01.protonvpn.com
export ID=YOUR ID
export PASSWORD=YOUR PASSWORD


Sent from my iPhone using Tapatalk
 
Marin said:
And that was about this section. Sorry I wasn’t more specific:

Code: 
 nano /opt/etc/init.d/S90ikev2

Code:
export CAPATH=CA path        for example) /jffs/protonvpn.der
export HOST=IP or DDNS       for exmaple) us-01.protonvpn.com
export ID=YOUR ID
export PASSWORD=YOUR PASSWORD


Sent from my iPhone using Tapatalk
Click to expand...

no sudo in router..
CA path is place of certificate it is up to user.
 
Last edited:
Odkrys said:
no sudo in router..
CA path is replace of certificate it is up to user.[/QUOTE

Yes, I used this instead and modified it to be saved in /jffs/:
Code: 
wget https://downloads.nordvpn.com/certificates/root.der -O /jffs/NordVPN.der

Is this right?

Also, I wasn'st sure what to make of this from the NordVPN website:

Code: 
 sudo openssl x509 -inform der -in /etc/ipsec.d/cacerts/NordVPN.der -out /etc/ipsec.d/cacerts/NordVPN.pem

Would you be able to give an example on how you saved this certificate?
Click to expand...
 
How do you go from NordVPN.der to NordVPN.pem?
 
@Odkrys - Are you able to give describe the steps you followed to download a NordVPN RSA certificate?

did you do this first:

Code: 
wget https://downloads.nordvpn.com/certificates/root.der -O /etc/ipsec.d/cacerts/NordVPN.der

and if /jffs/ should be used instead of /etc/, what /jffs/ folder would be more appropriate to save this. And how would the command above look like?

and what about this:

Code: 
openssl x509 -inform der -in /etc/ipsec.d/cacerts/NordVPN.der -out /etc/ipsec.d/cacerts/NordVPN.pem

I am sure this would have to be modified based on /jffs/ folder on the first command. But what about the NordVPN.pem piece? Would this be saved in /jffs/ as well?

Thanks!
 
@Marin I don't know what is your problem.
The reason for changing the place is because the certificate disappears when you reboot.
Whether you use /jffs or /opt is your mind.
The code below is to change the format of the certificate. It doesn't matter if you don't.
der and pem both fine.
 
Managed to setup IKEv2 client with NordVPN by following the steps above.
However, the connection drops after 45 minutes (changes from Connected to Connecting state, then disconnected at 47 minutues).
Nothing was logged when the connection dropped and Strongswan was not stopped after the connection dropped.
 
I tried this setup on my RT-AC88U.
The connection seems correctly established ("connection 'ikev2' established successfully"), but then all of my devices lost the access to internet after that. Only the router itself has access to Internet (I can still use curl or wget for example using ssh) and I can see that my ip address is the one from my vpn provider if I use the following command:
Bash: 
curl ipecho.net/plain; echo

I suspect that maybe something in my iptables prevent my devices to access internet through my ikve2 connection, but I am not very familiar with iptables ...

If anyone has any idea how I can sort this out, it would be much appreciated

Thanks!
 
Odkrys said:
This is very alpha level.

For HND ARM Routers. RT-AC86U, RT-AX88U

https://drive.google.com/open?id=1wqDcJDUp8p3MRXlOFY8AKkeZR9ecEAMf

Code: 
opkg install /path/ikev2client_alpha-2_aarch64-3.10.ipk

For SDK 7.14 ARM Routers. RT-AC3100, RT-AC88U, RT-AC5300

Download and unzip ipk file after that copy them to proper place.


ㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡ

CAPATH is self-signed ca certificate file name.
For example protonvpn.der, NordVPN.pem
This is provided by VPN provider.

https://protonvpn.com/support/linux-ikev2-protonvpn/
https://support.nordvpn.com/Connect...nect-to-NordVPN-with-IKEv2-IPSec-on-Linux.htm

Some providers use certificates signed by a known CA.
Code: 
opkg install ca-certificates
export CAPATH=/opt/etc/ssl/certs


ID and Password are normally your account of VPN service.

This setting is expected to be compatible with most VPN providers.

nano /opt/etc/init.d/S90ikev2
Code: 
export CAPATH=CA path        for example) /jffs/protonvpn.der
export HOST=IP or DDNS       for exmaple) us-01.protonvpn.com
export ID=YOUR ID
export PASSWORD=YOUR PASSWORD

Done.
Code: 
/opt/etc/init.d/S90ikev2 start


ㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡ

For Policy Based Routing.

You can easily send the packets you want to the VPN using SNAT.

nano /opt/etc/ikev2/ikev2-updown.sh
Code: 
    up-client)
                iptables -t nat -I POSTROUTING -o eth0 ! -p esp -j SNAT --to-source ${PLUTO_MY_SOURCEIP}
    down-client)
                iptables -t nat -D POSTROUTING -o eth0 ! -p esp -j SNAT --to-source ${PLUTO_MY_SOURCEIP} 2>/dev/null

Just change them like
Code: 
    up-client)
                iptables -t nat -I POSTROUTING -s 192.168.50.100 -o eth0 ! -p esp -j SNAT --to-source ${PLUTO_MY_SOURCEIP}
    down-client)
                iptables -t nat -D POSTROUTING -s 192.168.50.100 -o eth0 ! -p esp -j SNAT --to-source ${PLUTO_MY_SOURCEIP} 2>/dev/null

And uncomment this line to ignore dns pushing of server.

nano /opt/etc/init.d/S90ikev2
Code: 
#For Policy Based Routing
#sed -i "s|load = yes|load = no|g" /etc/strongswan.d/charon/resolve.conf

-> sed -i "s|load = yes|load = no|g" /etc/strongswan.d/charon/resolve.conf
Click to expand...

Hello Odkrys,

Could you please update download link, it is not working?
Also do you have updated version for RT-AX86U 386.3_2 (current merlin firmware)?
I want to use your app with NordVpn IKEv2.

Thank you in advance!
 
You must log in or register to reply here.

Similar threads

F
Site To Site VPN between Debian VM and AsusWRT-Merlin router, no routes exists
Replies
2
Views
1K
Freewill0592
F
F
Tutorial Setup the ASUS TUF Gaming AX5400 router for Transmission with remote access using an SSD for storage
Replies
2
Views
4K
KattinVN
KattinVN
gspannu
Tutorial AdGuard Home - adblocker - Clean install on Asus Merlin (No 3rd party scripts !!!)
4 5 6
Replies
112
Views
44K
TurboTronix
T
arabesc
Tutorial HOWTO use Voxel/Entware/miniupnpd on R7800/R9000 router
Replies
0
Views
3K
arabesc
arabesc
MON@H Rasta
Tutorial Using TOR to unblock sites blocked by ISP on [Fork] Asuswrt-Merlin 374 LTS
Replies
14
Views
4K
Vas99
V
Similar threads
Thread starter Title Forum Replies Date
L Client to client disabled when using static IP on OpenVPN ASUS RT-AC3200 VPN 31
N Mikrotik as OpenVPN client, lan behind mikrotik? VPN 2
K Help with Wireguard Client set up, access local LAN & provider DNS VPN 1
O TV with OpenVPN client VPN 16
tagfoto Pulse Secure Desktop Client Failing VPN 8
S How to start client VPN from the CLI on tomato firmware VPN 0
R How to route/bridge OpenVPN TUN Client to LAN/BR0? VPN 0
F Site To Site VPN between Debian VM and AsusWRT-Merlin router, no routes exists VPN 2

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 890 (members: 32, guests: 858)
Top