VPN gurus here...


goatdog

Occasional Visitor
Trying to run IPsec VPN Server and it works...
but the problem I am having is that it seems to time out after about 20 minutes, sometimes... I have to re-establish it again... Where do I look for logs in these things...

RT-AC5300, latest Merlin build 384.6 I think.
 
Yeah, nothing much there; was trying to find out the application-specific logs for this. Some private IPs are masked, but this example is about 10 minutes idle...

Sep 26 07:52:43 vpn: + 192.168.100.108 10.10.10.1/32 == 192.168.111.108 -- 1.1.1.1 == 0.0.0.0/0
Sep 26 08:07:13 vpn: - 192.168.100.108 10.10.10.1/32 == 192.168.111.108 -- 1.1.1.1 == 0.0.0.0/0
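The `vpn: +` / `vpn: -` lines above are the tunnel up and down events written by the updown script, so pairing each `+` with the following `-` for the same peer gives the real session length; if every session ends after almost the same interval, that points at a timer (lifetime or DPD) rather than random drops. This is an added example, not code from anyone in the thread; it assumes Python 3 and a syslog year of 2018 (the lines carry none), and the sample lines are constructed from the quoted format.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the "vpn: +" / "vpn: -" syslog lines quoted in the thread.
SAMPLE_LOG = """\
Sep 26 07:52:43 vpn: + 192.168.100.108 10.10.10.1/32 == 192.168.111.108 -- 1.1.1.1 == 0.0.0.0/0
Sep 26 08:07:13 vpn: - 192.168.100.108 10.10.10.1/32 == 192.168.111.108 -- 1.1.1.1 == 0.0.0.0/0
Sep 26 08:09:02 vpn: + 192.168.100.108 10.10.10.1/32 == 192.168.111.108 -- 1.1.1.1 == 0.0.0.0/0
Sep 26 08:23:30 vpn: - 192.168.100.108 10.10.10.1/32 == 192.168.111.108 -- 1.1.1.1 == 0.0.0.0/0
Sep 26 09:00:00 vpn: + 192.168.100.109 10.10.10.2/32 == 192.168.111.109 -- 1.1.1.2 == 0.0.0.0/0
"""

# Field layout: <timestamp> vpn: <+|-> <local addr> <local net> == <inner addr> -- <peer addr> == <peer net>
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) vpn: (?P<event>[+-]) "
    r"(?P<local>\S+) (?P<local_net>\S+) == (?P<inner>\S+) -- (?P<peer>\S+) == (?P<peer_net>\S+)$"
)


def parse_ts(ts, year):
    # syslog timestamps carry no year, so the caller supplies one (assumed 2018 here)
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def session_durations(log_text, year=2018):
    """Return (peer, inner_ip, up_time, seconds) per session, in log order.

    A '+' opens a session for (peer, inner ip); the next '-' for the same key
    closes it. Sessions still open at the end of the log get seconds=None.
    """
    open_sessions = {}
    sessions = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an updown line; ignore other syslog noise
        key = (m["peer"], m["inner"])
        ts = parse_ts(m["ts"], year)
        if m["event"] == "+":
            open_sessions[key] = ts
        elif key in open_sessions:
            up = open_sessions.pop(key)
            sessions.append((m["peer"], m["inner"], up, int((ts - up).total_seconds())))
    for (peer, inner), up in open_sessions.items():
        sessions.append((peer, inner, up, None))
    return sessions


if __name__ == "__main__":
    for peer, inner, up, secs in session_durations(SAMPLE_LOG):
        print(f"{peer} ({inner}) up {up:%b %d %H:%M:%S} lasted {secs if secs is not None else 'still up'}s")
```

Feed it `grep 'vpn:' /tmp/syslog.log` output instead of the sample to check whether your drops cluster around one interval.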
 
You can increase log verbosity in VPN > VPN Server > VPN Details > Advanced Settings > Log verbosity. You will probably need to restart the VPN server for it to take effect.

I don't think that option exists for IPsec VPN under the GUI, only for OpenVPN... Is there a difference? IPsec VPN seems to be the only one supporting devices other than Windows, I mean...
 
All I could find out is the version, but nothing on timeouts other than the DPD (Dead Peer Detection) timeout, and it still disconnects even if I set it to disabled... nothing else on increasing the log levels to see what's going on. Any hint/help on how these things are configured?


https://wiki.strongswan.org/projects/strongswan/wiki/IpsecCommand

admin@x88x:/tmp/etc# ipsec version
Linux strongSwan U5.2.1/K2.6.36.4brcmarm
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil, Switzerland
 
Do many change the default VPN port to something high and obscure? I ran a few free online port scans and nothing showed up. I guess the router is smart enough to not respond to port scans even on the VPN port.
 
HUH? You lost me. lsof or netstat would have shown you what port it runs on... but that wasn't my question or problem.... Mine is that after the VPN tunnel is established, it disconnects at random times... and I wanted to find out if there are log levels I can increase or open to look at the cause. I don't think you can change the port on this, at least I don't see it in the GUI... maybe it can be done in the configs.

As far as what port... these are generic to Unix I think... netstat on NT you have to run as admin, and you would be able to get the same thing for processes...

lsof is one of the Entware packages...

lsof -i | grep charon
charon 465 admin 10u IPv6 2139 0t0 UDP *:500
charon 465 admin 11u IPv6 2140 0t0 UDP *:4500
charon 465 admin 12u IPv4 2141 0t0 UDP *:500
charon 465 admin 13u IPv4 2142 0t0 UDP *:4500

admin@x88x:/tmp/home/root# netstat -tunlp | grep -i charon
udp 0 0 0.0.0.0:4500 0.0.0.0:* 445/charon
udp 0 0 0.0.0.0:500 0.0.0.0:* 445/charon
udp 0 0 :::4500 :::* 445/charon
udp 0 0 :::500 :::* 445/charon
 
I mean for security reasons; sorry, I saw the VPN thread and thought it was an existing generic VPN thread, and was trying to reuse existing threads.

There are some recommendations that the VPN port be obscured for security.

 
No worries, I was advised (respectfully) as a newbie to use the search before posting a new thread... So I am still learning :-O
 
Why not just use OpenVPN?

Because there are iOS, macOS and Windows IKEv2 + IKE native clients (strongSwan for Android),
IPsec IKEv2 or IKE is 4x faster and has less latency than OpenVPN on my RT-AC86U.
IKEv2 with Let's Encrypt certificates is easier to deploy to clients: you only need login and password for IKEv2, and the certificates are managed with Let's Encrypt.
With IPsec IKEv2 you can't have a DNS leak.
 
Oh.... I thought IKE was a proprietary, extremely difficult to set up thing.. Was it hard?
Yes, DNS leak is a concern for me.

I do like how OpenVPN seems to automatically log in to the local city free WiFi though. Perhaps they don't block custom high ports. Pretty awesome.
 
Easy-peasy to set up thanks to Odkrys
 
I also use the IPsec server with IKEv2 and IKE. The server disconnects after 2 hours.
Anyway, if you want you can try the IKEv2 server; follow this thread
https://www.snbforums.com/threads/asus-ipsec-vpn-server.44973/#post-436400


Ok, thanks for the tips... seems like you can increase the log level... with this blob entry on that link you provided.. but that IKEv2 script doesn't seem to affect the setting of the IKEv1 stuff... hmmm, still have to learn. Anyone have a good guide to setting up these things?

ipsec stroke loglevel cfg 2

https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
 