iOS vpn to asuswrt


firebladeRR1k

Occasional Visitor
I have used openwrt for vpn in the past. With this implementation, only tun style (layer 3) connections were available. This put your connected iPhone on a different subnet than the rest of your network. A tap based connection would have put the device on the same subnet as your home lan. Is there a way using IPSec to create a connection that will put the iPhone on the same subnet as the rest of your home lan?
 
Basically, want to be able to vpn into the network and be on the same subnet as the rest of the devices in the home. Is this possible?
 
Quote:
Basically, want to be able to vpn into the network and be on the same subnet as the rest of the devices in the home. Is this possible?

Not easily if you intend to use an Apple device. No TAP support AFAIK.
 
No, I use the same IPSEC implementation as on stock firmware, which offers only very limited config settings.
 
[IPSec with iOS] Does it have any functional limitation or issue in the current stock firmware design?
 
Would like to be able to configure it to have the iPhone vpn into the network and be on the same subnet as the rest of the home network if possible. I don’t personally know what configurations that would take though.
 
Quote:
Would like to be able to configure it to have the iPhone vpn into the network and be on the same subnet as the rest of the home network if possible. I don’t personally know what configurations that would take though.

So, the IPSec functions are working normally with the iPhone VPN, am I correct? What kind of application are you using, and does the application need to be used on the same subnet?
 
I have not tried IPSec. I have only used OpenVPN and that did not put the iPhone on the same subnet as the rest of the House.
 
If on the same subnet, connections between devices on the LAN are easier.

I really do not have issues connecting iOS or Android devices to my home LAN using OpenVPN on Asus. It does give the device a 10.0.0.x IP address, but it works.

 
@arthurlien
I think you guys really can make IKEv2 available at the GUI level with strongSwan + Let's Encrypt for Windows and BlackBerry users (+ iOS and Android too :D).
I tested IKEv2 with my Android and Windows 10 laptop successfully.

First, I copied my Let's Encrypt certs to the strongSwan cacerts folder.
Code:
cp /jffs/.le/myddns/* /tmp/etc/ipsec.d/cacerts
and changed ipsec.conf like this.
Code:
conn Host-to-Net
  keyexchange=ikev2
  left=myip
  leftid=@myddns
  #receive web value#left=
  leftsubnet=0.0.0.0/0
  leftfirewall=yes
  #interface=wan
  leftauth=pubkey
  leftcert=/tmp/etc/ipsec.d/cacerts/fullchain.pem
  right=%any
  rightauth=eap-mschapv2
  eap_identity=%any
  #sourceip_en=1
  rightsourceip=10.10.10.0/24
  rightdns=192.168.50.1
  dpdtimeout=30s
  dpdaction=clear
  dpddelay=10s
  auto=add
ipsec.secrets
Code:
#/etc/ipsec.secrets

# server private key matching fullchain.pem (I added)
: RSA /tmp/etc/ipsec.d/cacerts/domain.key

# this comes from the Asus IKEv1 config
%any : PSK Password

#ipsec_client_list_1

# this comes from the Asus IKEv1 config
Username : XAUTH password
# EAP-MSCHAPv2 credentials for the IKEv2 clients (I added)
Username : EAP "password"

And it works well.
Code:
@RT-AC86U-3F10:/tmp/etc/ipsec.d/cacerts# ipsec statusall
Status of IKE charon daemon (weakSwan 5.2.1, Linux 4.1.27, aarch64):
  uptime: 10 minutes, since Mar 01 22:37:05 2018
  malloc: sbrk 1462272, mmap 0, used 350448, free 1111824
  worker threads: 3 of 8 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
  loaded plugins: charon aes des rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf agent xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown eap-identity eap-md5 eap-mschapv2 eap-tls eap-peap xauth-generic
Virtual IP pools (size/online/offline):
  10.10.10.0/24: 254/1/0
Listening IP addresses:
  MYIP
  192.168.50.1
  10.8.0.1
  10.12.0.2
Connections:
 Host-to-Net:  MYIP...%any  IKEv2, dpddelay=10s
 Host-to-Net:   local:  [myddns] uses public key authentication
 Host-to-Net:    cert:  "CN=myddns"
 Host-to-Net:   remote: uses EAP_MSCHAPV2 authentication with EAP identity '%any'
 Host-to-Net:   child:  0.0.0.0/0 === dynamic TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
 Host-to-Net[2]: ESTABLISHED 10 minutes ago, myip[myddns]...clientip[Username]
 Host-to-Net[2]: IKEv2 SPIs: c81154507baf1ce9_i f45d166df723899b_r*, public key reauthentication in 2 hours
 Host-to-Net[2]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
 Host-to-Net{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: cf59bd28_i 7dcc77df_o
 Host-to-Net{1}:  AES_CBC_128/HMAC_SHA1_96, 28637 bytes_i (313 pkts, 144s ago), 48894 bytes_o (298 pkts, 144s ago), rekeying in 32 minutes
 Host-to-Net{1}:   0.0.0.0/0 === 10.10.10.1/32
 
Quote:
Basically, want to be able to vpn into the network and be on the same subnet as the rest of the devices in the home. Is this possible?

Back to the original question: it is possible.
But strongSwan needs to be recompiled with --enable-dhcp.
I got a 192.168.50.x IP from the DHCP server, and it showed up in the DHCP lease page.

/tmp/etc/ipsec.conf
Code:
rightsourceip=%dhcp
/tmp/etc/strongswan.d/charon/dhcp.conf
Code:
dhcp {
    force_server_address = yes
    load = yes
    server = 192.168.50.255
}
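To sanity-check a conn block like the IKEv2 one posted above, and the %dhcp variant from this post, before loading it on the router, here is a small linter I wrote for this thread (added example, not forum or strongSwan code). It parses the ipsec.conf conn syntax and flags the points a reviewer would raise: a server leaf cert stored under cacerts/ (that directory is loaded as trusted CAs; the leaf belongs in ipsec.d/certs), EAP auth without eap_identity, %dhcp without the dhcp plugin, a missing auto=add, and a non-IKEv2 keyexchange. The config text inside is constructed from the posts, not copied from a live router.

```python
import re

# Constructed ipsec.conf fragment modelled on the thread's posts (example data).
SAMPLE_CONF = """\
conn Host-to-Net
  keyexchange=ikev2
  leftid=@myddns
  leftauth=pubkey
  leftcert=/tmp/etc/ipsec.d/cacerts/fullchain.pem
  right=%any
  rightauth=eap-mschapv2
  eap_identity=%any
  rightsourceip=%dhcp   # hands out LAN addresses via the dhcp plugin
  auto=add
"""

def parse_conns(text):
    """Return {conn_name: {key: value}}; '#' comments and blank lines are ignored."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = re.match(r"^conn\s+(\S+)", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def lint_conn(opts, dhcp_plugin_loaded=False):
    """Return findings (strings) for one conn block; an empty list means nothing flagged."""
    findings = []
    if opts.get("keyexchange") != "ikev2":
        findings.append("keyexchange is not ikev2; iOS/Windows built-in clients need IKEv2")
    if "/cacerts/" in opts.get("leftcert", ""):
        findings.append("leftcert lives in cacerts/; keep the server leaf cert in "
                        "ipsec.d/certs and only CA certificates in cacerts/")
    if opts.get("rightauth", "").startswith("eap-") and "eap_identity" not in opts:
        findings.append("EAP auth without eap_identity; set eap_identity=%any")
    if opts.get("rightsourceip") == "%dhcp" and not dhcp_plugin_loaded:
        findings.append("rightsourceip=%dhcp needs strongSwan built with --enable-dhcp "
                        "and charon.plugins.dhcp.load = yes")
    if opts.get("auto", "ignore") == "ignore":
        findings.append("auto defaults to ignore; use auto=add so the responder loads it")
    return findings
```

Run it as `for name, opts in parse_conns(open("/tmp/etc/ipsec.conf").read()).items(): print(name, lint_conn(opts, dhcp_plugin_loaded=True))` on the router once the dhcp plugin is built in.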
 
When you say it needs to be recompiled, do the lines of code you provide above accomplish that, or is it an additional step? Or is that something ASUS would have to do? Sorry for my ignorance.
 