IPSEC and IOS

rbdan

Occasional Visitor
Hey guys,

I tried to simply turn on the IPSEC server and add a Pre-shared Key, user name and password. Then I configured my IOS devices with the same info and it fails with “negotiation with the vpn server failed”.

I can watch the client on the server “Connecting...” but it never connects.

Any ideas?

Thanks!
Dan
 
Isn’t OpenVPN a better solution than IPSEC?

OpenVPN is more flexible, but IPSEC is usually faster, and often doesn't require any third party client software.
 
Please double check your password first. The function is working in our lab.

Sent from my ASUS_Z012DA using Tapatalk
 
Also, make sure the preshared key isn't too long. Asus recently fixed a bug with preshared keys that were too long.

- Fixed IPSec connection problem when PSK/Account/Password over 32 characters.
 
Hey Merlin,

Thanks for the reply. In testing, I am only using 9 characters.

Stupid question: Are special characters okay?

Can anyone think of anything I am missing? The setup is so simple, I can’t think of why it wouldn’t work.

Is anyone else using the IPSec server with IOS devices?

Thanks again,
Dan
 
We tested with iPhone.

Sent from my ASUS_Z012DA using Tapatalk
 
Unsure about special characters, but generally asuswrt is very fragile to these, best to avoid using them when in doubt.

Sent from my P027 using Tapatalk
 
Is this only available in stock firmware or certain models?

(I only see PPTP and OpenVPN in Asuswrt-Merlin 384.4 Beta 3 on my RT-AC86U)
 
Only on certain models. It's still a work-in-progress by Asus, and I can't enable it on all models due to kernel conflicts it causes for some platforms.
 
I tested IPSec on my RT-AC86U with an Android phone.
It was a little strange: IPSec didn't work when using only the stock firmware build option or only the Merlin firmware option.
It worked when it was built using the stock firmware openssl hostconfig option (no-engine -Os) + the Merlin firmware makefile (-disable-static).
I don't know how it works on the GT-AC5300 with a static build.
Anyway, so Tor can't be used with IPSec.

IPSec speed was similar to OpenVPN (150mbps~200mbps), not much difference.
But there is a certain advantage: yeah, it's built-in :D
 
BRT-AC828, RT-AC88U, RT-AC3100 and RT-AC5300.

Asus plans to add other models in the future. No definitive list yet.
 
Thanks.

I have access to three different models, but none of these... I'll have to wait a bit to play with this.
 
The RT-AC86U is highly likely to get it (I've done a few experiments myself on that front, will possibly have to remove Tor from that model due to conflicting settings).

I would expect the RT-AC68U to eventually get it, but it will have to come from Asus since the kernel-level changes required are incompatible with the current precompiled kernel modules. No idea what their plans are for that model.
 
I think there's a bug in the firmware code, the config files are not generated when you enable IPSEC - you must reboot for the config files to get copied from /usr/etc/* to /etc/ .


@arthurlien : start_services() should probably call rc_ipsec_config_init() regardless of whether ipsec is enabled or not, otherwise the config files will be missing if the end user enables IPSEC without rebooting, and charon will fail to start.
Nevermind, seems like it's already fixed in newer GPL code. I thought it was why the OP couldn't get IPSEC to work.
 
I think he already noticed it. gt-ac5300 code.

Code:
#if defined(RTCONFIG_IPSEC)
	//if(nvram_get_int("ipsec_server_enable") || nvram_get_int("ipsec_client_enable"))
	rc_ipsec_nvram_convert_check();

	rc_ipsec_config_init();

One more bug. If I turn on ipsec, the system log appears twice in the browser.
Without ipsec, it was normal.
 
Which GPL version are you checking? That code didn't seem to be commented out in 384_20379 (the latest I've got).
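
A way to check the claim discussed above, that the IPSec config files may not have been copied from /usr/etc/ to /etc/ until a reboot. This is an added example, not part of any post and not Asus or Asuswrt-Merlin code; the function names missing_configs and configs_complete are made up here, and the file name in the demo is constructed.

```shell
# Added diagnostic, not firmware code: print every file that exists under the
# template directory but has no counterpart in the live directory.
# On the router, the paths named in the thread would be:
#   missing_configs /usr/etc /etc
missing_configs() {
    tmpl=$1
    # Resolve the live directory to an absolute path before changing directory.
    live=$(cd "$2" 2>/dev/null && pwd) || { echo "no such dir: $2" >&2; return 2; }
    [ -d "$tmpl" ] || { echo "no such dir: $tmpl" >&2; return 2; }
    (
        cd "$tmpl" || exit 2
        # Walk the templates, including subdirectories, in a stable order.
        find . -type f | sed 's|^\./||' | sort | while IFS= read -r f; do
            [ -e "$live/$f" ] || printf '%s\n' "$f"
        done
    )
}

# Exit status 0 when nothing is missing, 1 when at least one file is absent,
# 2 when either directory does not exist.
configs_complete() {
    out=$(missing_configs "$1" "$2") || return 2
    [ -z "$out" ]
}

# Constructed demo in a scratch directory (the file name is made up).
demo=$(mktemp -d)
mkdir -p "$demo/tmpl" "$demo/live"
: > "$demo/tmpl/example.conf"
missing_configs "$demo/tmpl" "$demo/live"
rm -rf "$demo"
```

Running it once right after enabling IPSec and again after a reboot shows whether the two states differ on a given firmware build.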
 
