Site-to-Site VPN between Debian VM and AsusWRT-Merlin router, no routes exist

Freewill0592
Hello.
After a long time I have finally made an IPsec site-to-site VPN work between my Debian server with a public IP and a Sophos firewall.
Now I am trying to do the same between my server and an Asus RT-AC88U which has AsusWRT-Merlin installed on it.
Not sure if I can post here or should post in the WRT section of the forum.

I have established the VPN tunnel successfully but I cannot ping anything on the other side. When I check routes, none are added.
And the script which works for the Sophos<>Debian connection is not creating the VTI interface for this tunnel on the Debian server either.
The script does not seem to work on AsusWRT, even when I replaced those PLUTO variables with correct values.
It is complaining with "add tunnel "ip_vti0" failed: No such device". I assume AsusWRT does not have the VTI package?
This is what I get when I try to add the VTI interface...
Bash:
Freewill@asus:/jffs/scripts# ip link add vti1 type vti
RTNETLINK answers: Operation not supported

Freewill@asus:/jffs/scripts# ip tunnel add vti0 mode vti
add tunnel "ip_vti0" failed: No such device
Freewill@asus:/jffs/scripts# ip tunnel add vti0 mode vti 172.29.29.5 172.29.29.6
Error: either "name" is duplicate, or "172.29.29.5" is a garbage.
Freewill@asus:/jffs/scripts# ip tunnel add vti1 mode vti 172.29.29.5 172.29.29.6
Error: either "name" is duplicate, or "172.29.29.5" is a garbage.
Freewill@asus:/jffs/scripts# ip tunnel add vti1 mode vti "172.29.29.5" "172.29.29.6"
Error: either "name" is duplicate, or "172.29.29.5" is a garbage.
Freewill@asus:/jffs/scripts# ip tunnel add name vti1 mode vti "172.29.29.5" "172.29.29.6"
Error: either "name" is duplicate, or "172.29.29.5" is a garbage.
Freewill@asus:/jffs/scripts# ip tunnel add name vti1 type vti 172.29.29.5 172.29.29.6
Error: either "name" is duplicate, or "type" is a garbage.
Freewill@asus:/jffs/scripts# ip tunnel add name vti1 type vti key 43 172.29.29.5 172.29.29.6
Error: either "name" is duplicate, or "type" is a garbage.
Freewill@asus:/jffs/scripts# ip tunnel add name vti1 type vti key 43 remote 172.29.29.5 local 172.29.29.6
Error: either "name" is duplicate, or "type" is a garbage.
Freewill@asus:/jffs/scripts# ip tunnel add vti1 type vti key 43 remote 172.29.29.5 local 172.29.29.6
Error: either "name" is duplicate, or "type" is a garbage.

Or how can I set up routing using just the ipsec.conf, which appears to work just fine?
YAML:
# This is config on Debian Server:
# /etc/ipsec.conf
config setup
    charondebug="ike 0, knl 0, cfg 0, net 0, esp 0, dmn 0,  mgr 0"
conn AsusToUKsrv
  authby=psk
  leftupdown=/usr/local/sbin/ipsec-notify_asus.sh
  keyexchange=ikev2
  #type=tunnel - does not seem to work with or without this
  left=<MY PUBLIC IP ON SERVER>
  leftsubnet=10.98.195.0/24
  leftid="10.98.195.1"
  right=%any
  rightsubnet=10.99.195.0/24
  rightid="10.99.195.254"
  rightcert=never
  mark_in=43
  mark_out=43
  ike=aes256-sha256-modp2048
  dpdtimeout=30s
  dpdaction=clear
  dpddelay=10s
  auto=start
# -----------------------------------------
#!/bin/bash
# /usr/local/sbin/ipsec-notify_asus.sh

set -o nounset
set -o errexit

#VTI_IF="vti${PLUTO_UNIQUEID}"
VTI_IF="vti5"
case "${PLUTO_VERB}" in
    up-client)
        ip tunnel add "${VTI_IF}" mode vti \
            local "${PLUTO_ME}" remote "${PLUTO_PEER}" \
            okey "${PLUTO_MARK_OUT%%/*}" ikey "${PLUTO_MARK_IN%%/*}"
        ip link set "${VTI_IF}" up
        # Here goes the virtual IP for the interface; the other IP of the /30 needs to be on the other side, e.g. the Sophos tunnel
        ip addr add 172.29.29.5/30 dev "${VTI_IF}"
        # Here add the route or routes to the other network
        ip route add 10.99.195.0/24 dev "${VTI_IF}"
        sysctl -w "net.ipv4.conf.${VTI_IF}.disable_policy=1"
        sysctl -w "net.ipv4.conf.${VTI_IF}.rp_filter=0"
        sysctl -w "net.ipv4.conf.all.rp_filter=0"
        ;;
    down-client)
        # Delete the route added above before the tunnel: once the device is gone, the route can no longer be referenced
        ip route del 10.99.195.0/24 dev "${VTI_IF}"
        ip tunnel del "${VTI_IF}"
        ;;
esac
And this is on the Asus router, as a script which will replace the ipsec.conf file when the router starts.
YAML:
# /etc/ipsec.conf - on Asus router
config setup
    charondebug="ike 0, knl 0, cfg 0, net 0, esp 0, dmn 0,  mgr 0"
conn AsusToUKsrv
  authby=psk
  leftupdown=/opt/ipsec-notify_asus.sh
  keyexchange=ikev2
  #type=tunnel - does not seem to work with or without this
  right=77.68.115.227
  rightsubnet=10.98.195.0/24
  rightid="10.98.195.1"
  left=%defaultroute
  leftsubnet=10.99.195.0/24
  leftid="10.99.195.254"
  leftcert=never
  mark_in=43
  mark_out=43
  ike=aes256-sha256-modp2048
  dpdtimeout=30s
  dpdaction=clear
  dpddelay=10s
  auto=start

#!/bin/bash
# Script for adding interface when tunnel is created: /opt/ipsec-notify_asus.sh
# it does not want to add this tunnel when I just run the script
# local/remote are the outer IKE endpoints (router WAN address from the log and the server's
# public IP from ipsec.conf), as with PLUTO_ME/PLUTO_PEER in the Debian script; the
# 172.29.29.x addresses belong on the vti interface itself, not in the tunnel definition
ip tunnel add vti5 mode vti local 192.168.1.115 remote 77.68.115.227 okey 43 ikey 43
ip link set vti5 up
ip addr add 172.29.29.6/30 dev vti5
# route to the server-side network; 10.99.195.0/24 is the router's own LAN
ip route add 10.98.195.0/24 dev vti5
# do not remember the path to the file so I used ...
echo 1 > /proc/..../net.ipv4.conf.vti5.disable_policy
echo 0 > /proc/..../net.ipv4.conf.vti5.rp_filter
echo 0 >/proc/..../net.ipv4.conf.all.rp_filter

Also, on both of the endpoints, server and router, I have added to /etc/strongswan.d/charon.conf
install_routes = no
install_virtual_ip = no

as it did not add any routes anyway before, when it used the default "yes".

This is the output when it connects:
Bash:
initiating IKE_SA asusuk[7] to SERVERIP
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) V ]
sending packet: from 192.168.1.115[500] to SERVERIP[500] (1228 bytes)
received packet: from SERVERIP[500] to 192.168.1.115[500] (472 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
local host is behind NAT, sending keep alives
sending cert request for "C=TW, O=ASUS, CN=ASUS asus Root CA"
authentication of '10.99.195.254' (myself) with pre-shared key
establishing CHILD_SA asusuk{8}
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from 192.168.1.115[4500] to SERVERIP[4500] (416 bytes)
received packet: from SERVERIP[4500] to 192.168.1.115[4500] (304 bytes)
parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
authentication of '10.98.195.1' with pre-shared key successful
received AUTH_LIFETIME of 10166s, scheduling reauthentication in 9626s
peer supports MOBIKE
IKE_SA asusuk[7] established between 192.168.1.115[10.99.195.254]...SERVERIP[10.98.195.1]
reauthentication already scheduled in 9626s
maximum IKE_SA lifetime 10166s
selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
CHILD_SA asusuk{8} established with SPIs c6133650_i cdf4775e_o and TS 10.99.195.0/24 === 10.98.195.0/24
connection 'asusuk' established successfully


I want to be able to access, from the network behind the Asus router, internal local IP addresses which are on the Debian server - there are some Docker networks.
I use it for DNS and occasionally to access the internet via proxy when I am not on my home network.
EDIT: Partially, I have sorted this by using the following script which will add all the necessary configuration to files and also adds routes....
This time I had to use "yes" in the /etc/strongswan.d/charon.conf file to add routes... with my previous setup I was using no; I am also still using no for adding interfaces and it works.


Bash:
#!/bin/sh
cat >> /etc/ipsec.conf << EOL
config setup

conn %default
  ikelifetime=28800s
  keylife=3600s
  rekeymargin=3m
  keyingtries=1
  authby=secret

conn asus
  mobike=no
  leftupdown=/jffs/scripts/pre_ipsecscipt.sh
  keyexchange=ikev2
  ike=aes256-sha256-modp2048!
  esp=aes256-sha256-modp2048!
  left=%defaultroute
  leftfirewall=no  
  leftsubnet=10.99.195.0/24
  leftid=10.99.195.254
  rightid=10.98.195.1
  right=100.100.100.100
  rightsubnet=10.98.195.0/24
  auto=start
  dpdaction=clear
  dpddelay=30s
  dpdtimeout=120s

conn Host-to-Net
  keyexchange=ikev1
  left=%defaultroute
  #receive web value#left=
  leftsubnet=0.0.0.0/0
  leftfirewall=yes
  #interface=wan
  leftauth=psk
  right=%any
  rightauth=psk
  rightauth2=xauth
#sourceip_en=1
  rightsourceip=10.110.111.0/24
  rightdns=10.99.195.254
  ike=aes256-sha1-modp1024
  dpdtimeout=30s
  dpdaction=clear
  dpddelay=10s
  auto=add

#Host-to-NET[prof#1]:4>Host-to-Netv2>null>null>wan>>0>null>null>null>null>null>null>1>10.110.111>null>2>null>null>0>192.168.1.115>null>null>0>>>eap-mschapv2>1>500>4500>10>1>null>null>null>null><<<<>1>pubkey>svrCert.pem>always>svrKey.pem>%identity


conn Host-to-Netv2
  keyexchange=ikev2
  mobike=no
  left=%defaultroute
  #receive web value#left=
  leftsubnet=0.0.0.0/0
  leftfirewall=yes
  #interface=wan
  leftauth=pubkey
  leftid=192.168.1.115
  leftcert=svrCert.pem
  #leftsendcert is the key point for iOS devices
  leftsendcert=always
  eap_identity=%identity
  right=%any
  rightauth=eap-mschapv2
#sourceip_en=1
  rightsourceip=10.110.111.0/24
  rightdns=10.99.195.254
  ike=aes256-sha1-modp1024
  dpdtimeout=30s
  dpdaction=clear
  dpddelay=10s
  auto=add
EOL

cat > /etc/ipsec.secrets << EOL
10.99.195.254 10.98.195.1 : PSK GFkjashj£fasjkvo_kjfnashj
 %any : PSK GFkjashj£fasjkvo_kjfnashj
EOL

echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

# Strongswan Config
cat > /etc/strongswan.conf << EOF
charon {
        user = me
        install_virtual_ip = no
        install_routes = yes
        #threads = 8
        #send_vendor_id = yes
        #max_packet = 64000
        #interfaces_ignore = br0
        starter { load_warning = no }
        load_modular = yes
        #i_dont_care_about_security_and_use_aggressive_mode_psk = yes
        plugins {
                include strongswan.d/charon/*.conf
        }
        filelog {
                charon {
                        path = /var/log/strongswan.charon.log
                        time_format = %b %e %T
                        default = 1
                        append = no
                        flush_line = yes
                }
        }
}
EOF

ipsec rereadall
ipsec reload

sleep 2
ipsec restart

And on the Debian server I have a similar config, just with the left and right sides swapped.
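The two updown scripts above each hard-code one end, and the router end cannot create a VTI at all; the EDIT works around that with install_routes = yes. As an added example (not the thread's own script), the following POSIX sh leftupdown serves both ends from the PLUTO_* variables charon passes: it probes for VTI support and builds the marked tunnel where it exists, otherwise it installs a plain route for the peer subnet with a source address inside the local traffic selector. LOCAL_SRC, GATEWAY, DRY_RUN and VTI_OK are assumed helper variables of this example, not strongSwan ones.

```shell
#!/bin/sh
# Added example (not from the thread): one leftupdown script for both tunnel ends.
# charon sets PLUTO_* in the environment. Assumed helper variables: LOCAL_SRC (a LAN
# address inside leftsubnet), GATEWAY (WAN next hop, auto-detected if unset),
# DRY_RUN=1 (print commands instead of running them), VTI_OK=1 (simulate VTI under DRY_RUN).

run() { if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi; }

# Does this kernel/iproute2 create vti links? AsusWRT answers "Operation not supported".
vti_supported() {
    if [ -n "${DRY_RUN:-}" ]; then [ "${VTI_OK:-0}" = 1 ]; return; fi
    ip link add vti_probe type vti 2>/dev/null || return 1
    ip link del vti_probe
}

ipsec_updown() {
    vti="vti${PLUTO_UNIQUEID:-0}"
    net="${PLUTO_PEER_CLIENT:-}"      # remote subnet from the negotiated traffic selector
    gw="${GATEWAY:-$(ip -4 route show default dev "${PLUTO_INTERFACE:-}" 2>/dev/null | awk '{print $3}')}"
    case "${PLUTO_VERB:-}" in
    up-client)
        if vti_supported; then
            # mark_in/mark_out arrive as "43/0xffffffff"; the vti keys take the bare mark.
            run ip tunnel add "$vti" mode vti local "$PLUTO_ME" remote "$PLUTO_PEER" \
                ikey "${PLUTO_MARK_IN%%/*}" okey "${PLUTO_MARK_OUT%%/*}"
            run sysctl -q -w "net.ipv4.conf.${vti}.disable_policy=1" "net.ipv4.conf.${vti}.rp_filter=0"
            run ip link set "$vti" up
            run ip route add "$net" dev "$vti"
        else
            # Policy-based fallback: route the peer subnet out the WAN interface with a source
            # inside the local TS, so traffic originated by the router itself matches the policy.
            run ip route add "$net" via "$gw" dev "$PLUTO_INTERFACE" src "$LOCAL_SRC"
        fi ;;
    down-client)
        if vti_supported; then
            # Route first, tunnel second: once the vti is gone, "ip route del ... dev vti" fails.
            run ip route del "$net" dev "$vti"
            run ip tunnel del "$vti"
        else
            run ip route del "$net" via "$gw" dev "$PLUTO_INTERFACE" src "$LOCAL_SRC"
        fi ;;
    esac
}

if [ -n "${PLUTO_VERB:-}" ]; then ipsec_updown; fi
```

Point leftupdown= at this file on both ends; with DRY_RUN=1 and the PLUTO_* variables exported by hand it prints the commands it would run, which is a quick way to check the generated tunnel and route lines before touching the kernel.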
Well, the VPN is established. I can ping from the server to the Asus router network and access stuff, but not the other way.
1. I can sometimes ping from LAN devices to the server but cannot access DNS or any web ports.
While I cannot ping from LAN devices, I can ping from the Asus router to the server and access DNS and web ports with curl.
- when I try to access the website on the server from a LAN device, I can see in the server logs that my IP accessed it but I got no response back (at that time pings were working OK)

2. But most of the time I am not able to ping from the Asus router or LAN to the server at all, while the server can access the LAN network OK...

I have no idea what is wrong, as disabling the firewall on both sides does not do anything.
It works sometimes after a restart, as in point 1, but then nothing...
I am just losing my mind over what is going on there.