388.1: Cannot set up IPSec VPN on GT-AX6000 (with settings from 386.7_2 on RT-AC86U)

XIII

Recently I purchased a GT-AX6000 to replace my RT-AC86U, so that I can run the new 388 firmware.
I managed to manually replicate my old 386.7_2 setup from scratch in 388.1, except for IPSec VPN which keeps failing:

Code:
Dec 20 22:07:32 00[DMN] Starting IKE charon daemon (strongSwan 5.9.6, Linux 4.19.183, aarch64)
Dec 20 22:07:32 00[KNL] unable to set IPSEC_POLICY on socket: Operation not supported
Dec 20 22:07:32 00[NET] installing IKE bypass policy failed
Dec 20 22:07:32 00[KNL] unable to set IPSEC_POLICY on socket: Operation not supported
Dec 20 22:07:32 00[NET] installing IKE bypass policy failed
Dec 20 22:07:32 00[KNL] unable to set IPSEC_POLICY on socket: Operation not supported
Dec 20 22:07:32 00[NET] installing IKE bypass policy failed
Dec 20 22:07:32 00[KNL] unable to set IPSEC_POLICY on socket: Operation not supported
Dec 20 22:07:32 00[NET] installing IKE bypass policy failed
Dec 20 22:07:32 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Dec 20 22:07:32 00[CFG]   loaded ca certificate "C=TW, O=ASUS, CN=ASUS ax6000 Root CA" from '/etc/ipsec.d/cacerts/asusCert.pem'
Dec 20 22:07:32 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Dec 20 22:07:32 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Dec 20 22:07:32 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Dec 20 22:07:32 00[CFG] loading crls from '/etc/ipsec.d/crls'
Dec 20 22:07:32 00[CFG] loading secrets from '/etc/ipsec.secrets'
Dec 20 22:07:32 00[CFG]   loaded IKE secret for %any
Dec 20 22:07:32 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/svrKey.pem'
Dec 20 22:07:32 00[LIB] loaded plugins: charon aes des rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem openssl pkcs8 fips-prf curve25519 agent xcbc cmac hmac kdf drbg attr kernel-pfkey kernel-netlink socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-tls eap-peap xauth-generic counters
Dec 20 22:07:32 00[JOB] spawning 8 worker threads
Dec 20 22:07:32 07[CFG] received stroke: add connection 'Host-to-Net'
Dec 20 22:07:32 07[CFG] adding virtual IP address pool 10.10.10.0/24
Dec 20 22:07:32 07[CFG] added configuration 'Host-to-Net'
Dec 20 22:07:32 01[CFG] received stroke: add connection 'Host-to-Netv2'
Dec 20 22:07:32 01[CFG] reusing virtual IP address pool 10.10.10.0/24
Dec 20 22:07:32 01[CFG]   loaded certificate "C=TW, O=ASUS, CN=192.168.0.2" from 'svrCert.pem'
Dec 20 22:07:32 01[CFG]   id 'REDACATED.asuscomm.com' not confirmed by certificate, defaulting to 'C=TW, O=ASUS, CN=192.168.0.2'
Dec 20 22:07:32 01[CFG] added configuration 'Host-to-Netv2'
Dec 20 22:07:32 00[DMN] SIGINT received, shutting down

When I set up the AC86U a long time ago, it was connected to the ISP's router in bridge mode, but last year I switched ISPs.
The new ISP's router does not offer bridge mode, so my new GT-AX6000 is in the DMZ zone of the ISP's router (with IP address 192.168.0.2, as seen in the log above).

What could (I) be (doing) wrong?

How to fix this?
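
A small triage script for a charon log like the one above, added here as an example (it is not part of the original post and not ASUS or Asuswrt-Merlin code). It tallies failure lines per strongSwan subsystem, extracts the identity fallback, and notes whether the certificate CN is a private IP address. The function names and the choice of which messages count as failures are assumptions, and the script does not determine the cause, which the thread leaves open.

```python
import ipaddress
import re
from collections import Counter

# Excerpt of the charon log from the post above.
SAMPLE_LOG = """\
Dec 20 22:07:32 00[DMN] Starting IKE charon daemon (strongSwan 5.9.6, Linux 4.19.183, aarch64)
Dec 20 22:07:32 00[KNL] unable to set IPSEC_POLICY on socket: Operation not supported
Dec 20 22:07:32 00[NET] installing IKE bypass policy failed
Dec 20 22:07:32 01[CFG]   loaded certificate "C=TW, O=ASUS, CN=192.168.0.2" from 'svrCert.pem'
Dec 20 22:07:32 01[CFG]   id 'REDACATED.asuscomm.com' not confirmed by certificate, defaulting to 'C=TW, O=ASUS, CN=192.168.0.2'
Dec 20 22:07:32 00[DMN] SIGINT received, shutting down
"""

LINE = re.compile(r"^\w{3} +\d+ [\d:]+ \d+\[(\w+)\]\s+(.*)$")
START = re.compile(r"\(strongSwan ([\d.]+), Linux ([\d.]+), (\w+)\)")
ID_FALLBACK = re.compile(r"id '([^']+)' not confirmed by certificate, defaulting to '([^']+)'")
SIGNAL = re.compile(r"(SIG\w+) received, shutting down")

def cn_is_private_ip(dn):
    """True when the CN of a distinguished name is an IP literal in a private range."""
    m = re.search(r"CN=([^,]+)", dn)
    try:
        return bool(m) and ipaddress.ip_address(m.group(1).strip()).is_private
    except ValueError:
        return False  # CN is a hostname, not an IP literal

def triage(log_text):
    """Summarise a charon log: build info, failures per subsystem, identity fallbacks."""
    report = {"build": None, "failures": Counter(), "id_fallbacks": [], "shutdown": None}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a charon log line
        subsystem, msg = m.groups()
        if (s := START.search(msg)):
            report["build"] = s.groups()  # (strongSwan, kernel, arch)
        elif (f := ID_FALLBACK.search(msg)):
            report["id_fallbacks"].append((f.group(1), f.group(2), cn_is_private_ip(f.group(2))))
        elif (g := SIGNAL.search(msg)):
            report["shutdown"] = g.group(1)
        elif "unable to" in msg or msg.endswith("failed"):
            report["failures"][subsystem] += 1  # assumption: these phrasings mark failures
    return report

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

On the excerpt it reports one `KNL` and one `NET` failure, and an identity fallback from the DDNS hostname to a certificate subject whose CN is the router's private WAN address.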
 
@RMerlin Is this something I as a user can/should fix? (Hints?)

Or is this something ASUS (or you) should look into?
 
I don't know, I haven't had time to test it. Too many things to deal with this week between wrapping up work stuff before my vacation, the ISP switch, etc...

Generally I should be able to fix any IPSEC-related issue, unless something's broken at the Broadcom hardware crypto level that Strongswan uses, or Strongswan has issues with the kernel version used by that model.
 
Sorry, was not trying to push you.

Would be nice if you can have a look at this at some point in the future (2023?), when you have time for it.

Thank you for all you do for the community. Enjoy the holidays!
 
