Asus IPSEC Vpn Server

I made a simple script to turn the ASUS IKEv1 XAUTH/PSK server into an IKEv1 XAUTH/PSK + IKEv2 EAP server.
Both profiles can run in parallel.
You should get a Let's Encrypt certificate for your DDNS.
Without Let's Encrypt, you need to generate a self-signed certificate and install the CA into the trusted root CA store of each device. I don't like this process.

The IKEv2 server shares the same username and password with IKEv1.


EDIT : https://www.snbforums.com/threads/asus-ipsec-vpn-server.44973/#post-473984
Hi,
Noob here. How do I add your script to stock Asus RT-AC86U 3.0.0.4.384_45149?
I have OpenVPN working fine but would like to use the native Win 10 client instead of the 2013 software Asus recommends, which might make always-on VPN an option. Also, OpenVPN really drains the battery on my Android phone. It seems running IKEv2 would solve both my problems.

Is this possible? Any guidance would be awesome.
TIA
 
Hello

I tried the new IKEv2 server VPN settings (ipsec.postconf and strongswan.postconf) with no luck on 384.9 and 384.10_2, same results.
The VPN tunnel is connected but I can't ping my own router IP address and there is no DNS resolution.
I tried on Android and Windows 10, same results.

If I connect with my IPsec IKEv1 server it works flawlessly with any firmware from Android.
I don't really know what to do to make it work; if anyone can help me, thanks.

Update: if I manually assign a DNS server like 1.1.1.1 to my client connection it is working,
but still I can't ping my own router and can't access the web interface.


 

Can you test adding one more line in ipsec.postconf?
lefthostaccess=yes

Code:
pc_append " leftfirewall=yes" $CONFIG 
pc_append " lefthostaccess=yes" $CONFIG
pc_append " leftauth=pubkey" $CONFIG
 
I've added the 3 lines to my ipsec.postconf.
Thank you very much, it's working now: I can ping my router, access the web interface and everything, with the IKEv2 server IPsec VPN on.

You rock!
 
Nobody should use IKEv1 _UNLESS_ you have a very specific situation that requires it. My situation is that I use an iPhone/iPad and have T-Mobile. The native iOS L2TP/IPsec client and the IKEv2 clients fail with T-Mobile's NAT64 LTE infrastructure. Because of this, I was running an ASA5505 for a while and had two group profiles, one that would tell my iPhone to route ALL traffic and another to SPLIT-TUNNEL. I *only* intend to use the IKEv1 IPsec client for iOS. I also borrowed from this thread to add an IKEv2 instance and altered it slightly to be compatible with Windows weirdness regarding split-tunnelling.


YOU MUST REVIEW THIS THOROUGHLY AND MODIFY FOR YOUR HOME NETWORK. THIS IS TO SERVE AS AN EXAMPLE AND NOT A DROP-IN SET OF SCRIPTS/CONFIGS.

This utilizes a SWANCTL.CONF based configuration instead of IPSEC.CONF

If somebody would like to improve this, be my guest.

This configuration requires extensive configuration. This was designed with the following in mind:
- Asus DDNS enabled
- letsencrypt enabled
- horrific Asus implementation of IPSEC disabled
- Turn Asus IPSEC on to manage firewall rules automatically.
- My Router = 192.168.68.1
- My Subnet = 192.168.68.0/24
- My DNS = My Router

Create /jffs/scripts/merlinswan.sh ;)
Code:
#!/bin/sh

# Stop the daemon, then blank the ipsec.conf-style files: the config lives in swanctl.conf
ipsec stop
sleep 1s
echo > /etc/ipsec.conf
echo > /etc/ipsec.secrets
# Server private key from the Let's Encrypt directory for the router's DDNS hostname
echo ": RSA /jffs/.le/$(nvram get ddns_hostname_x)/domain.key" > /etc/ipsec.secrets
cp -f /jffs/configs/swanctl.conf /etc/swanctl/swanctl.conf
ipsec start
sleep 1s
# Load connections, pools, authorities and secrets from swanctl.conf
swanctl --load-all
chmod +x /jffs/scripts/*

Create /jffs/configs/swanctl.conf
Code:
# In this config, I am creating two XAUTH user conns for Cisco IPSEC clients (iOS) and a fairly universal IKEv2 conn
# One will pass all traffic.  The other will split-tunnel.
# This is not an ideal config for scale.  Better to use the 'include' directive to a swanctl_base.conf

connections {

    ikev1-psk-xauth-routeall { # First Cisco IPSEC instance to ROUTE ALL traffic
        version = 1
        proposals = aes128-sha1-modp1024
        rekey_time = 0s
        pools = pool-routeall
        fragmentation = yes
        dpd_delay = 30s
        dpd_timeout = 90s
        local-1 {
            auth = psk
        }
        remote-1 {
            auth = psk
        }
        remote-2 {
            auth = xauth
            xauth_id = adrian
        }
        children {
            ikev1-psk-xauth {
                local_ts = 0.0.0.0/0
                rekey_time = 0s
                dpd_action = clear
                esp_proposals = aes128-sha1
                updown = /usr/lib/ipsec/_updown iptables
            }
        }
    }

    ikev1-psk-xauth-splittunnel { # Second Cisco IPSEC instance to SPLIT-TUNNEL LAN traffic
        version = 1
        proposals = aes128-sha1-modp1024
        rekey_time = 0s
        pools = pool-splittunnel
        fragmentation = yes
        dpd_delay = 30s
        dpd_timeout = 90s
        send_cert = always
        local-1 {
            auth = psk
        }
        remote-1 {
            auth = psk
        }
        remote-2 {
            auth = xauth
            xauth_id = adriansplit
        }
        children {
            ikev1-psk-xauth {
                local_ts = 0.0.0.0/0
                rekey_time = 0s
                dpd_action = clear
                esp_proposals = aes128-sha1
                updown = /usr/lib/ipsec/_updown iptables
            }
        }
    }

    ikev2-eap-mschapv2 { # IKEv2 instance designed for splittunnel/routeall compatible with WINDOWS
        version = 2
        proposals = aes256-sha256-ecp256,aes256-sha384-ecp384,aes256-sha1-modp1024
        rekey_time = 0s
        pools = pool-windows
        fragmentation = yes
        dpd_delay = 30s
        send_cert = always
        local-1 {
            certs = /jffs/.le/YOURDOMAIN.asuscomm.com/cert.pem
            id = YOURDOMAIN.asuscomm.com
        }
        remote-1 {
            auth = eap-mschapv2
            eap_id = %any
        }
        children {
            ikev2-eap-mschapv2 {
                local_ts = 0.0.0.0/0
                rekey_time = 0s
                dpd_action = clear
                esp_proposals = aes128gcm128-ecp384bp-noesn,aes256-sha256,aes256-sha1
                updown = /usr/lib/ipsec/_updown iptables
                hostaccess = yes
            }
        }
    }

}

pools {
    pool-splittunnel { # SPLIT TUNNEL TO HOME LAN 192.168.68.0/24
        addrs = 172.28.69.0/24
        dns = 192.168.68.1
        28674 = "YOURLAN.local"
        28675 = "YOURLAN.local"
        split_include = 192.168.68.0/24 # REPLACE WITH YOUR LAN
    }


    pool-routeall { # ROUTE ALL
        addrs = 172.28.68.0/24
        dns = 192.168.68.1
    }

    pool-windows {
        addrs = 192.168.68.144/28 # range WITHIN lan subnet for splittunnel
        dns = 192.168.68.1
    }

}

authorities {
    letsencrypt {
        cacert = /jffs/.le/YOURDOMAIN.asuscomm.com/chain.pem
    }
}

secrets {
    ike-one {
        secret = "nospaces"
    }

    xauth-adrian {
        id = adrian
        secret = "adriansecret"
    }
    xauth-adriansplit {
        id = adriansplit
        secret = "adriansplitsecret"
    }
#    rsa {
#        file = domain.key # absolute path no worky, use /etc/ipsec.secrets for server key.
#    }
}

Create /jffs/scripts/services-start
Code:
#!/bin/sh

sleep 1s
/bin/sh /jffs/scripts/merlinswan.sh
chmod +x /jffs/scripts/*
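The swanctl.conf above is only loaded if every section closes and the pools and proposals make sense together, and the thread's two fixes (hostaccess = yes, stronger ciphers) are easy to lose when copying. As an added example that is not part of the thread or of strongSwan, here is a small Python parser for the swanctl.conf subset used above plus a lint pass over the parsed result; the sample config, the hostname example.asuscomm.com and the LAN 192.168.68.0/24 in it are constructed, and the checks are my own, not strongSwan's validation.

```python
"""Parse swanctl.conf and run a few sanity checks on the result.

Added example, not code from the thread or from strongSwan. It understands the
subset of the format used above: `name { ... }` sections, `key = value` lines
and `#` comments. SAMPLE_CONF, example.asuscomm.com and 192.168.68.0/24 are
constructed for the demonstration.
"""
import ipaddress
import re

# Constructed sample in the same shape as the config posted above.
SAMPLE_CONF = """\
connections {
    ikev2-eap-mschapv2 { # IKEv2 instance for Windows/iOS clients
        version = 2
        proposals = aes256-sha256-ecp256,aes256-sha1-modp1024
        pools = pool-windows
        remote-1 {
            auth = eap-mschapv2
            eap_id = %any
        }
        children {
            ikev2-eap-mschapv2 {
                local_ts = 0.0.0.0/0
                esp_proposals = aes128gcm128-ecp384,aes256-sha1
                updown = /usr/lib/ipsec/_updown iptables
            }
        }
    }
}
pools {
    pool-windows {
        addrs = 192.168.68.144/28
        dns = 192.168.68.1
    }
}
"""

# Algorithm names that should not appear in a new deployment's proposals.
WEAK_ALGS = {"modp768", "modp1024", "sha1", "md5", "3des"}

# Either `name {` (group 3) or `key = value` (group 2) on an already stripped line.
LINE_RE = re.compile(r"^([\w.-]+)\s*(?:=\s*(.*)|(\{))$")


def parse_swanctl(text):
    """Return the config as nested dicts; raise ValueError on unbalanced braces."""
    root = {}
    stack = [root]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: '}}' without an open section")
            stack.pop()
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {raw.strip()!r}")
        key, value, opener = m.groups()
        if opener:
            stack[-1][key] = section = {}
            stack.append(section)
        else:
            stack[-1][key] = value.strip('"')
    if len(stack) != 1:
        raise ValueError(f"{len(stack) - 1} section(s) never closed with '}}'")
    return root


def weak_in(proposal):
    """Weak algorithm names used by one proposal string such as aes256-sha1-modp1024."""
    return sorted(WEAK_ALGS & set(proposal.split("-")))


def lint(conf, lan_cidr):
    """Return human-readable findings; lan_cidr is the home LAN, e.g. 192.168.68.0/24."""
    findings = []
    lan = ipaddress.ip_network(lan_cidr)
    for cname, conn in conf.get("connections", {}).items():
        for prop in filter(None, conn.get("proposals", "").split(",")):
            if weak_in(prop):
                findings.append(f"{cname}: IKE proposal {prop} uses {', '.join(weak_in(prop))}")
        for chname, child in conn.get("children", {}).items():
            for prop in filter(None, child.get("esp_proposals", "").split(",")):
                if weak_in(prop):
                    findings.append(f"{cname}/{chname}: ESP proposal {prop} uses {', '.join(weak_in(prop))}")
            # Without hostaccess the _updown firewall rules only permit forwarding, so clients
            # cannot reach the router's own web UI or DNS (the fix found earlier in the thread).
            if "updown" in child and child.get("hostaccess") != "yes":
                findings.append(f"{cname}/{chname}: hostaccess is not 'yes'; clients cannot reach the router itself")
    for pname, pool in conf.get("pools", {}).items():
        if "addrs" in pool and ipaddress.ip_network(pool["addrs"], strict=False).overlaps(lan):
            findings.append(f"{pname}: {pool['addrs']} lies inside LAN {lan_cidr}; exclude it from DHCP")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_swanctl(SAMPLE_CONF), "192.168.68.0/24"):
        print(finding)
```

Run it against your own file with `lint(parse_swanctl(open("/jffs/configs/swanctl.conf").read()), "<your LAN>/24")`; the pool-inside-LAN finding is informational for a deliberate split-tunnel range like the one above, but the DHCP exclusion still has to be in place.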
 
RESOLVED: IKEv2 inside router IP crapola - 'hostaccess = yes' - I was tired, forgive me. :p

RESOLVED: IKEv2 iOS clients - 'send_cert = always' coolbeans

@Odkrys add leftsendcert=always to fix iOS clients

Cleaned up ciphers.

Recommend using the better cipher for Windows by adding the connection via PowerShell:

Code:
Add-VpnConnection -Name "home-split" -ServerAddress YOURDOMAIN.asuscomm.com -TunnelType "Ikev2"
Set-VpnConnectionIPsecConfiguration -ConnectionName "home-split" -AuthenticationTransformConstants GCMAES128 -CipherTransformConstants GCMAES128 -EncryptionMethod AES256 -IntegrityCheckMethod SHA384 -PfsGroup ecp384 -DHGroup ECP384 -PassThru -Force

CORRECTION: Enable Asus IPSEC Server even if using SWANCTL.CONF configuration.

CORRECTION: changed script execution from WAN-START to SERVICES-START
 
Thank you for sharing your scripts.
I will try to make an IKEv2 server only and disable the IKEv1 server, which seems useless now.
Do you know how to get rid of the 2-3 hour limit? My IKEv2 VPN server disconnects my client every 2-3 hours.
 
Not sure, I'd have to play with it more to figure out if that's a server timeout issue or a client issue.

To completely disable IKEv1 in the SWANCTL.CONF above, just delete the sections:

Code:
ikev1-psk-xauth-routeall {
}
ikev1-psk-xauth-splittunnel {
}

Also a sidenote: it looks like IKEv2 on T-Mobile is fixed now, so redoing the IPSEC.CONF as SWANCTL.CONF was a waste of time, lol. The reason I needed to use SWANCTL.CONF was so I could assign different routing options per user. Now my only reason to keep IKEv1 is for split-tunnel, since iOS doesn't let you switch between routing all traffic and only LAN traffic with IKEv2.
 
Well, my IKEv2 connection from my workstation to home stayed up overnight during a nasty storm, so idk why yours is having trouble, sorry.
 
It seems related to my Windows client: when I check the server connection under Client Status it is "connecting..." with no PSKRAUTHTIME value.
When I use my Android client everything looks fine, Client Status is connected and PSKRAUTHTIME shows urs value.
I will try to stay connected with my Android client for more than 3 hours to check if there is any timeout...
 
Hello @sinshiva,

I am trying to enable IKEv2 with my iOS devices (iPhone and iPad), but I am not able to do it. When I try to connect, the IPsec server crashes and restarts. Please, can you tell me what I must do?

Many thanks!
 
Using Asuswrt-Merlin? Are you using @Odkrys' postconf script or the swanctl.conf I posted?

From SSH, use swanctl --log and post what happens when your iOS devices try to connect.
 
Hello again, @sinshiva:

I am using @Odkrys' postconf with leftsendcert=always. IKEv2 worked fine for me until version 384.10. Now I have 384.10_2. With 384.9 it works.

Many thanks for your help!!

swanctl --log:
Code:
11[CFG] received stroke: loglevel 3 for cfg
08[NET] received packet: from 213.143.61.85[25521] to 192.168.1.10[500] (604 bytes)
08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
08[IKE] 213.143.61.85 is initiating an IKE_SA
08[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
08[IKE] local host is behind NAT, sending keep alives
08[IKE] remote host is behind NAT
08[IKE] sending cert request for "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
Segmentation fault
 
Well, my first guess would be that something is wrong with your certs. I'd do

Code:
mv /jffs/.le /jffs/.le_old

and toggle Let's Encrypt from the web UI. After it succeeds in pulling new certs,

toggle the IPsec server from the web UI.
 
Hello again @sinshiva,

I have followed your instructions, and now this is the log before charon crashes:

Code:
13[NET] received packet: from 213.143.61.85[28667] to 192.168.1.10[500] (604 bytes)
13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
13[IKE] 213.143.61.85 is initiating an IKE_SA
13[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
13[IKE] local host is behind NAT, sending keep alives
13[IKE] remote host is behind NAT
13[IKE] sending cert request for "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) V ]
13[NET] sending packet: from 192.168.1.10[500] to 213.143.61.85[28667] (493 bytes)
11[NET] received packet: from 213.143.61.85[28669] to 192.168.1.10[4500] (512 bytes)
11[ENC] unknown attribute type (25)
11[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
11[CFG] looking for peer configs matching 192.168.1.10[mydomain.com]...213.143.61.85[iOS]
11[CFG] selected peer config 'IKEv2-EAP'
11[IKE] initiating EAP_IDENTITY method (id 0x00)
11[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
11[IKE] peer supports MOBIKE
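To see where a negotiation like the two logs above breaks off, it helps to follow the stages per peer rather than read raw lines. The following Python, an added example and not code from the thread or from strongSwan, maps each charon worker thread to the peer whose packet it is handling (the number in front of [NET]/[IKE]), records the stages each IKE_SA reached, and explains where it stopped; the two sample logs are constructed with the documentation addresses 203.0.113.5 and 192.0.2.10 in the format quoted above.

```python
"""Follow an IKEv2 negotiation through charon output (swanctl --log).

Added example, not code from the thread or from strongSwan. A charon line
looks like "08[IKE] message"; the leading number is the worker thread, and a
thread's "received packet: from X" line tells us which peer its following
lines belong to. Both sample logs are constructed (peer 203.0.113.5, server
192.0.2.10) in the format quoted in the thread.
"""
import re

LINE_RE = re.compile(r"^(?P<thread>\d+)\[(?P<group>\w+)\] (?P<msg>.*)$")
RECV_RE = re.compile(r"^received packet: from (?P<peer>[\d.]+)\[\d+\]")

# Message fragments that mark the stages of a responder-side IKEv2 exchange, in order.
STAGES = [
    ("parsed IKE_SA_INIT request", "init_request"),
    ("selected proposal: IKE:", "proposal_selected"),
    ("sending cert request", "certreq_sent"),
    ("generating IKE_SA_INIT response", "init_response"),
    ("parsed IKE_AUTH request", "auth_request"),
    ("selected peer config", "peer_config"),
    ("initiating EAP_IDENTITY", "eap_identity"),
    ("generating IKE_AUTH response", "auth_response"),
    (" established between ", "established"),
]

# Constructed: the shape of the first log above, ending in the daemon's crash.
SAMPLE_CRASH = """\
08[NET] received packet: from 203.0.113.5[25521] to 192.0.2.10[500] (604 bytes)
08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
08[IKE] 203.0.113.5 is initiating an IKE_SA
08[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
08[IKE] sending cert request for "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
Segmentation fault
"""

# Constructed: the shape of the second log, which gets as far as EAP.
SAMPLE_EAP = """\
13[NET] received packet: from 203.0.113.5[28667] to 192.0.2.10[500] (604 bytes)
13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
13[IKE] 203.0.113.5 is initiating an IKE_SA
13[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
13[IKE] sending cert request for "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) V ]
13[NET] sending packet: from 192.0.2.10[500] to 203.0.113.5[28667] (493 bytes)
11[NET] received packet: from 203.0.113.5[28669] to 192.0.2.10[4500] (512 bytes)
11[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK) SA TSi TSr ]
11[CFG] selected peer config 'IKEv2-EAP'
11[IKE] initiating EAP_IDENTITY method (id 0x00)
"""


def follow(log_text):
    """Return {peer: {"stages": [...], "proposal": str | None, "config": str | None}}."""
    thread_peer = {}  # worker thread -> peer whose packet it is processing
    peers = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a charon line, e.g. the shell's "Segmentation fault"
        thread, msg = m.group("thread"), m.group("msg")
        recv = RECV_RE.match(msg)
        if recv:
            thread_peer[thread] = recv.group("peer")
            peers.setdefault(recv.group("peer"), {"stages": [], "proposal": None, "config": None})
            continue
        state = peers.get(thread_peer.get(thread))
        if state is None:
            continue
        for needle, stage in STAGES:
            if needle in msg:
                state["stages"].append(stage)
                break
        if msg.startswith("selected proposal: IKE:"):
            state["proposal"] = msg.split("IKE:", 1)[1]
        elif msg.startswith("selected peer config"):
            state["config"] = msg.split("'")[1]
    return peers


def diagnose(peers):
    """One line per peer whose negotiation did not reach an established IKE_SA."""
    notes = []
    for peer, state in peers.items():
        stages = state["stages"]
        if "established" in stages:
            continue
        last = stages[-1] if stages else "nothing"
        note = f"{peer}: stopped after {last}"
        if last == "certreq_sent":
            note += ": no IKE_SA_INIT response was built after the cert request; check the certificate files the daemon loads before blaming the client"
        elif last == "eap_identity":
            note += ": EAP started but never completed; check the EAP identity and secret"
        notes.append(note)
    return notes


if __name__ == "__main__":
    for label, log in (("crash", SAMPLE_CRASH), ("eap", SAMPLE_EAP)):
        print(label, diagnose(follow(log)))
```

Feed it `swanctl --log` output captured to a file; a peer whose last stage is certreq_sent with nothing after it is the pattern both logs in this thread show, and it points at the server side (certificates, config) rather than at the iOS client.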
 
OK, now it's something wrong with the leftsendcert directive. Post your postconf file.
 
Many thanks!

ipsec.postconf
Code:
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh

pc_append "" $CONFIG
pc_append "ca letsencrypt" $CONFIG
pc_append "  cacert=/jffs/.le/$(nvram get ddns_hostname_x)/chain.pem" $CONFIG
pc_append "  auto=add" $CONFIG
pc_append "" $CONFIG
pc_append "conn IKEv2-EAP" $CONFIG
pc_append "  keyexchange=ikev2" $CONFIG
pc_append "  left=$(nvram get wan0_ipaddr)" $CONFIG
pc_append "  leftid=@$(nvram get ddns_hostname_x)" $CONFIG
pc_append "  leftsubnet=0.0.0.0/0" $CONFIG
pc_append "  leftfirewall=yes" $CONFIG
pc_append "  lefthostaccess=yes" $CONFIG
pc_append "  leftauth=pubkey" $CONFIG
pc_append "  leftcert=/jffs/.le/$(nvram get ddns_hostname_x)/cert.pem" $CONFIG
pc_append "  leftsendcert=always" $CONFIG
pc_append "  right=%any" $CONFIG
pc_append "  rightdns=$(nvram get lan_ipaddr)" $CONFIG
pc_append "  rightsourceip=10.10.11.0/24" $CONFIG
pc_append "  rightauth=eap-mschapv2" $CONFIG
pc_append "  eap_identity=%any" $CONFIG
pc_append "  dpdtimeout=30s" $CONFIG
pc_append "  dpdaction=clear" $CONFIG
pc_append "  dpddelay=10s" $CONFIG
pc_append "  auto=add" $CONFIG

And the generated ipsec.conf:
Code:
conn %default
  keyexchange=ikev1
  authby=secret
  ike=aes256-sha1-modp1024
#Host-to-NET[prof#0]:4>Host-to-Net>null>null>wan>>1>super_secret_preshared_key>null>null>null>null>null>1>10.10.10>null>1>null>null>0>null>null>null>1>>>eap-md5>1>500>4500>10>1>null>null>null>null><<<<>1


conn Host-to-Net
  keyexchange=ikev1
  left=192.168.1.10
  #receive web value#left=
  leftsubnet=0.0.0.0/0
  leftfirewall=yes
  #interface=wan
  leftauth=psk
  right=%any
  rightauth=psk
  rightauth2=xauth
#sourceip_en=1
  rightsourceip=10.10.10.0/24
  rightdns=10.0.0.1
  dpdtimeout=30s
  dpdaction=clear
  dpddelay=10s
  auto=add

ca letsencrypt
  cacert=/jffs/.le/mydomain.com/chain.pem
  auto=add

conn IKEv2-EAP
  keyexchange=ikev2
  left=192.168.1.10
  leftid=@mydomain.com
  leftsubnet=0.0.0.0/0
  leftfirewall=yes
  lefthostaccess=yes
  leftauth=pubkey
  leftcert=/jffs/.le/mydomain.com/cert.pem
  leftsendcert=always
  right=%any
  rightdns=10.0.0.1
  rightsourceip=10.10.11.0/24
  rightauth=eap-mschapv2
  eap_identity=%any
  dpdtimeout=30s
  dpdaction=clear
  dpddelay=10s
  auto=add
 
I have replied to you in a prior message. I forgot to use "post reply". Sorry.
 
Wild guess, but I read somewhere that iOS proposes ciphers that it won't actually use (specifically >modp1024); maybe defaults changed between versions or something, so try the ciphers I'm using by adding the following:

Code:
ike = aes256-sha256-ecp256,aes256-sha384-ecp384,aes256-sha1-modp1024
esp = aes128gcm128-ecp384bp-noesn,aes256-sha256,aes256-sha1

This will force iOS to use ecp256, which it does merrily for me.
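Whether a proposal list like the one above "forces" a client onto ecp256 depends on what the client offers and on the order the responder walks its own list. The following Python, an added example and not code from the thread or from strongSwan, parses proposal strings into their transforms and models the choice under strongSwan's default behaviour, assumed here, in which the responder takes the first proposal in its own configured order that the initiator also offered (the prefer_configured_proposals setting); the client offers are constructed.

```python
"""Parse strongSwan proposal strings and model the responder's choice.

Added example, not code from the thread or from strongSwan. The selection
rule is a simplified model of strongSwan's default (prefer_configured_proposals):
the responder picks the first proposal in its own configured order that the
initiator also offered, comparing the full set of transforms. CLIENTS below
is constructed.
"""

# Prefixes that identify each transform type inside a proposal token, checked in
# this order so that "aesxcbc" is seen as integrity before "aes" matches encryption.
_TYPES = (
    ("esn", ("esn", "noesn")),
    ("prf", ("prf",)),
    ("integ", ("aesxcbc", "aescmac", "sha", "md5")),
    ("dh", ("modp", "ecp", "curve", "x25519", "x448")),
    ("enc", ("aes", "3des", "chacha20", "null")),
)


def parse_proposal(text):
    """Split 'aes256-sha256-ecp256' into {'enc': ..., 'integ': ..., 'dh': ...}."""
    parts = {}
    for tok in text.lower().split("-"):
        for kind, prefixes in _TYPES:
            if tok.startswith(prefixes):
                if kind in parts:
                    raise ValueError(f"{text!r}: two {kind} transforms")
                parts[kind] = tok
                break
        else:
            raise ValueError(f"{text!r}: unknown transform {tok!r}")
    return parts


def is_aead(parts):
    """True when the cipher authenticates on its own (GCM, CCM, ChaCha20-Poly1305)."""
    return any(s in parts.get("enc", "") for s in ("gcm", "ccm", "poly1305"))


def responder_choice(configured, offered):
    """First configured proposal whose transforms the initiator also offered, else None."""
    offered_sets = {frozenset(parse_proposal(p).items()) for p in offered}
    for proposal in configured:
        if frozenset(parse_proposal(proposal).items()) in offered_sets:
            return proposal
    return None


def negotiate_all(configured, clients):
    """Map client name -> chosen proposal (or None) for several offered lists."""
    return {name: responder_choice(configured, offered) for name, offered in clients.items()}


# The IKE list from the post above.
SERVER_IKE = ["aes256-sha256-ecp256", "aes256-sha384-ecp384", "aes256-sha1-modp1024"]

# Constructed client offers: a mobile client that offers ECP and MODP groups,
# a legacy client that only offers 1024-bit MODP, and one that offers only modp2048.
CLIENTS = {
    "mobile": ["aes256-sha256-modp2048", "aes256-sha256-ecp256", "aes256-sha1-modp1024"],
    "legacy": ["aes256-sha1-modp1024"],
    "modp2048-only": ["aes256-sha256-modp2048"],
}

if __name__ == "__main__":
    for name, choice in negotiate_all(SERVER_IKE, CLIENTS).items():
        print(f"{name}: {choice}")
```

Keeping aes256-sha1-modp1024 at the end of the list still lets a client that offers only that proposal connect with it, and a client that offers only modp2048 gets no match at all; so dropping the legacy entry, not just ordering it last, is what removes 1024-bit DH from the server, and the price is that clients offering nothing stronger stop connecting.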
 
