
Asus IPSEC Vpn Server

well, my ikev2 connection from my workstation to home stayed up overnight during a nasty storm, so idk why yours is having trouble, sorry.
This is my IPsec IKE_V2 server status.
A picture is better than words; this is my status when I connect from my Windows 10 native client.

upload_2019-4-30_15-19-2.png

As you can see, the client status says "Connecting...", and after 2 to 3 hours of access time it disconnects by itself.

With my Android client, the status says connected and there are some values in the PSKR Auth Time, and neither the server nor the client seems to disconnect.

upload_2019-4-30_15-56-15.png
 
Please test with
rekey=no

Code:
pc_append "  dpddelay=10s" $CONFIG
pc_append "  rekey=no" $CONFIG
pc_append "  auto=add" $CONFIG
 
Hello Odkrys,
I've tested with rekey=no.
Now the IKEv2 VPN is up after 4 hours on the Windows 10 native client (status says Connecting...); the VPN is working great,
but after a while (2-3 hours) I still can't ping my router IP address, and DNS resolution does not work anymore....
The VPN is up but nothing passes inside the tunnel; I have to stop the VPN and restart it to make it work again ....

Update:
Today the IKEv2 VPN is up after 5 hours and still working great!
It's working now without disconnecting with the Windows 10 native client.
Thanks for your help

upload_2019-5-3_13-33-9.png
 
When you edited your swanctl.conf, did you ONLY add the 'send_cert = always' line?

Also, be sure to remove or comment out the xauth-adriansplit user; you don't want to leave yourself open there.

If you only added the line and changed nothing else, re-run merlinswan.sh and try to connect again just to be sure. If it still fails, make sure Server: mydomain.com AND Remote ID: mydomain.com on iOS. If that's all good, I'd mv and replace your letsencrypt certs, then rerun merlinswan.sh.
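A leftover helper-created test account is easy to miss because the IKEv1 XAUTH and IKEv2 EAP users live in the same strongSwan secrets file. The following is an added example, not merlinswan.sh or anything posted in this thread: it lists the XAUTH/EAP identities a secrets file grants access to, compares them with an allowlist you maintain, and comments out any that should not be there. It assumes strongSwan's `<identity> : XAUTH "secret"` / `<identity> : EAP "secret"` line syntax; the function names, the allowlist file and the sample secrets file are constructed for the example.

```shell
#!/bin/sh
# Added example for this thread (not merlinswan.sh): audit the XAUTH/EAP
# accounts in an ipsec.secrets file against an allowlist and disable strays.
# Assumes strongSwan's secrets syntax
#   <identity> : XAUTH "<secret>"   and   <identity> : EAP "<secret>"
# The secrets content in the demo below is constructed, not a real file.

# Print every identity in secrets file $1 that carries an XAUTH or EAP secret.
# Commented-out lines are skipped.
list_user_ids() {
  awk '$1 !~ /^#/ && $2 == ":" && ($3 == "XAUTH" || $3 == "EAP") { print $1 }' "$1"
}

# Print identities in secrets file $1 that are not listed (one per line) in
# allowlist file $2. Returns 1 when at least one stray is found, 0 when clean.
stale_user_ids() {
  stale=$(list_user_ids "$1" | sort -u | grep -vxF -f "$2" || true)
  [ -z "$stale" ] && return 0
  printf '%s\n' "$stale"
  return 1
}

# Comment out every XAUTH/EAP line for identity $2 in secrets file $1, so the
# account stops working but the line stays visible for review.
disable_user_id() {
  awk -v id="$2" '
    $1 == id && $2 == ":" && ($3 == "XAUTH" || $3 == "EAP") { print "#" $0; next }
    { print }
  ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Demo on a constructed secrets file: "alice" is the only account we issued,
# the other XAUTH entry stands in for a helper script's leftover test user.
tmp=$(mktemp -d)
cat > "$tmp/ipsec.secrets" <<'EOF'
: RSA /jffs/.le/home.example/domain.key
alice : XAUTH "constructed-secret-1"
alice : EAP "constructed-secret-1"
xauth-adriansplit : XAUTH "left-over-by-helper-script"
EOF
printf 'alice\n' > "$tmp/allowed"
for id in $(stale_user_ids "$tmp/ipsec.secrets" "$tmp/allowed" || true); do
  echo "disabling stray account: $id"
  disable_user_id "$tmp/ipsec.secrets" "$id"
done
stale_user_ids "$tmp/ipsec.secrets" "$tmp/allowed" && echo "ipsec.secrets clean"
rm -rf "$tmp"
```

On the router the real file is /etc/ipsec.secrets (the strongswan.postconf script in this thread appends to it), so run the audit after every firmware or script change that regenerates it, and keep the allowlist somewhere the helper scripts do not touch.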

@sinshiva Many thanks for your help. Finally, I migrated to OpenVPN using Apple Configurator profiles to let iOS manage the onDemand features. So, I disabled IPSec in any form.
 
Hi all, sorry if I'm digging this up. But I'm trying to get an EAP IPsec server running on my AC88U to connect to with strongSwan on Android, and it only seems to support PSK in the UI. I tried this:

@Sh0cker54

Merlin firmware supports ipsec.postconf and strongswan.postconf since 384.9,
so no additional script is needed to build an IKEv2 server for Windows 10 clients.

nano /jffs/scripts/ipsec.postconf
Code:
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh

pc_append "" $CONFIG
pc_append "ca letsencrypt" $CONFIG
pc_append "  cacert=/jffs/.le/$(nvram get ddns_hostname_x)/chain.pem" $CONFIG
pc_append "  auto=add" $CONFIG
pc_append "" $CONFIG
pc_append "conn IKEv2-EAP" $CONFIG
pc_append "  keyexchange=ikev2" $CONFIG
pc_append "  left=$(nvram get wan0_ipaddr)" $CONFIG
pc_append "  leftid=@$(nvram get ddns_hostname_x)" $CONFIG
pc_append "  leftsubnet=0.0.0.0/0" $CONFIG
pc_append "  leftfirewall=yes" $CONFIG
pc_append "  lefthostaccess=yes" $CONFIG
pc_append "  leftauth=pubkey" $CONFIG
pc_append "  leftcert=/jffs/.le/$(nvram get ddns_hostname_x)/cert.pem" $CONFIG
pc_append "  right=%any" $CONFIG
pc_append "  rightdns=$(nvram get lan_ipaddr)" $CONFIG
pc_append "  rightsourceip=10.10.11.0/24" $CONFIG
pc_append "  rightauth=eap-mschapv2" $CONFIG
pc_append "  eap_identity=%any" $CONFIG
pc_append "  dpdtimeout=30s" $CONFIG
pc_append "  dpdaction=clear" $CONFIG
pc_append "  dpddelay=10s" $CONFIG
pc_append "  auto=add" $CONFIG

nano /jffs/scripts/strongswan.postconf
Code:
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh

pc_append ": RSA /jffs/.le/$(nvram get ddns_hostname_x)/domain.key" /etc/ipsec.secrets

chmod +x /jffs/scripts/ipsec.postconf /jffs/scripts/strongswan.postconf

but when I run ipsec.postconf I get:

admin@RT-AC88U-3EA8:/jffs/scripts# ./ipsec.postconf
./ipsec.postconf: line 5: can't create : nonexistent directory
./ipsec.postconf: line 6: can't create : nonexistent directory
./ipsec.postconf: line 7: can't create : nonexistent directory
./ipsec.postconf: line 8: can't create : nonexistent directory
./ipsec.postconf: line 9: can't create : nonexistent directory
./ipsec.postconf: line 10: can't create : nonexistent directory
./ipsec.postconf: line 11: can't create : nonexistent directory
./ipsec.postconf: line 12: can't create : nonexistent directory
./ipsec.postconf: line 13: can't create : nonexistent directory
./ipsec.postconf: line 14: can't create : nonexistent directory
./ipsec.postconf: line 15: can't create : nonexistent directory
./ipsec.postconf: line 16: can't create : nonexistent directory
./ipsec.postconf: line 17: can't create : nonexistent directory
./ipsec.postconf: line 18: can't create : nonexistent directory
./ipsec.postconf: line 19: can't create : nonexistent directory
./ipsec.postconf: line 20: can't create : nonexistent directory
./ipsec.postconf: line 21: can't create : nonexistent directory
./ipsec.postconf: line 22: can't create : nonexistent directory
./ipsec.postconf: line 23: can't create : nonexistent directory
./ipsec.postconf: line 24: can't create : nonexistent directory
./ipsec.postconf: line 25: can't create : nonexistent directory
./ipsec.postconf: line 26: can't create : nonexistent directory
./ipsec.postconf: line 27: can't create : nonexistent directory

What am I doing wrong? In the script I simply replaced ddns_hostname_x with my DDNS hostname.
 
Does this script (rather than using the Web GUI) enable VPN clients to access the LAN?
I'm trying to permit VPN users access to an SMB share, but I don't think the IPsec web UI permits this?
 
Quick updates regarding Let's Encrypt in the newest version 384.14 Beta with ACMEv2 support. (I was using the LE certificate only for IPSEC IKEv2, with ODKRYS' ipsec.postconf script.)

First, to get LE certificate to authorize in WAN > DDNS, I had to enable the Web UI HTTPS through Administration > System even though I don't plan to use it since I only access web UI on internal network.

Next, to connect to my home IPSEC VPN, I had to modify the following values in ODKRYS' script:

Original: pc_append " cacert=/jffs/.le/$(nvram get ddns_hostname_x)/chain.pem" $CONFIG
New: pc_append " cacert=/jffs/.le/$(nvram get ddns_hostname_x)/ca.cer" $CONFIG

Original: pc_append " leftcert=/jffs/.le/$(nvram get ddns_hostname_x)/cert.pem" $CONFIG
New: pc_append " leftcert=/jffs/.le/$(nvram get ddns_hostname_x)/my.domain.cer" $CONFIG

*The fullchain.pem is no longer split into chain.pem + cert.pem.
 
Yeah, mine no longer connects after 384.14 even with these changes.
 
All of my stuff is legit the same as it should be, but it is not letting me connect to the server. It is giving me an error that the server is not responding when I try to connect. For a brief second it will show it attempting to connect, then the client disappears.
 
I think I may be missing some firewall rules on the router maybe?
Have you tried backing up your current config, then doing a 30/30/30 reset and manual reconfigure? You can always restore later if it still doesn't work. :D
 
There is no such thing as a 30/30/30 reset on Asus routers. :)
 
I thought I'd done that with my n66u in the past, but no question that you are right. Holding down for 30 after plugin would put it into recovery mode.

I'd do L&LD's nuclear reset from the link in his sig.
 
Yeah, there isn't a need to reset. Everything else runs as it should. I think there is something broken with the steps of this guide. Maybe if you post your config steps I could see why mine isn't working, as I followed the steps from the earlier post on setting it up down to the letter.
 
I've noticed a lot of talk about how certain aspects have been incorporated into Merlin, and how others have updated codes or have given specific advice based on Apple OS configurations. So I'm not really confident where to begin and/or end with adding code.

So I'm just asking at this point in 2020 what does someone running Windows 10 have to do to get Ipsec IKE_V2 running?
 

Hi
The ASUS IPSEC IKEv1 XAUTH/PSK server becomes an IKEv1 XAUTH/PSK + IKEv2 EAP server.
Both profiles can run in parallel.
You should get a Let's Encrypt certificate for your DDNS hostname.
Without Let's Encrypt, you need to generate a self-signed certificate and install its CA into the trusted root CAs of each device. I don't like this process.

Just follow these threads.
The IKEv2 server shares the same username and password with IKEv1.
https://www.snbforums.com/threads/asus-ipsec-vpn-server.44973/#post-473984
https://www.snbforums.com/threads/asus-ipsec-vpn-server.44973/page-4#post-531279

Merlin firmware supports ipsec.postconf and strongswan.postconf since 384.9,
so no additional script is needed to build an IKEv2 server for Windows 10 clients.
Here is my latest ipsec.postconf:

nano /jffs/scripts/ipsec.postconf

Code:
#!/bin/sh
# $1 is the path of the generated config the firmware hands to this script
CONFIG=$1
source /usr/sbin/helper.sh

# Let's Encrypt CA (384.14 file layout: ca.cer + <hostname>.cer)
pc_append "" $CONFIG
pc_append "ca letsencrypt" $CONFIG
pc_append "  cacert=/jffs/.le/$(nvram get ddns_hostname_x)/ca.cer" $CONFIG
pc_append "  auto=add" $CONFIG
pc_append "" $CONFIG
# IKEv2 with EAP-MSCHAPv2 user authentication, server authenticated by certificate
pc_append "conn IKEv2-EAP" $CONFIG
pc_append "  keyexchange=ikev2" $CONFIG
pc_append "  left=$(nvram get wan0_ipaddr)" $CONFIG
pc_append "  leftid=@$(nvram get ddns_hostname_x)" $CONFIG
pc_append "  leftsubnet=0.0.0.0/0" $CONFIG
pc_append "  leftfirewall=yes" $CONFIG
pc_append "  lefthostaccess=yes" $CONFIG
pc_append "  leftauth=pubkey" $CONFIG
pc_append "  leftcert=/jffs/.le/$(nvram get ddns_hostname_x)/$(nvram get ddns_hostname_x).cer" $CONFIG
pc_append "  right=%any" $CONFIG
pc_append "  rightdns=$(nvram get lan_ipaddr)" $CONFIG
pc_append "  rightsourceip=10.10.11.0/24" $CONFIG
pc_append "  rightauth=eap-mschapv2" $CONFIG
pc_append "  eap_identity=%any" $CONFIG
# dead-peer detection and rekey=no (the fix for the Windows 10 drop-outs above)
pc_append "  dpdtimeout=30s" $CONFIG
pc_append "  dpdaction=clear" $CONFIG
pc_append "  dpddelay=10s" $CONFIG
pc_append "  rekey=no" $CONFIG
pc_append "  auto=add" $CONFIG

For Windows, add the connection via PowerShell:

Add-VpnConnection -Name "home" -ServerAddress YOURDOMAIN.asuscomm.com -TunnelType "Ikev2"
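Every postconf script in this thread relies on one mechanism: the firmware calls /jffs/scripts/ipsec.postconf with the path of the config it just generated as $1, and pc_append appends lines to that file. That is also why running the script by hand produces the "can't create : nonexistent directory" errors quoted earlier in the thread: $1 is empty, so pc_append has no file to write to. The block below is an added example, not Odkrys' script and not Asuswrt-Merlin code: it wraps the same IKEv2-EAP conn in functions that refuse to run without a config path, pick the Let's Encrypt file names for either layout reported here (chain.pem + cert.pem before 384.14, ca.cer + <hostname>.cer from 384.14 on), and lint the result for keys pasted twice. The pc_append stand-in, le_cert_paths, write_ikev2_conn, lint_duplicate_keys and the empty placeholder certificate files are all assumptions of the example.

```shell
#!/bin/sh
# Added example for this thread, not Odkrys' script: the ipsec.postconf logic
# wrapped in functions that fail fast instead of writing to nowhere.
# Assumptions: helper.sh's pc_append appends line $1 to file $2 (stand-in
# below for running off the router); the Let's Encrypt files sit in one
# directory in either the pre-384.14 layout (chain.pem + cert.pem) or the
# 384.14 layout (ca.cer + <hostname>.cer); file paths contain no spaces.

# Stand-in so the functions can be exercised on any POSIX sh. On the router,
# `. /usr/sbin/helper.sh` supplies the real pc_append and this is skipped.
if ! command -v pc_append >/dev/null 2>&1; then
  pc_append() { printf '%s\n' "$1" >> "$2"; }
fi

# Print "<cacert> <leftcert>" for whichever LE layout is complete in
# directory $1 for hostname $2; fail if neither is.
le_cert_paths() {
  if [ -f "$1/ca.cer" ] && [ -f "$1/$2.cer" ]; then
    printf '%s %s\n' "$1/ca.cer" "$1/$2.cer"
  elif [ -f "$1/chain.pem" ] && [ -f "$1/cert.pem" ]; then
    printf '%s %s\n' "$1/chain.pem" "$1/cert.pem"
  else
    echo "no Let's Encrypt certificate pair in $1" >&2
    return 1
  fi
}

# Append the ca section and the IKEv2-EAP conn to config file $1.
# $2 DDNS hostname, $3 WAN address, $4 LAN address (pushed to clients as DNS),
# $5 directory holding the LE files.
write_ikev2_conn() {
  cfg=$1; host=$2; wan=$3; lan=$4; ledir=$5
  # The firmware passes the config path as $1. Run by hand it is empty and
  # every pc_append fails with "can't create : nonexistent directory".
  if [ -z "$cfg" ]; then
    echo "write_ikev2_conn: no config path given (firmware passes it as \$1)" >&2
    return 2
  fi
  paths=$(le_cert_paths "$ledir" "$host") || return 1
  cacert=${paths% *}; leftcert=${paths#* }

  pc_append "" "$cfg"
  pc_append "ca letsencrypt" "$cfg"
  pc_append "  cacert=$cacert" "$cfg"
  pc_append "  auto=add" "$cfg"
  pc_append "" "$cfg"
  pc_append "conn IKEv2-EAP" "$cfg"
  pc_append "  keyexchange=ikev2" "$cfg"
  pc_append "  left=$wan" "$cfg"
  pc_append "  leftid=@$host" "$cfg"
  pc_append "  leftsubnet=0.0.0.0/0" "$cfg"
  pc_append "  leftfirewall=yes" "$cfg"
  pc_append "  lefthostaccess=yes" "$cfg"
  pc_append "  leftauth=pubkey" "$cfg"
  pc_append "  leftcert=$leftcert" "$cfg"
  pc_append "  right=%any" "$cfg"
  pc_append "  rightdns=$lan" "$cfg"
  pc_append "  rightsourceip=10.10.11.0/24" "$cfg"
  pc_append "  rightauth=eap-mschapv2" "$cfg"
  pc_append "  eap_identity=%any" "$cfg"
  # Dead-peer detection plus rekey=no, the combination that stopped the
  # Windows 10 drop-outs reported in this thread.
  pc_append "  dpddelay=10s" "$cfg"
  pc_append "  dpdtimeout=30s" "$cfg"
  pc_append "  dpdaction=clear" "$cfg"
  pc_append "  rekey=no" "$cfg"
  pc_append "  auto=add" "$cfg"
}

# Report keys that appear more than once inside a single ca/conn section of
# $1; a block pasted twice leaves it unclear which value is in force.
# Returns 1 if any duplicate is found, 0 otherwise.
lint_duplicate_keys() {
  awk '
    /^(ca|conn) / { sec = $2 }
    /^[ \t]+[A-Za-z_]+=/ {
      split($1, kv, "="); key = sec ":" kv[1]
      if (seen[key]++) { print "duplicate " key; bad = 1 }
    }
    END { exit bad ? 1 : 0 }
  ' "$1"
}

# Demo on constructed placeholder files (empty files standing in for certs).
demo=$(mktemp -d)
: > "$demo/ca.cer"; : > "$demo/home.example.cer"
write_ikev2_conn "$demo/ipsec.conf" home.example 203.0.113.10 192.168.1.1 "$demo" \
  && lint_duplicate_keys "$demo/ipsec.conf" && echo "generated ipsec.conf passes lint"
rm -rf "$demo"
```

On the router the postconf script would source /usr/sbin/helper.sh and call write_ikev2_conn "$1" with the nvram values the thread's scripts use; off the router, the stand-in pc_append lets you generate the file into a temporary directory and inspect it before anything touches the live config.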
 