What's new

Asus IPSEC Vpn Server

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

wild guess, but i read somewhere that iOS proposes ciphers that it wont actually use (specifically >modp1024), maybe defaults changed between versions or something, so try the ciphers i'm using by adding the following;

ike = aes256-sha256-ecp256,aes256-sha384-ecp384,aes256-sha1-modp1024
esp = aes128gcm128-ecp384bp-noesn,aes256-sha256,aes256-sha1

This will force iOS to use ecp256, which it does merrily for me.

Tried, but ipsec keeps crashing. This is the log:
Code:
07[NET] received packet: from 213.143.61.85[3005] to 192.168.1.10[500] (604 bytes)
07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
07[IKE] 213.143.61.85 is initiating an IKE_SA
07[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
07[IKE] local host is behind NAT, sending keep alives
07[IKE] remote host is behind NAT
07[IKE] DH group MODP_2048 unacceptable, requesting ECP_256
07[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) V ]
07[NET] sending packet: from 192.168.1.10[500] to 213.143.61.85[3005] (58 bytes)
07[NET] received packet: from 213.143.61.85[3005] to 192.168.1.10[500] (412 bytes)
07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
07[IKE] 213.143.61.85 is initiating an IKE_SA
07[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
07[IKE] local host is behind NAT, sending keep alives
07[IKE] remote host is behind NAT
07[IKE] sending cert request for "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) V ]
07[NET] sending packet: from 192.168.1.10[500] to 213.143.61.85[3005] (301 bytes)
13[NET] received packet: from 213.143.61.85[3008] to 192.168.1.10[4500] (512 bytes)
13[ENC] unknown attribute type (25)
13[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
13[CFG] looking for peer configs matching 192.168.1.10[mydomain.com]...213.143.61.85[iOS]
13[CFG] selected peer config 'IKEv2-EAP'
13[IKE] initiating EAP_IDENTITY method (id 0x00)
13[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
13[IKE] peer supports MOBIKE
 
honestly, this still looks like the leftsendcert directive being the issue to me, i was stuck on it for a minute. idk why it would work with my swanctl.conf style config and not your ipsec.conf config, though.

[edit/] could be my mistake, try leftsendcert=yes
 
honestly, this still looks like the leftsendcert directive being the issue to me, i was stuck on it for a minute. idk why it would work with my swanctl.conf style config and not your ipsec.conf config, though.
I understand that you use swanctl.conf style config and your iOS devices connect well using user/password, no?
 
yes, but try the edit in my last first
Hello again @sinshiva

I configured your setup, and I modified with my network values. But now, iOS is telling me that user/password are wrong. Where I must put user/password?

Log:
Code:
12[NET] received packet: from 213.143.61.85[15831] to 192.168.1.10[500] (604 bytes)
12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
12[IKE] 213.143.61.85 is initiating an IKE_SA
12[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
12[IKE] local host is behind NAT, sending keep alives
12[IKE] remote host is behind NAT
12[IKE] DH group MODP_2048 unacceptable, requesting ECP_256
12[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) V ]
12[NET] sending packet: from 192.168.1.10[500] to 213.143.61.85[15831] (58 bytes)
14[NET] received packet: from 213.143.61.85[15831] to 192.168.1.10[500] (412 bytes)
14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
14[IKE] 213.143.61.85 is initiating an IKE_SA
14[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
14[IKE] local host is behind NAT, sending keep alives
14[IKE] remote host is behind NAT
14[IKE] sending cert request for "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
14[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) V ]
14[NET] sending packet: from 192.168.1.10[500] to 213.143.61.85[15831] (301 bytes)
05[NET] received packet: from 213.143.61.85[15824] to 192.168.1.10[4500] (512 bytes)
05[ENC] unknown attribute type (25)
05[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
05[CFG] looking for peer configs matching 192.168.1.10[mydomain.com]...213.143.61.85[iOS]
05[CFG] selected peer config 'ikev2-eap-mschapv2'
05[IKE] initiating EAP_IDENTITY method (id 0x00)
05[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
05[IKE] peer supports MOBIKE
05[IKE] no private key found for 'mydomain.com'
05[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
05[NET] sending packet: from 192.168.1.10[4500] to 213.143.61.85[15824] (80 bytes)
 
in my config, at the bottom is where i configure my users;

un: adrian
pw: adriansecret

as an example

<edit/>

it looks like your server key is the problem, though.

do you have the merlinswan.sh created and configured to add the location of your server.key to /etc/ipsec.secrets ?
 
in my config, at the bottom is where i configure my users;

un: adrian
pw: adriansecret

as an example

<edit/>

it looks like your server key is the problem, though.

do you have the merlinswan.sh created and configured to add the location of your server.key to /etc/ipsec.secrets ?

It is crashing again :( I don't know why doesn't work.

Log:
Code:
05[NET] received packet: from 213.143.61.85[30604] to 192.168.1.10[500] (604 bytes)
05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
05[IKE] 213.143.61.85 is initiating an IKE_SA
05[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
05[IKE] local host is behind NAT, sending keep alives
05[IKE] remote host is behind NAT
05[IKE] DH group MODP_2048 unacceptable, requesting ECP_256
05[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) V ]
05[NET] sending packet: from 192.168.1.10[500] to 213.143.61.85[30604] (58 bytes)
06[NET] received packet: from 213.143.61.85[30604] to 192.168.1.10[500] (412 bytes)
06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
06[IKE] 213.143.61.85 is initiating an IKE_SA
06[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
06[IKE] local host is behind NAT, sending keep alives
06[IKE] remote host is behind NAT
06[IKE] sending cert request for "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) V ]
06[NET] sending packet: from 192.168.1.10[500] to 213.143.61.85[30604] (301 bytes)

swanctl.conf
Code:
# In this config, I am creating two XAUTH user conns for Cisco IPSEC clients (iOS) and a fairly universal IKEv2 conn
# One will pass all traffic.  The other will split-tunnel.
# This is not an ideal config for scale.  Better to use the 'include' directive to a swanctl_base.conf

connections {

    ikev2-eap-mschapv2 { # IKEv2 instance designed for splittunnel/routeall compatible with WINDOWS
        version = 2
        proposals = aes256-sha256-ecp256,aes256-sha384-ecp384,aes256-sha1-modp1024
        rekey_time = 0s
        pools = pool-windows
        fragmentation = yes
        dpd_delay = 30s
        local-1 {
            certs = /jffs/.le/mydomain.com/cert.pem
            id = mydomain.com
        }
        remote-1 {
            auth = eap-mschapv2
            eap_id = %any
        }
        children {
            ikev2-eap-mschapv2 {
                local_ts = 0.0.0.0/0
                rekey_time = 0s
                dpd_action = clear
                esp_proposals = aes128gcm128-ecp384bp-noesn,aes256-sha256,aes256-sha1
                updown = /usr/lib/ipsec/_updown iptables
                hostaccess = yes
            }
        }
    }

}

pools {
    pool-splittunnel { # SPLIT TUNNEL TO HOME LAN 192.168.68.0/24
        addrs = 172.28.69.0/24
        dns = 10.0.0.1
        28674 = "YOURLAN.local"
        28675 = "YOURLAN.local"
        split_include = 10.0.0.0/24 # REPLACE WITH YOUR LAN
    }


    pool-routeall { # ROUTE ALL
        addrs = 172.28.68.0/24
        dns = 10.0.0.1
    }

    pool-windows {
    addrs = 10.0.0.144/28 # range WITHIN lan subnet for splittunnel
    dns = 10.0.0.1
    }

}

authorities {
    letsencrypt {
        cacert = /jffs/.le/mydomain.com/chain.pem
    }
}

secrets {
    ike-one {
        secret = "nospaces"
    }

    xauth-adrian {
        id = myuser
        secret = "mypassword"
    }
    xauth-adriansplit {
        id = adriansplit
        secret = "adriansplitsecret"
    }
#    rsa {
#        file = domain.key # absolute path no worky, use /etc/ipsec.secrets for server key.
#    }
}
 
paste the merlinswan.sh and service-start scripts - i don't think you are loading the server key
 
paste the merlinswan.sh and service-start scripts - i don't think you are loading the server key
cat /etc/ipsec.secrets
Code:
: RSA /jffs/.le/mydomain.com/domain.key

cat /jffs/scripts/merlinswan.sh
Code:
#!/bin/sh

ipsec stop
sleep 1s
echo > /etc/ipsec.conf
echo > /etc/ipsec.secrets
echo ": RSA /jffs/.le/$(nvram get ddns_hostname_x)/domain.key" >> /etc/ipsec.secrets
cp -f /jffs/configs/swanctl.conf /etc/swanctl/swanctl.conf
ipsec start
sleep 1s
swanctl --load-all

cat /jffs/scripts/services-start
Code:
#!/bin/sh

sleep 1s
/bin/sh /jffs/scripts/merlinswan.sh

/etc/ipsec.conf is empty.

And many thanks for your help!
 
ok, one other question, i see the server is configured with 10.0.0.0/24 as your lan subnet and you have 192.168.1.0/24 in connect logs, what's that about?

also, run /jffs/scripts/service-start and then try to connect one more time

[edit/]

probably wouldn't hurt to change xauth-adrian to xauth-myuser btw
 
ok, one other question, i see the server is configured with 10.0.0.0/24 as your lan subnet and you have 192.168.1.0/24 in connect logs, what's that about?

also, run /jffs/scripts/service-start and then try to connect one more time

[edit/]

probably wouldn't hurt to change xauth-adrian to xauth-myuser btw

Change xauth-adrian to xauth-myuser and nothing has changed.

My network is:
Internet - (WAN Public IP addr) ISP router (LAN 192.168.1.1) - (WAN 192.168.1.10) ASUS Router (LAN 10.0.0.1) MyNetwork 10.0.0.0/24
My ISP Router has as DMZ 192.168.1.10, that is ASUS Router.
 
Change xauth-adrian to xauth-myuser and nothing has changed.

My network is:
Internet - (WAN Public IP addr) ISP router (LAN 192.168.1.1) - (WAN 192.168.1.10) ASUS Router (LAN 10.0.0.1) MyNetwork 10.0.0.0/24
My ISP Router has as DMZ 192.168.1.10, that is ASUS Router.

double nat? are you forwarding port 4500 on isp router to asus router? and then are you trying to connect from LTE, not wifi?
 
double nat? are you forwarding port 4500 on isp router to asus router? and then are you trying to connect from LTE, not wifi?
double nat? Yes
are you forwarding port 4500 on isp router to asus router? Yes, I forward all TCP and UDP ports (1-65535).
are you trying to connect from LTE, not wifi? Of course. Here is 4G.

The case is that my IKEv2 setup worked fine until 384.10 release.
 
run merlinswan.sh then post new connect logs from swanctl --log
 
run merlinswan.sh then post new connect logs from swanctl --log

./merlinswan.sh
Code:
Stopping strongSwan IPsec...
Starting weakSwan 5.7.2 IPsec [starter]...
loaded ike secret 'ike-one'
loaded xauth secret 'xauth-myuser'
loaded xauth secret 'xauth-adriansplit'
loaded authority 'letsencrypt'
successfully loaded 1 authorities, 0 unloaded
loaded pool 'pool-splittunnel'
loaded pool 'pool-routeall'
loaded pool 'pool-windows'
successfully loaded 3 pools, 0 unloaded
loaded connection 'ikev2-eap-mschapv2'
successfully loaded 1 connections, 0 unloaded

swanctl --log
Code:
14[NET] received packet: from 213.143.61.85[22805] to 192.168.1.10[500] (604 bytes)
14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
14[IKE] 213.143.61.85 is initiating an IKE_SA
14[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
14[IKE] local host is behind NAT, sending keep alives
14[IKE] remote host is behind NAT
14[IKE] DH group MODP_2048 unacceptable, requesting ECP_256
14[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) V ]
14[NET] sending packet: from 192.168.1.10[500] to 213.143.61.85[22805] (58 bytes)
07[NET] received packet: from 213.143.61.85[22805] to 192.168.1.10[500] (412 bytes)
07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
07[IKE] 213.143.61.85 is initiating an IKE_SA
07[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
07[IKE] local host is behind NAT, sending keep alives
07[IKE] remote host is behind NAT
07[IKE] sending cert request for "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) V ]
07[NET] sending packet: from 192.168.1.10[500] to 213.143.61.85[22805] (301 bytes)
11[NET] received packet: from 213.143.61.85[22811] to 192.168.1.10[4500] (512 bytes)
11[ENC] unknown attribute type (25)
11[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
11[CFG] looking for peer configs matching 192.168.1.10[mydomain.com]...213.143.61.85[iOS]
11[CFG] selected peer config 'ikev2-eap-mschapv2'
11[IKE] initiating EAP_IDENTITY method (id 0x00)
11[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
11[IKE] peer supports MOBIKE

And then, VPN server crashes and restarts.

Syslog:
Code:
Apr 28 22:50:08 ipsec_starter[9688]: charon has died -- restart scheduled (5sec)
Apr 28 22:50:15 ipsec_starter[9688]: charon (9903) started after 1680 ms
 
weird. do you also forward port 500 on the isp router? if so, remove it
 
Last edited:
weird. do you also forward port 500 on the isp router? if so, remove it
I can not remove it. My ISP router sucks, but I need it because it has the ONT built-in and the home-phone.
 
[edit/] JK, i see the problem lol, you are missing 'send_cert = always' , don't think you used my most recent edit of the swanctl.conf

sorry, idk why but one of my edits didn't take or something; your connection should look something like
Code:
    ikev2-eap-mschapv2 { # IKEv2
        version = 2
        proposals = aes256-sha256-ecp256,aes256-sha384-ecp384,aes256-sha1-modp1024
        rekey_time = 0s
        pools = pool-ikev2
        fragmentation = yes
        dpd_delay = 30s
        send_cert = always

i corrected it again in my original post
 
Last edited:
[edit/] JK, i see the problem lol, you are missing 'send_cert = always' , don't think you used my most recent edit of the swanctl.conf

sorry, idk why but one of my edits didn't take or something; your connection should look something like
Code:
    ikev2-eap-mschapv2 { # IKEv2
        version = 2
        proposals = aes256-sha256-ecp256,aes256-sha384-ecp384,aes256-sha1-modp1024
        rekey_time = 0s
        pools = pool-ikev2
        fragmentation = yes
        dpd_delay = 30s
        send_cert = always

i corrected it again in my original post

It crashes again, but log is different:
Code:
10[NET] received packet: from 213.143.61.85[56041] to 192.168.1.10[500] (604 bytes)
10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
10[IKE] 213.143.61.85 is initiating an IKE_SA
10[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
10[IKE] local host is behind NAT, sending keep alives
10[IKE] remote host is behind NAT
10[IKE] DH group MODP_2048 unacceptable, requesting ECP_256
10[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) V ]
10[NET] sending packet: from 192.168.1.10[500] to 213.143.61.85[56041] (58 bytes)
14[NET] received packet: from 213.143.61.85[56041] to 192.168.1.10[500] (412 bytes)
14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
14[IKE] 213.143.61.85 is initiating an IKE_SA
14[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
14[IKE] local host is behind NAT, sending keep alives
14[IKE] remote host is behind NAT
14[IKE] sending cert request for "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
14[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) V ]
14[NET] sending packet: from 192.168.1.10[500] to 213.143.61.85[56041] (301 bytes)
09[NET] received packet: from 213.143.61.85[56042] to 192.168.1.10[4500] (512 bytes)
09[ENC] unknown attribute type (25)
09[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
 
It crashes again, but log is different:
Code:
10[NET] received packet: from 213.143.61.85[56041] to 192.168.1.10[500] (604 bytes)
10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
10[IKE] 213.143.61.85 is initiating an IKE_SA
10[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
10[IKE] local host is behind NAT, sending keep alives
10[IKE] remote host is behind NAT
10[IKE] DH group MODP_2048 unacceptable, requesting ECP_256
10[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) V ]
10[NET] sending packet: from 192.168.1.10[500] to 213.143.61.85[56041] (58 bytes)
14[NET] received packet: from 213.143.61.85[56041] to 192.168.1.10[500] (412 bytes)
14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
14[IKE] 213.143.61.85 is initiating an IKE_SA
14[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
14[IKE] local host is behind NAT, sending keep alives
14[IKE] remote host is behind NAT
14[IKE] sending cert request for "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
14[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) V ]
14[NET] sending packet: from 192.168.1.10[500] to 213.143.61.85[56041] (301 bytes)
09[NET] received packet: from 213.143.61.85[56042] to 192.168.1.10[4500] (512 bytes)
09[ENC] unknown attribute type (25)
09[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]

when you editted your swanctl.conf, did you ONLY add the 'send_cert = always' line?

also, be sure to remove or comment out the xauth-adriansplit user, don't want to leave yourself open there.

if you only added the line and changed nothing else, re run merlinswan.sh and try to connect again just to be sure. if it still fails, make sure server: mydomain.com AND Remote ID: mydomain.com on iOS. if that's all good, i'd mv and replace your letsencrypt certs, then rerun merlinswan.sh
 

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top