
Tutorial Change Strongswan ciphersuite and enable MOBIKE to get rid of terrible VPN speeds

CB7

Occasional Visitor
-EDIT- I fixed this myself, see 2nd post in the thread. This thread is therefore marked as a tutorial now.

Hello,

Running merlin; but I believe this is a stock firmware thing? So posting here, sorry if wrong board.
I'm using ASUS' built-in Strongswan (so enabling IPSEC VPN with IKEv2 in the ASUS admin panel) and its speeds are absolutely atrocious for some reason. (E.g.: without VPN I have a downlink of 480MBit/sec and 25MBit/sec up on 5G; but with VPN enabled it's only 43MBit/sec down and 5MBit/sec up. (Ref: I have 1000/1000 symmetric fiber and speedtests at the home connection are 800MBit/sec on average (up/down), so that's not the problem)). I didn't have this issue when running it on a standalone virtual machine, so looking into that now.

However; upon analyzing its config, I realized this is part of ASUS stock firmware and therefore I probably don't have unlimited freedom with modifying the configuration.
As such I have two questions I hope someone may be able to answer:

1.) MOBIKE is disabled, does anyone know of any objection against enabling it on ASUS routers?
2.) I noticed the ciphersuite in use is deprecated and not the best for performance. It is using "aes256-sha1-modp1024" which is both a crappy hashing algorithm as well as a poor DH group. I'd prefer using ChaCha20 but I'm not sure if that's a good fit for the ASUS hardware, so I suppose aes256-sha256-modp2048 would have to do; or maybe for performance reasons go for aes256-sha256-ecp256 instead. I was also wondering for this one if anyone knows if there are any major objections to doing so or whether it should be smooth sailing. (Or maybe someone tried something different already, please do tell. :))

Hope it's not too much of a niche question. Thanks in advance! :)

-edit-
Ah... As it turns out, the router keeps resetting this file whenever it reboots. :(
-edit2- Fixed the above problem. See post below.
 
Last edited:
Alright, so revisiting this anyway as I couldn't live with the terrible speeds I was getting from the IKEv2 on my AX3000Gv2:
- The first thing I did was enable MOBIKE as this improves stability AND allows for much easier transition between 5G and WiFi (or when roaming: different carrier).
- I modified the DPD settings to be a.) less aggressive (so less overhead), b.) try to re-establish connection instead of clearing the peer immediately.
- I changed the ciphersuites. The ciphers are based around ChaCha20 which is very lenient on CPU, very fast and considered highly secure. I forced the same type on ESP to ensure consistency and similar speed on that front.

This increased the speed on 5G<>VPN from an average of ~30MBit/sec up/down to an average of ~90MBit/sec up/down (with peaks to 130MBit, where before 30 was the max I could squeeze out of it). This is still nowhere near the ~900MBit/sec on average I get on WiFi and the +/- ~300MBit/sec average I do on 5G without the VPN enabled: but at least now it's an acceptable speed, lower latency and for me this is more than ample speed for daily usage on my iPhone.

If you wish to do the same and make it permanent, here is what I did:

In the "conn Host-to-Netv2" section of /tmp/etc/ipsec.conf, modify the following variables to read like this:
Code:
  mobike=yes
  ike=chacha20poly1305-prfsha256-curve25519
  esp=chacha20poly1305
  dpdtimeout=30s
  dpdaction=restart
  dpddelay=10s
You can open the file with nano (nano /tmp/etc/ipsec.conf), make the changes and then save & exit with CTRL+X.
(Note that "esp", contrary to the other variables, will not be defined already. It's a new addition to ensure consistency in ciphers; so copy/paste that in below the ike variable. Manually change the rest.)
(Note2: if you so happen to have an ASUS router with AES-NI (hardware acceleration for AES), then I'd suggest using aes256-sha256-ecp256 for ike and aes256gcm128 for esp instead of ChaCha20.)
If you want to test the new configuration, run command: ipsec stop && sleep 2s && ipsec start

To make it permanent and survive a reboot, the following changes were made (note: this assumes you already have the /jffs/configs and /jffs/scripts directories):
after making the changes to ipsec.conf described above, do the following:
Run command: cp /tmp/etc/ipsec.conf /jffs/configs/ipsec.conf
Run command: touch /jffs/scripts/strongswan.sh && chmod +x /jffs/scripts/strongswan.sh
Then: nano /jffs/scripts/strongswan.sh and input:
Bash:
#!/bin/sh

#Stop StrongSwan and wait a second to be sure the process exited cleanly
ipsec stop
sleep 1s

#Replace the bad default ipsec.conf with the proper copy and wait a second to ensure the operation completed
echo > /etc/ipsec.conf
cp -f /jffs/configs/ipsec.conf /tmp/etc/ipsec.conf
sleep 1s

#Start StrongSwan again to get going
ipsec start
Then, Run command: echo "/bin/sh /jffs/scripts/strongswan.sh # Modify ipsec.conf to ChaCha20 and enable MOBIKE" >> /jffs/scripts/post-mount

That's it. Your ciphersuite is now changed to use ChaCha20, MOBIKE is enabled and the changes will be made permanent and survive a reboot of the router. (Well it doesn't exactly survive, rather: jffs scripts will undo the damage done by a reboot. ;))
If anyone has a better way of doing this, please feel more than free to chime in.

Now, sometimes when the router changes settings (not necessarily related to the VPN itself) it will revert ipsec.conf to its default values as well without a reboot. Quite annoying. JFFS only fixes the ipsec.conf after a reboot, but not at any other time so it won't recover until the next reboot OR a manual intervention. To fix that, we'll create a cronjob.

Create file: nano /jffs/scripts/strongswancron.sh
Input the following:
Bash:
#!/bin/sh

# Define the pattern to search for
PATTERN="chacha20poly1305-prfsha256-curve25519"

# Check if /etc/ipsec.conf contains the pattern
if grep -q "$PATTERN" /etc/ipsec.conf; then
    # Pattern found, no action required
    # Unhash line below for debugging
    # echo "$(date): IPSEC DEBUG No action taken." >> /var/log/cron.log
    exit 0
fi

# Proceed if the pattern is not found
ipsec stop
sleep 1s

# Clear and update ipsec.conf
echo > /etc/ipsec.conf
cp -f /jffs/configs/ipsec.conf /tmp/etc/ipsec.conf
sleep 1s

# Restart IPsec service
ipsec start

# Log the action for traceability
echo "$(date): Found missing ChaCha20 policy. Configuration updated and IPsec restarted." >> /var/log/cron.log
NOTE: if you're using aes256-sha256-ecp256 because you have a more powerful router with dedicated AES chip, change the pattern to "aes256-sha256-ecp256".
CTRL + X to save.
Then run command: chmod +x /jffs/scripts/strongswancron.sh

Then, create the cronjob:
Run command: nano /jffs/services-start
Insert this at the end:
Code:
cru a ipsec_check "*/5 * * * * /jffs/scripts/strongswancron.sh"
(Change at will. This check currently runs every 5 minutes, every hour, every day. Should be moooooore than enough, the config should hardly ever be overwritten at times other than reboot. If anything, you may wish to consider running this less frequently; not more frequently.)
CTRL + X to save.

The first time, either reboot the router or manually run this command to activate the cronjob: cru a ipsec_check "*/5 * * * * /jffs/scripts/strongswancron.sh"

That's it, the router will now check every 15 minutes whether or not the ipsec.conf is "faulty" and no longer contains ChaCha20. If it does contain the correct ciphersuite: it does absolutely nothing. Doesn't write any logs either, that's useless. If it finds a bad configuration: it forcefully updates and then writes a line to /var/log/cron.log.
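An added example (my own, not CB7's script) that checks every one of the six settings from the tutorial inside the "conn Host-to-Netv2" section rather than grepping for one pattern, so a partial reset (say, only mobike= reverted while ike= is still intact) is also caught. The two sample configs are constructed for the demo and are not real router output; the function returns non-zero on drift, so it can replace the grep line in strongswancron.sh.

```shell
#!/bin/sh
# Added example, not the forum poster's script: check every expected
# key in the "conn Host-to-Netv2" section instead of one grep pattern,
# so a partial reset (e.g. MOBIKE off but ike= intact) is still caught.

# Expected settings, taken from the tutorial's ipsec.conf edits.
EXPECTED='mobike=yes
ike=chacha20poly1305-prfsha256-curve25519
esp=chacha20poly1305
dpdtimeout=30s
dpdaction=restart
dpddelay=10s'

# Print the body of conn section $2 in file $1 (ends at the next
# conn/ca/config header).
conn_section() {
    awk -v name="$2" '
        /^[ \t]*(conn|ca|config)[ \t]/ { insec = ($2 == name); next }
        insec { print }
    ' "$1"
}

# Return 0 if every EXPECTED key=value is present; otherwise report each
# drifted key and return 1 (suitable as the trigger for a restore step).
check_ipsec_conf() {
    section=$(conn_section "$1" "${2:-Host-to-Netv2}")
    status=0
    for want in $EXPECTED; do
        key=${want%%=*}
        have=$(printf '%s\n' "$section" | awk -F= -v k="$key" '
            { gsub(/[ \t]/, "", $1) } $1 == k { v = $2 }
            END { gsub(/[ \t]/, "", v); print v }')
        if [ "$have" != "${want#*=}" ]; then
            echo "drift: $key is '${have:-unset}', expected '${want#*=}'"
            status=1
        fi
    done
    return $status
}

# Constructed sample configs for a stand-alone run (not real router output).
make_samples() {
    dir=$(mktemp -d)
    printf 'config setup\n\nconn Host-to-Netv2\n  keyexchange=ikev2\n  mobike=yes\n  ike=chacha20poly1305-prfsha256-curve25519\n  esp=chacha20poly1305\n  dpdtimeout=30s\n  dpdaction=restart\n  dpddelay=10s\n' > "$dir/good.conf"
    printf 'conn Host-to-Netv2\n  keyexchange=ikev2\n  mobike=no\n  ike=aes256-sha1-modp1024\n  dpdaction=clear\n' > "$dir/reset.conf"
    echo "$dir"
}
```

On the router you would call check_ipsec_conf /etc/ipsec.conf and run the stop/copy/start steps from the cron script only when it returns non-zero.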
