Cisco AnyConnect in Asus routers

XabiX

Occasional Visitor
Hello guys,

I recently bought an Asus RT-AC87U which I am very happy with. Running the latest Asuswrt (380.57) and installed 2 days ago.

My main reason to add a router instead of using the default triple play ADSL box was to set up a permanent VPN tunnel to my office and redirect only specific DNS entries through it.

My main issue is that it seems that only OpenConnect can connect to Cisco IPsec servers. In this case, I had to manually install this package from ssh, which makes its configuration not integrated and not as simple as the L2TP/PPTP or OpenVPN options in the Asuswrt GUI.

1/ Any reason why openconnect doesn't get added as a default option? Cisco is very popular and this would help the overall configuration with static routes, access to logs, etc.
Any trick to use the existing client to overcome the fact that openconnect is not part of the asuswrt features?

2/ I do: openconnect --no-cert-check --passwd-on-stdin -user=admin urlvpn.com
Even with an echo pwd "" | to script the connection, it doesn't work. If I remove "--passwd-on-stdin" I always need to re-enter the login and the pwd for it to work (seems like the username passed on the cmd line is not correct then), so if I also remove "-user" then it works ok the 1st time as I type the username and password directly. Any idea of the issue?

3/ The only way for me to move forward then is to remove the default gw through the tunnel and put the LAN one back, like with
route delete default
route add default gw 192.168.1.1 eth0
then I need to find the best way to redirect some URLs through the tunnel (interface tun0). Any recommendation? So far I was entering the manual DNS entries in /jffs/configs/dnsmasq.conf.add and then I was thinking of adding a list of manual static routes, but it's quite long as I have around 20 different URLs.

Thanks guys for taking the time to read and share your recommendations...
It's my 1st post as I am not yet an expert so happy to learn from you!

XabiX
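Added example, not from the thread: a small POSIX shell helper for the split-tunnel routing step described in question 3 above. It keeps the LAN gateway as the default route and adds one host route via tun0 per office host; the host-to-IP list, the 203.0.113.x addresses and the DRY_RUN switch are constructed assumptions, not anything from the post.

```shell
#!/bin/sh
# Split-tunnel helper: keep the LAN gateway as default and send only selected
# office hosts through tun0 (the manual procedure described in the post).
# Assumptions: busybox "route" on Asuswrt, tun0 already up by openconnect, and a
# host->IP list you maintain yourself. Addresses below are constructed samples.
LAN_GW="192.168.1.1"   # from the post
LAN_IF="eth0"          # from the post
VPN_IF="tun0"          # from the post

# Constructed sample list of "hostname ipv4" pairs that should use the tunnel.
OFFICE_HOSTS='intranet.example.com 203.0.113.10
git.example.com 203.0.113.22
bad.example.com not-an-ip'

# Return 0 only for a well-formed dotted quad so nothing else reaches the route table.
is_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  for o in $(echo "$1" | tr . ' '); do [ "$o" -le 255 ] || return 1; done
}

# Print one host-route command per valid entry; invalid entries are skipped with a
# message on stderr instead of being passed to "route".
gen_routes() {
  echo "$1" | while read -r host ip; do
    [ -n "$host" ] || continue
    if is_ipv4 "$ip"; then
      echo "route add -host $ip dev $VPN_IF   # $host"
    else
      echo "skipping $host: '$ip' is not an IPv4 address" >&2
    fi
  done
}

# Restore the LAN default gateway (what the post does by hand), then apply the
# host routes. With DRY_RUN=1 the commands are only printed, not executed.
apply_split_tunnel() {
  run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }
  run route delete default
  run route add default gw "$LAN_GW" "$LAN_IF"
  gen_routes "$OFFICE_HOSTS" | while read -r cmd; do
    run ${cmd%%#*}
  done
}
```

Run it with DRY_RUN=1 first to review the exact commands before touching the router's routing table.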
 
ASUSWRT doesn't support IPsec in its kernel.

Maybe good for you to write to Asus and request IPsec support in their future firmware releases.
 
ASUSWRT doesn't support IPsec in its kernel.

Maybe good for you to write to Asus and request IPsec support in their future firmware releases.

Hi Kvic, I have done so by contacting Asus support but I don't expect any solution before months or years :)
Will update with the answer but any other recommendation?

Merci
 
any other recommendation?

I think the setup in office isn't in your control. Or else you might consider setting up an OpenVPN tunnel between office and home.

For IPsec you'll need support from the linux kernel - the encrypt & decrypt of payloads and packet encap & decap all have to be performed in kernel space. If your only option is running an IPsec tunnel, there is little choice on your Asus router.

There is IPsec in user land but I haven't tried. I don't expect performance will be good. If you want to explore this possibility, you can check StrongSwan and its libipsec plugin (that handles user land IPsec).

It might be possible with OpenConnect and user land IPsec. But I have no experience with OpenConnect so I can't really comment. I read it's not as well maintained as others e.g. strongSwan.
 
Thanks Kvic.

FYI when I connect from the Asus router, I get:
Got CONNECT response: HTTP/1.1 200 OK
CSTP connected. DPD 30, Keepalive 20
/opt/lib/netifd/vpnc-script: line 527: seq: not found
/opt/lib/netifd/vpnc-script: line 527: can't create /etc/resolv.conf: Read-only file system
Connected tun0 as 10.175.250.47 + 2606:b400:8f0:82:8000::65/64, using SSL
Established DTLS connection (using GnuTLS). Ciphersuite (DTLS0.9)-(RSA)-(AES-128-CBC)-(SHA1).
If I do the same from my Ubuntu VirtualBox VM, where it's working, I get:
Got CONNECT response: HTTP/1.1 200 OK
CSTP connected. DPD 30, Keepalive 20
Connected tun0 as 10.175.244.41 + 2606:b400:8f0:82:8000::2a, using SSL
Established DTLS connection (using OpenSSL)

Is it confirmed then that I am missing the IPsec drivers in the kernel, or should the tunnel established from the Asus be working?

Is there a command or something to check before having to start moving to StrongSwan?

Hello there, I realize this is quite an old post, but did you ever figure out how to do this in a better way? I am currently trying to do the same.