IKEv2 client on Merlin Firmware

Odkrys

Senior Member
This is very alpha level.

For HND ARM routers (RT-AC86U, RT-AX88U):

https://drive.google.com/open?id=1wqDcJDUp8p3MRXlOFY8AKkeZR9ecEAMf

Code:
opkg install /path/ikev2client_alpha-2_aarch64-3.10.ipk

For SDK 7.14 ARM routers (RT-AC3100, RT-AC88U, RT-AC5300):

Download and unzip the ipk file, then copy the files to the proper place.


ㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡ

CAPATH is the file name of the self-signed CA certificate, for example protonvpn.der or NordVPN.pem.
This is provided by the VPN provider.

https://protonvpn.com/support/linux-ikev2-protonvpn/
https://support.nordvpn.com/Connect...nect-to-NordVPN-with-IKEv2-IPSec-on-Linux.htm

Some providers use certificates signed by a known CA.
Code:
opkg install ca-certificates
export CAPATH=/opt/etc/ssl/certs


ID and PASSWORD are normally your account credentials for the VPN service.

This setting is expected to be compatible with most VPN providers.

nano /opt/etc/init.d/S90ikev2
Code:
export CAPATH=CA path        for example) /jffs/protonvpn.der
export HOST=IP or DDNS       for example) us-01.protonvpn.com
export ID=YOUR ID
export PASSWORD=YOUR PASSWORD

Done.
Code:
/opt/etc/init.d/S90ikev2 start


ㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡ

For Policy Based Routing.

You can easily send the packets you want to the VPN using SNAT.

nano /opt/etc/ikev2/ikev2-updown.sh
Code:
    up-client)
                iptables -t nat -I POSTROUTING -o eth0 ! -p esp -j SNAT --to-source ${PLUTO_MY_SOURCEIP}
    down-client)
                iptables -t nat -D POSTROUTING -o eth0 ! -p esp -j SNAT --to-source ${PLUTO_MY_SOURCEIP} 2>/dev/null

Just change them like this:
Code:
    up-client)
                iptables -t nat -I POSTROUTING -s 192.168.50.100 -o eth0 ! -p esp -j SNAT --to-source ${PLUTO_MY_SOURCEIP}
    down-client)
                iptables -t nat -D POSTROUTING -s 192.168.50.100 -o eth0 ! -p esp -j SNAT --to-source ${PLUTO_MY_SOURCEIP} 2>/dev/null

And uncomment this line to ignore the DNS servers pushed by the server.

nano /opt/etc/init.d/S90ikev2
Code:
#For Policy Based Routing
#sed -i "s|load = yes|load = no|g" /etc/strongswan.d/charon/resolve.conf

-> sed -i "s|load = yes|load = no|g" /etc/strongswan.d/charon/resolve.conf
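The policy-based-routing change above, worked through as an added example that is not Odkrys's ikev2-updown.sh: the up-client/down-client handler generalised from one hard-coded LAN host to a list, so only the listed hosts are SNATed onto the tunnel's virtual IP and everything else keeps leaving via the WAN. It assumes charon exports PLUTO_VERB and PLUTO_MY_SOURCEIP as usual, that the WAN interface is eth0, and the VPN_CLIENTS addresses are constructed sample hosts.

```shell
#!/bin/sh
# Added example, not Odkrys's script.  "! -p esp" keeps the tunnel's own ESP
# packets out of the rule, as in the original.  WAN_IF and VPN_CLIENTS are
# assumptions (eth0 and two constructed LAN hosts); override them as needed.
: "${WAN_IF:=eth0}"
: "${VPN_CLIENTS:=192.168.50.100 192.168.50.101}"

# Print one iptables command per listed host: -I on up-client, -D on
# down-client; any other verb (up-host, down-host, ...) needs no NAT change.
# Refuses to emit anything when the virtual IP is empty, which would
# otherwise produce a malformed --to-source and leave the hosts with no NAT.
# Note that -I stacks a second copy if down-client never ran; the original
# script has the same behaviour.
pbr_rules() {
    verb=$1; vip=$2
    case "$verb" in
        up-client)   op=-I ;;
        down-client) op=-D ;;
        *)           return 0 ;;
    esac
    if [ -z "$vip" ]; then
        echo "pbr_rules: PLUTO_MY_SOURCEIP is empty for $verb" >&2
        return 1
    fi
    for h in $VPN_CLIENTS; do
        echo "iptables -t nat $op POSTROUTING -s $h -o $WAN_IF ! -p esp -j SNAT --to-source $vip"
    done
}

# Run the generated commands.  On down-client a missing rule is not an
# error (the original discards it with 2>/dev/null as well).
pbr_apply() {
    pbr_rules "$1" "$2" | while read -r cmd; do
        $cmd 2>/dev/null || [ "$1" = down-client ] || echo "failed: $cmd" >&2
    done
}

# Hook entry point: charon calls the updown script with the verb in PLUTO_VERB.
if [ -n "$PLUTO_VERB" ]; then
    pbr_apply "$PLUTO_VERB" "$PLUTO_MY_SOURCEIP"
fi
```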
 
To RT-AC68U, RT-AC87U, RT-AC3200 users.

If you are interested, please install and test entware strongswan.

Code:
opkg install strongswan strongswan-charon strongswan-ipsec strongswan-mod-eap-identity \
strongswan-mod-eap-mschapv2 strongswan-mod-kernel-netlink strongswan-mod-nonce strongswan-mod-pem \
strongswan-mod-openssl strongswan-mod-pubkey strongswan-mod-resolve strongswan-mod-stroke \
strongswan-mod-socket-default strongswan-mod-socket-dynamic strongswan-mod-updown

sed -i "s|/etc|/opt/etc|g" /opt/etc/init.d/S90ikev2
sed -i "s|/usr/sbin/ipsec|/opt/sbin/ipsec|g" /opt/etc/init.d/S90ikev2
sed -i "s|/opt/opt/|/opt/|g" /opt/etc/init.d/S90ikev2
sed -i "s|include strongswan.d|include /opt/etc/strongswan.d|g" /opt/etc/ikev2/strongswan.conf
sed -i "s|# file =|file =|g"  /opt/etc/strongswan.d/charon/resolve.conf

And follow the guide.
 
What path did you use to add to CA PATH for NordVPN?

I tried to use this from the NordVPN link and then another modified one but I keep getting an error:

Code:
 https://downloads.nordvpn.com/certificates/root.der -O /etc/ipsec.d/cacerts/NordVPN.der


 
Where is wget?

Don't save it in /etc; it will disappear when you reboot the router.
Use /jffs or a USB drive.

Yes, I used /jffs... but couldn't tell which link to use to retrieve the certificate.

When looking at NordVPN’s site, it says to use this first:

Code:
 sudo wget https://downloads.nordvpn.com/certificates/root.der -O /etc/ipsec.d/cacerts/NordVPN.der

And then:

Code:
 sudo openssl x509 -inform der -in /etc/ipsec.d/cacerts/NordVPN.der -out /etc/ipsec.d/cacerts/NordVPN.pem

So wasn’t sure which to use.


 

And that was about this section. Sorry I wasn’t more specific:

Code:
 nano /opt/etc/init.d/S90ikev2

Code:
export CAPATH=CA path        for example) /jffs/protonvpn.der
export HOST=IP or DDNS       for exmaple) us-01.protonvpn.com
export ID=YOUR ID
export PASSWORD=YOUR PASSWORD


 

There is no sudo on the router.
CA path is the place of the certificate; it is up to the user.
 

Yes, I used this instead and modified it to be saved in /jffs/:
Code:
wget https://downloads.nordvpn.com/certificates/root.der -O /jffs/NordVPN.der

Is this right?

Also, I wasn't sure what to make of this from the NordVPN website:

Code:
 sudo openssl x509 -inform der -in /etc/ipsec.d/cacerts/NordVPN.der -out /etc/ipsec.d/cacerts/NordVPN.pem

Would you be able to give an example on how you saved this certificate?
 
How do you go from NordVPN.der to NordVPN.pem?
 
@Odkrys - Are you able to describe the steps you followed to download a NordVPN RSA certificate?

Did you do this first:

Code:
wget https://downloads.nordvpn.com/certificates/root.der -O /etc/ipsec.d/cacerts/NordVPN.der

And if /jffs/ should be used instead of /etc/, which /jffs/ folder would be more appropriate to save this in, and what would the command above look like?

And what about this:

Code:
openssl x509 -inform der -in /etc/ipsec.d/cacerts/NordVPN.der -out /etc/ipsec.d/cacerts/NordVPN.pem

I am sure this would have to be modified based on /jffs/ folder on the first command. But what about the NordVPN.pem piece? Would this be saved in /jffs/ as well?

Thanks!
 
@Marin I don't know what your problem is.
The reason for changing the place is that the certificate disappears when you reboot.
Whether you use /jffs or /opt is up to you.
The code below is to change the format of the certificate. It doesn't matter if you don't.
DER and PEM are both fine.
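A pre-start check for the values exported in /opt/etc/init.d/S90ikev2, as an added example that is not part of the thread: it accepts CAPATH as a DER or PEM certificate (both work, as stated above) or as a directory of CA files for providers signed by a public CA, and flags the /etc location that does not survive a reboot. It assumes only POSIX sh, head and od; the function names and messages are this example's own.

```shell
#!/bin/sh
# Added example, not part of the ikev2client package or the thread.

# Classify a certificate file by its first byte: DER begins with the ASN.1
# SEQUENCE tag 0x30, PEM with the "-----BEGIN" armour (first byte 0x2d).
cert_format() {
    [ -f "$1" ] || { echo missing; return 1; }
    case "$(head -c 1 "$1" | od -An -tx1 | tr -d ' \n')" in
        30) echo der; return 0 ;;
        2d) [ "$(head -c 10 "$1")" = "-----BEGIN" ] && { echo pem; return 0; } ;;
    esac
    echo unknown; return 1
}

# Report every problem with CAPATH/HOST/ID/PASSWORD on stdout; the return
# value is the number of problems, so 0 means it is safe to start the client.
check_ikev2_env() {
    problems=0
    if [ -d "$CAPATH" ]; then
        :   # a CA directory such as /opt/etc/ssl/certs is fine
    elif ! fmt=$(cert_format "$CAPATH"); then
        echo "CAPATH=$CAPATH is not a usable certificate ($fmt)"
        problems=$((problems + 1))
    fi
    case "$CAPATH" in
        /etc/*)
            echo "CAPATH is on volatile storage and will vanish on reboot; use /jffs or /opt"
            problems=$((problems + 1)) ;;
    esac
    [ -n "$HOST" ] || { echo "HOST is empty"; problems=$((problems + 1)); }
    if [ -z "$ID" ] || [ -z "$PASSWORD" ]; then
        echo "ID or PASSWORD is empty"; problems=$((problems + 1))
    fi
    # The init script holds these credentials in clear text; keep it mode 0600.
    return $problems
}
```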
 
Managed to set up the IKEv2 client with NordVPN by following the steps above.
However, the connection drops after 45 minutes (changes from Connected to Connecting state, then disconnected at 47 minutes).
Nothing was logged when the connection dropped and Strongswan was not stopped after the connection dropped.
 
I tried this setup on my RT-AC88U.
The connection seems correctly established ("connection 'ikev2' established successfully"), but then all of my devices lost access to the internet after that. Only the router itself has access to the internet (I can still use curl or wget, for example, over ssh) and I can see that my IP address is the one from my VPN provider if I use the following command:
Bash:
curl ipecho.net/plain; echo

I suspect that maybe something in my iptables prevents my devices from accessing the internet through my IKEv2 connection, but I am not very familiar with iptables...

If anyone has any idea how I can sort this out, it would be much appreciated

Thanks!
 
Hello Odkrys,

Could you please update the download link? It is not working.
Also do you have updated version for RT-AX86U 386.3_2 (current merlin firmware)?
I want to use your app with NordVpn IKEv2.

Thank you in advance!
 