IPSEC and IOS

Discussion in 'ASUSWRT - Official' started by rbdan, Feb 13, 2018.

  1. rbdan

    rbdan Occasional Visitor

    Joined:
    Jan 25, 2016
    Messages:
    38
    Hey guys,

    I tried to simply turn on the IPSEC server, add a Pre-shared Key, user name and password. Then I configured my IOS devices with the same info and it fails with “negotiation with the vpn server failed”.

    I can watch the client on the server “Connecting...” but it never connects.

    Any ideas?

    Thanks!
    Dan
     
  2. arthurlien

    arthurlien Senior Member

    Joined:
    Jul 29, 2014
    Messages:
    354
  3. rbdan

    rbdan Occasional Visitor

    Joined:
    Jan 25, 2016
    Messages:
    38
    Yep, that is the step by step guide I used. It’s pretty straightforward.

    Isn’t OpenVPN a better solution than IPSEC?

    Thanks for the reply!
    Dan
     
  4. RMerlin

    RMerlin Part of the Furniture

    Joined:
    Apr 14, 2012
    Messages:
    25,894
    Location:
    Canada
    OpenVPN is more flexible, but IPSEC is usually faster, and often doesn't require any third party client software.
     
  5. arthurlien

    arthurlien Senior Member

    Joined:
    Jul 29, 2014
    Messages:
    354
    Please double check your password first. The function is working in our lab.

    Sent from my ASUS_Z012DA using Tapatalk
     
  6. RMerlin

    RMerlin Part of the Furniture

    Joined:
    Apr 14, 2012
    Messages:
    25,894
    Location:
    Canada
    Also, make sure the preshared key isn't too long. Asus recently fixed a bug with preshared keys that were too long.

     
  7. rbdan

    rbdan Occasional Visitor

    Joined:
    Jan 25, 2016
    Messages:
    38
    Hey Merlin,

    Thanks for the reply. In testing, I am only using 9 characters.

    Stupid question: Are special characters okay?

    Can anyone think of anything I am missing? The setup is so simple, I can’t think of why it wouldn’t work.

    Is anyone else using the IPSec server with IOS devices?

    Thanks again,
    Dan
     
  8. arthurlien

    arthurlien Senior Member

    Joined:
    Jul 29, 2014
    Messages:
    354
    We tested with iPhone.

    Sent from my ASUS_Z012DA using Tapatalk
     
  9. RMerlin

    RMerlin Part of the Furniture

    Joined:
    Apr 14, 2012
    Messages:
    25,894
    Location:
    Canada
    Unsure about special characters, but generally asuswrt is very fragile to these, best to avoid using them when in doubt.

    Sent from my P027 using Tapatalk
     
  10. XIII

    XIII Senior Member

    Joined:
    Feb 27, 2014
    Messages:
    348
    Is this only available in stock firmware or certain models?

    (I only see PPTP and OpenVPN in Asuswrt-Merlin 384.4 Beta 3 on my RT-AC86U)
     
  11. RMerlin

    RMerlin Part of the Furniture

    Joined:
    Apr 14, 2012
    Messages:
    25,894
    Location:
    Canada
    Only on certain models. It's still a work-in-progress by Asus, and I can't enable it on all models due to kernel conflicts it causes for some platforms.
     
  12. sfx2000

    sfx2000 Part of the Furniture

    Joined:
    Aug 11, 2011
    Messages:
    12,081
    Location:
    San Diego, CA
    If you're asking, you likely are :D

    Keep it simple - A-Z, a-z, 0-9
     
  13. Odkrys

    Odkrys Regular Contributor

    Joined:
    Jul 28, 2016
    Messages:
    145
    I tested IPSec on my RT-AC86U with an Android phone.
    It was a little strange: IPSec didn't work when I used only the stock firmware build option or only the Merlin firmware option.
    It worked when it was built using the stock firmware openssl hostconfig option (no-engine -Os) + the Merlin firmware makefile (-disable-static).
    I don't know how it works on GT-AC5300 with static build.
    Anyway, so Tor can't be used with IPSec.

    IPSec speed was similar to OpenVPN (150mbps~200mbps). Not much difference.
    But there is a certain advantage, yeah it's built-in :D
     
  14. XIII

    XIII Senior Member

    Joined:
    Feb 27, 2014
    Messages:
    348
    Apparently not on the 86U and 68U I have access to (still need to flash an AC56U).

    Which models do support it currently?
     
  15. RMerlin

    RMerlin Part of the Furniture

    Joined:
    Apr 14, 2012
    Messages:
    25,894
    Location:
    Canada
    BRT-AC828, RT-AC88U, RT-AC3100 and RT-AC5300.

    Asus plans to add other models in the future. No definitive list yet.
     
  16. XIII

    XIII Senior Member

    Joined:
    Feb 27, 2014
    Messages:
    348
    Thanks.

    I have access to three different models, but none of these... I'll have to wait a bit to play with this.
     
  17. RMerlin

    RMerlin Part of the Furniture

    Joined:
    Apr 14, 2012
    Messages:
    25,894
    Location:
    Canada
    The RT-AC86U is highly likely to get it (I've done a few experiments myself on that front, will possibly have to remove Tor from that model due to conflicting settings).

    I would expect the RT-AC68U to eventually get it, but it will have to come from Asus since the kernel-level changes required are incompatible with the current precompiled kernel modules. No idea what their plans are for that model.
     
    XIII likes this.
  18. RMerlin

    RMerlin Part of the Furniture

    Joined:
    Apr 14, 2012
    Messages:
    25,894
    Location:
    Canada
    I think there's a bug in the firmware code, the config files are not generated when you enable IPSEC - you must reboot for the config files to get copied from /usr/etc/* to /etc/ .


    @arthurlien : start_services() should probably call rc_ipsec_config_init() regardless of whether ipsec is enabled or not, otherwise the config files will be missing if the end user enables IPSEC without rebooting, and charon will fail to start.
    Nevermind, seems like it's already fixed in newer GPL code. I thought it was why the OP couldn't get IPSEC to work.
     
    Last edited: Feb 19, 2018 at 1:34 AM
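
A way to check for the condition described in the post above (config files not yet copied from /usr/etc to /etc), as an added example that is not part of the thread or of the Asus firmware: it lists files present in a template directory but absent from the live one. The function names and the sample file names in the demo are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not firmware code): list template config files that were
# never copied into the live config directory.

# missing_configs SRC DST
# Prints, one per line, each file under SRC with no counterpart under DST.
# Returns 2 if SRC is not a directory.
missing_configs() {
    src=$1
    dst=$2
    [ -d "$src" ] || return 2
    (cd "$src" && find . -type f) | sort | while IFS= read -r rel; do
        rel=${rel#./}
        [ -e "$dst/$rel" ] || printf '%s\n' "$rel"
    done
}

# check_configs SRC DST
# Returns 0 when every template file is present in DST, 1 when some are
# missing (their names go to stdout), 2 when SRC does not exist.
check_configs() {
    list=$(missing_configs "$1" "$2") || return 2
    [ -z "$list" ] && return 0
    printf '%s\n' "$list"
    return 1
}

# Constructed demo: a throwaway tree standing in for /usr/etc and /etc.
# The file names are sample values, not a list taken from the firmware.
demo() {
    tmp=$(mktemp -d) || return 2
    mkdir -p "$tmp/usr_etc/strongswan.d" "$tmp/etc"
    : > "$tmp/usr_etc/ipsec.conf"
    : > "$tmp/usr_etc/strongswan.conf"
    : > "$tmp/usr_etc/strongswan.d/charon.conf"
    : > "$tmp/etc/strongswan.conf"    # only one file made it across
    rc=0
    check_configs "$tmp/usr_etc" "$tmp/etc" || rc=$?
    rm -rf "$tmp"
    return "$rc"
}

# On a router shell the call would be: check_configs /usr/etc /etc
```

A non-zero result right after enabling IPSEC, which clears after a reboot, matches the behaviour described in the post.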
  19. Odkrys

    Odkrys Regular Contributor

    Joined:
    Jul 28, 2016
    Messages:
    145
    I think he already noticed it. gt-ac5300 code.

    Code:
    #if defined(RTCONFIG_IPSEC)
    	//if(nvram_get_int("ipsec_server_enable") || nvram_get_int("ipsec_client_enable"))
    	rc_ipsec_nvram_convert_check();
    
    	rc_ipsec_config_init();
    
    One more bug. If I turn on ipsec, the system log appears twice in the browser.
    Without ipsec, it was normal.
     
  20. RMerlin

    RMerlin Part of the Furniture

    Joined:
    Apr 14, 2012
    Messages:
    25,894
    Location:
    Canada
    Which GPL version are you checking? That code didn't seem to be commented out in 384_20379 (the latest I've got).
     
