Freewill0592
New Around Here
Hello.
After a long time I have finally made an IPsec site-to-site VPN work between my Debian server with a public IP and a Sophos firewall.
Now I am trying to do the same between my server and an Asus RT-AC88U which has AsusWRT-Merlin installed on it.
Not sure if I can post here or should post in the WRT section of the forum?
I have established the VPN tunnel successfully but I cannot ping anything on the other side. When I check routes, none are added.
And the script which works for the Sophos<>Debian connection is not creating the VTI interface for this tunnel on the Debian server either.
The script does not seem to work on Asus WRT, even when I replaced those PLUTO variables with correct values.
It is complaining that it does not know what "add tunnel "ip_vti0" failed: No such device" is. I assume Asus WRT does not have the VTI package?
This is what I get when I try to add the VTI interface...
Bash:
Freewill@asus:/jffs/scripts# ip link add vti1 type vti
RTNETLINK answers: Operation not supported
Freewill@asus:/jffs/scripts# ip tunnel add vti0 mode vti
add tunnel "ip_vti0" failed: No such device
Freewill@asus:/jffs/scripts# ip tunnel add vti0 mode vti 172.29.29.5 172.29.29.6
Error: either "name" is duplicate, or "172.29.29.5" is a garbage.
Freewill@asus:/jffs/scripts# ip tunnel add vti1 mode vti 172.29.29.5 172.29.29.6
Error: either "name" is duplicate, or "172.29.29.5" is a garbage.
Freewill@asus:/jffs/scripts# ip tunnel add vti1 mode vti "172.29.29.5" "172.29.29.6"
Error: either "name" is duplicate, or "172.29.29.5" is a garbage.
Freewill@asus:/jffs/scripts# ip tunnel add name vti1 mode vti "172.29.29.5" "172.29.29.6"
Error: either "name" is duplicate, or "172.29.29.5" is a garbage.
Freewill@asus:/jffs/scripts# ip tunnel add name vti1 type vti 172.29.29.5 172.29.29.6
Error: either "name" is duplicate, or "type" is a garbage.
Freewill@asus:/jffs/scripts# ip tunnel add name vti1 type vti key 43 172.29.29.5 172.29.29.6
Error: either "name" is duplicate, or "type" is a garbage.
Freewill@asus:/jffs/scripts# ip tunnel add name vti1 type vti key 43 remote 172.29.29.5 local 172.29.29.6
Error: either "name" is duplicate, or "type" is a garbage.
Freewill@asus:/jffs/scripts# ip tunnel add vti1 type vti key 43 remote 172.29.29.5 local 172.29.29.6
Error: either "name" is duplicate, or "type" is a garbage.
Or how can I set up routing using just the ipsec.conf, which appears to work just fine?
YAML:
# This is the config on the Debian server:
# /etc/ipsec.conf
config setup
    charondebug="ike 0, knl 0, cfg 0, net 0, esp 0, dmn 0, mgr 0"

conn AsusToUKsrv
    authby=psk
    leftupdown=/usr/local/sbin/ipsec-notify_asus.sh
    keyexchange=ikev2
    #type=tunnel - does not seem to work with or without this
    left=<MY PUBLIC IP ON SERVER>
    leftsubnet=10.98.195.0/24
    leftid="10.98.195.1"
    right=%any
    rightsubnet=10.99.195.0/24
    rightid="10.99.195.254"
    # "rightcert=never" is not a valid setting (rightcert expects a certificate file);
    # with PSK authentication, leftsendcert=never is the keyword that suppresses certificate exchange
    leftsendcert=never
    mark_in=43
    mark_out=43
    ike=aes256-sha256-modp2048
    dpdtimeout=30s
    dpdaction=clear
    dpddelay=10s
    auto=start

# -----------------------------------------
# /usr/local/sbin/ipsec-notify_asus.sh
#!/bin/bash
set -o nounset
set -o errexit
#VTI_IF="vti${PLUTO_UNIQUEID}"
VTI_IF="vti5"
case "${PLUTO_VERB}" in
    up-client)
        # strongSwan passes the marks as "43/0xffffffff"; the mask is stripped for ip(8)
        ip tunnel add "${VTI_IF}" mode vti \
            local "${PLUTO_ME}" remote "${PLUTO_PEER}" \
            okey "${PLUTO_MARK_OUT%%/*}" ikey "${PLUTO_MARK_IN%%/*}"
        ip link set "${VTI_IF}" up
        # Virtual IP for this end of the interface; the other address of the /30 goes on the other side, e.g. the Sophos tunnel
        ip addr add 172.29.29.5/30 dev "${VTI_IF}"
        # Route (or routes) to the network behind the peer
        ip route add 10.99.195.0/24 dev "${VTI_IF}"
        sysctl -w "net.ipv4.conf.${VTI_IF}.disable_policy=1"
        sysctl -w "net.ipv4.conf.${VTI_IF}.rp_filter=0"
        sysctl -w "net.ipv4.conf.all.rp_filter=0"
        ;;
    down-client)
        # Delete the route added above before removing the device: with errexit,
        # deleting the device first makes the route deletion fail and aborts the script
        ip route del 10.99.195.0/24 dev "${VTI_IF}"
        ip tunnel del "${VTI_IF}"
        ;;
esac
YAML:
# /etc/ipsec.conf - on Asus router
config setup
    charondebug="ike 0, knl 0, cfg 0, net 0, esp 0, dmn 0, mgr 0"

conn AsusToUKsrv
    authby=psk
    leftupdown=/opt/ipsec-notify_asus.sh
    keyexchange=ikev2
    #type=tunnel - does not seem to work with or without this
    right=77.68.115.227
    rightsubnet=10.98.195.0/24
    rightid="10.98.195.1"
    left=%defaultroute
    leftsubnet=10.99.195.0/24
    leftid="10.99.195.254"
    # "leftcert=never" is not a valid setting (leftcert expects a certificate file);
    # with PSK authentication, leftsendcert=never is the keyword that suppresses certificate exchange
    leftsendcert=never
    mark_in=43
    mark_out=43
    ike=aes256-sha256-modp2048
    dpdtimeout=30s
    dpdaction=clear
    dpddelay=10s
    auto=start

# Script for adding the interface when the tunnel is created: /opt/ipsec-notify_asus.sh
#!/bin/sh
# AsusWRT-Merlin ships a BusyBox /bin/sh; bash is only present if installed from Entware, so /bin/sh is used here
# it does not want to add this tunnel when I just run the script
ip tunnel add vti5 mode vti local 172.29.29.6 remote 172.29.29.5 okey 43 ikey 43
ip link set vti5 up
ip addr add 172.29.29.6/30 dev vti5
# Route to the network behind the Debian server: on this router 10.98.195.0/24 is the remote subnet,
# 10.99.195.0/24 is the router's own LAN and must not be routed into the tunnel
ip route add 10.98.195.0/24 dev vti5
# sysctl is used instead of the /proc path, which I did not remember (same settings as in the Debian script)
sysctl -w net.ipv4.conf.vti5.disable_policy=1
sysctl -w net.ipv4.conf.vti5.rp_filter=0
sysctl -w net.ipv4.conf.all.rp_filter=0
Also on both endpoints, server and router, I have added to /etc/strongswan.d/charon.conf
install_routes = no
install_virtual_ip = no
as it did not add any routes anyway before, when it used the default "yes".
This is the output when it connects:
Bash:
initiating IKE_SA asusuk[7] to SERVERIP
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) V ]
sending packet: from 192.168.1.115[500] to SERVERIP[500] (1228 bytes)
received packet: from SERVERIP[500] to 192.168.1.115[500] (472 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
local host is behind NAT, sending keep alives
sending cert request for "C=TW, O=ASUS, CN=ASUS asus Root CA"
authentication of '10.99.195.254' (myself) with pre-shared key
establishing CHILD_SA asusuk{8}
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from 192.168.1.115[4500] to SERVERIP[4500] (416 bytes)
received packet: from SERVERIP[4500] to 192.168.1.115[4500] (304 bytes)
parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
authentication of '10.98.195.1' with pre-shared key successful
received AUTH_LIFETIME of 10166s, scheduling reauthentication in 9626s
peer supports MOBIKE
IKE_SA asusuk[7] established between 192.168.1.115[10.99.195.254]...SERVERIP[10.98.195.1]
reauthentication already scheduled in 9626s
maximum IKE_SA lifetime 10166s
selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
CHILD_SA asusuk{8} established with SPIs c6133650_i cdf4775e_o and TS 10.99.195.0/24 === 10.98.195.0/24
connection 'asusuk' established successfully
I want to be able to access the internal local IP addresses on the Debian server from the network behind the Asus router - there are some docker networks.
I use it for DNS and occasionally to access the internet via proxy when I am not on my home network.
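The up/down hook the post keeps tripping over, written out as an added example (not the poster's script and not part of strongSwan): it strips the mask from PLUTO_MARK_IN/OUT before handing the marks to ip(8), probes the kernel for VTI support so the "Operation not supported" case fails loudly instead of leaving a half-configured tunnel, and deletes the route before the device. VTI_IF, PEER_NET, VTI_ADDR and DRY_RUN are names assumed here; the PLUTO_* variables are the ones strongSwan exports.

```shell
#!/bin/sh
# Added example, not the poster's script: a strongSwan leftupdown hook for a
# route-based (VTI) tunnel. It strips the mask from PLUTO_MARK_IN/OUT, probes
# the kernel for VTI support before use, and tears down in reverse order.
# VTI_IF, PEER_NET, VTI_ADDR and DRY_RUN are names assumed here, not strongSwan's.
VTI_IF="${VTI_IF:-vti5}"
PEER_NET="${PEER_NET:-10.98.195.0/24}"   # subnet behind the remote endpoint
VTI_ADDR="${VTI_ADDR:-172.29.29.6/30}"   # this end's address on the VTI

# DRY_RUN=1 prints the ip/sysctl commands instead of executing them.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# strongSwan exports marks as "43/0xffffffff"; ip(8) wants the bare value.
mark_key() { printf '%s\n' "${1%%/*}"; }

# Create and delete a throw-away VTI; this fails on kernels without ip_vti
# (the same "Operation not supported" seen on the router in the post).
vti_supported() {
  [ "${DRY_RUN:-0}" = 1 ] && return 0
  ip link add vtiprobe0 type vti >/dev/null 2>&1 || return 1
  ip link del vtiprobe0
}

tunnel_up() {  # args: local-ip peer-ip mark_in mark_out
  if ! vti_supported; then
    echo "no VTI support: drop mark_in/mark_out and let charon install routes" >&2
    return 1
  fi
  run ip tunnel add "$VTI_IF" mode vti local "$1" remote "$2" \
    ikey "$(mark_key "$3")" okey "$(mark_key "$4")"
  run ip link set "$VTI_IF" up
  run ip addr add "$VTI_ADDR" dev "$VTI_IF"
  run ip route add "$PEER_NET" dev "$VTI_IF"
  run sysctl -w "net.ipv4.conf.${VTI_IF}.disable_policy=1"
  run sysctl -w "net.ipv4.conf.${VTI_IF}.rp_filter=0"
}

tunnel_down() {
  # Route first, then device: deleting the device first makes the route
  # deletion fail, which aborts a script running under "set -e".
  run ip route del "$PEER_NET" dev "$VTI_IF"
  run ip tunnel del "$VTI_IF"
}

case "${PLUTO_VERB:-}" in
  up-client)   tunnel_up "$PLUTO_ME" "$PLUTO_PEER" "$PLUTO_MARK_IN" "$PLUTO_MARK_OUT" ;;
  down-client) tunnel_down ;;
esac
```

Run it once with DRY_RUN=1 and the PLUTO_* variables set by hand to see exactly which ip commands charon would execute on each endpoint before pointing leftupdown at it.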