glsmith86
Occasional Visitor
- Feb 4, 2024
- #1
Hi All!
I have a Samsung Galaxy S22 Ultra with factory Android 14 and an ASUS RT-AX56U with ASUSWRT-Merlin RT-AX56U 3004.388.6_0 firmware.
I enabled the IPsec VPN server and I can't connect to it.
ipsec.conf file:
conn %default
keyexchange=ikev1
authby=secret
ike=aes256-sha1-modp1024
#Host-to-NET[prof#0]:4>Host-to-Net>null>null>wan>>1>password>null>null>null>null>null>1>10.10.10>null>1>null>null>0>null>null>null>1>>>eap-md5>1>500>4500>10>1>null>null>null>null><<<<>1
conn Host-to-Net
keyexchange=ikev1
left=1.2.3.4
#receive web value#left=
leftsubnet=0.0.0.0/0
leftfirewall=yes
#interface=wan
leftauth=psk
right=%any
rightauth=psk
rightauth2=xauth
#sourceip_en=1
rightsourceip=10.10.10.0/24
rightdns=192.168.1.1
ike=aes256-sha1-modp1024
dpdtimeout=30s
dpdaction=clear
dpddelay=10s
auto=add
#Host-to-NET[prof#1]:4>Host-to-Netv2>null>null>wan>>0>null>null>null>null>null>null>1>10.10.10>null>2>null>null>0>@xxx.asuscomm.com>null>null>0>>>eap-mschapv2>1>500>4500>10>1>null>null>null>null><<<<>1>pubkey>svrCert.pem>always>svrKey.pem>%identity
conn Host-to-Netv2
keyexchange=ikev2
mobike=no
left=1.2.3.4
#receive web value#left=
leftsubnet=0.0.0.0/0
leftfirewall=yes
#interface=wan
leftauth=pubkey
leftid=@xxx.asuscomm.com
leftcert=svrCert.pem
#leftsendcert is the key point for iOS devices
leftsendcert=always
eap_identity=%identity
right=%any
rightauth=eap-mschapv2
#sourceip_en=1
rightsourceip=10.10.10.0/24
rightdns=192.168.1.1
ike=aes256-sha1-modp1024
dpdtimeout=30s
dpdaction=clear
dpddelay=10s
auto=add
I have tried it out on LAN and WAN with the RSA, PSK and MSChapV2 methods; nothing is working.
rung
Regular Contributor
- Feb 4, 2024
- #2
I'm connecting with Android 14 without issue on stock. Only difference I see in the config files is that mine has my explicit wan address instead of the asus ddns address in various locations (config file created automatically from the gui).
glsmith86
Occasional Visitor
- Feb 4, 2024
- #3
rung said:
I'm connecting with Android 14 without issue on stock. Only difference I see in the config files is that mine has my explicit wan address instead of the asus ddns address in various locations (config file created automatically from the gui).
My ISP works with dynamic IP. I masked out my real IP in the config file. What method do you use to connect to the VPN?
rung
Regular Contributor
- Feb 4, 2024
- #4
I just use the client built into Android. Attached is the config screen.
glsmith86
Occasional Visitor
- Feb 5, 2024
- #5
It doesn't seem to be running:
rung
Regular Contributor
- Feb 5, 2024
- #6
What does the vpn log show? Can you share a screenshot of your ipsec config page?
glsmith86
Occasional Visitor
- Feb 5, 2024
- #7
Vpn log:
Feb 5 16:53:08 00[DMN] Starting IKE charon daemon (strongSwan 5.9.8, Linux 4.1.52, armv7l)
Feb 5 16:53:08 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Feb 5 16:53:08 00[CFG] loaded ca certificate "C=TW, O=ASUS, CN=ASUS RT-AX56U Root CA" from '/etc/ipsec.d/cacerts/asusCert.pem'
Feb 5 16:53:08 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Feb 5 16:53:08 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Feb 5 16:53:08 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Feb 5 16:53:08 00[CFG] loading crls from '/etc/ipsec.d/crls'
Feb 5 16:53:08 00[CFG] loading secrets from '/etc/ipsec.secrets'
Feb 5 16:53:08 00[CFG] loaded IKE secret for %any
Feb 5 16:53:08 00[CFG] loaded EAP secret for vpnuser
Feb 5 16:53:09 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/svrKey.pem'
Feb 5 16:53:09 00[CFG] loaded EAP secret for vpnuser
Feb 5 16:53:09 00[LIB] loaded plugins: charon aes des rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem openssl pkcs8 fips-prf curve25519 agent xcbc cmac hmac kdf gcm drbg attr kernel-netlink socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-tls eap-peap xauth-generic counters
Feb 5 16:53:09 00[JOB] spawning 8 worker threads
Feb 5 16:53:09 05[CFG] received stroke: add connection 'Host-to-Net'
Feb 5 16:53:09 05[CFG] adding virtual IP address pool 10.10.10.0/24
Feb 5 16:53:09 05[CFG] added configuration 'Host-to-Net'
Feb 5 16:53:09 07[CFG] received stroke: add connection 'Host-to-Netv2'
Feb 5 16:53:09 07[CFG] reusing virtual IP address pool 10.10.10.0/24
Feb 5 16:53:09 07[CFG] loaded certificate "C=TW, O=ASUS, CN=asdf.asuscomm.com" from 'svrCert.pem'
Feb 5 16:53:09 07[CFG] added configuration 'Host-to-Netv2'
Status of IKE charon daemon (weakSwan 5.9.8, Linux 4.1.52, armv7l):
uptime: 10 minutes, since Feb 05 16:53:09 2024
malloc: sbrk 1216512, mmap 0, used 273096, free 943416
worker threads: 3 of 8 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
loaded plugins: charon aes des rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem openssl pkcs8 fips-prf curve25519 agent xcbc cmac hmac kdf gcm drbg attr kernel-netlink socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-tls eap-peap xauth-generic counters
Virtual IP pools (size/online/offline):
10.10.10.0/24: 254/0/0
Listening IP addresses:
10.40.210.13
123.456.789.000
Connections:
Host-to-Net: 123.456.897.000...%any IKEv1, dpddelay=10s
Host-to-Net: local: [123.456.987.000] uses pre-shared key authentication
Host-to-Net: remote: uses pre-shared key authentication
Host-to-Net: remote: uses XAuth authentication: any
Host-to-Net: child: 0.0.0.0/0 === dynamic TUNNEL, dpdaction=none
Host-to-Netv2: 123.456.987.000...%any IKEv2, dpddelay=10s
Host-to-Netv2: local: [asdf.asuscomm.com] uses public key authentication
Host-to-Netv2: cert: "C=TW, O=ASUS, CN=asdf.asuscomm.com"
Host-to-Netv2: remote: uses EAP_MSCHAPV2 authentication with EAP identity '%any'
Host-to-Netv2: child: 0.0.0.0/0 === dynamic TUNNEL, dpdaction=none
Security Associations (0 up, 0 connecting):
none
Feb 5 17:06:59 00[DMN] +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Feb 5 17:06:59 00[DMN] Starting IKE service (strongSwan 5.9.11, Android 14 - UP1A.231005.007.S908BXXU7DXA6/2024-01-01, SM-S908B - samsung/b0sxeea/samsung, Linux 5.10.177-android12-9-27763393-abS908BXXU7DXA6, aarch64, org.strongswan.android)
Feb 5 17:06:59 00[LIB] providers loaded by OpenSSL: legacy default
Feb 5 17:06:59 00[LIB] loaded plugins: androidbridge charon android-log socket-default openssl nonce pkcs1 pem x509 xcbc kdf revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls
Feb 5 17:06:59 00[JOB] spawning 16 worker threads
Feb 5 17:06:59 07[IKE] initiating IKE_SA android[1] to 192.168.1.1
Feb 5 17:06:59 07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Feb 5 17:06:59 07[NET] sending packet: from 192.168.1.185[46990] to 192.168.1.1[500] (948 bytes)
Feb 5 17:07:01 08[IKE] retransmit 1 of request with message ID 0
Feb 5 17:07:01 08[NET] sending packet: from 192.168.1.185[46990] to 192.168.1.1[500] (948 bytes)
Feb 5 17:07:04 09[IKE] retransmit 2 of request with message ID 0
Feb 5 17:07:04 09[NET] sending packet: from 192.168.1.185[46990] to 192.168.1.1[500] (948 bytes)
Feb 5 17:07:09 04[IKE] retransmit 3 of request with message ID 0
Feb 5 17:07:09 04[NET] sending packet: from 192.168.1.185[46990] to 192.168.1.1[500] (948 bytes)
Feb 5 17:07:15 10[IKE] giving up after 3 retransmits
Feb 5 17:07:15 10[IKE] establishing IKE_SA failed, peer not responding
Feb 5 17:07:15 10[IKE] unable to terminate IKE_SA: ID 1 not found
rung
Regular Contributor
- Feb 5, 2024
- #8
Can you show the vpn log when you attempt to connect from outside your network (from the wan)? There should also be lots of other attempted connections from the Internet there as well (lots of uninvited folks knocking on your door).
glsmith86
Occasional Visitor
- Feb 5, 2024
- #9
strongSwan log when connecting from outside:
Feb 5 19:16:06 00[DMN] +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Feb 5 19:16:06 00[DMN] Starting IKE service (strongSwan 5.9.11, Android 14 - UP1A.231005.007.S908BXXU7DXA6/2024-01-01, SM-S908B - samsung/b0sxeea/samsung, Linux 5.10.177-android12-9-27763393-abS908BXXU7DXA6, aarch64, org.strongswan.android)
Feb 5 19:16:06 00[LIB] providers loaded by OpenSSL: legacy default
Feb 5 19:16:06 00[LIB] loaded plugins: androidbridge charon android-log socket-default openssl nonce pkcs1 pem x509 xcbc kdf revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls
Feb 5 19:16:06 00[JOB] spawning 16 worker threads
Feb 5 19:16:06 12[IKE] initiating IKE_SA android[1] to vpn_ ip
Feb 5 19:16:06 12[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Feb 5 19:16:06 12[NET] sending packet: from mobile_ip[55461] to vpn_ip[500] (948 bytes)
Feb 5 19:16:08 06[IKE] retransmit 1 of request with message ID 0
Feb 5 19:16:08 06[NET] sending packet: from mobile_ip[55461] to vpn_ip[500] (948 bytes)
Feb 5 19:16:11 07[IKE] retransmit 2 of request with message ID 0
Feb 5 19:16:11 07[NET] sending packet: from mobile_ip[55461] to vpn _p[500] (948 bytes)
Feb 5 19:16:16 08[IKE] retransmit 3 of request with message ID 0
Feb 5 19:16:16 08[NET] sending packet: from mobile_ip[55461] to vpn_ip[500] (948 bytes)
Feb 5 19:16:22 13[IKE] giving up after 3 retransmits
Feb 5 19:16:22 13[IKE] establishing IKE_SA failed, peer not responding
Feb 5 19:16:22 15[IKE] unable to terminate IKE_SA: ID 1 not found
Feb 5 19:21:48 ipsec_starter[31351]: Starting weakSwan 5.9.8 IPsec [starter]...
Feb 5 19:21:48 ipsec_starter[31351]: charon is already running (/var/run/charon.pid exists) -- skipping daemon start
Feb 5 19:21:48 ipsec_starter[31351]: starter is already running (/var/run/starter.charon.pid exists) -- no fork done
Feb 5 19:21:48 06[CFG] loading secrets from '/etc/ipsec.secrets'
Feb 5 19:21:48 06[CFG] loaded IKE secret for %any
Feb 5 19:21:48 06[CFG] loaded EAP secret for vpnuser
Feb 5 19:21:49 06[CFG] loaded RSA private key from '/etc/ipsec.d/private/svrKey.pem'
Feb 5 19:21:49 06[CFG] loaded EAP secret for vpnuser
Feb 5 19:21:49 06[CFG] rereading ca certificates from '/etc/ipsec.d/cacerts'
Feb 5 19:21:49 06[CFG] loaded ca certificate "C=TW, O=ASUS, CN=ASUS RT-AX56U Root CA" from '/etc/ipsec.d/cacerts/asusCert.pem'
Feb 5 19:21:49 06[CFG] rereading aa certificates from '/etc/ipsec.d/aacerts'
Feb 5 19:21:49 06[CFG] rereading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Feb 5 19:21:49 06[CFG] rereading attribute certificates from '/etc/ipsec.d/acerts'
Feb 5 19:21:49 06[CFG] rereading crls from '/etc/ipsec.d/crls'
Feb 5 19:21:50 07[CFG] received stroke: delete connection 'Host-to-Net'
Feb 5 19:21:50 07[CFG] deleted connection 'Host-to-Net'
Feb 5 19:21:50 05[CFG] received stroke: delete connection 'Host-to-Netv2'
Feb 5 19:21:50 05[CFG] deleted connection 'Host-to-Netv2'
Feb 5 19:21:50 07[CFG] received stroke: add connection 'Host-to-Net'
Feb 5 19:21:50 07[CFG] reusing virtual IP address pool 10.10.10.0/24
Feb 5 19:21:50 07[CFG] added configuration 'Host-to-Net'
Feb 5 19:21:50 06[CFG] received stroke: add connection 'Host-to-Netv2'
Feb 5 19:21:50 06[CFG] reusing virtual IP address pool 10.10.10.0/24
Feb 5 19:21:50 06[CFG] loaded certificate "C=TW, O=ASUS, CN=asdf.asuscomm.com" from 'svrCert.pem'
Feb 5 19:21:50 06[CFG] added configuration 'Host-to-Netv2'
glsmith86
Occasional Visitor
- Feb 6, 2024
- #11
I changed the loglevel for the charon daemon. This is the first problem:
Feb 6 15:35:22 03[NET] received packet: from mobile_wan_ipv4[36640] to 192.168.1.1[500]
Feb 6 15:35:22 03[NET] received packet from mobile_wan_ipv4[36640] to 192.168.1.1[500] on ignored interface
After this I removed br0 from ignored interfaces. Second problem:
Feb 6 15:38:29 03[CFG] looking for an IKEv2 config for 192.168.1.1...mobile_wan_ipv4
Feb 6 15:38:29 03[CFG] ike config match: 0 (wan_ipv4...%any IKEv1)
Feb 6 15:38:29 03[CFG] ike config match: 0 (wan_ipv4...%any IKEv2)
Feb 6 15:38:29 03[CFG] ike config match: 0 (wan_ipv4...%any IKEv2)
Feb 6 15:38:29 03[IKE] no IKE config found for 192.168.1.1...mobile_wan_ipv4, sending NO_PROPOSAL_CHOSEN
Feb 6 15:38:29 03[ENC] added payload of type NOTIFY to message
Feb 6 15:38:29 03[ENC] order payloads in message
Feb 6 15:38:29 03[ENC] added payload of type NOTIFY to message
Feb 6 15:38:29 03[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
I have done a lot of searching on Google, but I can't find a solution for this problem.
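A small triage script for the two charon messages quoted in this post (added example, not code from the thread, from ASUSWRT-Merlin or from strongSwan; the conn fragment, addresses and log lines are constructed stand-ins for the redacted values):

```python
"""Triage helper for the two charon failures shown in post #11: a packet dropped
on an ignored interface, then 'no IKE config found' because the conn blocks bind
left= to the WAN address while the LAN-side test hits 192.168.1.1.
Added example, not ASUSWRT-Merlin or strongSwan code; sample data is constructed."""
import re

# Constructed ipsec.conf fragment mirroring the thread (203.0.113.10 is a
# documentation-range placeholder for the router's WAN address).
SAMPLE_CONF = """
conn Host-to-Net
left=203.0.113.10
keyexchange=ikev1
conn Host-to-Netv2
left=203.0.113.10
keyexchange=ikev2
"""
# Constructed log lines in stock charon wording; 198.51.100.7 stands in for the phone.
SAMPLE_LOG = [
    "Feb 6 15:35:22 03[NET] received packet from 198.51.100.7[36640] to 192.168.1.1[500] on ignored interface",
    "Feb 6 15:38:29 03[CFG] looking for an IKEv2 config for 192.168.1.1...198.51.100.7",
    "Feb 6 15:38:29 03[IKE] no IKE config found for 192.168.1.1...198.51.100.7, sending NO_PROPOSAL_CHOSEN",
]

IGNORED = re.compile(r"received packet from (\S+)\[\d+\] to (\S+)\[\d+\] on ignored interface")
NO_CONFIG = re.compile(r"no IKE config found for (\S+)\.\.\.(\S+),")

def local_addresses(conf: str) -> set[str]:
    """Every left= value: the only local addresses charon will match a conn against."""
    return set(re.findall(r"^\s*left=(\S+)", conf, flags=re.MULTILINE))

def triage(log_lines, conf: str) -> list[str]:
    """Return one finding per diagnosable log line, in log order."""
    lefts = local_addresses(conf)
    findings = []
    for line in log_lines:
        if m := IGNORED.search(line):
            findings.append(f"ignored-interface: IKE from {m.group(1)} to {m.group(2)} dropped; "
                            "the receiving interface is listed in charon's interfaces_ignore")
        elif m := NO_CONFIG.search(line):
            local, remote = m.groups()
            if local not in lefts and "%any" not in lefts:
                findings.append(f"no-config-match: request addressed to {local}, but every conn "
                                f"has left= in {sorted(lefts)}; a LAN-side test needs a conn "
                                f"whose left= covers {local}")
            else:
                findings.append(f"no-config-match: {local} is configured; compare IKE version "
                                f"and proposals offered by {remote}")
    return findings
```

Running `triage` over a real charon log with the real ipsec.conf separates the interface problem from the address-binding problem, which the second log excerpt above shows surviving after the first was fixed.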
sfx2000
Part of the Furniture
- Feb 6, 2024
- #12
glsmith86 said:
MSChapV2
MSChapV2 has been deprecated for years as it's rather insecure.
glsmith86
Occasional Visitor
- Feb 6, 2024
- #13
sfx2000 said:
MSChapV2 has been deprecated for years as it's rather insecure.
I have 3 options for IPsec on my phone: MSChapV2, PSK and RSA. Which is better?