Hey all!
I have been using OpenWrt for a few months now on my PC Engines apu2 based router. And almost everything worked perfectly out of the box! The only thing I can't get working is the "AOVPN" connection from my company laptop to my company network.
The thing is, I tried connecting through an old DD-WRT based router and then the VPN connection works fine. It also works with a phone wifi hotspot.
The router is connected to a modem in "bridge" mode. It gets an external IPv4 address and does IPv6 with prefix delegation and SLAAC.
The VPN is based on Always On VPN with the built-in Windows client. It tries the following strategies:
VpnStrategy = IKEv2, SSTP, PPTP, then L2TP
The connection always fails with the same error:
The user SYSTEM dialed a connection named AO VPN DeviceTunnel which has failed. The error code returned on failure is 809.
Router info:
|Hostname|router|
|Model|PC Engines apu2|
|Architecture|AMD GX-412TC SOC|
|Firmware Version|OpenWrt 21.02.1 r16325-88151b8303 / LuCI openwrt-21.02 branch git-21.295.67054-13df80d|
|Kernel Version|5.4.154|
It seems to be related to traffic over port 500.
Wireshark dump when working:
```
306 9.743769 x.x.x.x y.y.y.y ISAKMP 566 IKE_SA_INIT MID=00 Initiator Request
307 9.750829 y.y.y.y x.x.x.x ESP 1490 ESP (SPI=0x38849414)
308 9.751042 y.y.y.y x.x.x.x ESP 1490 ESP (SPI=0x38849414)
309 9.751603 y.y.y.y x.x.x.x ESP 1490 ESP (SPI=0x38849414)
310 9.751603 y.y.y.y x.x.x.x ESP 226 ESP (SPI=0x38849414)
311 9.798604 y.y.y.y x.x.x.x ISAKMP 567 IKE_SA_INIT MID=00 Responder Response
312 9.806372 x.x.x.x y.y.y.y ISAKMP 622 CREATE_CHILD_SA MID=02 Initiator Request
313 9.815028 x.x.x.x y.y.y.y ISAKMP 626 IKE_AUTH MID=01 Initiator Request (fragment 1/4)
314 9.815098 x.x.x.x y.y.y.y ISAKMP 626 IKE_AUTH MID=01 Initiator Request (fragment 2/4)
315 9.815146 x.x.x.x y.y.y.y ISAKMP 626 IKE_AUTH MID=01 Initiator Request (fragment 3/4)
316 9.815187 x.x.x.x y.y.y.y ISAKMP 466 IKE_AUTH MID=01 Initiator Request (fragment 4/4)
317 9.855638 y.y.y.y x.x.x.x ISAKMP 622 CREATE_CHILD_SA MID=02 Responder Response
318 9.859813 x.x.x.x y.y.y.y ESP 1490 ESP (SPI=0x7b2f77ca)
319 9.878986 y.y.y.y x.x.x.x ISAKMP 626 IKE_AUTH MID=01 Responder Response (fragment 1/4)
320 9.879080 y.y.y.y x.x.x.x ISAKMP 626 IKE_AUTH MID=01 Responder Response (fragment 2/4)
321 9.879275 y.y.y.y x.x.x.x ISAKMP 626 IKE_AUTH MID=01 Responder Response (fragment 3/4)
322 9.879275 y.y.y.y x.x.x.x ISAKMP 322 IKE_AUTH MID=01 Responder Response (fragment 4/4)
323 9.907436 y.y.y.y x.x.x.x ESP 146 ESP (SPI=0xb4739876)
324 9.939805 x.x.x.x y.y.y.y ISAKMP 158 IKE_AUTH MID=02 Initiator Request
325 9.996469 y.y.y.y x.x.x.x ISAKMP 126 IKE_AUTH MID=02 Responder Response
326 9.998455 x.x.x.x y.y.y.y ISAKMP 302 IKE_AUTH MID=03 Initiator Request
327 10.009664 y.y.y.y x.x.x.x ESP 1490 ESP (SPI=0xb4739876)
328 10.009937 x.x.x.x y.y.y.y ESP 146 ESP (SPI=0x7b2f77ca)
329 10.048404 y.y.y.y x.x.x.x ISAKMP 626 IKE_AUTH MID=03 Responder Response (fragment 1/3)
330 10.048513 y.y.y.y x.x.x.x ISAKMP 626 IKE_AUTH MID=03 Responder Response (fragment 2/3)
331 10.048609 y.y.y.y x.x.x.x ISAKMP 530 IKE_AUTH MID=03 Responder Response (fragment 3/3)
332 10.050480 x.x.x.x y.y.y.y ISAKMP 126 IKE_AUTH MID=04 Initiator Request
```
I have removed the destination IP address since it's the company's server. All white areas show the same IP. The initial "IKE_SA_INIT" message goes over port 500.
Wireshark dump when connected to OpenWrt:
```
199 10.466586 x.x.x.x y.y.y.y ISAKMP 586 IKE_SA_INIT MID=00 Initiator Request
207 11.475319 x.x.x.x y.y.y.y ISAKMP 586 IKE_SA_INIT MID=00 Initiator Request
332 12.487217 x.x.x.x y.y.y.y ISAKMP 586 IKE_SA_INIT MID=00 Initiator Request
505 16.905748 x.x.x.x y.y.y.y ISAKMP 586 IKE_SA_INIT MID=00 Initiator Request
509 17.914752 x.x.x.x y.y.y.y ISAKMP 586 IKE_SA_INIT MID=00 Initiator Request
513 18.915777 x.x.x.x y.y.y.y ISAKMP 586 IKE_SA_INIT MID=00 Initiator Request
596 23.212590 x.x.x.x y.y.y.y ISAKMP 586 IKE_SA_INIT MID=00 Initiator Request
599 24.214199 x.x.x.x y.y.y.y ISAKMP 586 IKE_SA_INIT MID=00 Initiator Request
613 25.217870 x.x.x.x y.y.y.y ISAKMP 586 IKE_SA_INIT MID=00 Initiator Request
638 27.093529 x.x.x.x y.y.y.y UDPENCAP 43 NAT-keepalive
763 46.095809 x.x.x.x y.y.y.y UDPENCAP 43 NAT-keepalive
880 65.105346 x.x.x.x y.y.y.y UDPENCAP 43 NAT-keepalive
1013 74.645362 x.x.x.x y.y.y.y ISAKMP 126 INFORMATIONAL MID=13 Initiator Request
1270 84.108276 x.x.x.x y.y.y.y UDPENCAP 43 NAT-keepalive
2011 103.109724 x.x.x.x y.y.y.y UDPENCAP 43 NAT-keepalive
2281 122.112494 x.x.x.x y.y.y.y UDPENCAP 43 NAT-keepalive
2848 141.120201 x.x.x.x y.y.y.y UDPENCAP 43 NAT-keepalive
2935 148.658359 x.x.x.x y.y.y.y ISAKMP 586 IKE_SA_INIT MID=00 Initiator Request
2943 149.659420 x.x.x.x y.y.y.y ISAKMP 586 IKE_SA_INIT MID=00 Initiator Request
2949 150.663477 x.x.x.x y.y.y.y ISAKMP 586 IKE_SA_INIT MID=00 Initiator Request
3035 154.974540 x.x.x.x y.y.y.y ISAKMP 586 IKE_SA_INIT MID=00 Initiator Request
3041 155.986673 x.x.x.x y.y.y.y ISAKMP 586 IKE_SA_INIT MID=00 Initiator Request
3050 156.993940 x.x.x.x y.y.y.y ISAKMP 586 IKE_SA_INIT MID=00 Initiator Request
3113 160.128933 x.x.x.x y.y.y.y UDPENCAP 43 NAT-keepalive
3125 161.318080 x.x.x.x y.y.y.y ISAKMP 586 IKE_SA_INIT MID=00 Initiator Request
3154 162.321475 x.x.x.x y.y.y.y ISAKMP 586 IKE_SA_INIT MID=00 Initiator Request
3159 163.325411 x.x.x.x y.y.y.y ISAKMP 586 IKE_SA_INIT MID=00 Initiator Request
```
As you can see, there is no response to the request.
The first thing I thought of was the firewall, but there is a rule for port 500:
```
config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
```
I also read about NAT-T, so I added a rule for port 4500:
```
config rule
	option name 'Allow-IKEv2'
	list proto 'udp'
	option src 'wan'
	option dest 'lan'
	option dest_port '4500'
	option target 'ACCEPT'
```
This is a tcpdump for packets using port 500 on the WAN device of the router:
```
root@router:~# tcpdump -i eth0 port 500
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
13:42:37.220554 IP x-x-x-x.cable.dynamic.v4.ziggo.nl.500 > y-y-y-y.static.lyse.net.500: UDP, length 544
13:42:38.226161 IP x-x-x-x.cable.dynamic.v4.ziggo.nl.500 > y-y-y-y.static.lyse.net.500: UDP, length 544
13:42:39.228298 IP x-x-x-x.cable.dynamic.v4.ziggo.nl.500 > y-y-y-y.static.lyse.net.500: UDP, length 544
13:43:12.680823 IP x-x-x-x.cable.dynamic.v4.ziggo.nl.500 > y-y-y-y.static.lyse.net.500: UDP, length 544
13:43:13.682717 IP x-x-x-x.cable.dynamic.v4.ziggo.nl.500 > y-y-y-y.static.lyse.net.500: UDP, length 544
13:43:14.684892 IP x-x-x-x.cable.dynamic.v4.ziggo.nl.500 > y-y-y-y.static.lyse.net.500: UDP, length 544
13:44:00.229316 IP x-x-x-x.cable.dynamic.v4.ziggo.nl.500 > y-y-y-y.static.lyse.net.500: UDP, length 256
13:44:01.239849 IP x-x-x-x.cable.dynamic.v4.ziggo.nl.500 > y-y-y-y.static.lyse.net.500: UDP, length 256
13:44:02.243529 IP x-x-x-x.cable.dynamic.v4.ziggo.nl.500 > y-y-y-y.static.lyse.net.500: UDP, length 256
13:44:05.249838 IP x-x-x-x.cable.dynamic.v4.ziggo.nl.500 > y-y-y-y.static.lyse.net.500: UDP, length 256
13:52:31.006842 IP x-x-x-x.cable.dynamic.v4.ziggo.nl.500 > y-y-y-y.static.lyse.net.500: UDP, length 544
13:52:32.012716 IP x-x-x-x.cable.dynamic.v4.ziggo.nl.500 > y-y-y-y.static.lyse.net.500: UDP, length 544
13:52:33.012383 IP x-x-x-x.cable.dynamic.v4.ziggo.nl.500 > y-y-y-y.static.lyse.net.500: UDP, length 544
13:52:36.328152 IP x-x-x-x.cable.dynamic.v4.ziggo.nl.500 > y-y-y-y.static.lyse.net.500: UDP, length 544
13:52:37.265658 IP x-x-x-x.cable.dynamic.v4.ziggo.nl.500 > y-y-y-y.static.lyse.net.500: UDP, length 544
13:52:38.274792 IP x-x-x-x.cable.dynamic.v4.ziggo.nl.500 > y-y-y-y.static.lyse.net.500: UDP, length 544
13:52:42.054833 IP x-x-x-x.cable.dynamic.v4.ziggo.nl.500 > y-y-y-y.static.lyse.net.500: UDP, length 544
13:52:43.060575 IP x-x-x-x.cable.dynamic.v4.ziggo.nl.500 > y-y-y-y.static.lyse.net.500: UDP, length 544
13:52:44.060325 IP x-x-x-x.cable.dynamic.v4.ziggo.nl.500 > y-y-y-y.static.lyse.net.500: UDP, length 544
```
Again only the request, no response. My ISP is Ziggo. x-x-x-x is the client IP, y-y-y-y is the server IP.
Other things I have tried:
- Disabled "drop invalid packets"
- Tried software flow offloading
- Disabled SYN-flood protection
- Disabled IPv6 on the router (removed the WAN6 interface)
- Disabled IPv6 on the client interface
- Forced NAT-T in the Windows registry
- Reverted to a clean installation of OpenWrt
I spent almost 2 days with our company's IT department but they cannot help me. They have +/- 800 users where it just works. I'm out of ideas...
Sorry for the long post. As a new user I can't post screenshots.
Thanks in advance!
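The two captures quoted in the post can be compared mechanically instead of by eye. The script below is an added example, not code from the original post or from OpenWrt: it parses the Wireshark summary columns the post shows (No. Time Source Destination Protocol Length Info), counts IKE_SA_INIT and IKE_AUTH exchanges per direction, groups the client's one-second retransmits into connection attempts, and reports at which stage the handshake stalls. The embedded sample lines are excerpts of the two captures above; the client address `x.x.x.x` is passed in as an argument, and the 2-second gap used to separate attempts is an assumption of the example.

```python
"""Locate where an IKEv2 handshake stalls, from Wireshark summary lines."""
import re
from dataclasses import dataclass, field

# One Wireshark summary line: No. Time Source Destination Protocol Length Info
LINE_RE = re.compile(
    r"^\s*(?P<no>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<proto>\S+)\s+(?P<len>\d+)\s+(?P<info>.*)$"
)
MID_RE = re.compile(r"MID=(\d+)")

# Excerpt of the working capture (DD-WRT / hotspot) quoted in the post
WORKING = """\
306 9.743769 x.x.x.x y.y.y.y ISAKMP 566 IKE_SA_INIT MID=00 Initiator Request
307 9.750829 y.y.y.y x.x.x.x ESP 1490 ESP (SPI=0x38849414)
311 9.798604 y.y.y.y x.x.x.x ISAKMP 567 IKE_SA_INIT MID=00 Responder Response
313 9.815028 x.x.x.x y.y.y.y ISAKMP 626 IKE_AUTH MID=01 Initiator Request (fragment 1/4)
314 9.815098 x.x.x.x y.y.y.y ISAKMP 626 IKE_AUTH MID=01 Initiator Request (fragment 2/4)
319 9.878986 y.y.y.y x.x.x.x ISAKMP 626 IKE_AUTH MID=01 Responder Response (fragment 1/4)
324 9.939805 x.x.x.x y.y.y.y ISAKMP 158 IKE_AUTH MID=02 Initiator Request
325 9.996469 y.y.y.y x.x.x.x ISAKMP 126 IKE_AUTH MID=02 Responder Response
328 10.009937 x.x.x.x y.y.y.y ESP 146 ESP (SPI=0x7b2f77ca)
"""

# Excerpt of the failing capture (behind OpenWrt) quoted in the post
FAILING = """\
199 10.466586 x.x.x.x y.y.y.y ISAKMP 586 IKE_SA_INIT MID=00 Initiator Request
207 11.475319 x.x.x.x y.y.y.y ISAKMP 586 IKE_SA_INIT MID=00 Initiator Request
332 12.487217 x.x.x.x y.y.y.y ISAKMP 586 IKE_SA_INIT MID=00 Initiator Request
505 16.905748 x.x.x.x y.y.y.y ISAKMP 586 IKE_SA_INIT MID=00 Initiator Request
509 17.914752 x.x.x.x y.y.y.y ISAKMP 586 IKE_SA_INIT MID=00 Initiator Request
513 18.915777 x.x.x.x y.y.y.y ISAKMP 586 IKE_SA_INIT MID=00 Initiator Request
638 27.093529 x.x.x.x y.y.y.y UDPENCAP 43 NAT-keepalive
1013 74.645362 x.x.x.x y.y.y.y ISAKMP 126 INFORMATIONAL MID=13 Initiator Request
"""


@dataclass
class IkeSummary:
    init_requests: int = 0          # IKE_SA_INIT sent by the client
    init_responses: int = 0         # IKE_SA_INIT answered by the gateway
    auth_request_mids: set = field(default_factory=set)   # IKE_AUTH message IDs sent
    auth_response_mids: set = field(default_factory=set)  # IKE_AUTH message IDs answered
    nat_keepalives: int = 0         # NAT-T keepalives on UDP/4500 (client is using NAT-T)
    esp_in: int = 0                 # ESP packets received from the gateway
    attempts: list = field(default_factory=list)  # bursts of IKE_SA_INIT retransmits


def summarize(text, client):
    """Walk the summary lines; `client` is the initiator's address as printed."""
    s = IkeSummary()
    last_init = None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a summary line (e.g. a heading); skip it
        t, proto, info = float(m["time"]), m["proto"], m["info"]
        outbound = m["src"] == client
        mid = MID_RE.search(info)
        if proto == "ISAKMP" and info.startswith("IKE_SA_INIT"):
            if outbound and "Initiator Request" in info:
                s.init_requests += 1
                # Retransmits arrive about once per second; a gap over 2 s (assumed) is a new attempt
                if last_init is None or t - last_init > 2.0:
                    s.attempts.append([t])
                else:
                    s.attempts[-1].append(t)
                last_init = t
            elif not outbound and "Responder Response" in info:
                s.init_responses += 1
        elif proto == "ISAKMP" and info.startswith("IKE_AUTH") and mid:
            # Count message IDs, not fragments, so a 4-fragment request is one exchange
            (s.auth_request_mids if outbound else s.auth_response_mids).add(mid.group(1))
        elif proto == "UDPENCAP" and "NAT-keepalive" in info:
            s.nat_keepalives += 1
        elif proto == "ESP" and not outbound:
            s.esp_in += 1
    return s


def diagnose(s):
    """Return (code, explanation) describing the stage at which the handshake stalls."""
    if s.init_requests == 0:
        return "NO_IKE", "no IKE_SA_INIT from the client at all; the problem is on the client side"
    if s.init_responses == 0:
        return "NO_SA_INIT_RESPONSE", (
            f"{s.init_requests} IKE_SA_INIT requests in {len(s.attempts)} attempts, none answered: "
            "the failure is before authentication, so check the UDP/500 path "
            "(NAT, conntrack, upstream filtering) rather than credentials or certificates"
        )
    unanswered = s.auth_request_mids - s.auth_response_mids
    if unanswered:
        return "NO_AUTH_RESPONSE", f"IKE_AUTH MID(s) {sorted(unanswered)} got no response"
    return "OK", f"IKE_SA_INIT and IKE_AUTH completed, {s.esp_in} ESP packets received"


if __name__ == "__main__":
    for name, cap in (("working", WORKING), ("openwrt", FAILING)):
        code, why = diagnose(summarize(cap, "x.x.x.x"))
        print(f"{name}: {code} - {why}")
```

Run against a full export (File > Export Packet Dissections > As Plain Text in Wireshark, or `tshark -r capture.pcap` which prints the same columns) the "NO_SA_INIT_RESPONSE" verdict is the one that matters here: it says the gateway's reply never reached the client, which is a different problem from an IKE_AUTH failure and is worth stating precisely when asking an IT department to look at their side.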