Can't connect to Microsoft AOVPN when laptop is connected to OpenWrt router

Hey all!
I have been using OpenWrt for a few months now on my PC Engines apu2-based router. And almost everything worked perfectly out of the box! The only thing I can't get working is the "AOVPN" connection from my company laptop to my company network.

The thing is, when I connect through an old DD-WRT-based router the VPN connection works fine. It also works with a phone wifi hotspot.

The router is connected to a modem in "bridge" mode. It gets an external IPv4 address and does IPv6 with prefix delegation and SLAAC.

The VPN is based on Always On VPN with the built-in Windows client. It tries the following strategies:
VpnStrategy = IKEv2, SSTP, PPTP, then L2TP

The connection always fails with the same error:
The user SYSTEM dialed a connection named AO VPN DeviceTunnel which has failed. The error code returned on failure is 809.

Router info:
|Hostname|router|
|Model|PC Engines apu2|
|Architecture|AMD GX-412TC SOC|
|Firmware Version|OpenWrt 21.02.1 r16325-88151b8303 / LuCI openwrt-21.02 branch git-21.295.67054-13df80d|
|Kernel Version|5.4.154|

It seems to be related to traffic over port 500.
Wireshark dump when working:

306	9.743769	x.x.x.x	y.y.y.y	ISAKMP	566	IKE_SA_INIT MID=00 Initiator Request
307	9.750829	y.y.y.y	x.x.x.x	ESP	1490	ESP (SPI=0x38849414)
308	9.751042	y.y.y.y	x.x.x.x	ESP	1490	ESP (SPI=0x38849414)
309	9.751603	y.y.y.y	x.x.x.x	ESP	1490	ESP (SPI=0x38849414)
310	9.751603	y.y.y.y	x.x.x.x	ESP	226	ESP (SPI=0x38849414)
311	9.798604	y.y.y.y	x.x.x.x	ISAKMP	567	IKE_SA_INIT MID=00 Responder Response
312	9.806372	x.x.x.x	y.y.y.y	ISAKMP	622	CREATE_CHILD_SA MID=02 Initiator Request
313	9.815028	x.x.x.x	y.y.y.y	ISAKMP	626	IKE_AUTH MID=01 Initiator Request (fragment 1/4)
314	9.815098	x.x.x.x	y.y.y.y	ISAKMP	626	IKE_AUTH MID=01 Initiator Request (fragment 2/4)
315	9.815146	x.x.x.x	y.y.y.y	ISAKMP	626	IKE_AUTH MID=01 Initiator Request (fragment 3/4)
316	9.815187	x.x.x.x	y.y.y.y	ISAKMP	466	IKE_AUTH MID=01 Initiator Request (fragment 4/4)
317	9.855638	y.y.y.y	x.x.x.x	ISAKMP	622	CREATE_CHILD_SA MID=02 Responder Response
318	9.859813	x.x.x.x	y.y.y.y	ESP	1490	ESP (SPI=0x7b2f77ca)
319	9.878986	y.y.y.y	x.x.x.x	ISAKMP	626	IKE_AUTH MID=01 Responder Response (fragment 1/4)
320	9.879080	y.y.y.y	x.x.x.x	ISAKMP	626	IKE_AUTH MID=01 Responder Response (fragment 2/4)
321	9.879275	y.y.y.y	x.x.x.x	ISAKMP	626	IKE_AUTH MID=01 Responder Response (fragment 3/4)
322	9.879275	y.y.y.y	x.x.x.x	ISAKMP	322	IKE_AUTH MID=01 Responder Response (fragment 4/4)
323	9.907436	y.y.y.y	x.x.x.x	ESP	146	ESP (SPI=0xb4739876)
324	9.939805	x.x.x.x	y.y.y.y	ISAKMP	158	IKE_AUTH MID=02 Initiator Request
325	9.996469	y.y.y.y	x.x.x.x	ISAKMP	126	IKE_AUTH MID=02 Responder Response
326	9.998455	x.x.x.x	y.y.y.y	ISAKMP	302	IKE_AUTH MID=03 Initiator Request
327	10.009664	y.y.y.y	x.x.x.x	ESP	1490	ESP (SPI=0xb4739876)
328	10.009937	x.x.x.x	y.y.y.y	ESP	146	ESP (SPI=0x7b2f77ca)
329	10.048404	y.y.y.y	x.x.x.x	ISAKMP	626	IKE_AUTH MID=03 Responder Response (fragment 1/3)
330	10.048513	y.y.y.y	x.x.x.x	ISAKMP	626	IKE_AUTH MID=03 Responder Response (fragment 2/3)
331	10.048609	y.y.y.y	x.x.x.x	ISAKMP	530	IKE_AUTH MID=03 Responder Response (fragment 3/3)
332	10.050480	x.x.x.x	y.y.y.y	ISAKMP	126	IKE_AUTH MID=04 Initiator Request

I have removed the destination IP address since it's the company's server. All white areas show the same IP. The initial "IKE_SA_INIT" message goes over port 500.

Wireshark dump when connected to OpenWrt:

199	10.466586	x.x.x.x	y.y.y.y	ISAKMP	586	IKE_SA_INIT MID=00 Initiator Request
207	11.475319	x.x.x.x	y.y.y.y	ISAKMP	586	IKE_SA_INIT MID=00 Initiator Request
332	12.487217	x.x.x.x	y.y.y.y	ISAKMP	586	IKE_SA_INIT MID=00 Initiator Request
505	16.905748	x.x.x.x	y.y.y.y	ISAKMP	586	IKE_SA_INIT MID=00 Initiator Request
509	17.914752	x.x.x.x	y.y.y.y	ISAKMP	586	IKE_SA_INIT MID=00 Initiator Request
513	18.915777	x.x.x.x	y.y.y.y	ISAKMP	586	IKE_SA_INIT MID=00 Initiator Request
596	23.212590	x.x.x.x	y.y.y.y	ISAKMP	586	IKE_SA_INIT MID=00 Initiator Request
599	24.214199	x.x.x.x	y.y.y.y	ISAKMP	586	IKE_SA_INIT MID=00 Initiator Request
613	25.217870	x.x.x.x	y.y.y.y	ISAKMP	586	IKE_SA_INIT MID=00 Initiator Request
638	27.093529	x.x.x.x	y.y.y.y	UDPENCAP	43	NAT-keepalive
763	46.095809	x.x.x.x	y.y.y.y	UDPENCAP	43	NAT-keepalive
880	65.105346	x.x.x.x	y.y.y.y	UDPENCAP	43	NAT-keepalive
1013	74.645362	x.x.x.x	y.y.y.y	ISAKMP	126	INFORMATIONAL MID=13 Initiator Request
1270	84.108276	x.x.x.x	y.y.y.y	UDPENCAP	43	NAT-keepalive
2011	103.109724	x.x.x.x	y.y.y.y	UDPENCAP	43	NAT-keepalive
2281	122.112494	x.x.x.x	y.y.y.y	UDPENCAP	43	NAT-keepalive
2848	141.120201	x.x.x.x	y.y.y.y	UDPENCAP	43	NAT-keepalive
2935	148.658359	x.x.x.x	y.y.y.y	ISAKMP	586	IKE_SA_INIT MID=00 Initiator Request
2943	149.659420	x.x.x.x	y.y.y.y	ISAKMP	586	IKE_SA_INIT MID=00 Initiator Request
2949	150.663477	x.x.x.x	y.y.y.y	ISAKMP	586	IKE_SA_INIT MID=00 Initiator Request
3035	154.974540	x.x.x.x	y.y.y.y	ISAKMP	586	IKE_SA_INIT MID=00 Initiator Request
3041	155.986673	x.x.x.x	y.y.y.y	ISAKMP	586	IKE_SA_INIT MID=00 Initiator Request
3050	156.993940	x.x.x.x	y.y.y.y	ISAKMP	586	IKE_SA_INIT MID=00 Initiator Request
3113	160.128933	x.x.x.x	y.y.y.y	UDPENCAP	43	NAT-keepalive
3125	161.318080	x.x.x.x	y.y.y.y	ISAKMP	586	IKE_SA_INIT MID=00 Initiator Request
3154	162.321475	x.x.x.x	y.y.y.y	ISAKMP	586	IKE_SA_INIT MID=00 Initiator Request
3159	163.325411	x.x.x.x	y.y.y.y	ISAKMP	586	IKE_SA_INIT MID=00 Initiator Request

As you can see, there is no response to the request.

The first thing I thought of was the firewall, but there is a rule for port 500:

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

I also read about NAT-T, so I added a rule for port 4500:

config rule
        option name 'Allow-IKEv2'
        list proto 'udp'
        option src 'wan'
        option dest 'lan'
        option dest_port '4500'
        option target 'ACCEPT'

This is a tcpdump for packets using port 500 on the WAN device of the router:

root@router:~# tcpdump -i eth0 port 500
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
13:42:37.220554 IP x-x-x-x.cable.dynamic.v4.ziggo.nl.500 > y-y-y-y.static.lyse.net.500: UDP, length 544
13:42:38.226161 IP x-x-x-x.cable.dynamic.v4.ziggo.nl.500 > y-y-y-y.static.lyse.net.500: UDP, length 544
13:42:39.228298 IP x-x-x-x.cable.dynamic.v4.ziggo.nl.500 > y-y-y-y.static.lyse.net.500: UDP, length 544
13:43:12.680823 IP x-x-x-x.cable.dynamic.v4.ziggo.nl.500 > y-y-y-y.static.lyse.net.500: UDP, length 544
13:43:13.682717 IP x-x-x-x.cable.dynamic.v4.ziggo.nl.500 > y-y-y-y.static.lyse.net.500: UDP, length 544
13:43:14.684892 IP x-x-x-x.cable.dynamic.v4.ziggo.nl.500 > y-y-y-y.static.lyse.net.500: UDP, length 544
13:44:00.229316 IP x-x-x-x.cable.dynamic.v4.ziggo.nl.500 > y-y-y-y.static.lyse.net.500: UDP, length 256
13:44:01.239849 IP x-x-x-x.cable.dynamic.v4.ziggo.nl.500 > y-y-y-y.static.lyse.net.500: UDP, length 256
13:44:02.243529 IP x-x-x-x.cable.dynamic.v4.ziggo.nl.500 > y-y-y-y.static.lyse.net.500: UDP, length 256
13:44:05.249838 IP x-x-x-x.cable.dynamic.v4.ziggo.nl.500 > y-y-y-y.static.lyse.net.500: UDP, length 256
13:52:31.006842 IP x-x-x-x.cable.dynamic.v4.ziggo.nl.500 > y-y-y-y.static.lyse.net.500: UDP, length 544
13:52:32.012716 IP x-x-x-x.cable.dynamic.v4.ziggo.nl.500 > y-y-y-y.static.lyse.net.500: UDP, length 544
13:52:33.012383 IP x-x-x-x.cable.dynamic.v4.ziggo.nl.500 > y-y-y-y.static.lyse.net.500: UDP, length 544
13:52:36.328152 IP x-x-x-x.cable.dynamic.v4.ziggo.nl.500 > y-y-y-y.static.lyse.net.500: UDP, length 544
13:52:37.265658 IP x-x-x-x.cable.dynamic.v4.ziggo.nl.500 > y-y-y-y.static.lyse.net.500: UDP, length 544
13:52:38.274792 IP x-x-x-x.cable.dynamic.v4.ziggo.nl.500 > y-y-y-y.static.lyse.net.500: UDP, length 544
13:52:42.054833 IP x-x-x-x.cable.dynamic.v4.ziggo.nl.500 > y-y-y-y.static.lyse.net.500: UDP, length 544
13:52:43.060575 IP x-x-x-x.cable.dynamic.v4.ziggo.nl.500 > y-y-y-y.static.lyse.net.500: UDP, length 544
13:52:44.060325 IP x-x-x-x.cable.dynamic.v4.ziggo.nl.500 > y-y-y-y.static.lyse.net.500: UDP, length 544

Again only the request, no response. My ISP is Ziggo. x-x-x-x is the client IP, y-y-y-y is the server IP.

Other things I have tried:

  • Disabled "drop invalid packets"
  • Tried software flow offloading
  • Disabled SYN-flood protection
  • Disabled IPv6 on the router (removed the WAN6 interface)
  • Disabled IPv6 on the client interface
  • Forced NAT-T in the Windows registry
  • Reverted to a clean installation of OpenWrt

I spent almost 2 days with our company's IT department but they cannot help me. They have +/- 800 users for whom it just works. I'm out of ideas...

Sorry for the long post. As a new user I can't post screenshots.

Thanks in advance!

Can anyone help me with this?
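A small parser, added here and not part of the original post, that reads the Wireshark summary columns shown above (No., Time, Source, Destination, Protocol, Length, Info) and reports which IKEv2 exchanges never received a responder reply, how often they were retransmitted, and whether the client had already fallen back to NAT-T keepalives on UDP 4500. The sample rows are abbreviated, constructed copies of the two dumps in the post; the regular expression on the Info column is an assumption about Wireshark's ISAKMP summary format.

```python
"""Spot unanswered IKEv2 exchanges in Wireshark summary rows (added example)."""
import re
from collections import defaultdict

# Constructed samples: abbreviated copies of the two tab-separated dumps in the post.
WORKING = (
    "306\t9.743769\tx.x.x.x\ty.y.y.y\tISAKMP\t566\tIKE_SA_INIT MID=00 Initiator Request\n"
    "311\t9.798604\ty.y.y.y\tx.x.x.x\tISAKMP\t567\tIKE_SA_INIT MID=00 Responder Response\n"
    "313\t9.815028\tx.x.x.x\ty.y.y.y\tISAKMP\t626\tIKE_AUTH MID=01 Initiator Request (fragment 1/4)\n"
    "314\t9.815098\tx.x.x.x\ty.y.y.y\tISAKMP\t626\tIKE_AUTH MID=01 Initiator Request (fragment 2/4)\n"
    "319\t9.878986\ty.y.y.y\tx.x.x.x\tISAKMP\t626\tIKE_AUTH MID=01 Responder Response (fragment 1/4)\n"
)
FAILING = (
    "199\t10.466586\tx.x.x.x\ty.y.y.y\tISAKMP\t586\tIKE_SA_INIT MID=00 Initiator Request\n"
    "207\t11.475319\tx.x.x.x\ty.y.y.y\tISAKMP\t586\tIKE_SA_INIT MID=00 Initiator Request\n"
    "332\t12.487217\tx.x.x.x\ty.y.y.y\tISAKMP\t586\tIKE_SA_INIT MID=00 Initiator Request\n"
    "638\t27.093529\tx.x.x.x\ty.y.y.y\tUDPENCAP\t43\tNAT-keepalive\n"
)

# Assumed shape of Wireshark's ISAKMP Info column, e.g. "IKE_SA_INIT MID=00 Initiator Request".
INFO_RE = re.compile(r"^(?P<exch>\w+) MID=(?P<mid>\d+) (?P<role>Initiator|Responder) (?:Request|Response)")

def parse_rows(summary):
    """Yield one dict per well-formed row; short or blank lines are skipped."""
    for line in summary.splitlines():
        parts = line.split("\t")
        if len(parts) < 7:
            continue
        yield {"no": int(parts[0]), "time": float(parts[1]), "src": parts[2],
               "dst": parts[3], "proto": parts[4], "len": int(parts[5]), "info": parts[6]}

def ike_exchange_report(summary):
    """Count requests/responses per (exchange, MID); a fragmented message counts once."""
    requests, responses, keepalives = defaultdict(int), defaultdict(int), 0
    for row in parse_rows(summary):
        if row["proto"] == "UDPENCAP" and "NAT-keepalive" in row["info"]:
            keepalives += 1          # client is already using NAT-T on UDP 4500
            continue
        m = INFO_RE.match(row["info"]) if row["proto"] == "ISAKMP" else None
        if not m or ("fragment" in row["info"] and "(fragment 1/" not in row["info"]):
            continue                 # non-IKE row, or a later fragment of the same message
        key = (m.group("exch"), int(m.group("mid")))
        if m.group("role") == "Initiator":
            requests[key] += 1
        else:
            responses[key] += 1
    return {
        "unanswered": sorted(k for k in requests if responses[k] == 0),
        "retransmits": {k: n - 1 for k, n in requests.items() if n > 1},
        "nat_keepalives": keepalives,
    }
```

Run it on a full "Copy as CSV"-style export of both captures: the working trace yields no unanswered exchanges, while the OpenWrt trace shows IKE_SA_INIT MID=00 retransmitted with no responder reply at all, which narrows the problem to the path of the UDP 500 request rather than to authentication.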

Can't reproduce it, using it to connect to my customer, works like a charm on x86_64 21.02.2.

Thanks for the reply, do you use ipv6?

Not on my LAN, but the laptop could use one anyway...