IPSec IKEv2 Client to VPN service

I am an absolute beginner in OpenWrt and strongSwan. I am trying to configure an IPsec IKEv2 client to the VPN service Perfect Privacy. Unfortunately, so far without success.

My installed strongSwan packages on an Asus AC56U running OpenWrt 18.06.2:

root@OpenWrt:~# opkg update
root@OpenWrt:~# opkg install strongswan-default strongswan-mod-md4 strongswan-mod-openssl strongswan-mod-uci strongswan-mod-eap-mschapv2 strongswan-mod-eap-identity

root@OpenWrt:~# cat /etc/ipsec.conf:

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        # strictcrlpolicy=yes
        # uniqueids = no

# Add connections here.

# Sample VPN connections

#conn sample-self-signed
#      leftsubnet=10.1.0.0/16
#      leftcert=selfCert.der
#      leftsendcert=never
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightcert=peerCert.der
#      auto=start

#conn sample-with-ca-cert
#      leftsubnet=10.1.0.0/16
#      leftcert=myCert.pem
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightid="C=CH, O=Linux strongSwan CN=peer name"
#      auto=start

# Client-side IKEv2 tunnel to the Perfect Privacy gateway. The router is the
# initiator: auto=add only loads the connection, it is brought up by hand
# with 'ipsec up PP-VPN'.
conn PP-VPN
        keyexchange=ikev2
        # Dead peer detection every 300s; on peer loss the SA is cleared, not
        # restarted. NOTE(review): with rightsubnet=0.0.0.0/0 a cleared SA
        # presumably lets later LAN traffic leave unprotected via the default
        # route unless a firewall rule blocks it -- confirm, and consider
        # dpdaction=restart plus a block rule as a kill switch.
        dpdaction=clear
        dpddelay=300s
        # This side never initiates rekeying (the peer still may).
        rekey=no
        # EAP identity sent to the gateway; its password comes from
        # /etc/ipsec.secrets ('username : EAP "password"').
        eap_identity=username
        compress=no
        # AES-256 with SHA-1 HMAC for ESP and IKE, ECP-521 DH group for IKE.
        # NOTE(review): SHA-1 is only the integrity/PRF algorithm here, but
        # sha256 or an AEAD suite such as aes256gcm16 is preferable if the
        # gateway accepts it -- confirm against the provider's offered proposals.
        esp=aes256-sha1
        ike=aes256-sha1-ecp521
        # The client authenticates with EAP-MSCHAPv2 (username/password) ...
        leftauth=eap-mschapv2
        left=%defaultroute
        # ... and requests a virtual IP and DNS from the gateway via IKE
        # configuration payloads (CPRQ(ADDR DNS) in the IKE_AUTH request).
        leftsourceip=%config
        right=85.17.28.145
        # ... while the gateway must authenticate with a certificate.
        rightauth=pubkey
        # Full tunnel: all IPv4 traffic is routed through the VPN.
        rightsubnet=0.0.0.0/0
        # NOTE(review): rightid=%any does not pin the gateway identity, and
        # rightcert names a file whose certificate is the provider CA (the
        # daemon log reports "loaded certificate ... CN=Perfect Privacy IPSEC CA"
        # and then defaults the id to that DN). rightcert is meant for the
        # peer's own end-entity certificate; a CA certificate normally goes into
        # /etc/ipsec.d/cacerts/ (or is referenced via rightca) with rightid set
        # to the gateway's identity -- confirm the expected values against the
        # provider's documentation.
        rightid=%any
        rightcert=/etc/ipsec.d/certs/perfect-privacy_ipsec_ca.pem
        type=tunnel
        auto=add

root@OpenWrt:~# cat /etc/ipsec.secrets:

# /etc/ipsec.secrets - strongSwan IPsec secrets file
# EAP credential for the PP-VPN connection: the identity before the colon is
# the one looked up for eap_identity in ipsec.conf (the daemon logs
# "loaded EAP secret for <identity>" at start-up). The password is stored in
# clear text, so keep this file readable by root only.
username : EAP "password"

root@OpenWrt:~# cat /etc/config/firewall:

config defaults
        option syn_flood        1
        option input            ACCEPT
        option output           ACCEPT
        option forward          REJECT
# Uncomment this line to disable ipv6 rules
#       option disable_ipv6     1

config zone
        option name             lan
        list   network          'lan'
        option input            ACCEPT
        option output           ACCEPT
        option forward          ACCEPT

config zone
        option name             wan
        list   network          'wan'
        list   network          'wan6'
        option input            REJECT
        option output           ACCEPT
        option forward          REJECT
        option masq             1
        option mtu_fix          1

config forwarding
        option src              lan
        option dest             wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
        option name             Allow-DHCP-Renew
        option src              wan
        option proto            udp
        option dest_port        68
        option target           ACCEPT
        option family           ipv4

# Allow IPv4 ping
config rule
        option name             Allow-Ping
        option src              wan
        option proto            icmp
        option icmp_type        echo-request
        option family           ipv4
        option target           ACCEPT

config rule
        option name             Allow-IGMP
        option src              wan
        option proto            igmp
        option family           ipv4
        option target           ACCEPT

# Allow DHCPv6 replies
# see https://dev.openwrt.org/ticket/10381
config rule
        option name             Allow-DHCPv6
        option src              wan
        option proto            udp
        option src_ip           fc00::/6
        option dest_ip          fc00::/6
        option dest_port        546
        option family           ipv6
        option target           ACCEPT

config rule
        option name             Allow-MLD
        option src              wan
        option proto            icmp
        option src_ip           fe80::/10
        list icmp_type          '130/0'
        list icmp_type          '131/0'
        list icmp_type          '132/0'
        list icmp_type          '143/0'
        option family           ipv6
        option target           ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
        option name             Allow-ICMPv6-Input
        option src              wan
        option proto            icmp
        list icmp_type          echo-request
        list icmp_type          echo-reply
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        list icmp_type          router-solicitation
        list icmp_type          neighbour-solicitation
        list icmp_type          router-advertisement
        list icmp_type          neighbour-advertisement
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
        option name             Allow-ICMPv6-Forward
        option src              wan
        option dest             *
        option proto            icmp
        list icmp_type          echo-request
        list icmp_type          echo-reply
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

# allow incoming IPsec connections
config rule
        option name             Allow-IPSec-ESP
        option src              wan
        option proto            esp
        option target           ACCEPT

config rule
        option name             Allow-IPSec-IKE
        option src              wan
        option dest_port        500
        option proto            udp
        option target           ACCEPT

config rule
        option name             Allow-IPSec-NAT-T
        option src              wan
        option proto            udp
        option dest_port        4500
        option target           ACCEPT

# include a file with users custom iptables rules
config include
        option path /etc/firewall.user


### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
#       option src              lan
#       option src_ip   192.168.45.2
#       option dest             wan
#       option proto    tcp
#       option target   REJECT

# block a specific mac on wan
#config rule
#       option dest             wan
#       option src_mac  00:11:22:33:44:66
#       option target   REJECT

# block incoming ICMP traffic on a zone
#config rule
#       option src              lan
#       option proto    ICMP
#       option target   DROP

# port redirect port coming in on wan to lan
#config redirect
#       option src                      wan
#       option src_dport        80
#       option dest                     lan
#       option dest_ip          192.168.16.235
#       option dest_port        80
#       option proto            tcp

# port redirect of remapped ssh port (22001) on wan
#config redirect
#       option src              wan
#       option src_dport        22001
#       option dest             lan
#       option dest_port        22
#       option proto            tcp

### FULL CONFIG SECTIONS
#config rule
#       option src              lan
#       option src_ip   192.168.45.2
#       option src_mac  00:11:22:33:44:55
#       option src_port 80
#       option dest             wan
#       option dest_ip  194.25.2.129
#       option dest_port        120
#       option proto    tcp
#       option target   REJECT

#config redirect
#       option src              lan
#       option src_ip   192.168.45.2
#       option src_mac  00:11:22:33:44:55
#       option src_port         1024
#       option src_dport        80
#       option dest_ip  194.25.2.129
#       option dest_port        120
#       option proto    tcp

root@OpenWrt:~# ipsec up PP-VPN:

initiating IKE_SA PP-VPN[1] to 85.17.28.145
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 178.202.90.17[500] to 85.17.28.145[500] (802 bytes)
received packet: from 85.17.28.145[500] to 178.202.90.17[500] (357 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
received cert request for "C=CH, ST=Zug, L=Zug, O=Perfect Privacy, CN=Perfect Privacy IPSEC CA, E=admin@perfect-privacy.com"
sending cert request for "C=CH, ST=Zug, L=Zug, O=Perfect Privacy, CN=Perfect Privacy IPSEC CA, E=admin@perfect-privacy.com"
no IDi configured, fall back on IP address
establishing CHILD_SA PP-VPN{1}
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from 178.202.90.17[4500] to 85.17.28.145[4500] (577 bytes)
received packet: from 85.17.28.145[4500] to 178.202.90.17[4500] (65 bytes)
parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
received AUTHENTICATION_FAILED notify error
establishing connection 'PP-VPN' failed

I hope you can help me.

Thanks and Regards,
Bernd

Does nobody have an idea?

How can I register at wiki.strongswan.org? I have already been waiting a week for my account to be activated.

I have now installed strongswan-full.

Configuration:

# Second attempt at the client-side IKEv2 tunnel (after installing
# strongswan-full). Still initiator role: auto=add loads the connection,
# 'ipsec up PP-VPN' starts it.
conn PP-VPN
        keyexchange=ikev2
        # Dead peer detection every 300s; on peer loss the SA is cleared rather
        # than restarted. NOTE(review): with rightsubnet=0.0.0.0/0 a cleared SA
        # presumably lets later traffic leave unprotected unless a firewall rule
        # blocks it -- confirm, and consider dpdaction=restart plus a block rule.
        dpdaction=clear
        dpddelay=300s
        rekey=no
        # EAP identity (shown here as a placeholder). The matching
        # 'USERNAME : EAP "..."' entry in /etc/ipsec.secrets is what the daemon
        # log reports as "loaded EAP secret for USERNAME".
        eap_identity="USERNAME"
        compress=no
        # AES-256 with SHA-1 HMAC; IKE now uses the curve25519 DH group.
        # NOTE(review): sha256 or an AEAD suite (aes256gcm16) is preferable to
        # SHA-1 if the gateway offers it -- confirm against its proposals.
        esp=aes256-sha1
        ike=aes256-sha1-curve25519
        # Client: EAP-MSCHAPv2, default-route interface, virtual IP/DNS from
        # the gateway via configuration payloads.
        leftauth=eap-mschapv2
        left=%defaultroute
        leftsourceip=%config
        # Gateway given by hostname; the log shows it resolving to 85.17.28.145.
        right=amsterdam1.perfect-privacy.com
        # Gateway authenticates with a certificate; full IPv4 tunnel.
        rightauth=pubkey
        rightsubnet=0.0.0.0/0
        # NOTE(review): this DN is the issuing CA's subject (identical to the
        # CERTREQ in the log), not the gateway's own identity, and rightcert
        # still points at the CA certificate file. The IDr sent in IKE_AUTH
        # therefore names the CA; the gateway's immediate AUTHENTICATION_FAILED
        # is consistent with it rejecting that IDr, though the log does not
        # prove the cause. Confirm the gateway identity with the provider and
        # place the CA certificate in /etc/ipsec.d/cacerts/ (or reference it via
        # rightca) instead of rightcert.
        rightid="C=CH, ST=Zug, L=Zug, O=Perfect Privacy, CN=Perfect Privacy IPSEC CA, E=admin@perfect-privacy.com"
        rightcert=/etc/ipsec.d/certs/perfect-privacy_ipsec_ca.pem
        type=tunnel
        auto=add

In "/etc/config/firewall" I added:

# Firewall zone for the tunnel. NOTE(review): 'option network ipsec' refers to
# an interface named 'ipsec' in /etc/config/network, which is not shown in this
# thread; if no such interface exists the zone matches nothing -- confirm.
config zone
	option forward REJECT
	option name vpn
	option output ACCEPT
	option network ipsec
	option input ACCEPT

# Inbound ESP, IKE (udp/500), NAT-T (udp/4500) and AH accepts from wan.
# NOTE(review): the first three duplicate the Allow-IPSec-* rules already
# present in the /etc/config/firewall shown earlier in the thread, and for a
# client that initiates the tunnel the gateway's replies already match the
# outbound connection state, so these inbound accepts presumably widen the wan
# exposure without being needed -- confirm before keeping them. They also
# carry no 'option name', which makes them hard to identify in the generated
# rule set.
config rule
	option src wan
	option proto esp
	option target ACCEPT

config rule
	option src wan
	option dest_port 500
	option proto udp
	option target ACCEPT

config rule
	option target ACCEPT
	option src wan
	option proto udp
	option dest_port 4500

config rule
	option target ACCEPT
	option src wan
	option proto ah

# Zone forwardings: vpn->lan, vpn->wan and lan->vpn.
# NOTE(review): vpn->lan lets traffic arriving through the tunnel reach LAN
# hosts; for an outbound-only VPN client that is a broad grant -- confirm it is
# intended.
config forwarding
	option dest lan
	option src vpn

config forwarding
	option dest wan
	option src vpn

config forwarding
	option dest vpn
	option src lan
Here is the output:

root@OpenWrt:~# ipsec up PP-VPN
initiating IKE_SA PP-VPN[1] to 85.17.28.145
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 109.91.77.56[500] to 85.17.28.145[500] (1068 bytes)
received packet: from 85.17.28.145[500] to 109.91.77.56[500] (265 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
received cert request for "C=CH, ST=Zug, L=Zug, O=Perfect Privacy, CN=Perfect Privacy IPSEC CA, E=admin@perfect-privacy.com"
sending cert request for "C=CH, ST=Zug, L=Zug, O=Perfect Privacy, CN=Perfect Privacy IPSEC CA, E=admin@perfect-privacy.com"
no IDi configured, fall back on IP address
establishing CHILD_SA PP-VPN{1}
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from 109.91.77.56[4500] to 85.17.28.145[4500] (577 bytes)
received packet: from 85.17.28.145[4500] to 109.91.77.56[4500] (65 bytes)
parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
received AUTHENTICATION_FAILED notify error
establishing connection 'PP-VPN' failed

System log:

authpriv.info ipsec_starter[3710]: Starting strongSwan 5.6.3 IPsec [starter]...
authpriv.info ipsec_starter[3710]: charon is already running (/var/run/charon.pid exists) -- skipping daemon start
daemon.err modprobe: ah4 is already loaded
daemon.err modprobe: esp4 is already loaded
daemon.err modprobe: ipcomp is already loaded
daemon.err modprobe: xfrm4_tunnel is already loaded
daemon.err modprobe: xfrm_user is already loaded
authpriv.info ipsec_starter[3710]: starter is already running (/var/run/starter.charon.pid exists) -- no fork done
authpriv.info ipsec_starter[3740]: Starting strongSwan 5.6.3 IPsec [starter]...
authpriv.info ipsec_starter[3740]: charon is already running (/var/run/charon.pid exists) -- skipping daemon start
daemon.err modprobe: ah4 is already loaded
daemon.err modprobe: esp4 is already loaded
daemon.err modprobe: ipcomp is already loaded
daemon.err modprobe: xfrm4_tunnel is already loaded
daemon.err modprobe: xfrm_user is already loaded
authpriv.info ipsec_starter[3740]: starter is already running (/var/run/starter.charon.pid exists) -- no fork done
authpriv.info ipsec_starter[3767]: Starting strongSwan 5.6.3 IPsec [starter]...
authpriv.info ipsec_starter[3767]: charon is already running (/var/run/charon.pid exists) -- skipping daemon start
daemon.err modprobe: ah4 is already loaded
daemon.err modprobe: esp4 is already loaded
daemon.err modprobe: ipcomp is already loaded
daemon.err modprobe: xfrm4_tunnel is already loaded
daemon.err modprobe: xfrm_user is already loaded
authpriv.info ipsec_starter[3767]: starter is already running (/var/run/starter.charon.pid exists) -- no fork done
daemon.info procd: Instance ipsec::instance1 s in a crash loop 6 crashes, 0 seconds since last crash
daemon.info : 00[DMN] signal of type SIGINT received. Shutting down
authpriv.info ipsec_starter[3450]: charon stopped after 200 ms
authpriv.info ipsec_starter[3450]: ipsec starter stopped
authpriv.info ipsec_starter[4653]: Starting strongSwan 5.6.3 IPsec [starter]...
daemon.err modprobe: ah4 is already loaded
daemon.err modprobe: esp4 is already loaded
daemon.err modprobe: ipcomp is already loaded
daemon.err modprobe: xfrm4_tunnel is already loaded
daemon.err modprobe: xfrm_user is already loaded
daemon.info : 00[DMN] Starting IKE charon daemon (strongSwan 5.6.3, Linux 4.14.95, armv7l)
daemon.info : 00[CFG] PKCS11 module '<name>' lacks library path
daemon.info : 00[LIB] curl SSL backend 'mbedTLS/2.16.1' not supported, https:// disabled
daemon.info : 00[CFG] disabling load-tester plugin, not configured
daemon.info : 00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL
daemon.info : 00[LIB] plugin 'uci' failed to load: Error relocating /usr/lib/ipsec/plugins/libstrongswan-uci.so: uci_lookup: symbol not found
daemon.info : 00[CFG] attr-sql plugin: database URI not set
daemon.info : 00[NET] using forecast interface br-lan
daemon.info : 00[CFG] joining forecast multicast groups: 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250
daemon.info : 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
daemon.info : 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
daemon.info : 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
daemon.info : 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
daemon.info : 00[CFG] loading crls from '/etc/ipsec.d/crls'
daemon.info : 00[CFG] loading secrets from '/etc/ipsec.secrets'
daemon.info : 00[CFG]   loaded EAP secret for USERNAME
daemon.info : 00[CFG] sql plugin: database URI not set
daemon.info : 00[CFG] loaded 0 RADIUS server configurations
daemon.info : 00[CFG] HA config misses local/remote address
daemon.info : 00[CFG] coupling file path unspecified
daemon.info : 00[LIB] loaded plugins: charon test-vectors ldap pkcs11 aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent xcbc cmac hmac ctr ccm gcm curl mysql sqlite attr kernel-netlink resolve socket-default connmark forecast farp stroke vici smp updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap dhcp whitelist led duplicheck addrblock unity
daemon.info : 00[JOB] spawning 16 worker threads
authpriv.info ipsec_starter[4675]: charon (4676) started after 1140 ms
daemon.info : 06[CFG] received stroke: add connection 'PP-VPN'
daemon.info : 06[CFG]   loaded certificate "C=CH, ST=Zug, L=Zug, O=Perfect Privacy, CN=Perfect Privacy IPSEC CA, E=admin@perfect-privacy.com" from '/etc/ipsec.d/certs/perfect-privacy_ipsec_ca.pem'
daemon.info : 06[CFG]   id '%any' not confirmed by certificate, defaulting to 'C=CH, ST=Zug, L=Zug, O=Perfect Privacy, CN=Perfect Privacy IPSEC CA, E=admin@perfect-privacy.com'
daemon.info : 06[CFG] added configuration 'PP-VPN'
daemon.info : 15[CFG] received stroke: initiate 'PP-VPN'
daemon.info : 07[IKE] initiating IKE_SA PP-VPN[1] to 85.17.28.145
authpriv.info : 07[IKE] initiating IKE_SA PP-VPN[1] to 85.17.28.145
daemon.info : 07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
daemon.info : 07[NET] sending packet: from 109.91.77.56[500] to 85.17.28.145[500] (1068 bytes)
daemon.info : 09[NET] received packet: from 85.17.28.145[500] to 109.91.77.56[500] (265 bytes)
daemon.info : 09[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
daemon.info : 09[IKE] received cert request for "C=CH, ST=Zug, L=Zug, O=Perfect Privacy, CN=Perfect Privacy IPSEC CA, E=admin@perfect-privacy.com"
daemon.info : 09[IKE] sending cert request for "C=CH, ST=Zug, L=Zug, O=Perfect Privacy, CN=Perfect Privacy IPSEC CA, E=admin@perfect-privacy.com"
daemon.info : 09[CFG] no IDi configured, fall back on IP address
daemon.info : 09[IKE] establishing CHILD_SA PP-VPN{1}
authpriv.info : 09[IKE] establishing CHILD_SA PP-VPN{1}
daemon.info : 09[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
daemon.info : 09[NET] sending packet: from 109.91.77.56[4500] to 85.17.28.145[4500] (577 bytes)
daemon.info : 12[NET] received packet: from 85.17.28.145[4500] to 109.91.77.56[4500] (65 bytes)
daemon.info : 12[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
daemon.info : 12[IKE] received AUTHENTICATION_FAILED notify error
daemon.info : 00[DMN] signal of type SIGINT received. Shutting down
authpriv.info ipsec_starter[4675]: charon stopped after 200 ms
authpriv.info ipsec_starter[4675]: ipsec starter stopped
authpriv.info ipsec_starter[5503]: Starting strongSwan 5.6.3 IPsec [starter]...
daemon.err modprobe: ah4 is already loaded
daemon.err modprobe: esp4 is already loaded
daemon.err modprobe: ipcomp is already loaded
daemon.err modprobe: xfrm4_tunnel is already loaded
daemon.err modprobe: xfrm_user is already loaded
daemon.info : 00[DMN] Starting IKE charon daemon (strongSwan 5.6.3, Linux 4.14.95, armv7l)
daemon.info : 00[CFG] PKCS11 module '<name>' lacks library path
daemon.info : 00[LIB] curl SSL backend 'mbedTLS/2.16.1' not supported, https:// disabled
daemon.info : 00[CFG] disabling load-tester plugin, not configured
daemon.info : 00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL
daemon.info : 00[LIB] plugin 'uci' failed to load: Error relocating /usr/lib/ipsec/plugins/libstrongswan-uci.so: uci_lookup: symbol not found
daemon.info : 00[CFG] attr-sql plugin: database URI not set
daemon.info : 00[NET] using forecast interface br-lan
daemon.info : 00[CFG] joining forecast multicast groups: 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250
daemon.info : 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
daemon.info : 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
daemon.info : 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
daemon.info : 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
daemon.info : 00[CFG] loading crls from '/etc/ipsec.d/crls'
daemon.info : 00[CFG] loading secrets from '/etc/ipsec.secrets'
daemon.info : 00[CFG]   loaded EAP secret for USERNAME
daemon.info : 00[CFG] sql plugin: database URI not set
daemon.info : 00[CFG] loaded 0 RADIUS server configurations
daemon.info : 00[CFG] HA config misses local/remote address
daemon.info : 00[CFG] coupling file path unspecified
daemon.info : 00[LIB] loaded plugins: charon test-vectors ldap pkcs11 aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent xcbc cmac hmac ctr ccm gcm curl mysql sqlite attr kernel-netlink resolve socket-default connmark forecast farp stroke vici smp updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap dhcp whitelist led duplicheck addrblock unity
daemon.info : 00[JOB] spawning 16 worker threads
authpriv.info ipsec_starter[5538]: charon (5539) started after 1080 ms
daemon.info : 07[CFG] received stroke: add connection 'PP-VPN'
daemon.info : 07[CFG]   loaded certificate "C=CH, ST=Zug, L=Zug, O=Perfect Privacy, CN=Perfect Privacy IPSEC CA, E=admin@perfect-privacy.com" from '/etc/ipsec.d/certs/perfect-privacy_ipsec_ca.pem'
daemon.info : 07[CFG] added configuration 'PP-VPN'
daemon.info : 09[CFG] received stroke: initiate 'PP-VPN'
daemon.info : 08[IKE] initiating IKE_SA PP-VPN[1] to 85.17.28.145
authpriv.info : 08[IKE] initiating IKE_SA PP-VPN[1] to 85.17.28.145
daemon.info : 08[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
daemon.info : 08[NET] sending packet: from 109.91.77.56[500] to 85.17.28.145[500] (1068 bytes)
daemon.info : 12[NET] received packet: from 85.17.28.145[500] to 109.91.77.56[500] (265 bytes)
daemon.info : 12[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
daemon.info : 12[IKE] received cert request for "C=CH, ST=Zug, L=Zug, O=Perfect Privacy, CN=Perfect Privacy IPSEC CA, E=admin@perfect-privacy.com"
daemon.info : 12[IKE] sending cert request for "C=CH, ST=Zug, L=Zug, O=Perfect Privacy, CN=Perfect Privacy IPSEC CA, E=admin@perfect-privacy.com"
daemon.info : 12[CFG] no IDi configured, fall back on IP address
daemon.info : 12[IKE] establishing CHILD_SA PP-VPN{1}
authpriv.info : 12[IKE] establishing CHILD_SA PP-VPN{1}
daemon.info : 12[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
daemon.info : 12[NET] sending packet: from 109.91.77.56[4500] to 85.17.28.145[4500] (577 bytes)
daemon.info : 04[NET] received packet: from 85.17.28.145[4500] to 109.91.77.56[4500] (65 bytes)
daemon.info : 04[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
daemon.info : 04[IKE] received AUTHENTICATION_FAILED notify error

Maybe the system log is helpful.

Edit: Are these messages critical?

daemon.info : 00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL
daemon.info : 00[LIB] plugin 'uci' failed to load: Error relocating /usr/lib/ipsec/plugins/libstrongswan-uci.so: uci_lookup: symbol not found

Hello.

I have a similar problem to the one described here.

I get the following error messages after configuring IPsec IKEv2:

received netlink error: Function not implemented (38)
unable to add SAD entry with SPI cc348fee (FAILED)
received netlink error: Function not implemented (38)
unable to add SAD entry with SPI c4dd9c29 (FAILED)
unable to install inbound and outbound IPsec SA (SAD) in kernel
failed to establish CHILD_SA, keeping IKE_SA
peer supports MOBIKE
sending DELETE for ESP CHILD_SA with SPI cc348fee

How can I check whether GCM or the required kernel modules are enabled in the OpenWrt kernel?

My VPN provider uses these encryption algorithms:

ike=aes256gcm16-prfsha512-prfsha384-prfsha256-curve25519
esp=aes256gcm16-curve25519

But OpenWrt says: received netlink error: Function not implemented (38)

How can I enable these encryption algorithms on OpenWRT?

I can't see any Curve25519 kernel module in the OpenWrt package table (required for ESP). Curve25519 also doesn't seem to have been merged into the vanilla Linux kernel (https://github.com/torvalds/linux).

https://openwrt.org/packages/table/start?dataflt[Name_pkg-dependencies*~]=kmod-crypto

See /proc/crypto for the crypto algorithms currently available to the kernel.
To get a list of packages with further algorithms:

opkg update
opkg list kmod-crypto-*

On OpenWrt, kernel modules are not bundled with the kernel; they must be installed as separate packages, which are named kmod-*. The question is which module/package is needed.

Since the Asus AC56U has fairly large flash and RAM, you could install kernel module packages liberally until the dependencies are satisfied, then try to identify and remove the unneeded module packages again.

Another option would be to set up strongSwan on a PC, where the modules usually come with the Linux kernel package. Once the tunnel is up, check the reference counters in the lsmod output and in /proc/crypto to find the module names, then return to OpenWrt and install the required kernel module packages there.

There is no such kernel module because Diffie-Hellman is handled in userspace.

Does esp=aes256gcm16-curve25519 mentioned above make any sense in that case?

esp=...-curve25519 requests Elliptic Curve Diffie-Hellman to be used when the child SA (ESP) is rekeyed. Rekeying is performed by the charon daemon over the IKE protocol; the resulting keys are then installed into the kernel and take effect for ESP traffic.