[solved] PC can't connect to IKEv1 VPN server behind OpenWrt router

My company uses a software called Shrewsoft VPN and IKEv1 (XAuth + PSK) method to authenticate.

When I use my iPhone's hotspot or dial directly from my PC, everything works fine. However, when I dial with the OpenWrt router (PPPoE) and plug my PC into the LAN port, the VPN software can't receive phase 1 packets.

I'm using the openwrt-21.02.3-x86-64 official stable build with no additional packages or plugins. I don't know what information I need to provide; following the existing posts on the forum, I am posting the log and the firewall config file.

Error output from the VPN software:

send IKE packet MyIP:500 -> HostIP:500 ( 1211 bytes )
22/08/20 00:52:25 DB : phase1 resend event scheduled ( ref count = 2 )
22/08/20 00:52:30 -> : resend 1 phase1 packet(s) [0/2] MyIP:500 -> HostIP:500
22/08/20 00:52:35 -> : resend 1 phase1 packet(s) [1/2] MyIP:500 -> HostIP:500
22/08/20 00:52:40 -> : resend 1 phase1 packet(s) [2/2] MyIP:500 -> HostIP:500
22/08/20 00:52:45 ii : resend limit exceeded for phase1 exchange
22/08/20 00:52:45 ii : phase1 removal before expire time

/etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'pppoe'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

config include
        option path '/etc/firewall.user'

I would be grateful if someone could help me. It has been bugging me for days.
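The two fw3 rules in the config above, Allow-IPSec-ESP and Allow-ISAKMP, are the ones a reply later in the thread asks to verify. What follows is an added example, not part of the original post and not OpenWrt's own tooling: a small Python parser for UCI config text that reports whether those wan-facing ACCEPT rules are present and not disabled (the Support-UDP-Traceroute rule shows the enabled 'false' form). SAMPLE_FIREWALL is a constructed excerpt of the config above, and a check for UDP/4500 (IKE NAT-T) is included because the default rule set carries no such rule. One caveat a practitioner should keep in mind: these rules only govern unsolicited traffic forwarded from wan to lan; replies to the PC's own outbound UDP/500 packets are already accepted by conntrack as an established flow, so the rules being absent would not by itself explain the symptom, and the check below confirms they are present in the posted config.

```python
"""Parse an OpenWrt /etc/config/firewall and report the IPsec-related wan rules.

Added example for this thread; SAMPLE_FIREWALL is a constructed excerpt of the
config posted above, not the complete file.
"""
import re

SAMPLE_FIREWALL = """\
config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        list network 'wan'
        list network 'pppoe'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'
"""

# One UCI line: keyword, name, optional value (single-quoted or bare).
_UCI_LINE = re.compile(r"^\s*(config|option|list)\s+(\S+)(?:\s+'([^']*)'|\s+(\S+))?\s*$")


def parse_uci(text):
    """Return a list of (section_type, options) pairs; 'list' keys map to Python lists."""
    sections = []
    for raw in text.splitlines():
        match = _UCI_LINE.match(raw)
        if not match:
            continue                      # blank lines and comments
        keyword, name, quoted, bare = match.groups()
        value = quoted if quoted is not None else bare
        if keyword == "config":
            sections.append((name, {}))   # a section label, if present, is ignored here
        elif not sections:
            raise ValueError("option before any config section")
        elif keyword == "option":
            sections[-1][1][name] = value
        else:
            sections[-1][1].setdefault(name, []).append(value)
    return sections


def rule_is_enabled(opts):
    # fw3 treats a missing 'enabled' as on; '0', 'false', 'no' and 'off' switch a rule off.
    return opts.get("enabled", "1").lower() not in ("0", "false", "no", "off")


def rule_accepts(opts, src, proto, dest_port=None):
    """True when an enabled ACCEPT rule matches `proto` (and `dest_port`) from zone `src`."""
    if not rule_is_enabled(opts) or opts.get("target") != "ACCEPT":
        return False
    if opts.get("src") != src or opts.get("proto") != proto:
        return False
    # Single-port comparison only; port lists and ranges are not expanded here.
    return opts.get("dest_port") == dest_port


def ipsec_rule_report(text):
    """Which IPsec-relevant inbound rules are present and enabled on the wan zone."""
    rules = [opts for kind, opts in parse_uci(text) if kind == "rule"]
    return {
        "isakmp_udp_500": any(rule_accepts(r, "wan", "udp", "500") for r in rules),
        "esp": any(rule_accepts(r, "wan", "esp") for r in rules),
        "nat_t_udp_4500": any(rule_accepts(r, "wan", "udp", "4500") for r in rules),
    }


if __name__ == "__main__":
    for key, present in ipsec_rule_report(SAMPLE_FIREWALL).items():
        print(f"{key:16} {'ok' if present else 'MISSING'}")
```

On a live router the same check can be run against the real file by reading /etc/config/firewall into `ipsec_rule_report`; a rule that fw3 has switched off (enabled '0' or 'false') is reported as missing, which is the case the reply later in the thread asks about.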

That is very specific software; use common software like OpenVPN.

Sorry, but I can't choose which VPN client to use. I have OpenVPN on my computer, but it's incompatible.

As a step in problem exploration, could you please insert OpenWrt between your iPhone hotspot and your PC, by pressing the Scan button in the Wireless section and joining the hotspot from OpenWrt? Does it still break the VPN?

Sorry, but I can't; it's a software router without a Wi-Fi module.

I have an ASUS AX86U with official firmware, and I can't connect to the VPN server behind this ASUS router either.

I tried to connect my PC to the ASUS router, then use the ASUS router to connect to the hotspot of my iPhone, but I failed :(

Update:

I set my ASUS AX86U router to Repeater mode and got the same error.

==================
Here's some additional information; I hope it helps.

My topology:

PC - software router (Openwrt on PVE) - ISP - Company

On my router (OpenWrt), I ran tcpdump host HostIP; here are the results:

12:01:54.869147 IP DESKTOP.lan.500 > HostIP: isakmp: phase 1 I agg
12:01:54.920292 IP HostIP > DESKTOP.lan.500: isakmp: phase 1 R agg
12:01:59.878123 IP DESKTOP.lan.500 > HostIP: isakmp: phase 1 I agg
12:02:00.381929 IP HostIP > DESKTOP.lan.500: isakmp: phase 1 R agg
12:02:04.904907 IP DESKTOP.lan.500 > HostIP: isakmp: phase 1 I agg
12:02:05.409986 IP HostIP > DESKTOP.lan.500: isakmp: phase 1 R agg
12:02:09.915121 IP DESKTOP.lan.500 > HostIP: isakmp: phase 1 I agg
12:02:10.417833 IP HostIP > DESKTOP.lan.500: isakmp: phase 1 R agg

I also used Wireshark on my PC, listening on port 500:

The default firewall has these rules, could you please check that they also exist in /etc/config/firewall on your router and are not disabled?

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'


From the Wireshark screenshot, it can be seen that ISAKMP packets do arrive from the VPN server through the router to your desktop, but something on your desktop rejects them. Either you need to start the capture earlier (e.g., I don't see the initial request), or you have a misconfigured firewall on the desktop (not on the router).

Another test would be to try a recent Fedora Workstation LiveUSB and try connecting to the VPN from there, using the Linux-native tools, in that case - networkmanager-openswan or (unlikely) networkmanager-vpnc. The purpose of this test is to eliminate ShrewSoft VPN client as a potential source of the problem. Both backends have graphical configuration dialogs where you can import the certificates and provide other connection settings.

Also in ShrewSoft VPN client, what's the value of the "local ID type" setting?
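The tcpdump lines earlier in the thread show both directions of the first aggressive-mode round trip (phase 1 I agg, then phase 1 R agg), and the reply above concludes that the responder's packets reach the desktop. What follows is an added example, not from the original post and not from any of the VPN clients mentioned: a decoder for the fixed 28-byte ISAKMP header (RFC 2408 section 3.1) that a practitioner can run over the UDP/500 payloads exported from a Wireshark capture to confirm that the replies are well-formed answers to the client's own request, that is, same initiator cookie, same exchange type, IKEv1 version, and a length field equal to the datagram size. If all of that holds, the packets are valid responder messages and the rejection is happening above the network layer, which is the conclusion the reply draws. The sample datagrams are constructed (the payload bodies are zero filler, sized so that the request is the 1211 bytes seen in the client log); a real capture would be passed in through the `datagram` argument.

```python
"""Decode the 28-byte ISAKMP header (RFC 2408 section 3.1) of IKEv1 datagrams on UDP/500.

Added example for this thread; the sample datagrams below are constructed, not captured.
"""
import struct

# Initiator cookie, responder cookie, next payload, version, exchange type,
# flags, message ID, total length.
ISAKMP_HEADER = struct.Struct("!8s8sBBBBII")
EXCHANGE_NAMES = {1: "base", 2: "ident", 3: "auth", 4: "agg", 5: "inf", 32: "quick"}
ZERO_COOKIE = bytes(8)
FLAG_ENCRYPTED = 0x01


def decode_isakmp(datagram):
    """Return the header fields of one UDP/500 datagram, or raise ValueError."""
    if len(datagram) < ISAKMP_HEADER.size:
        raise ValueError("datagram shorter than an ISAKMP header")
    (icookie, rcookie, next_payload, version, exchange,
     flags, msgid, length) = ISAKMP_HEADER.unpack_from(datagram)
    major = version >> 4
    if major != 1:
        raise ValueError(f"not IKEv1: major version {major}")
    if length != len(datagram):
        raise ValueError(f"length field {length} != datagram size {len(datagram)}")
    return {
        "icookie": icookie,
        "rcookie": rcookie,
        "next_payload": next_payload,
        "exchange": EXCHANGE_NAMES.get(exchange, str(exchange)),
        # Phase 1 exchanges carry message ID 0; phase 2 (quick mode) uses a non-zero ID.
        "phase": 1 if msgid == 0 else 2,
        "encrypted": bool(flags & FLAG_ENCRYPTED),
        # Only the very first message of an exchange has an all-zero responder cookie;
        # every later message, from either side, carries both cookies.
        "first_message": rcookie == ZERO_COOKIE,
        "length": length,
    }


def is_reply_to(request, reply):
    """True if `reply` is a well-formed responder answer to the phase 1 `request`."""
    req, rep = decode_isakmp(request), decode_isakmp(reply)
    return (req["first_message"] and not rep["first_message"]
            and req["icookie"] == rep["icookie"]
            and req["exchange"] == rep["exchange"]
            and req["phase"] == rep["phase"] == 1)


def build(icookie, rcookie, exchange, body, flags=0, msgid=0):
    """Assemble a datagram; `body` is filler standing in for the real payload chain."""
    header = ISAKMP_HEADER.pack(icookie, rcookie, 1, 0x10, exchange, flags, msgid,
                                ISAKMP_HEADER.size + len(body))
    return header + body


# Constructed sample exchange: first aggressive-mode message and the responder's answer.
CLIENT_COOKIE = bytes.fromhex("1122334455667788")
SERVER_COOKIE = bytes.fromhex("99aabbccddeeff00")
PHASE1_I_AGG = build(CLIENT_COOKIE, ZERO_COOKIE, 4, b"\x00" * 1183)   # 28 + 1183 = 1211 bytes
PHASE1_R_AGG = build(CLIENT_COOKIE, SERVER_COOKIE, 4, b"\x00" * 300)
# A reply carrying somebody else's initiator cookie: must not be accepted as ours.
STRAY_REPLY = build(bytes.fromhex("0000000000000001"), SERVER_COOKIE, 4, b"\x00" * 300)


if __name__ == "__main__":
    for name, packet in (("request", PHASE1_I_AGG), ("reply", PHASE1_R_AGG)):
        fields = decode_isakmp(packet)
        role = "I" if fields["first_message"] else "R"
        print(f"{name}: phase {fields['phase']} {role} {fields['exchange']} ({fields['length']} bytes)")
    print("reply matches request:", is_reply_to(PHASE1_I_AGG, PHASE1_R_AGG))
```

The I/R label printed here is derived from the responder-cookie field alone, so it is only meaningful for the first round trip; from the third message on, both sides send both cookies and a capture tool has to remember which address owned the initiator cookie.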

I started Wireshark before I ran this VPN client; those are all the packets I could capture.

=====

It's Key Identifier; I tried other VPN clients, but none of them provide this ID type.

I have a Mac Mini; could you please tell me if there are any native tools on macOS?

I don't use macOS, sorry. Fedora was recommended exactly because it comes with an IKEv1 + XAUTH VPN client out of the box. If you need help, we can try a video call later today, but I need to visit some bureaucrats first.

If you are interested in live debugging over a video chat, drop me an email: patrakov@gmail.com.

Thank you very much for your help!

I will try to configure the VPN on macOS first, then I will find a machine to install Fedora if necessary. Have a nice day and wish you all the best!

No need to install Fedora, it runs from the USB stick without touching the internal hard drive.

Thank you again for helping me solve my problem; I really appreciate it.

macOS has a native Cisco VPN client, and it works well!
