I've been looking forward to new features as the Route10 progresses. Unfortunately the VPNs and lack of documentation make it difficult to enjoy these features the team works hard on.
L2TP was simple but required that EAP be turned off/not allowed. PAP, CHAP, MS-CHAP v2 did not give any issues. This works for Windows, Linux, and supposedly iPhone. Android hasn’t supported L2TP on Android 13 and 14.
IKEv2, I haven’t been able to pinpoint why it is not working, or if some configuration change away from the defaults is needed. The DDNS name was also introduced in the same update. Oddly placed, and I can’t read the whole thing; it gets cut off.
I greatly appreciate any documentation provided.
IKEv2
I get a lot of policy mismatch errors. I tried all of these EAP auth types and also the one under it, use machine certs.
I self-sabotaged a little bit there. I put it back to L2TP after my last bit of testing on Linux. Windows 11 works with the defaults. EAP auth method PEAP.
Currently still testing IKEv2 on Linux and Android.
On Linux, I am getting “no trusted RSA public key found”.
Could you show some more of your work on the Linux and Android side? Are you using any particular clients or distros or ROMs or anything?
For the Linux testing I am using Zorin OS, a distro based on Ubuntu. For both VPNs I've had to download new packages; for IKEv2 the package was strongswan. These are the settings I've tried.
I've tried using the public IP instead of DDNS. I've tried using the full DDNS name for identity in both spots. I've used the first part of the DDNS name in both spots, left one or the other empty, used the public IP in all the spots, and tried using different IPsec IDs.
The error I get every time is [No trusted RSA public key found].
In Windows 11, once we got the settings dialed in, it asked if we wanted to trust the server and download the certs. The Linux PC and Android both do not have that popup.
For Android 14 there are three VPN options to choose from that are natively supported: IKEv2/IPSec MSCHAPv2, IKEv2/IPSec PSK, IKEv2 RSA. I've only really tried the first one; the others don't seem to fit the idea. I've also tried variations of public IP, DDNS, and different IPsec IDs where applicable. I can't get to the Android logs to check the fails there.
Which Android device are you using? With my Galaxy S24 Ultra, I can connect without issue. By default it chooses not to validate the IPSec CA cert, but if you prefer to validate the cert you can manually install the root CA cert which is used to sign the IKEv2 cert on the Route10.
Here’s the direct link to the .pem: https://letsencrypt.org/certs/isrgrootx1.pem. Install it as a CA cert, from Settings > Security & Privacy > More security settings > Credential storage > Install from device storage (or similar; this is the location on my device).
As we don’t yet support custom certs, I leave IPSec ID blank on Route10 settings, which means I use the DDNS hostname for both server address and IPSec ID. IKEv2/IPSec MSCHAPv2 is the correct type.
I’m just spinning up an Ubuntu VM, but I’m pretty sure the packages needed there are strongswan, network-manager-strongswan and libcharon-extra-plugins. I’ll follow up about Linux, but if it needs to verify the cert, then the same cert as above should satisfy that purpose there, too.
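The post above describes the client side in terms of the NetworkManager and Android dialogs. As an added example that is not part of the thread and not Alta Labs' configuration, here is the same setup expressed for strongSwan's own CLI (swanctl) on an Ubuntu-style client: the DDNS hostname used as both server address and remote identity, EAP-MSCHAPv2 for the user, and the server certificate validated against ISRG Root X1 rather than left unvalidated. The hostname vpn.example.dyndns.net, the username alice, and the config directory are placeholders; the connection name, proposals and every other value are this example's choices, not the Route10's.

```shell
#!/bin/sh
# Added example, not code from the thread or from Alta Labs: a swanctl client
# profile for the IKEv2/IPSec MSCHAPv2 setup described in the post above, with
# the Route10's certificate validated against ISRG Root X1 (the "validate the
# cert" path) instead of the Android "don't validate" default.
#
# Assumptions (placeholders, nothing here is copied from the thread's configs):
#   dir   swanctl's config root, /etc/swanctl on Ubuntu
#   host  the Route10's DDNS hostname; with IPSec ID left blank on the Route10
#         it is both the server address and the remote identity
#   user  the VPN username configured on the Route10
# The Ubuntu package's swanctl.conf includes conf.d/*.conf; if yours does not,
# paste the connection block into swanctl.conf itself.

write_route10_profile() {
    dir=$1; host=$2; user=$3
    mkdir -p "$dir/conf.d" "$dir/x509ca"
    cat > "$dir/conf.d/route10.conf" <<EOF
connections {
    route10 {
        version = 2
        remote_addrs = $host
        # Request a virtual IP from the Route10, as the NetworkManager client does.
        vips = 0.0.0.0
        local {
            # Client side: EAP-MSCHAPv2 (the eap-mschapv2 plugin comes from
            # libcharon-extra-plugins on Ubuntu).
            auth = eap-mschapv2
            eap_id = $user
        }
        remote {
            # Server side: the certificate must chain to the CA named in
            # cacerts and carry the identity (the DDNS hostname) in its SAN.
            # Leaving id/cacerts unset is what yields
            # "no trusted RSA public key found" on the client.
            auth = pubkey
            id = $host
            cacerts = isrgrootx1.pem
        }
        children {
            route10 {
                # Full tunnel; narrow remote_ts for split tunnelling.
                remote_ts = 0.0.0.0/0
                start_action = none
                dpd_action = restart
            }
        }
    }
}
secrets {
    eap-route10 {
        id = $user
        secret = "CHANGE-ME"
    }
}
EOF
    # The file carries the EAP password, so keep it root-only.
    chmod 600 "$dir/conf.d/route10.conf"
}

profile_validates_server() {
    # "yes" when the remote peer must present a certificate (pubkey) and a
    # trust anchor is named; "no" otherwise. The CLI analogue of Android's
    # validate-CA toggle.
    if grep -q '^ *auth = pubkey' "$1" && grep -q '^ *cacerts = ' "$1"; then
        echo yes
    else
        echo no
    fi
}

# Usage on the client, as root, with the CA link given in the post above:
#   curl -fsSL https://letsencrypt.org/certs/isrgrootx1.pem -o /etc/swanctl/x509ca/isrgrootx1.pem
#   write_route10_profile /etc/swanctl vpn.example.dyndns.net alice   # then edit the secret
#   swanctl --load-all && swanctl --initiate --child route10
#   swanctl --list-sas
if [ "$#" -eq 3 ]; then
    write_route10_profile "$@"
fi
```

swanctl resolves a relative cacerts name against the x509ca directory, so the same isrgrootx1.pem the post links is the only trust anchor this profile accepts; a server presenting any other chain fails authentication rather than connecting silently.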
For Android I have a Nothing Phone 1 running Android 14. My defaults also show to not validate. I've installed it and replicated mine to look like your settings. I am still getting unsuccessful. I'll try Zorin after lunch.
Here are the settings that work for me on Ubuntu:
There are no other non-default settings.
Here’s how it’s configured on my Route10:
Now, this shouldn’t matter, but what is your WAN type? The one I’m testing with is straight DHCP, but my other WAN is PPPoE (so I can retest there if needed).
Oddly, part of my network went down while I was testing. Rebooted and everything was fine. Linux works with the same settings you provided with the same cert. Unfortunately Android still won't connect. My WAN is a coax modem; public IP is DHCP. I do love the addition of the DDNS name, by the way.
Today it seems neither is working. Unsure why; it was working last night for Windows and Linux. I tried switching back to L2TP to demonstrate it to a colleague. It says communication could not be established. A remote reboot feature would work great here.
@rutman286 These settings for the most part have worked; not sure why my firewall is acting up today. Maybe you’ll have better success.
Almost seems like the VPN service has locked up. Neither L2TP nor IKEv2 tunnels are working for me now.
Factory resetting and re-adding the router did not resolve the issue, unfortunately. I have been unable to use any VPN.
@Alta-MikeD @Alta-Josh
I’m not sure what is or isn’t happening, however I trust you when you say it’s not working. Toggling it on/off, resetting to defaults, reconfiguring, I can’t make it not work in any case, so it’s odd that it’s not working, especially after you defaulted your Route10.
It’s likely that at least part of it is going to be logged to the local syslog (which will be /var/log/messages, or messages.0/1, on the Route10 itself). Accessing that has to be done via web terminal or shell (if you have an SSH key configured).
You can either try toggling it on, then pull the logs and share them, and I can see if the relevant data is logged in syslog. I would also want to review the actual config file itself (/etc/swanctl/swanctl.conf), as we use that as the daemon to configure both types. Or, if you prefer, I can also look at it directly if you add me to the site, and then just let you know what I find… I’ll leave that choice up to you.
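Once the syslog Mike describes has been pulled off the Route10 (or off the Linux client, which logs the same daemon), the useful lines are the ones from charon, strongSwan's IKE daemon, which is what swanctl.conf configures. As an added example that is not part of the thread and not an Alta Labs tool, the script below filters those lines and buckets them into the failure classes this thread has run into: a trust-anchor problem (the client cannot validate the server certificate, the "no trusted RSA public key found" case), a proposal or policy mismatch, an EAP credential failure, and a peer that never answers, which is what a wedged VPN service would look like. The sample log is constructed in charon's syslog shape so the script runs offline and mixes lines from both ends so every class appears; the exact wording the Route10 logs may differ, so the patterns are a starting point rather than a guarantee. The hostnames, addresses, SPIs and SSH user are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or Alta Labs: first-pass triage of the
# syslog (/var/log/messages and its rotations) for charon (strongSwan IKE) lines.
# The sample log below is constructed, not captured from a Route10.

classify_charon_line() {
    # Print one class for a syslog line: trust, proposal, auth, timeout,
    # established, other (charon noise), or an empty string if not charon.
    case "$1" in
        *charon*) ;;
        *) printf '\n'; return 0 ;;
    esac
    case "$1" in
        # Client cannot build a trusted path to the server cert (missing CA,
        # identity not in the cert's SAN), or a peer has no usable key.
        *'no trusted '*'public key found'*|*'no private key found'*|*'constraint check failed'*)
            echo trust ;;
        # IKE/ESP proposal or selector mismatch, or no connection matched the peer.
        *NO_PROPOSAL_CHOSEN*|*TS_UNACCEPTABLE*|*'no matching peer config'*|*'no IKE config found'*)
            echo proposal ;;
        # Peer rejected the credentials (EAP-MSCHAPv2 user/password, cert auth).
        *AUTHENTICATION_FAILED*|*'authentication of'*'failed'*|*EAP*failed*)
            echo auth ;;
        # Nothing coming back: UDP 500/4500 blocked, wrong address, or the
        # daemon on the far side is not responding.
        *retransmit*|*'giving up after'*)
            echo timeout ;;
        *' established '*)
            echo established ;;
        *)
            echo other ;;
    esac
}

count_class() {
    # Number of lines in file $1 that classify as $2.
    n=0
    while IFS= read -r line; do
        if [ "$(classify_charon_line "$line")" = "$2" ]; then
            n=$((n + 1))
        fi
    done < "$1"
    echo "$n"
}

triage_log() {
    # Per-class counts, then the lines worth reading, in log order.
    for c in established trust proposal auth timeout other; do
        printf '%-12s %s\n' "$c" "$(count_class "$1" "$c")"
    done
    echo '--- charon lines other than noise ---'
    while IFS= read -r line; do
        c=$(classify_charon_line "$line")
        case "$c" in
            ''|other) ;;
            *) printf '[%s] %s\n' "$c" "$line" ;;
        esac
    done < "$1"
}

make_sample_log() {
    # Constructed lines in charon's syslog shape; hosts, addresses and SPIs
    # are placeholders. Client (zorin) and server (route10) lines are mixed
    # in so every class appears once.
    f=$(mktemp)
    cat > "$f" <<'EOF'
Jun  4 21:10:02 route10 charon: 06[IKE] IKE_SA ikev2-rw[3] established between 203.0.113.9[vpn.example.dyndns.net]...198.51.100.7[alice]
Jun  4 21:10:02 route10 charon: 06[IKE] CHILD_SA ikev2-rw{3} established with SPIs c0ffee01_i c0ffee02_o
Jun  4 21:12:40 zorin charon: 09[CFG] looking for peer configs matching 198.51.100.7[%any]...203.0.113.9[vpn.example.dyndns.net]
Jun  4 21:12:40 zorin charon: 09[IKE] no trusted RSA public key found for 'vpn.example.dyndns.net'
Jun  4 21:12:41 route10 charon: 09[IKE] received AUTHENTICATION_FAILED notify error
Jun  4 21:15:11 route10 charon: 11[IKE] no IKE config found for 203.0.113.9...198.51.100.22, sending NO_PROPOSAL_CHOSEN
Jun  4 21:20:05 zorin charon: 12[IKE] retransmit 5 of request with message ID 0
Jun  4 21:20:05 zorin charon: 12[IKE] giving up after 5 retransmits
Jun  4 21:20:06 route10 dnsmasq[1234]: reading /etc/resolv.conf
EOF
    echo "$f"
}

# Usage: pull the logs via the web terminal, or over SSH with your configured
# key (user and host are placeholders), then run the triage on the file:
#   ssh <user>@<route10> 'cat /var/log/messages.1 /var/log/messages.0 /var/log/messages' > route10.log
#   sh charon_triage.sh route10.log
# With no argument the constructed sample is triaged instead.
if [ "$#" -ge 1 ]; then
    triage_log "$1"
else
    sample=$(make_sample_log)
    triage_log "$sample"
    rm -f "$sample"
fi
```

If every class is zero on a Route10 log taken while a client is retrying, charon logged nothing about the attempt, which points at the daemon or the WAN path rather than at the VPN configuration; that, plus the swanctl.conf Mike asks for, is what distinguishes "locked up" from "misconfigured".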
Sure, I can invite you to my site; what’s your email?