0 votes
685 views 1 comments
by anonymous
Hello,

Seems like there's a bug in the IPSec config generation in TRB140 firmware TRB1400_R_00.01.06.1. You can check IPSec daemon log messages below, aggressive=1 is not accepted and should be aggressive=yes with this version of StrongSwan.

The connection does not work, but comes up just fine after manually modifying the config file and restarting the ipsec daemon.

Fri Jan 24 12:48:55 2020 authpriv.info ipsec_starter[10854]: charon stopped after 200 ms
Fri Jan 24 12:48:55 2020 authpriv.info ipsec_starter[10854]: ipsec starter stopped
Fri Jan 24 12:48:58 2020 authpriv.info ipsec_starter[11332]: Starting strongSwan 5.8.0 IPsec [starter]...
Fri Jan 24 12:48:58 2020 authpriv.info ipsec_starter[11332]: # bad value: aggressive=1
Fri Jan 24 12:48:58 2020 authpriv.info ipsec_starter[11332]:   bad argument value in conn 'TK-TK_c'
Fri Jan 24 12:48:58 2020 authpriv.info ipsec_starter[11332]: # ignored conn 'TK-TK_c' due to 1 parsing error
Fri Jan 24 12:48:58 2020 authpriv.info ipsec_starter[11332]: ### 1 parsing error (0 fatal) ###
Fri Jan 24 12:48:58 2020 daemon.info ipsec: 00[DMN] Starting IKE charon daemon (strongSwan 5.8.0, Linux 3.18.20-msm, armv7l)

root@dev:~# cat /var/ipsec/ipsec.conf
# generated by /etc/init.d/ipsec
version 2

conn TK-TK_c
    left=%any
    right=123.123.123.123
    leftsubnet=172.16.0.0/16
    leftfirewall=no
    rightfirewall=no
    ikelifetime=8h
    lifetime=1h
    margintime=9m
    keyingtries=3
    dpdaction=restart
    dpddelay=30s
    leftauth=psk
    rightauth=psk
    rightsubnet=10.56.0.0/24
    auto=start
    leftid=censored.id
    rightid=123.123.123.123
    aggressive=1
    forceencaps=no
    keyexchange=ikev1
    esp=aes128-sha1-modp1024
    ike=aes128-sha1-modp1024
    type=tunnel

1 Answer

+2 votes
by anonymous

Hello,

After testing it a few times, there really is an issue with Aggressive mode generation in the config file for TRB140. We are already looking into it and I hope it will be fixed with upcoming FW releases.

But since it is there now, I would like to offer a little workaround, until it is fixed, that would not require changing the config file through SSH. Instead of turning Aggressive mode on the usual way (off/on - leave it off), in WebUI Services > VPN > IPsec, in the IPsec instance Connection settings > Advanced settings, use "Custom option" and simply enter the line aggressive=yes, then save the IPsec instance.

This way it will automatically generate the line in the config file, and you will not have to go through SSH to fix it.

Best regards,
VidasKac

Best answer
by
Great, the workaround seems to work. :)
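
A way to catch this kind of generator bug before the daemon silently drops a conn, as an added example that is not part of the original thread or of Teltonika's firmware: a shell function that scans a starter-style ipsec.conf for yes/no options written with any other value. The option list (limited to the yes/no options visible in the posted config) and the sample config are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: lint a starter-style ipsec.conf for yes/no options that a
# config generator wrote as something else (such as aggressive=1).
# Assumption: BOOL_KEYS lists only the yes/no options seen in the posted
# config; extend it for other options you rely on.
BOOL_KEYS="aggressive forceencaps leftfirewall rightfirewall"

# lint_ipsec_conf [FILE]  (reads stdin when FILE is omitted)
# Prints "conn:line:key=value" for every offending line.
# Returns 1 if at least one bad value was found, 0 otherwise.
lint_ipsec_conf() {
    awk -v keys="$BOOL_KEYS" '
        BEGIN { bad = 0; n = split(keys, k, " ")
                for (i = 1; i <= n; i++) want[k[i]] = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # comments and blank lines
        /^conn[ \t]+/ { conn = $2; next }      # remember the current section
        {
            line = $0
            sub(/^[ \t]+/, "", line)           # tolerate any indentation
            eq = index(line, "=")
            if (eq == 0) next                  # "version 2", "config setup"
            key = substr(line, 1, eq - 1)
            val = substr(line, eq + 1)
            gsub(/[ \t]/, "", key)
            sub(/^[ \t"]+/, "", val); sub(/[ \t"]+$/, "", val)
            if ((key in want) && val != "yes" && val != "no") {
                printf "%s:%d:%s=%s\n", conn, NR, key, val
                bad = 1
            }
        }
        END { exit bad }
    ' "$@"
}

# Constructed sample modelled on the config in the question (addresses are
# placeholders). On a device you would pass the generated file instead.
lint_ipsec_conf <<'EOF' || echo "generated config has values the starter will reject"
# generated by /etc/init.d/ipsec
conn TK-TK_c
    leftfirewall=no
    aggressive=1
    forceencaps=no
    keyexchange=ikev1
EOF
```

A non-zero return after a config change is the cue to look for `# bad value` and `ignored conn` lines from ipsec_starter in the system log, since the daemon still starts with the affected conn left out.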