WIKIABOUT

10933 questions

13039 answers

20332 comments

27469 members

Most popular tags

rut955 rut240 rut950 rutx11 vpn rms openvpn wifi to sms trb140 rutx09 ipsec not rutx12 firmware modbus - firewall on

IPSEC Tunnel Configuration for Static > Dynamic site Not Working

0 votes
847 views 5 comments
by

Hopefully, someone can help me out here, on the bench I had this working but since factory resettings and firmware upgrading cannot get it to work again.

We have a WatchGuard T70 running the latest firmware with a public address assigned trying to connect to a RUTX11 on-site with a 4G SIM using dynamic addressing, we have configured DDNS through Dyn.com which is working and updating correctly, I have then configured the IP sec details accordingly but cannot seem to get it to connect, the logs don't show anything obvious on the RUTX11, is there a debug mode I can change to get more details?

I have tried the following WIKI from Teltonika - https://wiki.teltonika.lt/view/RUTX11_VPN but the IPSEC page for the RUTX11 differs to the page I have upon the unit.

General settings

In the remote endpoint I have the head office public address
Local identifier is then blank (we have tried using the DDNS address)
Remote identifier is the IP of our router

Connection Settings

Mode is start
Type is tunnel
Local subnet is of the site 192.168.25.0/24
Remote subnet is head office 172.0.0.0/24
Key exchange is IKEv2

Proposal Settings

Phase 1
Encryption: AES256
Authentication: SHA1
DH: MODP1024
Force crypto is off
IKE: 8 hours

Phase 2
Encryption: AES256
Authentication: SHA1
DH: MODP1024
Force crypto is off
IKE: 8 hours

The encryption settings are reflected on our WG unit, I've tried a load of different ways configurations and just cannot get it to go.
 

1 Answer

0 votes
by

Hello,

please generate the troubleshoot file and send it to me via private message. Go to System -> Administration -> Troubleshoot and click Download.

by
Pm'd you Marius
by
I checked the troubleshoot file you sent me and I see that you are using a private IP address so adding it to DDNS will not configure IPsec properly. In this case, I suggest using DDNS on the WatchGuard side, of course, if it has DDNS functionality. Otherwise, if you want the RUTX11 to have a tunnel with Watchguard, then do not use DDNS.
by
So DDNS both sides? will that work with it still being private?

Is there a better way to set the tunnels up with the RUTX11 with this type of scenario e.g. HQ one side with fixed connection and public available and 4G (No static) on the RUTX11 the other side.
by
Hi Marius just wondered if you got my last comment. We are currently working with WatchGuard as well on this to see if we could possibly use BOVPN over TLS which utilises OpenVPN engine. So far no success but I'm hopefully we can get something albeit probably just incoming connection only to the HQ.
by
If DDNS is on both sides, you will still not get the desired result. DDNS on both sides could be present if both devices had a public IP address.

I have not previously configured BOVPN with OpenVPN, maybe you could show BOVPN in the print screen configuration window?