0 votes
1,254 views 7 comments
by anonymous

Hopefully someone can help me out here. On the bench I had this working, but since a factory reset and firmware upgrade I cannot get it to work again.

We have a WatchGuard T70 running the latest firmware with a public address assigned, trying to connect to a RUTX11 on-site with a 4G SIM using dynamic addressing. We have configured DDNS through Dyn.com, which is working and updating correctly. I have then configured the IPsec details accordingly but cannot seem to get it to connect; the logs don't show anything obvious on the RUTX11. Is there a debug mode I can change to get more details?

I have tried the following wiki page from Teltonika, https://wiki.teltonika.lt/view/RUTX11_VPN, but the IPsec page for the RUTX11 differs from the page I have on the unit.

General settings

In the remote endpoint I have the head office public address
Local identifier is then blank (we have tried using the DDNS address)
Remote identifier is the IP of our router

Connection Settings

Mode is start
Type is tunnel
Local subnet is of the site 192.168.25.0/24
Remote subnet is head office 172.0.0.0/24
Key exchange is IKEv2

Proposal Settings

Phase 1
Encryption: AES256
Authentication: SHA1
DH: MODP1024
Force crypto is off
IKE: 8 hours

Phase 2
Encryption: AES256
Authentication: SHA1
DH: MODP1024
Force crypto is off
IKE: 8 hours

The encryption settings are reflected on our WG unit. I've tried a load of different configurations and just cannot get it to go.

by anonymous

Hi,

This might help: ipsec with DHCP

Watchguard side:

BOVPN Virtual interface

auth method: preshared key or cert

Gateway Endpoint 

Local interface: External
Local type: Domain Name
Local ID: dns.name.com
Remote IP: Any
Remote type: Domain Name
Remote ID: whatever.name.com

VPN Routes

remote subnet(s) 192.168.25.0/24

(You might need/want Virtual IP addressing, I don't know.)

Proposals you just match on both sides.

Teltonika Side

Remote endpoint dns.name.com

Authentication method preshared key (or cert)

Pre shared key/(or cert)******

Local identifier whatever.name.com

Remote identifier dns.name.com

Routing

local subnet 192.168.25.0/24

remote subnet 172.0.0.0/24

Under advanced routing you can set up a Peer IP (Virtual IP address) if needed.

You do not need DDNS for this setup with (the Teltonika on) a DHCP WAN connection, as long as the remote IDs match.

You can reach remote networks like this. The only thing I have a problem with is the firewall zoning: IPsec does not automatically create a zone like an OpenVPN connection does.

You can reach everything on the remote network except the Teltonika itself, unless you allow HTTPS/SSH from WAN, because it sees the traffic source as a WAN address. If you use Peer IP addresses you can map it as an internal network and you do not have to open anything on the WAN side.

by anonymous
PS.

You can also use Mobility SSLVPN with OpenVPN, with your WG as server and the Teltonika as client. IPsec has better hardware support though.

1 Answer

0 votes
by anonymous

Hello,

Please generate the troubleshoot file and send it to me via private message. Go to System -> Administration -> Troubleshoot and click Download.

by anonymous
PM'd you, Marius.
by anonymous
I checked the troubleshoot file you sent me and I see that you are using a private IP address so adding it to DDNS will not configure IPsec properly. In this case, I suggest using DDNS on the WatchGuard side, of course, if it has DDNS functionality. Otherwise, if you want the RUTX11 to have a tunnel with Watchguard, then do not use DDNS.
by anonymous
So DDNS on both sides? Will that work with it still being private?

Is there a better way to set the tunnels up with the RUTX11 in this type of scenario, e.g. HQ on one side with a fixed, publicly available connection, and 4G (no static IP) on the RUTX11 on the other side?
by anonymous
Hi Marius, just wondered if you got my last comment. We are currently working with WatchGuard as well on this to see if we could possibly use BOVPN over TLS, which utilises the OpenVPN engine. So far no success, but I'm hopeful we can get something, albeit probably just an incoming connection only to the HQ.
by anonymous
If DDNS is on both sides, you will still not get the desired result. DDNS on both sides could be present if both devices had a public IP address.

I have not previously configured BOVPN with OpenVPN, maybe you could show BOVPN in the print screen configuration window?
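Two points in this thread can be checked on paper before touching either box: the comment above that DDNS is unnecessary "as long as the remote IDs match" (each side's remote ID must equal the peer's local ID), and the answer that a RUTX11 whose 4G WAN address is private or carrier-grade NAT cannot be made reachable by putting it in DDNS, so the spoke has to initiate. The script below is an example added by the editor, not code from the thread, from Teltonika or from WatchGuard. The two configuration dictionaries, their field names and the sample WAN addresses are constructed for the example; the checks implement the thread's advice (address class of the spoke WAN, start mode on the spoke, FQDN rather than IP identifiers, cross-matching IDs, mirrored subnets, equal proposals) and additionally flag proposal algorithms that are below current IKE guidance.

```python
"""Pre-flight checks for a hub/spoke IPsec setup like the one in the thread:
a hub (WatchGuard) on a fixed public address and a spoke (RUTX11) on a
4G/DHCP WAN. Editor's example; the config layout is this script's own."""

import ipaddress

# RFC 1918 private ranges and the RFC 6598 shared address space that mobile
# operators use for carrier-grade NAT. Checked explicitly so the result does
# not depend on how a given Python version defines ip.is_private/is_global.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")

# Algorithms that still appear in default proposals but are below current
# IKE guidance (SHA-1 integrity, DH group 2 / 1024-bit MODP, MD5, DES/3DES).
WEAK = {
    "sha1": "SHA-1 integrity",
    "md5": "MD5 integrity",
    "modp1024": "DH group 2 (1024-bit MODP)",
    "des": "DES encryption",
    "3des": "3DES encryption",
}

# Constructed sample configs mirroring the settings posted in the thread.
HUB = {  # WatchGuard at head office; 203.0.113.0/24 is a documentation range
    "wan_ip": "203.0.113.10",
    "local_id": "dns.name.com",
    "remote_id": "whatever.name.com",
    "local_subnet": "172.0.0.0/24",
    "remote_subnet": "192.168.25.0/24",
    "phase1": ("aes256", "sha1", "modp1024"),
    "phase2": ("aes256", "sha1", "modp1024"),
}
SPOKE = {  # RUTX11 on 4G; the operator hands out a CGNAT address (constructed)
    "wan_ip": "100.64.12.34",
    "mode": "start",
    "local_id": "whatever.name.com",
    "remote_id": "dns.name.com",
    "local_subnet": "192.168.25.0/24",
    "remote_subnet": "172.0.0.0/24",
    "phase1": ("aes256", "sha1", "modp1024"),
    "phase2": ("aes256", "sha1", "modp1024"),
}


def wan_address_class(addr):
    """Classify a WAN address as 'public', 'private' (RFC 1918), 'cgnat' (RFC 6598) or 'special'."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in RFC1918):
        return "private"
    if ip in CGNAT:
        return "cgnat"
    if ip.is_loopback or ip.is_link_local:
        return "special"
    return "public"


def is_ip_literal(value):
    """True if an identifier is an IP address rather than a name (FQDN) identifier."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def identifiers_cross_match(a, b):
    """Each side's remote ID must equal the peer's local ID."""
    return a["remote_id"] == b["local_id"] and b["remote_id"] == a["local_id"]


def subnets_mirror(a, b):
    """One side's local subnet must be the other side's remote subnet."""
    net = ipaddress.ip_network
    return (net(a["local_subnet"]) == net(b["remote_subnet"])
            and net(a["remote_subnet"]) == net(b["local_subnet"]))


def proposals_match(a, b):
    return a["phase1"] == b["phase1"] and a["phase2"] == b["phase2"]


def check_site_to_site(hub, spoke):
    """Return a list of findings; an empty list means nothing obvious is wrong."""
    findings = []
    spoke_class = wan_address_class(spoke["wan_ip"])
    if spoke_class != "public":
        findings.append(f"spoke WAN {spoke['wan_ip']} is {spoke_class}: the hub cannot reach it, "
                        "so a DDNS name for the spoke does not help; the spoke must initiate")
        if spoke.get("mode") != "start":
            findings.append("spoke mode must be 'start' so the RUTX11 brings the tunnel up")
        if is_ip_literal(hub["remote_id"]):
            findings.append("hub remote ID is an IP address; use a name (FQDN) identifier for a NATed spoke")
    if wan_address_class(hub["wan_ip"]) != "public":
        findings.append("hub WAN is not public: at least one side must be reachable from the Internet")
    if not identifiers_cross_match(hub, spoke):
        findings.append("identifiers do not cross-match: each remote ID must equal the peer's local ID")
    if not subnets_mirror(hub, spoke):
        findings.append("subnets do not mirror between the two sides")
    if not proposals_match(hub, spoke):
        findings.append("phase 1/phase 2 proposals differ between the two sides")
    weak = sorted({alg for phase in ("phase1", "phase2") for alg in spoke[phase] if alg in WEAK})
    findings.extend(f"proposal uses {WEAK[alg]}, below current IKE guidance" for alg in weak)
    return findings


if __name__ == "__main__":
    for finding in check_site_to_site(HUB, SPOKE):
        print("-", finding)
```

With the thread's settings the script reports that the spoke sits behind CGNAT (so only the spoke can open the tunnel) and that SHA-1 and MODP1024 are in the proposals; the identifiers, subnets and proposals themselves pass. Replace the constructed `wan_ip` values with the address each device actually reports on its WAN interface: on the 4G side, an address in 100.64.0.0/10 or 10.0.0.0/8 is what the answer above refers to as a "private IP address".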