by

I am trying to set up a basic IPsec tunnel on an RUTX11 and having some difficulties. The device was factory reset as part of troubleshooting and then set up from scratch using the web UI. Here's the redacted config:

root@Teltonika-RUTX11:~# uci show ipsec
ipsec.@ipsec[0]=ipsec
ipsec.@ipsec[0].rtinstall_enabled='1'
ipsec.gs2=remote
ipsec.gs2.crypto_proposal='gs2_ph1'
ipsec.gs2.enabled='1'
ipsec.gs2.gateway='far.end.gateway.com'
ipsec.gs2.authentication_method='psk'
ipsec.gs2.pre_shared_key='pskgoeshere'
ipsec.gs2.local_identifier='domain.name'
ipsec.gs2.remote_identifier='domain.name'
ipsec.gs2.tunnel='gs2_c'
ipsec.gs2.force_crypto_proposal='0'
ipsec.gs2_c=connection
ipsec.gs2_c.crypto_proposal='gs2_ph2'
ipsec.gs2_c.mode='start'
ipsec.gs2_c.type='tunnel'
ipsec.gs2_c.local_subnet='10.21.1.0/24'
ipsec.gs2_c.remote_subnet='10.10.1.0/24'
ipsec.gs2_c.keyexchange='ikev1'
ipsec.gs2_c.forceencaps='no'
ipsec.gs2_c.local_firewall='yes'
ipsec.gs2_c.remote_firewall='no'
ipsec.gs2_c.ikelifetime='28800s'
ipsec.gs2_c.force_crypto_proposal='0'
ipsec.gs2_c.lifetime='28800s'
ipsec.gs2_ph1=proposal
ipsec.gs2_ph1.encryption_algorithm='aes128'
ipsec.gs2_ph1.hash_algorithm='sha1'
ipsec.gs2_ph1.dh_group='modp1024'
ipsec.gs2_ph2=proposal
ipsec.gs2_ph2.encryption_algorithm='aes128'
ipsec.gs2_ph2.hash_algorithm='sha1'
ipsec.gs2_ph2.dh_group='no_pfs'

This validates fine in the web UI, but strongSwan seems to have trouble using it:

Tue Feb  4 11:06:02 2020 kern.notice kernel: ipsec configuration has been changed
Tue Feb  4 11:06:05 2020 authpriv.info ipsec_starter[27858]: Starting strongSwan 5.8.0 IPsec [starter]...
Tue Feb  4 11:06:05 2020 daemon.info ipsec: 00[DMN] Starting IKE charon daemon (strongSwan 5.8.0, Linux 4.14.131, armv7l)
Tue Feb  4 11:06:06 2020 daemon.info ipsec: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Tue Feb  4 11:06:06 2020 daemon.info ipsec: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Tue Feb  4 11:06:06 2020 daemon.info ipsec: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Tue Feb  4 11:06:06 2020 daemon.info ipsec: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Tue Feb  4 11:06:06 2020 daemon.info ipsec: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Tue Feb  4 11:06:06 2020 daemon.info ipsec: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Tue Feb  4 11:06:06 2020 daemon.info ipsec: 00[CFG] loading secrets from '/var/ipsec/ipsec.secrets'
Tue Feb  4 11:06:06 2020 daemon.info ipsec: 00[CFG] loaded IKE secret for domain.name domain.name
Tue Feb  4 11:06:06 2020 daemon.info ipsec: 00[LIB] loaded plugins: charon aes des sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp pem gmp xcbc hmac kernel-netlink resolve socket-default stroke vici updown xauth-generic
Tue Feb  4 11:06:06 2020 daemon.info ipsec: 00[JOB] spawning 16 worker threads
Tue Feb  4 11:06:06 2020 authpriv.info ipsec_starter[27858]: charon (28035) started after 480 ms
Tue Feb  4 11:06:06 2020 daemon.info ipsec: 05[CFG] received stroke: add connection 'gs2-gs2_c'
Tue Feb  4 11:06:06 2020 daemon.info ipsec: 05[CFG] algorithm 'no_pfs' not recognized
Tue Feb  4 11:06:06 2020 daemon.info ipsec: 05[CFG] skipped invalid proposal string: aes128-sha1-no_pfs
Tue Feb  4 11:06:06 2020 daemon.info ipsec: 07[CFG] received stroke: initiate 'gs2-gs2_c'
Tue Feb  4 11:06:06 2020 daemon.info ipsec: 07[CFG] no config named 'gs2-gs2_c'
Tue Feb  4 11:06:06 2020 authpriv.info ipsec_starter[27858]: no config named 'gs2-gs2_c'
Tue Feb  4 11:06:06 2020 authpriv.info ipsec_starter[27858]:

It seems like the system is writing config files that strongSwan can't use. While troubleshooting I also noticed that the config files on this router aren't in the locations specified in https://wiki.teltonika.lt/index.php?title=UCI_command_usage - the IPsec configuration that gets generated and presumably passed to strongSwan is at /var/ipsec.ipsec.conf

Is this something I can fix myself or do I need to wait for a new firmware release?

Thanks
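The two charon lines "algorithm 'no_pfs' not recognized" and "skipped invalid proposal string: aes128-sha1-no_pfs" pin the failure down: the generated ipsec.conf carried the UI's "no PFS" setting as a literal third token in the phase-2 proposal, but strongSwan has no such keyword. It expresses "no PFS" by leaving the DH group out of the ESP proposal, so the string the daemon would have accepted is `aes128-sha1`. Once a proposal string is skipped the connection is never added, which is why the later "no config named 'gs2-gs2_c'" appears. The script below is an added example, not part of the original post and not Teltonika's or strongSwan's own code: it rebuilds the proposal strings from a `uci show ipsec` dump (the two proposal sections copied from the question are embedded as constructed sample input), drops the DH group when it is `no_pfs`, and checks every token against a partial, assumed list of algorithm keywords charon accepts, so a config can be vetted before the daemon rejects it. The function names are my own; on the router the same functions can be fed the live dump.

```shell
#!/bin/sh
# Constructed sample: the two proposal sections from the `uci show ipsec`
# output in the question (values copied from the post).
sample_uci() {
cat <<'EOF'
ipsec.gs2_ph1=proposal
ipsec.gs2_ph1.encryption_algorithm='aes128'
ipsec.gs2_ph1.hash_algorithm='sha1'
ipsec.gs2_ph1.dh_group='modp1024'
ipsec.gs2_ph2=proposal
ipsec.gs2_ph2.encryption_algorithm='aes128'
ipsec.gs2_ph2.hash_algorithm='sha1'
ipsec.gs2_ph2.dh_group='no_pfs'
EOF
}

# uci_get DUMP SECTION OPTION -> prints the unquoted value (empty if absent).
uci_get() {
    printf '%s\n' "$1" | sed -n "s/^ipsec\.$2\.$3='\(.*\)'\$/\1/p"
}

# proposal_string DUMP SECTION -> the strongSwan proposal string for a UCI
# proposal section. A DH group of 'no_pfs' (or none) is omitted entirely:
# strongSwan signals "no PFS" by the absence of a group, not by a keyword.
proposal_string() {
    dump=$1; sec=$2
    enc=$(uci_get "$dump" "$sec" encryption_algorithm)
    hash=$(uci_get "$dump" "$sec" hash_algorithm)
    dh=$(uci_get "$dump" "$sec" dh_group)
    if [ -z "$enc" ] || [ -z "$hash" ]; then
        echo "proposal $sec: missing encryption or hash algorithm" >&2
        return 1
    fi
    case "$dh" in
        ''|no_pfs) printf '%s-%s\n' "$enc" "$hash" ;;
        *)         printf '%s-%s-%s\n' "$enc" "$hash" "$dh" ;;
    esac
}

# Partial list of keywords charon accepts (assumption: enough for the
# algorithms on this page; extend as needed). Any other token draws the
# same "not recognized" rejection seen in the log.
KNOWN_TOKENS=" aes128 aes192 aes256 3des sha1 sha256 sha384 sha512 md5 modp768 modp1024 modp1536 modp2048 modp3072 modp4096 modp8192 ecp256 ecp384 ecp521 "

# check_proposal STRING -> returns 0 if every dash-separated token is known,
# 1 otherwise (each unknown token is reported on stderr).
check_proposal() {
    rc=0
    old_ifs=$IFS; IFS=-
    for tok in $1; do
        case "$KNOWN_TOKENS" in
            *" $tok "*) ;;
            *) echo "algorithm '$tok' not recognized in proposal '$1'" >&2; rc=1 ;;
        esac
    done
    IFS=$old_ifs
    return $rc
}

# Demo: rebuild both proposals from the sample dump and vet them, then show
# that the string the firmware actually wrote is the one charon rejects.
dump=$(sample_uci)
for sec in gs2_ph1 gs2_ph2; do
    p=$(proposal_string "$dump" "$sec")
    if check_proposal "$p"; then
        echo "$sec -> $p (ok)"
    else
        echo "$sec -> $p (would be rejected by charon)"
    fi
done
if check_proposal "aes128-sha1-no_pfs"; then
    echo "unexpected: literal no_pfs token accepted"
else
    echo "aes128-sha1-no_pfs is rejected, as in the log"
fi
```

To vet the live configuration on the router, replace `dump=$(sample_uci)` with `dump=$(uci show ipsec)`; any proposal that `check_proposal` flags is one charon will skip at the next `ipsec` restart.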

1 Answer

by
Hello,

Could you send me a troubleshoot file? You can find it by going to SYSTEM > ADMINISTRATION > TROUBLESHOOT. Before downloading it, please try to establish the VPN connection. You can send it to me via private message.
by
Thanks, file has been sent.
by
Doing a bit more troubleshooting, creating an IKEv1 connection and setting it to aggressive mode also trips up strongSwan when it parses the configuration file.