+2 votes
1,266 views 2 comments
by

Hi to all, this is my first post, made here to help anyone who runs into trouble with the IPsec VPN configuration on the RUT series. After many hours of trial and error I finally landed on a "stable" configuration that works like a charm: packets flow through the tunnel with no problem between my brand new RUT240 and the pfSense APU2 installed at my HQ.

My pfSense hosts many other IPsec instances in parallel for managing my remote site equipment, mainly IP DVR and NVR remote installations.

So, I made this shiny schematic proof of concept, which actually runs at my test site and explains itself very easily. :D

Ok

OK, for me, I think setting the remote network subnet/mask to 0.0.0.0/0 does the trick.

The configuration on the pfSense side is almost "standard as usual", but I set the "Only Responder" flag.

If you want to learn more, start by reading about strongSwan and OpenWrt, because Teltonika RutOS is based on the OpenWrt / LuCI project. I'm familiar with these things; my reference pages when investigating why IPsec on the RUT240 does not "route" the same way as other regular firewall/router appliances are here:

https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples

https://forum.archive.openwrt.org/viewtopic.php?id=68509

and some thread on this forum as well https://community.teltonika-networks.com/17128/reach-rut950-ipsec-server-rut950-remote-client-established

Final notice, WARNING: the RUT240 hardware is based on the Atheros AR9330 rev 1 SoC, which is not powerful enough to handle IPsec and heavy crypto; you can get slow overall performance with some kinds of configuration, like active Teltonika RMS (another hardcoded OpenVPN service eating CPU cycles). This example is only for testing the "power" of the throughput.

In this scenario I reach a stable flow of around 5 Mbps at 80% CPU load.

pfSense system load vs. IPsec inbound traffic is irrelevant.
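As an added illustration (this is not the original poster's configuration file and was not generated by the RutOS or pfSense web UI), here is what the setup described above looks like in plain strongSwan ipsec.conf syntax, the package both RutOS and pfSense drive underneath. The addresses, subnets, connection names and identities are assumptions for the example. The HQ side uses auto=add, which is what pfSense's "Only Responder" flag amounts to; the RUT240 side uses rightsubnet=0.0.0.0/0 as in the post, with the HQ side mirroring it as its local network. Because a 0.0.0.0/0 remote selector also covers the RUT240's own LAN, a passthrough connection is added so that local LAN-to-LAN traffic is not pushed into the tunnel (the same job the "Passthrough networks" setting mentioned in the comments does).

```ini
# --- RUT240 (initiator) side, added example: /etc/ipsec.conf ---
# Assumed for this example: RUT240 LAN 192.168.10.0/24, HQ LAN 192.168.1.0/24,
# pfSense WAN 203.0.113.1. The PSK lives in /etc/ipsec.secrets, e.g.
#   @rut240-site1 203.0.113.1 : PSK "replace-with-a-long-random-secret"
config setup
    uniqueids = yes

conn %default
    keyexchange = ikev2
    # keep the proposals modest: the post reports the SoC tops out around 5 Mbps of ESP
    ike = aes128-sha256-modp2048!
    esp = aes128-sha256!
    dpdaction = restart
    dpddelay = 30s

conn hq
    left = %defaultroute                # RUT240 WAN address (may sit behind carrier NAT)
    leftsubnet = 192.168.10.0/24        # local LAN offered to the tunnel
    leftid = @rut240-site1
    right = 203.0.113.1                 # pfSense WAN
    rightid = 203.0.113.1
    rightsubnet = 0.0.0.0/0             # "remote network 0.0.0.0/0": everything goes via HQ
    authby = psk
    auto = start                        # the RUT240 always initiates

# Bypass policy: without it, LAN-to-LAN traffic on the RUT240 also matches the
# 0.0.0.0/0 selector and is either dropped or sent into the tunnel.
conn lan-passthrough
    leftsubnet = 192.168.10.0/24
    rightsubnet = 192.168.10.0/24
    type = passthrough
    auto = route

# --- HQ side, plain-text equivalent of the pfSense phase 1 / phase 2 settings ---
# pfSense generates its own strongSwan configuration from the GUI; this block only
# shows which selectors and mode those GUI fields map to.
conn site1
    left = 203.0.113.1
    leftid = 203.0.113.1
    leftsubnet = 0.0.0.0/0              # phase 2 local network 0.0.0.0/0
    right = %any                        # remote WAN address is dynamic / NATed
    rightid = @rut240-site1
    rightsubnet = 192.168.10.0/24       # phase 2 remote network = RUT240 LAN
    authby = psk
    auto = add                          # "Only Responder": load the conn, never initiate
```

Two checks worth doing after loading this: `ipsec statusall` on the RUT240 should list both `hq` (ESTABLISHED, with the 192.168.10.0/24 === 0.0.0.0/0 child SA) and `lan-passthrough` (ROUTED), and `ip xfrm policy` should show the passthrough entry above the tunnel policy. On OpenWrt-based firmware the init script may regenerate ipsec.conf from the UCI config on every restart, so confirm which file the running charon actually read before trusting a hand edit. With leftsubnet=0.0.0.0/0 on the HQ side, internet-bound traffic from the RUT240 LAN exits through pfSense and needs an outbound NAT rule there like any other LAN.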

by
Hi, do you know if your solution also works for GRE over IPsec? I tried to create a secure tunnel between a RUT240 and a Cisco router, and when I applied IPsec to the GRE tunnel I lost the connection. I thought that maybe the RUT240 doesn't support GRE over IPsec, but it is also possible that I'm configuring something wrong on the RUT240.
by
I got this working on a Fortigate by setting the phase 2 "local addresses" to 0.0.0.0/0.0.0.0 on the Fortigate and "Remote subnet" to 0.0.0.0/0.0.0.0 on the Teltonika, and under advanced IPsec selecting "Passthrough networks = LAN".
The problem with the Teltonika device is that some functions don't work without a reboot, which makes troubleshooting harder.

2 Answers

+1 vote
by
Hi!

I'm really glad that through the tests and errors you finally reached a result that you're comfortable with. It's really helpful that people like you share their experiences configuring and testing our devices in complex infrastructures, and we hope to reward such effort with something valuable and useful.

Please respond to our private message and let's discuss this matter.

Thank you for your work.

EB.
0 votes
by
Hi anonymous, my tests are only on simple IPsec, not GRE tunnels. Sorry. Configuration compatibility across the different VPN protocols and mechanisms is always based on the strongSwan application as applied in the OpenWrt/LuCI project.

You can try to learn about strongSwan on the official strongSwan home site.

RutOS is based on OpenWrt and the strongswan package is the same between them. I guess you need to apply some kind of manual text file configuration, because the RutOS web UI does not allow much more advanced fine tuning of the strongswan package. (Related to the release I posted above.)

Best Regards.
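As an added example of the kind of "manual text file configuration" the answer above refers to (not something tested in this thread, and not a Teltonika-provided configuration), this is the standard strongSwan way to express Cisco-style GRE over IPsec: an ordinary GRE tunnel between the two WAN addresses, plus a transport-mode IPsec SA that protects only protocol 47 (GRE) between those addresses, instead of a tunnel-mode SA with subnet selectors. The WAN addresses, identities, proposals and the IKE version are assumptions; the GRE interface itself is assumed to be configured separately on the RUT240 and the Cisco side.

```ini
# Added example: GRE-over-IPsec in /etc/ipsec.conf on the RUT240 (not from the thread).
# Assumed: RUT240 WAN 198.51.100.2, Cisco WAN 203.0.113.1, PSK in /etc/ipsec.secrets:
#   198.51.100.2 203.0.113.1 : PSK "replace-with-a-long-random-secret"
conn gre-cisco
    keyexchange = ikev1               # assumption: match whatever the Cisco crypto config uses (ikev2 if so)
    left = 198.51.100.2
    leftid = 198.51.100.2
    right = 203.0.113.1
    rightid = 203.0.113.1
    type = transport                  # no inner tunnel: GRE already encapsulates the payload
    leftprotoport = 47                # 47 = GRE; the SA matches only GRE packets between the peers
    rightprotoport = 47
    authby = psk
    ike = aes128-sha1-modp1024!       # example proposal only; mirror the Cisco side exactly
    esp = aes128-sha1!
    auto = start
```

The usual failure mode when "applying IPsec to the GRE tunnel" loses the connection is a selector mismatch: if one side proposes tunnel mode with subnet selectors while the other proposes transport mode for protocol 47, phase 2 never comes up and the GRE keepalives stop. `ipsec statusall` shows the installed child SA as `198.51.100.2[gre] === 203.0.113.1[gre]` when the selectors agree, and `ip xfrm state` should show transport-mode ESP entries between the two WAN addresses.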