+1 vote
76 views 2 comments
by

As Fritzbox is commonly used, I think that this is of interest to a lot of people and therefore I hope to move this topic forward together as much as possible. Thanks in advance for your help.

I have a test setup here with Fritzbox 7490 R7.12 and RUT240 R1.12.3. I have configured an IPsec VPN on RUT240 trying to connect to the Fritzbox where the IPSec VPN is already activated and successfully used via a smartphone. Params in RUT240 are IKE1, Aggressive, Tunnel mode, My identifier is the username for XAuth authentication needed by Fritzbox, left and right firewall buttons are checked.

Looking at RUT240's syslog, I see that already the first UDP packet doesn't go through. The IPV6 address of the remote end of the IPSec tunnel is correct. 

Tue Sep 15 14:23:45 2020 daemon.info ipsec: 13[IKE] peer not responding, trying again (10/0)
Tue Sep 15 14:23:46 2020 daemon.info ipsec: 13[IKE] initiating Aggressive Mode IKE_SA BueroKde[1] to 2003:eb:47ff:1ac2:eadf:70ff:fec3:b11c
Tue Sep 15 14:23:46 2020 daemon.info ipsec: 13[ENC] generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
Tue Sep 15 14:23:46 2020 daemon.info ipsec: 13[NET] sending packet: from ::[500] to 2003:eb:47ff:1ac2:eadf:70ff:xxxx:xxxx[500] (395 bytes)
Tue Sep 15 14:23:46 2020 daemon.info ipsec: 04[NET] error writing to socket: Permission denied
Tue Sep 15 14:23:50 2020 daemon.info ipsec: 14[IKE] sending retransmit 1 of request message ID 0, seq 1
Tue Sep 15 14:23:50 2020 daemon.info ipsec: 14[NET] sending packet: from ::[500] to 2003:eb:47ff:1ac2:efdf:7aff:xxxx:xxxx[500] (395 bytes)
Tue Sep 15 14:23:50 2020 daemon.info ipsec: 04[NET] error writing to socket: Permission denied
Tue Sep 15 14:23:57 2020 daemon.info ipsec: 15[IKE] sending retransmit 2 of request message ID 0, seq 1

Why does the first packet not go through? What does "Permission denied" mean in this context?

What I don't understand is:
a) I didn't have to enter the password for the XAuth functionality. How does RUT240 get to know this password then? When I create the IPSec VPN on my smartphone, I have to enter that password during initial setup on the smartphone, and then it seems to resend the initially configured username/password any time the VPN is established again.

b) The WebGUI allows entering the IPSec configuration and pre-shared keys in a different way than shown in the user manual. See here how the RUT240 UI looks for me (Enabled not checked to avoid constant retries):

How does RUT240 know that the pre-shared key at the bottom even belongs to BueroKde? In the manuals I've seen, the pre-shared key is always entered as part of the other parameters of the IPSec VPN. The WebUI does not allow this here?!

Thanks in advance for your help.

1 Answer

0 votes
by

Hi,

It is really unclear how your router gets that XAuth authentication done. Could you please elaborate in more detail on what your configuration is and whether it is successful?

  • Is your tunnel running normally even with XAuth authentication enabled on the other side?
  • Did you get any more errors except the ones you posted?
  • Could you also check the other side log where xauth is enabled?
Also, please send me your troubleshoot file via private message.
EB.
by
Hi EB,

1) Configuration/Successful: The router is connected to the public Internet via a VDSL modem. The router offers to serve IPSec VPNs (up to 12 in parallel). As the IPv4 address changes with any new VDSL login, the manufacturer of the router offers a service which the remote end of the VPN can connect to using an FQDN to get the actual IPv4 address of the router to connect to. The parameters of the IPSec VPN supported by the router are as in my original post. If you need more details, please ask.
I have successfully built up an IPSec VPN from my smartphone (Android) to the router. What did I do? I clicked Settings|Wireless&Network|VPN|Add VPN and entered the Type of the VPN to be "IPSec XAuth PSK", the name of the server (the FQDN I mentioned above), the IPSec-ID and the preinstalled IPSec-Key(Shared Secret). All of these three parameters I received from the router during initial VPN setup there. On the smartphone I created the VPN, which was successful. No VPN has been established at this time. Once I click connect, then the Android phone asks me to enter username and password. I entered these two data points and the VPN is established immediately. On the router Web UI I now see that the VPN is successfully established, I can see the IPV4 address of the Smartphone displayed.
So yes, at this point the establishment of the VPN via the smartphone is successful.
Now RUT240 offers many more configuration options compared to the smartphone. So the challenge is to get all parameters set up correctly on RUT240, I guess. Whether it is a smartphone or a RUT240 that talks via LTE to the router and asks for the establishment of a VPN should not be a fundamental difference, I hope.

2) So yes, the tunnel is running normally between smartphone and the router. On the smartphone I can open the browser and surf the web (indirectly via the tunnel through the router). So that works.

3) No, I didn't get any other errors. I took a full portion of the logfile. Of course the errors come repeatedly as RUT240 tries to resend the packets.

4) I need to get a hand around this still. Have been thinking about this already. Still need to check how I can get the syslog of the router. I will get back to you if I know how to do it.

Could you help me understand how to add the shared secret on the RUT240 and link that secret to one specific VPN in the list? The GUI (see screenshot) looks different than in the latest online manual. In the manual the secret is added as part of the VPN setup. On my RUT240 secrets can only be added after the VPN parameters have been entered. But then there is a list of secrets and there is a list of VPNs (in my case only one each, but generally they could be lists with many elements each, I guess). How does RUT240 then know which secret belongs to which VPN?

And on Xauth I am also lost. I miss the fields where to enter username and password on RUT240.

For testing purposes I can add a new user/password combination and you can try to build a tunnel to the router end point from your side. This way you can directly see the responses. Would share this in a private email if needed. Let me know.
by

Additional comment: Checking the wiki more I found Xauth parameters configurable (for RUT900) when special options are selected. https://wiki.teltonika-networks.com/view/RUT900_VPN states in the IPSec chapter:

Additional notes:

  • Some configuration fields become available only when certain other parameters are selected. Different color codes are used for different parameters:
    • Orange for Type: Xauth
Question: Which parameters need to be enabled to allow entry of the XAuth user/password? Custom options are also fine with me, but I would need the syntax.
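For the two open questions in this thread (how a pre-shared key is tied to one particular VPN, and where the XAuth username/password go), here is an added example in strongSwan's legacy ipsec.conf/ipsec.secrets syntax. It is not from the original thread nor from Teltonika's or AVM's documentation; it assumes the RUT240's ipsec daemon is strongSwan (the charon-style "13[IKE]" log lines above point that way), and every name, host and secret in it is a constructed placeholder.

```ini
# ---- /etc/ipsec.conf (strongSwan legacy syntax) ----
config setup

conn BueroKde
    keyexchange=ikev1
    aggressive=yes
    # Phase 1 with a PSK, followed by XAuth (username/password)
    authby=xauthpsk
    xauth=client
    # Local IKE identity; in aggressive mode it is sent in the very
    # first message. Placeholder for the Fritzbox "IPSec-ID".
    leftid=@ipsec-id-placeholder
    # XAuth username: strongSwan looks up the XAUTH secret by this name.
    xauth_identity=xauth-user-placeholder
    # Request a virtual IP from the responder
    leftsourceip=%config
    # Placeholder for the dynamic-DNS FQDN of the remote router
    right=fritzbox.example.invalid
    rightid=%any
    rightsubnet=0.0.0.0/0
    auto=add

# ---- /etc/ipsec.secrets ----
# A PSK is selected by the pair (local ID, remote ID), never by the conn
# name. %any matches any remote ID, so this line serves every conn whose
# leftid is @ipsec-id-placeholder and no other. That ID match is the link
# between an entry in a "secrets" list and an entry in a "VPNs" list.
@ipsec-id-placeholder %any : PSK "shared-secret-placeholder"

# The XAuth password is selected by the XAuth username (xauth_identity).
xauth-user-placeholder : XAUTH "xauth-password-placeholder"
```

A PSK line with no ID selectors (`: PSK "..."`) would match every connection, which is why a UI that lists secrets separately from VPNs can still apply the right one as long as the IDs are filled in.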