0 votes
786 views 1 comments
by anonymous

Hello everybody,

Before entering this question I browsed all Teltonika "self service" resources ( FAQ, wiki etc. ) without finding a clear answer.

I should connect a RUT950 ( version RUT9XX_R_00.06.06.1 ) via its 4G uplink ( with dynamic and private IP beyond NAT: the LTE provider does not grant public and static IP ) to a Cisco VPN IPsec concentrator ( using IKE version 1 and FQDN settings ).

Here ( https://wiki.teltonika-networks.com/view/RUT950_VPN#IPsec_configuration ) I read that "IKEv1 only supports IP address ID selector" and "FQDN only supported with IKEv2".

Is it a peculiar limitation of Teltonika devices or a "natural" limitation of IKEv1 ( therefore can not be overcome by Teltonika unless my user will move its tunnels to more recent IKEv2 ) ?

In fact the example https://wiki.teltonika-networks.com/view/Setting_up_an_IPsec_tunnel_between_RUT_and_Cisco_device uses IKEv1 and IP address of the involved routers ( not their FQDN ).

Anyway I will try to upgrade RUT950 to latest RUT9XX_R_00.06.07 improving these features: improved IPsec and DMVPN pre-shared key validation, fixed IPsec identifier validation and removed "Aggressive mode" choice from IPSec IKEv2

Any troubleshooting idea is welcome!

Many thanks in advance.

Best regards.

Stefano

1 Answer

0 votes
by anonymous
Hello,

Yes, you are correct. IKEv1 supports only the IP address ID selector. In case you want to use FQDN secret's ID selector, you must select IKEv2. It is not only a Teltonika routers limitation but a natural IKEv1 limitation.

Best regards.
by anonymous

Not correct.

If config files are edited manually it will accept FQDN as well as user FQDN. It is a limitation of the RUT GUI.

Edit the file /etc/config/strongswan and put "option my_identifier 'RUT955@i.am'" or "option my_identifier 'RUT955.i.am'". They will work as user FQDN and FQDN respectively. The limitation is on the router GUI. (Of course, use your own identifiers.)

I've used them to connect to an IKEv1 VPN on a Cisco RV325.
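As an added example (not from the thread and not Teltonika's code), the sketch below reads `option my_identifier` lines and reports which IKEv1 identification type each value maps to, so the peer can be configured to expect the same type. The classification rules are a simplified assumption modelled on strongSwan's documented identity-string parsing, the ID type numbers come from RFC 2407, and the function names and sample config lines are constructed for illustration.

```python
import ipaddress
import re

# IKEv1 identification types (IPsec DOI, RFC 2407 section 4.6.2.1).
ID_IPV4_ADDR, ID_FQDN, ID_USER_FQDN, ID_IPV6_ADDR = 1, 2, 3, 5
NAMES = {1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_USER_FQDN", 5: "ID_IPV6_ADDR"}

# Matches a UCI line such as: option my_identifier 'RUT955.i.am'
OPTION_RE = re.compile(r"""^\s*option\s+my_identifier\s+(['"])(.*?)\1\s*$""")

def classify_identifier(value):
    """Return the ID type number for an identity string (simplified rules)."""
    value = value.strip()
    if not value:
        raise ValueError("empty identifier")
    if "=" in value or value.startswith(("@#", "@@")):
        raise ValueError("DN, key-id and forced-type forms are not covered here")
    if value.startswith("@"):      # leading '@' forces FQDN
        return ID_FQDN
    if "@" in value:               # user@domain form
        return ID_USER_FQDN
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return ID_FQDN             # not an address, so treated as a host name
    return ID_IPV4_ADDR if ip.version == 4 else ID_IPV6_ADDR

def identifiers_in_config(text):
    """List (value, type name) for every my_identifier option in the text."""
    found = []
    for line in text.splitlines():
        match = OPTION_RE.match(line)
        if match:
            value = match.group(2)
            found.append((value, NAMES[classify_identifier(value)]))
    return found

# Constructed sample: the two identifiers from the comment plus a
# documentation-range IP address (192.0.2.10) for comparison.
SAMPLE_CONFIG = """
    option my_identifier 'RUT955@i.am'
    option my_identifier 'RUT955.i.am'
    option my_identifier '192.0.2.10'
"""

if __name__ == "__main__":
    for value, kind in identifiers_in_config(SAMPLE_CONFIG):
        print(f"{value:15} -> {kind}")
```
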