0 votes
599 views 7 comments
by

It appears the %any has been changed to any4 without the %, which I think causes the peer configs to fail as they don't match. Should it not be %any or %any4?

On the RUT240 side:

authentication of 'any4' (myself) with pre-shared key

Thu Nov 26 13:05:28 2020 daemon.info ipsec: 07[IKE] establishing CHILD_SA angle{13}

Thu Nov 26 13:05:28 2020 daemon.info ipsec: 07[ENC] generating IKE_AUTH request 1 [ IDi AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]

Thu Nov 26 13:05:28 2020 daemon.info ipsec: 07[NET] sending packet: from 203.xx.251[4500] to 222.xx.59[4500] (352 bytes)

Thu Nov 26 13:05:28 2020 daemon.info ipsec: 08[NET] received packet: from 222.xx.59[4500] to 203.xx.251[4500] (80 bytes)

Thu Nov 26 13:05:28 2020 daemon.info ipsec: 08[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]

Thu Nov 26 13:05:28 2020 daemon.info ipsec: 08[IKE] received AUTHENTICATION_FAILED notify error

On the other end of the tunnel, pfSense:

14[ENC] <29> parsed IKE_AUTH request 1 [ IDi AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Nov 26 12:59:47 charon 14[CFG] <29> looking for peer configs matching 222.xxx.xxx.59[%any]...203.xx.xxx.251[any4]
Nov 26 12:59:47 charon 14[CFG] <29> no matching peer config found

 

1 Answer

0 votes
by anonymous
Hi,

Did you try with the latest firmware 13.1?

https://wiki.teltonika-networks.com/view/RUT240_Firmware_Downloads

Also, did you test with both RUT240 for IPsec (Server and Client)? If so, please let me know to perform tests with my own devices.

I'll be looking forward to your feedback.

Regards.
by
Hi,

The same problem exists on 13.1.

The connections worked fine on 12.3 :), but I can't easily go back as the sites are remote and have custom gateways which I will lose if I downgrade via RMS, so then they won't be able to reconnect.

I don't have 2x 240s to test to each other. I have 4 240s in the field that have been running 12.3 and all connect to the same pfSense server via IPsec tunnels no problem. This one unit auto-upgraded to 13 and now fails. I think the use of any4 is the change and it should be defined as %any4.
by anonymous
Hi,

Ok, I'll test with pfSense and will try to reproduce the issue.

Do you have more details to share about the configuration that I need to know to reproduce the exact configuration you made?

Regards.
by
They are a pretty basic standard IPsec setup:

IKEv2

Remote gateway via fixed IP

Mutual PSK

AES 256 SHA256 Group 14

Just a random pre-shared key

My identifier: IP address

Peer identifier: any

I have tried IKEv1 Main and Aggressive as well and the same error occurs.
by anonymous
Hi,

Sorry for the delay. I was on holidays.

Ok, I'll check today and I'll let you know any details.

Regards.
by

Further detail:

I retrieved the unit, reflashed it down to 12.3 and reset the original configuration, and the RUT240 immediately relinks the IPsec tunnel and works fine, as it has for the last year. So the conclusion is that the 13 release has an issue. I firmly believe it is the change from the RUT240 using %any as a remote identifier to the new firmware attempting to use %any4, but it may be being passed without the %, as it shows in the logs as 'any4' without the %, which means it won't work.

The 13 firmware must have been changed to use the more restrictive %any4 to restrict address selection to IPv4 addresses. Because of double NAT on our mobile links, we were using %any as the secret's ID selector.

Anyway, hopefully that's helpful. I will stay on 12.3 for now as it works :)

by anonymous
Hi,

I'm getting the same issue, I'll report to our R&D.
by anonymous
Hi, I've performed new tests and it seems everything is working as expected.

Did you solve this issue?

Regards.
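
A log check for the failure discussed in this thread, added here as an example and not code from Teltonika, pfSense or any poster: it pairs charon's "looking for peer configs matching" line with a following "no matching peer config found" on the same connection and flags a peer identity that is a wildcard keyword without its leading % (the 'any4' case in the question). The sample log is constructed from the lines quoted in the question; the function name and the bare-keyword heuristic are assumptions.

```python
import re

# Constructed sample: the first pair mirrors the pfSense lines quoted in the
# question; the second pair is an invented successful lookup for contrast.
SAMPLE_LOG = """\
Nov 26 12:59:47 charon 14[CFG] <29> looking for peer configs matching 222.xxx.xxx.59[%any]...203.xx.xxx.251[any4]
Nov 26 12:59:47 charon 14[CFG] <29> no matching peer config found
Nov 26 13:02:10 charon 09[CFG] <30> looking for peer configs matching 222.xxx.xxx.59[%any]...203.xx.xxx.252[203.xx.xxx.252]
Nov 26 13:02:10 charon 09[CFG] <30> selected peer config 'con1'
"""

# charon logs the lookup as local_addr[local_id]...remote_addr[remote_id].
LOOKUP_RE = re.compile(
    r"<(?P<conn>[^>]+)> looking for peer configs matching "
    r"(?P<local>\S+?)\[(?P<local_id>[^\]]*)\]\.\.\."
    r"(?P<remote>\S+?)\[(?P<remote_id>[^\]]*)\]"
)
FAIL_RE = re.compile(r"<(?P<conn>[^>]+)> no matching peer config found")

# Assumption (heuristic): an identity equal to one of these is a wildcard
# keyword that lost its '%' prefix and was sent as a literal ID.
BARE_WILDCARDS = {"any", "any4", "any6"}


def failed_lookups(log_text):
    """Return one record per peer-config lookup that ended in 'no match'."""
    pending = {}   # connection id -> identities from the lookup line
    failures = []
    for line in log_text.splitlines():
        lookup = LOOKUP_RE.search(line)
        if lookup:
            pending[lookup["conn"]] = lookup.groupdict()
            continue
        fail = FAIL_RE.search(line)
        if fail and fail["conn"] in pending:
            rec = pending.pop(fail["conn"])
            rec["suspect"] = rec["remote_id"].lower() in BARE_WILDCARDS
            failures.append(rec)
    return failures


if __name__ == "__main__":
    for rec in failed_lookups(SAMPLE_LOG):
        note = " (wildcard keyword without '%')" if rec["suspect"] else ""
        print(f"conn {rec['conn']}: {rec['remote']} sent ID "
              f"'{rec['remote_id']}'{note}, no peer config matched")
```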