+1 vote
685 views 11 comments
by

Hi, 

We have a large set of RUT950s that we use in a distributed IPSEC VPN network. Suddenly, all new routers fail to establish an IPSEC VPN connection when setting them up in the network. The issue appeared in RUT9XX_R_00.06.07.3, or a build recently prior to this one.

Basically, the error is that both /etc/ipsec.conf and /tmp/ipsec/ipsec.conf are corrupted, and strongswan will not start.

When looking at the config-file /etc/ipsec.conf it appends the following information:

        rightsubnet=10.1.0.0/26,10.1.2.0/24conn azure_1
          also=azure
          leftsubnet=192.168.105.0/24
          rightsubnet=10.1.2.0/24

Everything in red is duplicate information. When I remove it from /etc/ipsec.conf and do an "ipsec restart" then the VPN pops up. While rebooting the router everything falls down again and the VPN is dead.

I route two different networks through the ipsec connection (as you can see from the config above). That can be a reason why this issue appears. 

We have had this problem for over a month now, and no new build has been released from Teltonika fixing this issue. 

Is this the right forum for informing Teltonika about bugs like these, or should I send it somewhere else?

Thanks

Regards, 

Erik

by

We have the same problem. A manual way to temporarily fix the problem is to edit /var/ipsec/ipsec.conf and add two newlines between "24" and "conn azure_1" in your example. Then run /usr/sbin/ipsec start. However, rebooting or changing ipsec through the GUI breaks it again.

This problem occurred in RUT950 firmware RUT9XX_R_00.06.07.3 but worked in previous versions (RUT9XX_R_00.06.05.3).

The problem also concerns RUT240 firmware version RUT2XX_R_00.01.12.3

I have the same question - is this the proper way to report the issue to Teltonika?

by
Update: It looks like the problem only occurs when there is more than 1 network configured in the "Remote IP address/Subnet mask" section. When only 1 network is configured, ipsec.conf will work fine. Probably the script that is generating the ipsec.conf is missing a couple of newlines after the first conn.

1 Answer

0 votes
by anonymous
Hello,

Could you send us a copy of the troubleshoot file so that we can check? Make sure that the router was not turned off when getting the troubleshoot file. Also, it is best to restart the ipsec service before taking the troubleshoot file so that everything will be recorded.

You can get the troubleshoot file on System > Administration > Troubleshoot

Regards,

Jerome
by
No problem, will do. Where should I send the troubleshoot file?
by
Hi Jerome,

We use RUT950s for our edge production environments. Since luckily most traffic is still sent on public internet I need someone to drive out and connect locally to the firewall so that I can re-enable IPSEC. As explained by my fellow user, even if we fix it once, it still crashes as soon as the router is rebooted :)

Regards,
Erik
by
Hi Jerome,

I now have the router online and I have created the file you want. Where do you want it sent?

Regards,
Erik
by anonymous
Hello,

You can send me the troubleshoot file via pm. But you need to create an account here in crowd support.

Regards,
Jerome
by anonymous
Jerome: PM sent. As stated above, I am also convinced that the issue is related to multiple remote networks.
by anonymous
Hello,

For IPSec you need to have 1 tunnel for 1 device. So let's say your IPSec server must have one active tunnel dedicated to the RUT device. Mixing it with 1 tunnel with multiple ipsec connections will make the tunnel go up and down randomly.

Regards,

Jerome
by anonymous

Hi Jerome, 

I think you got this reversed.. :-)

We have 1 tunnel that routes two remote networks (10.1.0.0/26 and 10.1.2.0/24). This is basic configuration and it works. It also works in previous builds, and it works when we manually go in and edit ipsec.conf and do an ipsec restart. The only problem is that your code that *writes* the ipsec.conf file is corrupting the file both when we make a change in the web portal and when we reboot the router.

Regards,
Erik

by
Exactly, it is only one tunnel but a couple of 10-networks that are routed through the tunnel. It works if I just add one network. Network nr 2 causes problems. And it works with previous versions of the firmware.
by

I just updated to firmware version RUT9XX_R_00.06.07.4 and after the reboot, the VPN connected successfully. Via CLI I could verify that the /var/ipsec/ipsec.conf was written at time of reboot and it does not have the error that used to cause the problem. So it looks like it has been fixed.
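
The defect discussed in this thread, a `conn` header written onto the end of the previous setting, can be checked for mechanically after a firmware update or a GUI change. The shell script below is an added example, not Teltonika's code and not something posted by the thread participants; the function names are hypothetical, and the sample file is constructed from the fragment quoted in the question (the `conn azure` header and its `leftsubnet` are assumed).

```shell
#!/bin/sh
# Added example (not vendor code): find and split a "conn <name>" header that
# was written onto the end of the previous setting in an ipsec.conf file.

# Constructed sample: the "conn azure" header and its leftsubnet are assumed;
# the remaining lines follow the fragment quoted in the question.
sample_conf() {
cat <<'EOF'
conn azure
        leftsubnet=192.168.105.0/24
        rightsubnet=10.1.0.0/26,10.1.2.0/24conn azure_1
  also=azure
  leftsubnet=192.168.105.0/24
  rightsubnet=10.1.2.0/24
EOF
}

# Print "line-number: text" for every indented key=value line that ends in a
# glued section header. Exit status 0 when at least one is found, 1 otherwise.
find_glued_conn() {
    awk '/^[ \t]+[^#= \t]+=.*[^ \t]conn[ \t]+[A-Za-z0-9_.-]+[ \t]*$/ {
             print NR ": " $0; n++
         }
         END { exit (n ? 0 : 1) }' "$1"
}

# Write a repaired copy to stdout: the setting, a blank line, then the section
# header starting in the first column, where ipsec.conf expects it.
repair_glued_conn() {
    awk '/^[ \t]+[^#= \t]+=/ && match($0, /[^ \t]conn[ \t]+[A-Za-z0-9_.-]+[ \t]*$/) {
             print substr($0, 1, RSTART)   # setting, through its last value character
             print ""
             print substr($0, RSTART + 1)  # header back in the first column
             next
         }
         { print }' "$1"
}

# Usage: sh check_ipsec_conf.sh /var/ipsec/ipsec.conf
if [ $# -gt 0 ]; then
    if find_glued_conn "$1"; then
        repair_glued_conn "$1" > "$1.fixed"
        echo "glued header found; repaired copy written to $1.fixed"
    else
        echo "no glued section header found in $1"
    fi
fi
```

As the posts above report, the affected firmware rewrites the file on reboot and on GUI changes, so a repaired copy only lasts until the next regeneration; the check is mainly useful for confirming whether a given build still produces the defect.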