by

I want to use IPsec between an RUTX11 and a Fortigate firewall.

First thing I saw in the log files: the RUTX11 tries to reauthenticate with IKEv2. As far as I know, reauthentication should be used only with IKEv1. IKEv2 should use rekeying only. That's also the default config on the Fortigate, so I set "reauth=no" under custom options. I think that should be changed in the default config.

After that, I can't see any errors in the log file. The router is trying to bring up the IPsec connection directly after boot. The tunnel is up for 1 second, and directly after that it's down again. The router is doing that for the next 10-30 minutes. After that the tunnel is online and stable. I don't know what's wrong with the configuration that the tunnel is not coming online directly after the first try.

I hope someone can help. Log files from one unsuccessful connection and one successful connection after a lot of minutes can be found here: https://drive.google.com/file/d/1KADd2SlQ75_u_Uyw4ACtwzuFwAXdP0y0/view?usp=sharing

BTW: why can't we upload log files here?!? 12000 characters are not enough for log files.

1 Answer

by

Hello.

Make sure both devices have the latest firmware.

Try to configure the IPsec connection with other parameters.

You can download some configuration examples with Fortigate here; hope this helps.

Best regards.

by
Thank you for information. I will inform our HQ about your proposal.
by
And about the UI: it should at least catch the case where IKE lifetime < 2 * margintime, or have a field to choose the unit.
by

And while we are already talking about things that will never happen: let's implement multi-core use for VPN crypto... At the moment it uses only one core for that and is limited to 50-55 Mbit/s with AES-256. That's too slow for a new product. We are talking about 100 Mbit and 250 Mbit WAN uplinks; that is not unusual....

BTW, Fortigate already has the field to choose the unit:

by
WireGuard? About twice the throughput ... and much simpler than IPsec.
by
We will not use WireGuard.

I think we will drop the test with the Teltonikas; they are simply too slow for professional use. If they could handle more than 100 Mbit/s IPsec, we would give them a try. But at the moment I would say that this is something for a home office workplace, or a really small office with one or two PCs, or something for enthusiasts / private use.

I think we will use the Fortigate 40F in our offsite locations. Much more power and also really cheap.
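As an added example (not code from the thread, Teltonika or strongSwan), here is a small checker for strongSwan-style ipsec.conf settings that catches the two points raised above: `reauth` left at its default with IKEv2, and a lifetime that does not exceed margintime*(100+rekeyfuzz)/100, which with the default rekeyfuzz=100% is exactly the "IKE lifetime < 2 * margintime" case. It assumes strongSwan's ipsec.conf defaults (ikelifetime=3h, lifetime=1h, margintime=9m, rekeyfuzz=100%, reauth=yes) and that a bare number is read as seconds; the conn block is constructed to show a value entered without a unit.

```python
import re

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}  # bare number = seconds

def parse_duration(value):
    """Convert '3h', '9m', '540s' or a bare '540' into seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError(f"bad duration: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2) or "s"]

def parse_conn(text):
    """Collect the key=value settings of one conn block (comments dropped)."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, val = line.split("=", 1)
            conf[key.strip()] = val.strip()
    return conf

def check_conn(conf):
    """Return a list of lifetime/reauth problems; empty means the block is sane."""
    problems = []
    # Defaults as in strongSwan's ipsec.conf: 3h, 1h, 9m, 100%, reauth=yes.
    ikelifetime = parse_duration(conf.get("ikelifetime", "3h"))
    lifetime = parse_duration(conf.get("lifetime", "1h"))
    margintime = parse_duration(conf.get("margintime", "9m"))
    rekeyfuzz = int(conf.get("rekeyfuzz", "100%").rstrip("%"))
    # Rekeying starts margintime (stretched by up to rekeyfuzz) before expiry, so a
    # hard lifetime must exceed margintime*(100+rekeyfuzz)/100 (2*margintime by default).
    floor = margintime * (100 + rekeyfuzz) // 100
    for name, seconds in (("ikelifetime", ikelifetime), ("lifetime", lifetime)):
        if seconds <= floor:
            problems.append(f"{name}={seconds}s does not exceed {floor}s: the SA "
                            "would be renewed as soon as it comes up")
    if conf.get("keyexchange", "ike") == "ikev2" and conf.get("reauth", "yes") == "yes":
        problems.append("reauth=yes with IKEv2: the IKE SA is re-authenticated "
                        "instead of rekeyed (set reauth=no as the question did)")
    return problems

# Constructed sample: a unit-less ikelifetime meant as minutes but read as seconds.
BAD_CONN = """\
conn fortigate
    keyexchange=ikev2
    ikelifetime=180    # intended as 180 minutes, parsed as 180 seconds
    lifetime=60
    margintime=9m
"""
```

Running `check_conn(parse_conn(BAD_CONN))` reports all three problems; the same block with `ikelifetime=3h`, `lifetime=1h` and `reauth=no` passes clean.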