WIKIABOUT

FOR TIPS, gUIDES & TUTORIALS

subscribe to our Youtube

GO TO YOUTUBE

14455 questions

17168 answers

28195 comments

0 members

Most popular tags

rut955 rut240 rut950 rutx11 rms vpn to openvpn wifi not sms trb140 firmware connection - ipsec on rutx12 rutx09 modbus
We are migrating to our new platform at https://community.teltonika.lt. Moving forward, you can continue discussions on this new platform. This current platform will be temporarily maintained for reference purposes.

Fortigate - RUTX11 - ipsec after router reboot: will come online after 10-30 minutes

0 votes
1,358 views 28 comments
by anonymous

i want to use ipsec between an RUTX11 and an fortigate firewall.

First thing i saw in the logfiles: the RUTX11 tries to reauthenticate with IKEv2. As far as i know, reauthentication should be used only with IKEv1. IKEv2 should use rekeeing only. thats also the default config at the forrtigate, so i set "reauth=no" under cutom options. i think that should be changed in the default config.

After that, i cant see any errors in the logfile. the router is trying to bring up the ipsec connection directly after boot. the tunnel is up for 1 second, and directly after that its down again. the router is doing that for the next 10-30 minutes. after that the tunnel is online and stable. i dont know whats wrong with the configuration that the tunnel is not coming directly online after the first try.

i hope someone can help. Logfiles frome one unsuccessfull connection and one successful connection after a lot of minutes can be found here: https://drive.google.com/file/d/1KADd2SlQ75_u_Uyw4ACtwzuFwAXdP0y0/view?usp=sharing

BTW: why cant we upload logfiles here?!? 12000 characters are not enough for logfiles.

1 Answer

0 votes
by anonymous

Hello.

Make sure both devices have the latest firmware

Try to configure the IPsec connection with another parameters.

You can download some configuration examples with fortigate here, hope this helps

Best regards.

Show 23 previous comments
by anonymous
Thank you for information. I will inform our HQ about your proposal.
by anonymous
And about the UI: it should at least catch the case where IKE lifetime < 2 * margintime, or have a field to choose the unit.
by anonymous

And when whe are already talking about things that will never happen: Lets implement multi-core use for VPN crypto... at the moment it uses only one core for that and is limited to 50-55mbit/s with aes 256. Thats to slow for a new product. we are talking about 100mbit and 250mbit wan uplinks, that is not unusual....

BTW, fortigate already has the field to chose the unit:

by anonymous
Wireguard ? About twice the throughput ... and much simpler than ipsec.
by anonymous
we will not use wireguard.

I think we will drop the test with the teltonikas, they are simply to slow for professional use. If they could handle more than 100mbit/s ipsec, we would give them a try. But at the moment i would say that this i something for an homeoffice workplace, or realy small office with one or 2 pcs, or something for enthusiasts / private use.

I think we will use the fortigate 40F in our ofsite locations. much more power and also realy cheap.