0 votes
65 views 7 comments
by

Hello,

I've been able to establish the connection between RUT955 (head office with static public address) and RUTX11 (remote site with 4G dynamic NAT address), but I can't get communication between both locations.

The RUTX11 dials into the RUT955.

This is what happens when I run the ipsec status command on the RUTX11

root@Teltonika-RUTX11:~# ipsec status

Shunted Connections:

passth_RUT2_ph2_lan_0:  192.168.2.0/24 === 192.168.2.0/24 PASS

Security Associations (1 up, 0 connecting):

RUT2-RUT2_c[1]: ESTABLISHED 10 minutes ago, remote public IP[remote public IP]...head office public ip[head office public IP]

Here is the configuration for the remote site

Configuration for HQ site

by
Just wanted to add that I have the latest firmware running on both

1 Answer

+1 vote
by

Hello,

192.168.2.0/24 === 192.168.2.0/24 cannot be correct; could you post your /etc/config/ipsec from both ends (after masking the public IP)?

Regards,

Best answer
by
Thanks for the reply flebourse

Here is the config for the HQ site

root@Teltonika-RUT955:/etc# uci export strongswan

package strongswan

config conn 'RUT1'

        option enabled '1'
        option keyexchange 'ikev1'
        option aggressive 'no'
        option ipsec_type 'tunnel'
        option auto 'start'
        option forceencaps 'no'
        option dpdaction 'none'
        option auth 'psk'
        option keep_enabled '1'
        option ping_ipaddr '192.168.2.1'
        option ping_period '10'
        option allow_webui '1'
        option ike_encryption_algorithm '3des'
        option ike_authentication_algorithm 'sha1'
        option ike_dh_group 'modp1536'
        option ikelifetime '8h'
        option esp_encryption_algorithm '3des'
        option esp_hash_algorithm 'sha1'
        option esp_pfs_group 'modp1536'
        option keylife '8h'
        option leftfirewall 'yes'
        option rightfirewall 'yes'
        list leftsubnet '192.168.1.0/24'
        list rightsubnet '192.168.2.0/24'

config preshared_keys

        option psk_key 'ipsec'

Here is the config for the remote site

config ipsec

        option rtinstall_enabled '1'

config remote 'RUT2'

        option crypto_proposal 'RUT2_ph1'
        option gateway '0.0.0.0'
        option authentication_method 'psk'
        option pre_shared_key 'ipsec'
        list tunnel 'RUT2_c'
        option force_crypto_proposal '0'
        option enabled '1'

config connection 'RUT2_c'

        option crypto_proposal 'RUT2_ph2'
        option mode 'start'
        option type 'tunnel'
        option keyexchange 'ikev1'
        option force_crypto_proposal '0'
        option local_firewall 'yes'
        option remote_firewall 'yes'
        option remote_sourceip '192.168.1.0/24'
        option local_sourceip '192.168.2.0/24'
        option forceencaps 'yes'
        option defaultroute '0'
        list local_subnet '192.168.2.0/24'
        list remote_subnet '192.168.1.0/24'

config proposal 'RUT2_ph1'

        option hash_algorithm 'sha1'
        option dh_group 'modp1536'
        option encryption_algorithm '3des'

config proposal 'RUT2_ph2'

        option hash_algorithm 'sha1'
        option dh_group 'modp1536'
        option encryption_algorithm '3des'
by
Hello,

What does "ipsec statusall" say on the RUT955 when the tunnel is up?

The "local_sourceip" and "remote_sourceip" on the RUTX11 don't look correct, except maybe if you have a non-standard netmask on the native interfaces. The simplest solution is to introduce a third network for the tunnel endpoints (any private network will do: 192.168.(not 1 nor 2).0/24, 172.[16...31].x.0/24, 10.x.y.0/24) and choose 2 values in this range for the RUT955 and RUTX11.

If IPSEC is not a prerequisite for you, maybe you could consider using Wireguard; configuration is much simpler and performance is excellent.

Regards,
by
Hey there

Thanks for the reply and help so far, it is appreciated.

Where would I enter the third network?

I can't see an option for Wireguard in the RUTX11 setup.
by
Hello,

Wireguard is not installed by default; from the UI go to Services->Package Manager and add it. Same on the other end.

Then the option Services->VPN->Wireguard will appear.

For the third network simply set the local endpoint of the RUT955 IPSEC interface to 172.16.1.1/32 and 172.16.1.2/32 for the RUTX11. So the configuration will be:

192.168.1.0/24 + 172.16.1.1 --------()--------- 172.16.1.2 + 192.168.2.0/24

If you choose to go this way I would also suggest using IKEv2 instead of IKEv1.

Regards,
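As an added example (not from this thread or from Teltonika), a small Python checker for the two configuration mistakes discussed above: it parses the UCI ipsec 'connection' section and flags sourceip values that are whole networks or that sit inside a routed LAN, plus a subnet listed on both sides of the tunnel. The sample sections are constructed from the RUTX11 config posted earlier and from the 172.16.1.x endpoints suggested in the reply.

```python
import ipaddress
import re

# Constructed samples: the RUTX11 'connection' section as posted in the thread, and
# the same section with the third-network endpoints suggested in the answer applied.
AS_POSTED = """
config connection 'RUT2_c'
        option remote_sourceip '192.168.1.0/24'
        option local_sourceip '192.168.2.0/24'
        list local_subnet '192.168.2.0/24'
        list remote_subnet '192.168.1.0/24'
"""
CORRECTED = """
config connection 'RUT2_c'
        option remote_sourceip '172.16.1.1/32'
        option local_sourceip '172.16.1.2/32'
        list local_subnet '192.168.2.0/24'
        list remote_subnet '192.168.1.0/24'
"""

def parse_uci(text):
    """Parse "config <type> '<name>'" sections into {name: {key: [values]}}."""
    sections, cur = {}, None
    for line in text.splitlines():
        if m := re.match(r"\s*config\s+\w+\s+'([^']+)'", line):
            cur = sections.setdefault(m.group(1), {})
        elif (m := re.match(r"\s*(?:option|list)\s+(\w+)\s+'([^']*)'", line)) and cur is not None:
            cur.setdefault(m.group(1), []).append(m.group(2))
    return sections

def check_connection(conn):
    """Return findings for one connection section (empty list = looks sane)."""
    findings = []
    local, remote = conn.get("local_subnet", []), conn.get("remote_subnet", [])
    if set(local) & set(remote):
        findings.append("a subnet appears as both local_subnet and remote_subnet")
    lans = [ipaddress.ip_network(s, strict=False) for s in local + remote]
    for key in ("local_sourceip", "remote_sourceip"):
        for val in conn.get(key, []):
            net = ipaddress.ip_network(val, strict=False)
            if net.num_addresses != 1:
                findings.append(f"{key} {val} is a whole network; an endpoint is a single host address")
            elif any(net.subnet_of(lan) for lan in lans):
                findings.append(f"{key} {val} lies inside a routed LAN; use a separate endpoint network")
    return findings

def audit(text):
    """Audit every connection section found in a UCI ipsec config dump."""
    return {n: check_connection(s) for n, s in parse_uci(text).items() if "local_subnet" in s}
```

Running audit() on the exported /etc/config/ipsec from each router shows the mismatch before the tunnel is brought up; the RUT955 end is checked the same way once its config is in the same format.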
by
Thank you so much, flebourse, for the help; I eventually got everything working over IPSEC.
by
Glad for you.