0 votes
433 views 7 comments
by anonymous

Hello,

I've been able to establish the connection between RUT955 (head office with static public address) and RUTX11 (remote site with 4G dynamic NAT address), but I can't get communication between both locations.

The RUTX11 dials into the RUT955.

This is what happens when I run the ipsec status command on the RUTX11:

root@Teltonika-RUTX11:~# ipsec status
Shunted Connections:
passth_RUT2_ph2_lan_0:  192.168.2.0/24 === 192.168.2.0/24 PASS
Security Associations (1 up, 0 connecting):
RUT2-RUT2_c[1]: ESTABLISHED 10 minutes ago, remote public IP[remote public IP]...head office public ip[head office public IP]

Here is the configuration for the remote site

Configuration for HQ site

by anonymous
Just wanted to add that I have the latest firmware running on both

1 Answer

+1 vote
by anonymous

Hello,

192.168.2.0/24 === 192.168.2.0/24 cannot be correct, could you post your /etc/config/ipsec from both ends (after masking the public IP)?

Regards,

Best answer
by anonymous
Thanks for the reply flebourse

Here is the config for the HQ site

root@Teltonika-RUT955:/etc# uci export strongswan

package strongswan

config conn 'RUT1'

        option enabled '1'
        option keyexchange 'ikev1'
        option aggressive 'no'
        option ipsec_type 'tunnel'
        option auto 'start'
        option forceencaps 'no'
        option dpdaction 'none'
        option auth 'psk'
        option keep_enabled '1'
        option ping_ipaddr '192.168.2.1'
        option ping_period '10'
        option allow_webui '1'
        option ike_encryption_algorithm '3des'
        option ike_authentication_algorithm 'sha1'
        option ike_dh_group 'modp1536'
        option ikelifetime '8h'
        option esp_encryption_algorithm '3des'
        option esp_hash_algorithm 'sha1'
        option esp_pfs_group 'modp1536'
        option keylife '8h'
        option leftfirewall 'yes'
        option rightfirewall 'yes'
        list leftsubnet '192.168.1.0/24'
        list rightsubnet '192.168.2.0/24'

config preshared_keys

        option psk_key 'ipsec'

Here is the config for the remote site

config ipsec

        option rtinstall_enabled '1'

config remote 'RUT2'

        option crypto_proposal 'RUT2_ph1'
        option gateway '0.0.0.0'
        option authentication_method 'psk'
        option pre_shared_key 'ipsec'
        list tunnel 'RUT2_c'
        option force_crypto_proposal '0'
        option enabled '1'

config connection 'RUT2_c'

        option crypto_proposal 'RUT2_ph2'
        option mode 'start'
        option type 'tunnel'
        option keyexchange 'ikev1'
        option force_crypto_proposal '0'
        option local_firewall 'yes'
        option remote_firewall 'yes'
        option remote_sourceip '192.168.1.0/24'
        option local_sourceip '192.168.2.0/24'
        option forceencaps 'yes'
        option defaultroute '0'
        list local_subnet '192.168.2.0/24'
        list remote_subnet '192.168.1.0/24'

config proposal 'RUT2_ph1'

        option hash_algorithm 'sha1'
        option dh_group 'modp1536'
        option encryption_algorithm '3des'

config proposal 'RUT2_ph2'

        option hash_algorithm 'sha1'
        option dh_group 'modp1536'
        option encryption_algorithm '3des'
by anonymous
Hello,

What does "ipsec statusall" say on the RUT955 when the tunnel is up?

The "local_sourceip" and "remote_sourceip" on the RUTX11 don't look correct, except maybe if you have a non-standard netmask on the native interfaces. The simplest solution is to introduce a third network for the tunnel endpoints (any private network will do: 192.168.x.0/24 with x other than 1 or 2, 172.[16..31].x.0/24, 10.x.y.0/24) and choose 2 values in this range for the RUT955 and RUTX11.

If IPSEC is not a prerequisite for you, maybe you could consider using Wireguard; configuration is much simpler and performance is excellent.

Regards,
by anonymous
Hey there

Thanks for the reply and help so far, it is appreciated.

Where would I enter the third network?

I can't see an option for Wireguard in the RUTX11 setup.
by anonymous
Hello,

Wireguard is not installed by default; from the UI go to Services->Package Manager and add it. Same on the other end.

Then the option Services->VPN->Wireguard will appear.

For the third network simply set the local endpoint of the RUT955 IPSEC interface to 172.16.1.1/32 and 172.16.1.2/32 for the RUTX11. So the configuration will be:

192.168.1.0/24 + 172.16.1.1 --------()--------- 172.16.1.2 + 192.168.2.0/24

If you choose to go this way I would also suggest using IKEv2 instead of IKEv1.

Regards,
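As an added example (my own code, not Teltonika's and not posted by anyone in this thread), here is a small Python linter that parses a UCI ipsec export like the ones above and flags the two points raised in this discussion: tunnel endpoint addresses given as whole /24 networks or lying inside the LAN subnets being tunnelled, and the legacy IKEv1/3DES/SHA1/modp1536 settings. The "fixed" sample applies the 172.16.1.1/172.16.1.2 endpoints suggested above; its option values (ikev2, aes256, sha256, modp2048) are assumed spellings for illustration and were not checked against the RUTX11 UI.

```python
"""Lint a UCI ipsec export for endpoint and crypto-proposal problems.
Added example, not Teltonika code; option spellings in the fixed sample are assumed."""
import ipaddress
import re

# Constructed sample: the relevant part of the RUTX11 config as posted in the thread,
# with the /24 "sourceip" endpoints that were flagged as incorrect.
SAMPLE_REMOTE = """\
config connection 'RUT2_c'
        option crypto_proposal 'RUT2_ph2'
        option keyexchange 'ikev1'
        option remote_sourceip '192.168.1.0/24'
        option local_sourceip '192.168.2.0/24'
        list local_subnet '192.168.2.0/24'
        list remote_subnet '192.168.1.0/24'

config proposal 'RUT2_ph2'
        option hash_algorithm 'sha1'
        option dh_group 'modp1536'
        option encryption_algorithm '3des'
"""

# Constructed sample: same connection with a dedicated endpoint network (172.16.1.0/24)
# and modern proposals. The option values here are assumed, not verified on a RUTX11.
SAMPLE_FIXED = """\
config connection 'RUT2_c'
        option keyexchange 'ikev2'
        option remote_sourceip '172.16.1.1'
        option local_sourceip '172.16.1.2'
        list local_subnet '192.168.2.0/24'
        list remote_subnet '192.168.1.0/24'

config proposal 'RUT2_ph2'
        option hash_algorithm 'sha256'
        option dh_group 'modp2048'
        option encryption_algorithm 'aes256'
"""

# One UCI line: "config <type> ['<name>']", "option <key> '<value>'" or "list <key> '<value>'".
_LINE = re.compile(r"^\s*(config|option|list)\s+(\S+)(?:\s+'([^']*)')?\s*$")

# Algorithms that should not appear in a new IPsec deployment.
WEAK = {
    "encryption_algorithm": {"des", "3des"},
    "hash_algorithm": {"md5", "sha1"},
    "dh_group": {"modp768", "modp1024", "modp1536"},
}


def parse_uci(text):
    """Return a list of (section_type, section_name, {key: [values]}) tuples."""
    sections = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # 'package ...' lines, blanks and comments are ignored
        kind, key, value = m.groups()
        if kind == "config":
            sections.append((key, value, {}))
        elif sections:
            # 'option' and 'list' both become lists so repeated 'list' keys are kept
            sections[-1][2].setdefault(key, []).append(value)
    return sections


def lint_ipsec(text):
    """Return a list of human-readable findings; an empty list means no issue found."""
    findings = []
    for kind, name, opts in parse_uci(text):
        if kind == "connection":
            lans = [ipaddress.ip_network(s, strict=False)
                    for k in ("local_subnet", "remote_subnet") for s in opts.get(k, [])]
            for key in ("local_sourceip", "remote_sourceip"):
                for raw in opts.get(key, []):
                    net = ipaddress.ip_network(raw, strict=False)
                    if net.num_addresses != 1:
                        findings.append(f"{name}: {key} '{raw}' is a whole network; "
                                        "a tunnel endpoint must be a single host address")
                    elif any(net.subnet_of(lan) for lan in lans):
                        findings.append(f"{name}: {key} '{raw}' lies inside a tunnelled LAN; "
                                        "use a separate endpoint network")
            if "ikev1" in opts.get("keyexchange", []):
                findings.append(f"{name}: keyexchange is ikev1; prefer ikev2")
        elif kind == "proposal":
            for key, bad in WEAK.items():
                for value in opts.get(key, []):
                    if value.lower() in bad:
                        findings.append(f"{name}: {key} '{value}' is a legacy algorithm")
    return findings


if __name__ == "__main__":
    for label, sample in (("remote (as posted)", SAMPLE_REMOTE), ("remote (fixed)", SAMPLE_FIXED)):
        print(f"== {label}")
        for f in lint_ipsec(sample) or ["no findings"]:
            print("  ", f)
```

Running it prints six findings for the posted config (two endpoint networks, IKEv1, and the three legacy algorithms) and none for the corrected one. The endpoint check is the one that explains the "192.168.2.0/24 === 192.168.2.0/24" shunt seen in ipsec status: a source address that is itself a /24 cannot be a single tunnel endpoint.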
by anonymous
Thank you so much flebourse for the help, I eventually got everything working over IPSEC
by anonymous
Glad for you.