Question

Im trying to setup a IPSEC connection using UCI, but I'm running into some issues.

When i manually add the connection via the webinterface, everything works as expected. However, when i apply the same settings via UCI, it shows up correctly in the web interface, and i can enable it, but it doesn't connect.

I think i may have to apply some firewall rules / redirects as well, but i can't figure out which ones. ( im a programmer, not a networking expert )

Does anyone know what other settings i need to apply to make the IPSEC connection work, using only UCI to configure everything?

Comments

I have the exact same issue after applying a ipsec config through uci.

Output of the "ipsec statusall":

Status of IKE charon daemon (strongSwan 5.9.2, Linux 5.4.147, armv7l):

  uptime: 5 seconds, since Sep 21 16:28:09 2022

  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0

  loaded plugins: charon aes des sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp pem openssl gmp xcbc hmac kernel-netlink socket-default stroke vici updown eap-identity eap-mschapv2 xauth-generic

Listening IP addresses:

  10.179.255.138

  10.101.99.2

  fdd9:69f:832d::1

Connections:

Security Associations (0 up, 0 connecting):

  none

Did you ever get this issue resolved?

Answer 1

Hello, 

Regarding creating a ipsec tunnel using UCI you can refer to this: 
 

uci set ipsec.Jerome=remote
uci set ipsec.Jerome.crypto_proposal='Jerome_ph1'
uci set ipsec.Jerome.gateway='Jerome'
uci set ipsec.Jerome.authentication_method='psk'
uci set ipsec.Jerome.tunnel='Jerome_c'
uci set ipsec.Jerome.force_crypto_proposal='0'
uci set ipsec.Jerome.enabled='0'
uci set ipsec.Jerome.pre_shared_key='123123'
uci set ipsec.Jerome.local_identifier='RUT'
uci set ipsec.Jerome.remote_identifier='RUT1'
uci set ipsec.Jerome_c=connection
uci set ipsec.Jerome_c.crypto_proposal='Jerome_ph2'
uci set ipsec.Jerome_c.mode='start'
uci set ipsec.Jerome_c.type='tunnel'
uci set ipsec.Jerome_c.defaultroute='0'
uci set ipsec.Jerome_c.keyexchange='ikev1'
uci set ipsec.Jerome_c.forceencaps='no'
uci set ipsec.Jerome_c.local_firewall='yes'
uci set ipsec.Jerome_c.remote_firewall='no'
uci set ipsec.Jerome_c.force_crypto_proposal='0'
uci set ipsec.Jerome_c.local_subnet='192.168.10.0/24'
uci set ipsec.Jerome_c.remote_subnet='192.168.102.0/24'
uci set ipsec.Jerome_c.ikelifetime='8h'
uci set ipsec.Jerome_c.lifetime='8h'
uci set ipsec.Jerome_ph1=proposal
uci set ipsec.Jerome_ph1.encryption_algorithm='aes128'
uci set ipsec.Jerome_ph1.hash_algorithm='sha1'
uci set ipsec.Jerome_ph1.dh_group='modp1536'
uci set ipsec.Jerome_ph2=proposal
uci set ipsec.Jerome_ph2.encryption_algorithm='aes128'
uci set ipsec.Jerome_ph2.hash_algorithm='sha1'
uci set ipsec.Jerome_ph2.dh_group='modp1536'

uci commit ipsec                          -> commit changes
/etc/init.d/ipsec restart                 -> restart the service

Note: Each parameter values much meet with your IPSec Server in order to make a successful connection 

For more information about these UCI commands you may refer to this link: UCI command usage - Teltonika Networks Wiki (teltonika-networks.com)

Also just keep in mind it is best to install the latest firmware available on our wiki page. 
RUTX11 Firmware Downloads - Teltonika Networks Wiki (teltonika-networks.com)

Regards,

Mellow

Answer 2

Hi Leon,

We've tried, but we couldn't get it to work the way we wanted it to. We settled on just applying the config manually through the web interface. I did have some calls with authorized resellers prior to this decision, but they also couldn't help us figure out the real issue.

However, did you try the newest firmware? I've read some interesting things in the changelogs since we tried this, it might just work nowadays.

Btw: if possible, try using wireguard instead of ipsec. We switched over a week ago, and never looked back. Much faster handshakes, connection speed, and easier to setup. We didn't try to configure it using UCI yet, but like I said before, it might just work this time. It's worth trying!

Best regards,

Michael

Comments

Thanks for your response. I have to do a large scale rollout of Rutx09 routers and being able to build/restore the device in a short timeframe is one of the requirements. I cannot switch to wireguard since the hq vpn device is a Fortigate firewall. I’m already running on the latest firmware, so no fix in that area unfortunately.