0 votes
180 views 21 comments
by
Hi,

Trying to configure a Route Based VPN with a RUTX router and Sonicwall (instead of policy based).

I am trying to follow the steps here:

https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN

The VPN is established with 0.0.0.0/32 local and remote but I cannot create the tunnel interface discussed in the guide.

When creating the VTI with

root@Teltonika-RUTX11:~# ip tunnel add ipsec0 mode vti local 192.168.70.4 remote 192.168.70.3 key 42

add tunnel "ip_vti0" failed: No such device

Has anybody successfully created a Route Based VPN with RUTX router?

Thanks

1 Answer

0 votes
by

Hello,

We do have an instruction on how to configure IPsec between Sonicwall device and our devices. You may find useful information here: https://kaunas.teltonika.lt:444/f/26dd8c994ee74cfd80ea/?dl=1

I would recommend configuring IPsec in a regular way, then look it up from here.

Regards.

by
Hello,

Thanks for the instant response. I can happily establish a policy based VPN like the one in your information. My difficulty is doing so with a tunnel interface.

Like would be achieved here:

https://www.sonicwall.com/support/knowledge-base/how-can-i-configure-a-tunnel-interface-vpn-route-based-vpn-between-two-sonicwalls/170505880843761/

A tunnel interface will provide the routing failover redundancy that I am looking for.

Strongswan documentation suggests that an ip tunnel must be created using a VTI or XFRM interface and that the traffic should be marked to identify it for IPsec and prevent all traffic being sent across IPsec.

https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN

Thanks for your help
by

Hello,

Did you install kmod-ip-vti and/or kmod-ip6-vti?

opkg update
opkg install kmod-ip-vti

and retry your ip tunnel add.

Regards,

by
Hello and thanks for this suggestion...

It seems to me that kmod-ip-vti is unsupported by the kernel version in the RUTX router:

root@Teltonika-RUTX11:~# opkg info kmod-ip-vti
Package: kmod-ip-vti
Version: 4.14.195-1
Depends: kernel (= 4.14.195-1-fa00c1231ac7d7840ec6ffe62dcad926), kmod-iptunnel, kmod-iptunnel4, kmod-ipsec4
Status: unknown ok not-installed
Section: kernel
Architecture: arm_cortex-a7_neon-vfpv4
Size: 6335
Filename: kmod-ip-vti_4.14.195-1_arm_cortex-a7_neon-vfpv4.ipk
Description: Kernel modules for IP VTI (Virtual Tunnel Interface)

root@Teltonika-RUTX11:~# opkg info kernel
Package: kernel
Version: 4.14.195-1-4f95bbf1fd18f3b806c24a2093e88342
Depends: libc
Status: install user installed
Architecture: arm_cortex-a7_neon-vfpv4
Installed-Time: 1599409179

Would it be possible to mark the packets in another way?
by
It seems that something doesn't add up in version 02.06.1 or the 02.06.1 SDK; I have a similar issue with a custom-built package. I'll try to build a kmod-ip-vti tomorrow just to see what is wrong.

Regards,
by
Ok, thanks for your assistance
by

I have built a kmod-ip-vti ipk for version 02.06.1, but the installation fails: I have a kernel signature mismatch.

Package: kmod-ip-vti
Version: 4.14.195-1
Depends: kernel (=4.14.195-1-cc490b4b31423a209a0b9c96321bc0b2), kmod-iptunnel, kmod-iptunnel4, kmod-ipsec4

Looks like the 02.06.1 firmware and the 02.06.1 SDK are not in sync. Or I have botched something.

Regards,

by
Hi Flebourse,

Thanks again for looking at this....

Are you suggesting that if I downgrade the RUTX to ver 2.03.1 the installation might work? But your installation of 02.03.1 fails?

Thanks
by
Oops the build was for version 02.06.1, sorry for the typo.

You might try to downgrade to version 02.06, no guarantee however, and I can't check because I haven't kept the corresponding SDK.

Anyway, I must solve this mismatch, as I need it for a custom module.

Regards,
by
You can try "opkg --force-depends install kmod-ip-vti"

Regards,
by

Thanks for this suggestion....

I tried this and the router just immediately rebooted, and no package was installed when I checked:

opkg list-installed | grep vti

I have also downgraded to 2.05.1 and still same issue.
by
I'll open a ticket about the SDK tomorrow just in case. But I suspect I'll have to rebuild the whole firmware to work around the issue.

Regards,
by
I just noticed that when going from version 1.06 to 2.00.1 there was a great deal of updates.

https://wiki.teltonika-networks.com/view/RUTX11_Firmware_Downloads

What is the process of downgrading the version to 1.0x?

It is an img file, not a bin.

Thanks
by
I don't know about version 1.x, but I suspect it won't help much to go this far.

I have the answer for the kmod-ip-vti: neither openwrt.org nor the SDK can provide compatible modules; you have to generate and reflash a full firmware image.

It is a little more surprising for the xfrm question you have submitted, as both kmod-ipsec and kmod-ipsec4 are in list-installed.

Regards,
by
Hi Flebourse,

Based on your comments and in your opinion, would this mean that the next firmware released by Teltonika for the RUTX router would resolve this issue? Or should I raise this issue with Teltonika directly? I think it would make the router more functional to be able to perform route based VPN.

Thanks for your input
by
I already have raised the issue, maybe it will be included in a future version. But better to talk to your sales manager if you have one (I don't).

For the moment the solution is to do a full rebuild using the SDK, with the kmod-ip-vti option selected (*, not M).

Regards,
by

Hi Flebourse,

Now that kmod-ip-vti is loaded and VTI interfaces are working, I am having another issue:

I have created a tunnel with 0.0.0.0/0 on both sides and marked it with "100":

root@Teltonika-RUTX11:~# uci show ipsec
ipsec.@ipsec[0]=ipsec
ipsec.@ipsec[0].rtinstall_enabled='0'
ipsec.ATI=remote
ipsec.ATI.crypto_proposal='ATI_ph1'
ipsec.ATI.gateway='*************'
ipsec.ATI.authentication_method='psk'
ipsec.ATI.pre_shared_key='***********'
ipsec.ATI.tunnel='ATI_c'
ipsec.ATI.force_crypto_proposal='0'
ipsec.ATI.enabled='1'
ipsec.ATI.local_identifier='*************'
ipsec.ATI.remote_identifier='************'
ipsec.ATI_c=connection
ipsec.ATI_c.crypto_proposal='ATI_ph2'
ipsec.ATI_c.type='tunnel'
ipsec.ATI_c.defaultroute='0'
ipsec.ATI_c.keyexchange='ikev1'
ipsec.ATI_c.aggressive='yes'
ipsec.ATI_c.forceencaps='no'
ipsec.ATI_c.remote_firewall='no'
ipsec.ATI_c.ikelifetime='3h'
ipsec.ATI_c.force_crypto_proposal='0'
ipsec.ATI_c.lifetime='1h'
ipsec.ATI_c.local_subnet='0.0.0.0/0'
ipsec.ATI_c.remote_subnet='0.0.0.0/0'
ipsec.ATI_c.custom='mark=100'
ipsec.ATI_c.local_firewall='no'
ipsec.ATI_c.mode='route'
ipsec.ATI_ph1=proposal
ipsec.ATI_ph1.encryption_algorithm='aes128'
ipsec.ATI_ph1.hash_algorithm='sha1'
ipsec.ATI_ph1.dh_group='modp1536'
ipsec.ATI_ph2=proposal
ipsec.ATI_ph2.encryption_algorithm='aes128'
ipsec.ATI_ph2.hash_algorithm='sha1'
ipsec.ATI_ph2.dh_group='modp1536'
root@Teltonika-RUTX11:~#

Secondly, disabled the routing:

ipsec.@ipsec[0].rtinstall_enabled='0'

Tunnel is up and established:

Connections:
   ATI-ATI_c:  %any...*******  IKEv1 Aggressive
   ATI-ATI_c:   local:  [*****] uses pre-shared key authentication
   ATI-ATI_c:   remote: [*******] uses pre-shared key authentication
   ATI-ATI_c:   child:  0.0.0.0/0 === 0.0.0.0/0 TUNNEL
Security Associations (1 up, 0 connecting):
   ATI-ATI_c[16]: ESTABLISHED 97 minutes ago, 10.213.147.30[***]...*******[*******]
   ATI-ATI_c[16]: IKEv1 SPIs: 62c4a2888a193fcc_i* 5351f025072c4252_r, pre-shared key reauthentication in 69 minutes
   ATI-ATI_c[16]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
   ATI-ATI_c{6}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c9e2db33_i e3b84dc9_o
   ATI-ATI_c{6}:  AES_CBC_128/HMAC_SHA1_96/MODP_1536, 0 bytes_i, 0 bytes_o, rekeying in 39 minutes
   ATI-ATI_c{6}:   0.0.0.0/0 === 0.0.0.0/0
root@Teltonika-RUTX11:~#

Then created the tunnel interface and marked it with "100":

ip link add ipsec0 type vti local 192.168.12.7 remote 0.0.0.0 key 100
ip link set ipsec0 up
ip addr add 192.168.12.7/29 dev ipsec0

I am not getting traffic across and counters suggest errors:

root@Teltonika-RUTX11:~# ip -s tunnel show ipsec0
ipsec0: ip/ip remote any local 192.168.12.7 ttl inherit nopmtudisc key 100
RX: Packets    Bytes        Errors CsumErrs OutOfSeq Mcasts
    0          0            0      0        0        0
TX: Packets    Bytes        Errors DeadLoop NoRoute  NoBufs
    0          0            83     0        83       0
root@Teltonika-RUTX11:~#

Am I missing something?

Thanks

by
Glad to see you were able to build a version including kmod-ip-vti.

What is the result if you add a route, something like "ip route add 0.0.0.0/0 dev ipsec0"?

What is the output of "ip route show"?

What is the output of "tcpdump -i any -n -v 'icmp'"? Do you have ICMP unreachable error packets?
by

Ok so now it is working...

I added the VTI4 package.

Then recreated the VTI, this time adding the WAN addresses to the local and remote:

ip tunnel add vti1 mode vti local ******** remote ***** key 100
ip link set up vti1
ip addr add 192.168.12.7/29 dev vti1

Then

sysctl -w net.ipv4.conf.vti1.rp_filter=0
sysctl -w net.ipv4.conf.vti1.disable_policy=1

Then

ipsec restart

This was quite helpful...

https://www.youtube.com/watch?v=HDqAl_PozCU

Thanks for all your help and speedy responses

by

Kudos for vtiv4, next time add it to the SDK also:

scripts/feeds install vtiv4

and enable it in make menuconfig.

by

I can't seem to get the updown script to be found when ipsec is established. I need this to program the tunnel settings.

when setting in ipsec.conf

leftupdown=/etc/ud.sh

logread shows after successful ipsec connection

Tue May 18 13:46:45 2021 daemon.info ipsec: 07[CHD] updown: /bin/sh: /etc/ud.sh: not found

I know the file is there because I can vi straight to it.

Should this work like this?

by
/etc/ud.sh must be executable: chmod +x /etc/ud.sh
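As an added example (not code from this thread, from Teltonika or from strongSwan), a leftupdown script that applies the working VTI settings posted above (WAN addresses as local/remote, key equal to the ipsec mark, rp_filter and disable_policy on the tunnel interface) each time strongSwan brings the connection up; it only runs if it is executable, which was the updown problem above. The PLUTO_* variables are the ones strongSwan exports to updown scripts; the interface name, tunnel address and routes are assumed placeholders.

```shell
#!/bin/sh
# Hypothetical strongSwan leftupdown script (install as e.g. /etc/ud.sh with
# "chmod +x /etc/ud.sh" and leftupdown=/etc/ud.sh). strongSwan exports
# PLUTO_VERB, PLUTO_ME, PLUTO_PEER and PLUTO_MARK_OUT ("mark/mask") to it;
# the values below are assumptions for this example.

VTI_IF="${VTI_IF:-vti1}"
VTI_ADDR="${VTI_ADDR:-192.168.12.7/29}"   # inner tunnel address from the thread
# Networks behind the peer, space separated. Leave the peer's own public
# address on the WAN route: IKE/ESP to the peer must not be steered into the VTI.
VTI_ROUTES="${VTI_ROUTES:-}"

# "100/0xffffffff" -> "100": the VTI key must equal the mark set on the ipsec
# connection (custom='mark=100' in the uci config above).
vti_key_from_mark() {
    printf '%s\n' "${1%%/*}"
}

# Execute a command, or only print it when DRY_RUN=1, so the script can be
# checked without root or a kernel that has VTI support.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

vti_up() {
    key=$(vti_key_from_mark "$PLUTO_MARK_OUT")
    # local/remote are the outer (WAN and peer) addresses, not the inner
    # 192.168.12.x address: the inner address gave the NoRoute TX errors above.
    run ip tunnel add "$VTI_IF" mode vti local "$PLUTO_ME" remote "$PLUTO_PEER" key "$key"
    run ip link set up "$VTI_IF"
    run ip addr add "$VTI_ADDR" dev "$VTI_IF"
    # Without these, reverse-path filtering and the per-interface IPsec policy
    # check can drop the decapsulated traffic on the tunnel interface.
    run sysctl -w "net.ipv4.conf.$VTI_IF.rp_filter=0"
    run sysctl -w "net.ipv4.conf.$VTI_IF.disable_policy=1"
    for net in $VTI_ROUTES; do
        run ip route add "$net" dev "$VTI_IF"
    done
}

vti_down() {
    run ip tunnel del "$VTI_IF"
}

case "$PLUTO_VERB" in
    up-client)   vti_up ;;
    down-client) vti_down ;;
esac
```

Run it once by hand with DRY_RUN=1 and the PLUTO_* variables exported to see the exact commands before pointing leftupdown at it.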