0 votes
304 views 1 comments
by anonymous
Dear All,

I have bought a TRB140, prepared a certificate in my own CA, imported the certificate and key (also the CA certificate) to the device and configured the rest. I have also imported the certificate on the DrayTek (I want a site-to-site VPN) and nothing, I can't do it. When I set up the VPN with a pre-shared key everything was OK. Is it possible to do IPsec with my own certificate? I don't want to use OpenVPN; it has to be IPsec with X.509.

Thank you for your time.

2 Answers

0 votes
by anonymous
Hello,

I use IPsec with X.509 self-signed certificates without issues. What do you have in the logs?

Regards,
0 votes
by anonymous
My logs:

Mon May 31 15:09:49 2021 authpriv.info ipsec_starter[19112]: Starting strongSwan 5.8.0 IPsec [starter]...

Mon May 31 15:09:49 2021 daemon.info ipsec: 00[DMN] Starting IKE charon daemon (strongSwan 5.8.0, Linux 3.18.20-msm, armv7l)

Mon May 31 15:09:49 2021 daemon.info ipsec: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'

Mon May 31 15:09:49 2021 daemon.info ipsec: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'

Mon May 31 15:09:49 2021 daemon.info ipsec: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'

Mon May 31 15:09:49 2021 daemon.info ipsec: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'

Mon May 31 15:09:49 2021 daemon.info ipsec: 00[CFG] loading crls from '/etc/ipsec.d/crls'

Mon May 31 15:09:49 2021 daemon.info ipsec: 00[CFG] loading secrets from '/etc/ipsec.secrets'

Mon May 31 15:09:49 2021 daemon.info ipsec: 00[CFG] loading secrets from '/var/ipsec/ipsec.secrets'

Mon May 31 15:09:49 2021 daemon.info ipsec: 00[CFG]   loaded RSA private key from '/etc/certificates/vending_key.pem'

Mon May 31 15:09:49 2021 daemon.info ipsec: 00[LIB] loaded plugins: charon aes des sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp pem openssl gmp xcbc hmac kernel-netlink socket-default stroke vici updown xauth-generic

Mon May 31 15:09:49 2021 daemon.info ipsec: 00[JOB] spawning 16 worker threads

Mon May 31 15:09:49 2021 authpriv.info ipsec_starter[19112]: charon (19114) started after 720 ms

Mon May 31 15:09:49 2021 daemon.info ipsec: 05[CFG] received stroke: add ca 'vending'

Mon May 31 15:09:49 2021 daemon.info ipsec: 05[CFG]   loaded ca certificate "C=XX, ST=XX, L=XX, O=XX, OU=XX, CN=XX, E=xx@xxx" from '/etc/certificates/cacert.pem'

Mon May 31 15:09:49 2021 daemon.info ipsec: 05[CFG] added ca 'cacert'

Mon May 31 15:09:49 2021 daemon.info ipsec: 07[CFG] received stroke: add connection 'vending-vending_c'

Mon May 31 15:09:49 2021 daemon.info ipsec: 07[CFG]   loaded certificate "C=XX, ST=XX, O=XX, OU=XX, CN=vc4.x.x, E=xx@xxx" from '/etc/certificates/vending_server.pem'

Mon May 31 15:09:49 2021 daemon.info ipsec: 07[CFG]   id '%any' not confirmed by certificate, defaulting to 'C=XX, ST=XX, O=XX, OU=XX, CN=vc4.x.x, E=xx@xxx'

Mon May 31 15:09:49 2021 daemon.info ipsec: 07[CFG] added configuration 'vending-vending_c'

Mon May 31 15:09:49 2021 daemon.info ipsec: 09[CFG] received stroke: initiate 'vending-vending_c'

Mon May 31 15:09:49 2021 daemon.info ipsec: 09[IKE] initiating IKE_SA vending-vending_c[1] to 1xx.xx.xx.xx

Mon May 31 15:09:49 2021 authpriv.info ipsec: 09[IKE] initiating IKE_SA vending-vending_c[1] to 1xx.xx.xx.xx

Mon May 31 15:09:49 2021 daemon.info ipsec: 09[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]

Mon May 31 15:09:49 2021 daemon.info ipsec: 09[NET] sending packet: from 10x.x.x.x[500] to 1xx.xx.xx.xx[500] (734 bytes)

Mon May 31 15:09:50 2021 daemon.info ipsec: 11[NET] received packet: from 1xx.xx.xx.xx[500] to 10x.x.x.x[500] (229 bytes)

Mon May 31 15:09:50 2021 daemon.info ipsec: 11[ENC] parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ N(NATD_S_IP) N(NATD_D_IP) ]

Mon May 31 15:09:50 2021 daemon.info ipsec: 11[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256

Mon May 31 15:09:50 2021 daemon.info ipsec: 11[IKE] local host is behind NAT, sending keep alives

Mon May 31 15:09:50 2021 daemon.info ipsec: 11[IKE] sending cert request for "C=XX, ST=XX, L=XX, O=XX, OU=XX, CN=XX, E=xx@xxx"

Mon May 31 15:09:50 2021 daemon.info ipsec: 11[IKE] authentication of 'C=XX, ST=XX, O=XX, OU=XX, CN=vc4.x.x, E=xx@xxx' (myself) with RSA signature successful

Mon May 31 15:09:50 2021 daemon.info ipsec: 11[IKE] sending end entity cert "C=PL, ST=Slaskie, O=InstantaPL, OU=IT InstantaPL, CN=vc4.x.x, E=xx@xxx"

Mon May 31 15:09:50 2021 daemon.info ipsec: 11[IKE] establishing CHILD_SA vending-vending_c{1}

Mon May 31 15:09:50 2021 authpriv.info ipsec: 11[IKE] establishing CHILD_SA vending-vending_c{1}

Mon May 31 15:09:50 2021 daemon.info ipsec: 11[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]

Mon May 31 15:09:50 2021 daemon.info ipsec: 11[NET] sending packet: from 10x.x.x.x[4500] to 1x.x.x.x[4500] (2080 bytes)

Mon May 31 15:09:54 2021 daemon.info ipsec: 13[IKE] retransmit 1 of request with message ID 1

Mon May 31 15:09:54 2021 daemon.info ipsec: 13[NET] sending packet: from 10x.x.x.x[4500] to 1x.x.x.x[4500] (2080 bytes)

It tries 5 times and then starts from the beginning.

Thank you.
by anonymous

Looks correct up to "generating IKE_AUTH request 1..." and the SA is not established. What do you have in the server's logs at this time?
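As an added troubleshooting example (not code from the thread or from Teltonika), the script below walks strongSwan charon lines shaped like the ones quoted above and reports which IKEv2 exchange the initiator reached, reproducing the commenter's reading that IKE_SA_INIT completed and IKE_AUTH got no reply. The sample lines use documentation IP addresses, and the 1400-byte fragmentation check is a constructed heuristic, not a diagnosis the thread states.

```python
import re

# Constructed sample (not the poster's exact lines): a condensed strongSwan charon
# transcript with the same shape as the quoted logs, using documentation IPs.
SAMPLE_LOG = """\
Mon May 31 15:09:49 2021 daemon.info ipsec: 09[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Mon May 31 15:09:49 2021 daemon.info ipsec: 09[NET] sending packet: from 10.0.0.2[500] to 198.51.100.1[500] (734 bytes)
Mon May 31 15:09:50 2021 daemon.info ipsec: 11[NET] received packet: from 198.51.100.1[500] to 10.0.0.2[500] (229 bytes)
Mon May 31 15:09:50 2021 daemon.info ipsec: 11[ENC] parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ N(NATD_S_IP) N(NATD_D_IP) ]
Mon May 31 15:09:50 2021 daemon.info ipsec: 11[IKE] local host is behind NAT, sending keep alives
Mon May 31 15:09:50 2021 daemon.info ipsec: 11[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr ]
Mon May 31 15:09:50 2021 daemon.info ipsec: 11[NET] sending packet: from 10.0.0.2[4500] to 198.51.100.1[4500] (2080 bytes)
Mon May 31 15:09:54 2021 daemon.info ipsec: 13[IKE] retransmit 1 of request with message ID 1
Mon May 31 15:09:54 2021 daemon.info ipsec: 13[NET] sending packet: from 10.0.0.2[4500] to 198.51.100.1[4500] (2080 bytes)
"""

EXCH_RE = re.compile(r"\[ENC\] (generating|parsed) (IKE_SA_INIT|IKE_AUTH|CREATE_CHILD_SA|INFORMATIONAL) (request|response) (\d+) \[(.*)\]")
SEND_RE = re.compile(r"\[NET\] sending packet: from \S+\[(\d+)\] to \S+\[(\d+)\] \((\d+) bytes\)")
RETX_RE = re.compile(r"\[IKE\] retransmit (\d+) of request with message ID (\d+)")

def diagnose(log_text):
    """Summarise how far the IKEv2 handshake got and why it may have stalled."""
    state = {"stage": "no IKE traffic", "retransmits": 0, "peer_frag_sup": False,
             "we_offered_frag": False, "last_sent_bytes": 0, "last_sent_port": None, "hints": []}
    for line in log_text.splitlines():
        m = EXCH_RE.search(line)
        if m:
            direction, exch, kind, _, payloads = m.groups()
            state["stage"] = f"{exch} {kind} {'sent' if direction == 'generating' else 'received'}"
            if exch == "IKE_SA_INIT" and "N(FRAG_SUP)" in payloads:
                # Both sides must advertise FRAG_SUP for IKEv2 fragmentation (RFC 7383) to be used.
                key = "we_offered_frag" if direction == "generating" else "peer_frag_sup"
                state[key] = True
            continue
        m = SEND_RE.search(line)
        if m:
            state["last_sent_port"], state["last_sent_bytes"] = int(m.group(1)), int(m.group(3))
            continue
        m = RETX_RE.search(line)
        if m:
            state["retransmits"] = int(m.group(1))
    # Same conclusion the commenter drew by eye: IKE_SA_INIT completed, IKE_AUTH never answered.
    if state["stage"] == "IKE_AUTH request sent" and state["retransmits"]:
        state["hints"].append("IKE_SA_INIT completed but the peer never answered IKE_AUTH: "
                              "check the responder's logs for the certificate or ID it rejected")
        # Heuristic (assumption): an IKE_AUTH carrying certificates is far above a typical MTU
        # and the peer did not advertise FRAG_SUP, so IP fragments may be dropped on the path.
        if state["last_sent_bytes"] > 1400 and not state["peer_frag_sup"]:
            state["hints"].append("large IKE_AUTH without IKEv2 fragmentation support from peer")
    return state
```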