by
I am trying to configure an L2TP over IPsec connection on RUT240.
FW Ver 00.01.14.1

I followed the WIKI configuration examples precisely.

System log has multiple entries like these

Sun Aug 15 18:59:47 2021 daemon.info ipsec: 07[CFG] received stroke: initiate 'remoteacc'
Sun Aug 15 18:59:47 2021 daemon.info ipsec: 07[IKE] unable to resolve %any, initiate aborted
Sun Aug 15 18:59:47 2021 daemon.info ipsec: 07[MGR] tried to checkin and delete nonexisting IKE_SA

I tried changing the pre-shared key, deleting key, rebooting. Always similar entries in system log.
These recur every 30 seconds and are not related to any connection attempts.
I tried replacing "%any" with the actual IP of the connecting client, the error remains the same
by

I did some more poking around.
I deleted IPsec Configuration and created a new one (name ipsTardis).
I deleted and added the presharedkey.
I deleted and recreated L2TP Configuration (name mobile).
The error in the log remains the same:
daemon.info ipsec: 07[IKE] unable to resolve %any, initiate aborted
Changing the parameter "Secret's ID Selector" to the actual IP of the client also leads to
daemon.info ipsec: 07[IKE] unable to resolve %any, initiate aborted

"Secret's ID Selector" is now set to %any

Manually starting the ipsec service from the CLI leads to the log below.
Any help is greatly appreciated!

Tue Aug 17 16:13:40 2021 authpriv.info ipsec_starter[23377]: Starting strongSwan 5.6.2 IPsec [starter]...
Tue Aug 17 16:13:40 2021 daemon.err modprobe: ah4 is already loaded
Tue Aug 17 16:13:40 2021 daemon.err modprobe: esp4 is already loaded
Tue Aug 17 16:13:40 2021 daemon.err modprobe: ipcomp is already loaded
Tue Aug 17 16:13:40 2021 daemon.err modprobe: xfrm4_tunnel is already loaded
Tue Aug 17 16:13:40 2021 daemon.err modprobe: xfrm_user is already loaded
Tue Aug 17 16:13:40 2021 daemon.info ipsec: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 3.18.44, mips)
Tue Aug 17 16:13:41 2021 daemon.info ipsec: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Tue Aug 17 16:13:41 2021 daemon.info ipsec: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Tue Aug 17 16:13:41 2021 daemon.info ipsec: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Tue Aug 17 16:13:41 2021 daemon.info ipsec: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Tue Aug 17 16:13:41 2021 daemon.info ipsec: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Tue Aug 17 16:13:41 2021 daemon.info ipsec: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Tue Aug 17 16:13:41 2021 daemon.info ipsec: 00[CFG]   loaded IKE secret for %any
Tue Aug 17 16:13:41 2021 daemon.info ipsec: 00[LIB] loaded plugins: charon aes des sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp pem gmp xcbc hmac kernel-netlink resolve socket-default stroke updown xauth-generic
Tue Aug 17 16:13:41 2021 daemon.info ipsec: 00[JOB] spawning 16 worker threads
Tue Aug 17 16:13:41 2021 authpriv.info ipsec_starter[23396]: charon (23397) started after 400 ms
Tue Aug 17 16:13:41 2021 daemon.info ipsec: 05[CFG] received stroke: add connection 'ipsTardis'
Tue Aug 17 16:13:41 2021 daemon.info ipsec: 05[CFG] added configuration 'ipsTardis'
Tue Aug 17 16:13:41 2021 daemon.info ipsec: 05[CFG] received stroke: initiate 'ipsTardis'
Tue Aug 17 16:13:41 2021 daemon.info ipsec: 05[IKE] unable to resolve %any, initiate aborted
Tue Aug 17 16:13:41 2021 daemon.info ipsec: 05[MGR] tried to checkin and delete nonexisting IKE_SA
Tue Aug 17 16:13:42 2021 local1.info gsmd[5184]: gsmd send: 'AT+CREG?' (9)
Tue Aug 17 16:13:42 2021 local1.info gsmd[5184]: gsmd get: '+CREG: 2,1,"FFFE","140BA02",7' (29)
Tue Aug 17 16:13:42 2021 local1.info gsmd[5184]: gsmd send: 'AT+ICCID' (9)
Tue Aug 17 16:13:42 2021 local1.info gsmd[5184]: gsmd get: 'ICCID: xxxxxxxxxxxxxxxx' (27)
Tue Aug 17 16:13:42 2021 local1.notice fwblock[23444]: Started fwblock
Tue Aug 17 16:13:42 2021 local1.notice fwblock[23444]: Applying SSH blocks
Tue Aug 17 16:13:42 2021 local1.notice fwblock[23444]: Applying WebUI blocks
Tue Aug 17 16:13:42 2021 user.notice chilli: Stoping chilli.
Tue Aug 17 16:13:42 2021 user.notice chilli: Start
Tue Aug 17 16:14:11 2021 daemon.info ipsec: 09[CFG] received stroke: initiate 'ipsTardis'
Tue Aug 17 16:14:11 2021 daemon.info ipsec: 09[IKE] unable to resolve %any, initiate aborted
Tue Aug 17 16:14:11 2021 daemon.info ipsec: 09[MGR] tried to checkin and delete nonexisting IKE_SA
Tue Aug 17 16:14:24 2021 daemon.err dnsmasq[4962]: failed to send packet: Network is unreachable
Tue Aug 17 16:14:41 2021 daemon.info ipsec: 15[CFG] received stroke: initiate 'ipsTardis'
Tue Aug 17 16:14:41 2021 daemon.info ipsec: 15[IKE] unable to resolve %any, initiate aborted
Tue Aug 17 16:14:41 2021 daemon.info ipsec: 15[MGR] tried to checkin and delete nonexisting IKE_SA
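
Added example, not code from the thread, from Teltonika's firmware or from strongSwan: a small Python triage script for the symptoms in the post above. The one strongSwan fact it relies on is stable: charon resolves the remote address when it is asked to initiate a connection, and aborts with exactly the logged message ("unable to resolve %any, initiate aborted") when that address is an any-address such as %any. A road-warrior L2TP/IPsec conn that only ever responds belongs in auto=add, never auto=start. The script lints ipsec.conf-style text for that combination, pairs the posted "received stroke: initiate" lines with the abort on the same charon worker thread to measure the retry cadence, and lists characters in a PSK that a later reply in this thread reports as trouble ('#') together with the usual comment, quoting and shell metacharacters. Assumptions: that the RUT240 WebUI renders its settings into classic ipsec.conf syntax (the page does not say), and that the 30-second re-initiate is driven by something local on the router rather than by a peer. The config text and log lines below are constructed; the log lines mirror the posted ones.

```python
"""Triage helpers for the strongSwan 'unable to resolve %any' symptom.

Constructed example for this thread; not Teltonika or strongSwan code.
Assumes the WebUI settings end up as classic ipsec.conf syntax.
"""
import re
from datetime import datetime

# --- 1. ipsec.conf: a conn that charon is told to initiate towards %any ------

ANY_ADDRS = {"%any", "%any4", "%any6", "0.0.0.0", "::"}


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}}; the 'config setup' section is skipped.
    As in ipsec.conf(5), indented lines belong to the preceding section."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # '#' starts a comment in ipsec.conf
        if not line.strip():
            continue
        if not raw[0].isspace():                # section header: 'conn X' / 'config setup'
            parts = line.split()
            current = parts[1] if parts[0] == "conn" and len(parts) > 1 else None
            if current is not None:
                conns[current] = {}
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns


def lint_conns(text):
    """One finding per conn that would reproduce the logged abort."""
    findings = []
    for name, c in parse_ipsec_conf(text).items():
        right = c.get("right", "%any")          # strongSwan's default for right=
        if right in ANY_ADDRS and c.get("auto", "ignore") == "start":
            findings.append(f"conn {name}: right={right} with auto=start; charon cannot "
                            f"initiate towards an any-address, use auto=add for a "
                            f"responder-only conn")
    return findings


# --- 2. syslog: pair each initiate with its abort and measure the cadence ----

TS = r"(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4})"
INITIATE = re.compile(TS + r" \S+ ipsec: (?P<tid>\d+)\[CFG\] received stroke: initiate '(?P<conn>[^']+)'")
ABORT = re.compile(TS + r" \S+ ipsec: (?P<tid>\d+)\[IKE\] unable to resolve \S+, initiate aborted")


def initiate_aborts(lines):
    """Map conn name -> timestamps at which charon refused to initiate it.
    The abort line carries no conn name, so it is paired with the last
    'initiate' seen on the same worker thread (the NN in 'NN[IKE]')."""
    pending, aborts = {}, {}
    for line in lines:
        m = INITIATE.search(line)
        if m:
            pending[m["tid"]] = m["conn"]
            continue
        m = ABORT.search(line)
        if m and m["tid"] in pending:
            conn = pending.pop(m["tid"])
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            aborts.setdefault(conn, []).append(ts)
    return aborts


def retry_interval_seconds(timestamps):
    """Gaps between consecutive aborts. A steady cadence with no client traffic
    means the initiate is issued locally (startup/watchdog), not by a peer."""
    return [int((b - a).total_seconds()) for a, b in zip(timestamps, timestamps[1:])]


# --- 3. PSK characters reported as trouble in this thread --------------------

RISKY = set("#\"'\\$` ")   # '#' per the thread; the rest are comment/quote/shell metacharacters


def risky_psk_chars(psk):
    return sorted(set(psk) & RISKY)


# Constructed samples ---------------------------------------------------------
BROKEN_CONF = """\
config setup
    uniqueids=yes

conn ipsTardis
    keyexchange=ikev1
    left=%defaultroute
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    authby=secret
    auto=start
"""
FIXED_CONF = BROKEN_CONF.replace("auto=start", "auto=add")

SAMPLE_LOG = [   # mirrors the posted log: three retries, 30 s apart
    "Tue Aug 17 16:13:41 2021 daemon.info ipsec: 05[CFG] received stroke: initiate 'ipsTardis'",
    "Tue Aug 17 16:13:41 2021 daemon.info ipsec: 05[IKE] unable to resolve %any, initiate aborted",
    "Tue Aug 17 16:13:41 2021 daemon.info ipsec: 05[MGR] tried to checkin and delete nonexisting IKE_SA",
    "Tue Aug 17 16:14:11 2021 daemon.info ipsec: 09[CFG] received stroke: initiate 'ipsTardis'",
    "Tue Aug 17 16:14:11 2021 daemon.info ipsec: 09[IKE] unable to resolve %any, initiate aborted",
    "Tue Aug 17 16:14:41 2021 daemon.info ipsec: 15[CFG] received stroke: initiate 'ipsTardis'",
    "Tue Aug 17 16:14:41 2021 daemon.info ipsec: 15[IKE] unable to resolve %any, initiate aborted",
]

if __name__ == "__main__":
    print(lint_conns(BROKEN_CONF))                      # one finding
    print(lint_conns(FIXED_CONF))                       # []
    aborts = initiate_aborts(SAMPLE_LOG)
    print(retry_interval_seconds(aborts["ipsTardis"]))  # [30, 30]
    print(risky_psk_chars("Pa#ss word"))                # [' ', '#']
```

Run it against `/etc/ipsec.conf` and a `logread` capture from the router to confirm whether the conn really is set to auto=start; if the generated file already says auto=add and the 30-second "received stroke: initiate" still appears, the initiate is coming from some other process issuing `ipsec up`, which is the next thing to look for in the troubleshoot file.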

2 Answers

0 votes
by
Hello,

May I know what device you are using on the other end? Also kindly make sure that the Phase 1 and Phase 2 configuration matches on the other end to prevent conflicts. If everything matches, kindly share with me a copy of the troubleshoot file of the device.

Regards,
Mellow
by

Mellow, thank you for getting back to me.

The error reported in the log starts the moment a pre-shared key is entered in the IPsec section.
It does not matter whether the Secret's ID selector is "%any" or an actual IP, the error remains the same.
I feel there is something strange in the pre-shared key selection implementation, because it is not related to any actual connection attempts.

The device I am trying to connect from is an Android phone on Android 10.
The app I use is VpnCilla.
This is working beautifully with my Fritzbox router, so I know an IPsec setup is working on the Android side.
VpnCilla error log:
VpnCilla Version 3.7
Device: ONEPLUS A6013/OnePlus6T/sdk29/arm64-v8a||aarch64
Using vpnc version vpnc.arm64-v8a
Debug: CONNECTIVITY_CHANGE 18:22:30 state=CONNECTED type=WIFI activeNetInfo=[type: WIFI[], state: CONNECTED/CONNECTED, reason: (unspecified), extra: (none), failover: false, available: true, roaming: false] activeNetExtraInfo=null
WIFI CONNECTED
SSID: "XXXXXXXXX" -> starting VPN ...
VPN session 'xxx' initiated at 18:22:30 23-08-2021 to myservername.myddns.me (xxx.xx.xxx.209)
vpnc started by [./vpnc, --pid-file, , --script, /dev/null, --gateway, xxx.xx.xxx.209, --id, ipsTardis, --username, myusername, --no-detach, --ifname, vpncs, --ifmode, fd, --local-port, 0, --dpd-idle, 30, --natt-mode, natt, --debug, 1]
vpnc version 0.5.3-517-mjm4-
pre-init
no response from target
Error: No response from VPN server 'myservername.myddns.me'
VPN session stopped at 18:22:45 23-08-2021
Reconnecting stopped (by user or severe error or reconnect mode off) - WIFI network is up and connected.

VpnCilla does not seem to give me a choice regarding encryption / authentication from the settings menu.
There is an option "vpnc flags" which gives an example "--enable-1des".
I have not yet found a full list of available options, this could be the right place to setup phase1/2 parameters.
 

Could you please check if the error from above (unable to resolve %any) is also present on your test setup?
I have also tried the latest firmware 1.14.3, same behavior.

Thank you for your help. Kind regards, Peter

by
Hi,

As mentioned I need to get a copy of the troubleshoot file of the RUT240 for checking. Just make sure you didn't reboot the device before taking the troubleshoot file.

Regards,
Mellow
0 votes
by

Hello.
 

Maybe it will help you.

Yesterday I tried the L2TP/IPsec VPN and noticed that it did not work if I used the '#' symbol in L2TP user passwords. It may also not work with other special symbols: need to try.

by
DVI, thank you for your advice. I do have a special character in my password.
Will change and report back!
by

I have reset the router to factory defaults as @Mellow has suggested and setup from scratch.
I now have a pre-shared key without any special characters as @DVI has suggested and for now I don't see any errors like "unable to resolve %any" , so this is progress.
I have heard back from the developer of the Android app VpnCilla I am using to connect to my Fritzbox router.
He told me that the app supports IPsec, but not L2TP/IPsec.
Would anyone here be so kind as to suggest an Android app that works to connect to a RUTxxx?

Thank you!

by
Hi psl86,
 

I think it should help:
https://community.teltonika-networks.com/4762/vpn-connection-on-android.

It worked for me with default Android's VPN feature.