Hi all,
I've got a RUT955 that I'd like to connect as a client to an L2TP/IPSec server at my office. The server runs on a Mikrotik router. I realise that there is actually an official guide for this scenario, but I think it's based on slightly older SW/FW versions. I could possibly change my VPN server configuration to follow the guide exactly, but I'd prefer not to, as it's generally working fine as is.
Instead of doing all the manual IPSec server configuration that the guide explains, I simply enabled the "Use IPSec" option when setting up the L2TP server on the Mikrotik, and specified a PSK secret. It works perfectly fine when connecting Android and Ubuntu clients, but for some reason I can't get the RUT to connect using IPSec.
On Android and Ubuntu, it "just works" – I can just enter the server domain address, user name/PW and PSK, leaving everything else blank/default, and it connects and pops up in the list of IPSec active peers on the Mikrotik. On the Teltonika, when attempting the same approach, it doesn't connect – when I run "ipsec status" it says "connecting", but never connects. There are a lot more settings to fill in on the Teltonika, and to be honest I don't really know what to do with them because I didn't have to configure any of this manually on the server or any other clients.
FWIW, the ipsec statusall output:
root@GlodRUT955:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.8.2, Linux 4.14.221, mips):
uptime: 87 seconds, since Aug 24 10:42:57 2021
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 1
loaded plugins: charon aes des sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp pem openssl gmp xcbc hmac kernel-netlink socket-default stroke vici updown xauth-generic
Listening IP addresses:
10.188.2.1
192.168.43.199
Connections:
HQ-HQ_c: %any...[MY.HQ.PUBL.IP] IKEv1
HQ-HQ_c: local: uses pre-shared key authentication
HQ-HQ_c: remote: [[MY.HQ.PUBL.IP]] uses pre-shared key authentication
HQ-HQ_c: child: dynamic === dynamic TUNNEL
Security Associations (0 up, 1 connecting):
HQ-HQ_c[1]: CONNECTING, 192.168.43.199[%any]...[MY.HQ.PUBL.IP][%any]
HQ-HQ_c[1]: IKEv1 SPIs: 861ea465afbca83a_i* 0000000000000000_r
HQ-HQ_c[1]: Tasks queued: QUICK_MODE
HQ-HQ_c[1]: Tasks active: ISAKMP_VENDOR ISAKMP_CERT_PRE MAIN_MODE ISAKMP_CERT_POST ISAKMP_NATD
root@GlodRUT955:~#
and for comparison, if it helps, here's the same from an Ubuntu workstation which connects successfully:
gard@Gardomatic-P52s:~$ sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.8.2, Linux 5.4.0-81-generic, x86_64):
uptime: 7 minutes, since Aug 24 12:43:49 2021
malloc: sbrk 2703360, mmap 0, used 619728, free 2083632
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
loaded plugins: charon aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm drbg attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
Listening IP addresses:
10.188.2.201
10.188.0.61
172.16.8.97
Connections:
32c3fd58-8324-42c1-933a-2818ce6c50e0: %any...[MY.HQ.PUBL.IP] IKEv1
32c3fd58-8324-42c1-933a-2818ce6c50e0: local: [10.188.0.61] uses pre-shared key authentication
32c3fd58-8324-42c1-933a-2818ce6c50e0: remote: uses pre-shared key authentication
32c3fd58-8324-42c1-933a-2818ce6c50e0: child: dynamic === dynamic[udp/l2f] TRANSPORT
Security Associations (1 up, 0 connecting):
32c3fd58-8324-42c1-933a-2818ce6c50e0[1]: ESTABLISHED 7 minutes ago, 10.188.0.61[10.188.0.61]... [MY.HQ.PUBL.IP][192.168.10.201]
32c3fd58-8324-42c1-933a-2818ce6c50e0[1]: IKEv1 SPIs: 89dce1dce7bbb073_i* 119cdd83d13fb8f2_r, pre-shared key reauthentication in 2 hours
32c3fd58-8324-42c1-933a-2818ce6c50e0[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
FYI, 10.188.0.0/24 is my HQ subnet, 10.188.2.0/24 is my remote (Teltonika) subnet, the VPN server's pool of virtual IPs is 172.16.8.10-.99.
Any clues on how to figure this out? Apparently both the RUT and my workstation use Strongswan, and the workstation connects, so it "should" work.
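The two "ipsec statusall" listings above differ in ways that a small parser can surface mechanically. The following Python script is an added example and not part of the post, nor Teltonika's or strongSwan's code: it reads the "Connections" and "Security Associations" sections of strongSwan's status output and flags the points worth checking when an L2TP/IPsec client sits in CONNECTING. The two sample outputs embedded in it are abridged, constructed copies of the listings above (the Ubuntu connection's UUID name is replaced by the placeholder "c1"). The checks rely on two facts independent of this post: L2TP/IPsec (RFC 3193) protects the L2TP control channel with a transport-mode SA whose selector is UDP port 1701 (strongSwan prints that port as "udp/l2f", its /etc/services name), and strongSwan shows the responder SPI as all zeros until the first main-mode reply arrives.

```python
"""Diagnostic parser for `ipsec statusall` (strongSwan) output.

Added example, not strongSwan's or Teltonika's own code. It extracts the
child SA mode and traffic selector, the IKE SA state and the responder SPI,
and reports the mismatches that matter for an L2TP/IPsec client.
"""
import re

# Constructed sample, abridged from the non-connecting RUT955 listing.
RUT_STATUS = """Connections:
HQ-HQ_c: %any...[MY.HQ.PUBL.IP] IKEv1
HQ-HQ_c: local: uses pre-shared key authentication
HQ-HQ_c: remote: [[MY.HQ.PUBL.IP]] uses pre-shared key authentication
HQ-HQ_c: child: dynamic === dynamic TUNNEL
Security Associations (0 up, 1 connecting):
HQ-HQ_c[1]: CONNECTING, 192.168.43.199[%any]...[MY.HQ.PUBL.IP][%any]
HQ-HQ_c[1]: IKEv1 SPIs: 861ea465afbca83a_i* 0000000000000000_r
HQ-HQ_c[1]: Tasks queued: QUICK_MODE
HQ-HQ_c[1]: Tasks active: ISAKMP_VENDOR ISAKMP_CERT_PRE MAIN_MODE ISAKMP_CERT_POST ISAKMP_NATD
"""

# Constructed sample, abridged from the working Ubuntu listing;
# "c1" is a placeholder for the UUID-style connection name.
UBUNTU_STATUS = """Connections:
c1: %any...[MY.HQ.PUBL.IP] IKEv1
c1: local: [10.188.0.61] uses pre-shared key authentication
c1: remote: uses pre-shared key authentication
c1: child: dynamic === dynamic[udp/l2f] TRANSPORT
Security Associations (1 up, 0 connecting):
c1[1]: ESTABLISHED 7 minutes ago, 10.188.0.61[10.188.0.61]... [MY.HQ.PUBL.IP][192.168.10.201]
c1[1]: IKEv1 SPIs: 89dce1dce7bbb073_i* 119cdd83d13fb8f2_r, pre-shared key reauthentication in 2 hours
"""

# "<conn>: child: <local> === <remote> <MODE>"
CHILD_RE = re.compile(
    r"^(?P<conn>[^\[:]+): child: (?P<local>\S+) === (?P<remote>\S+) (?P<mode>TUNNEL|TRANSPORT)"
)
# "<conn>[<id>]: <STATE>" for the IKE SA line
SA_RE = re.compile(
    r"^(?P<conn>[^\[:]+)\[\d+\]: (?P<state>CONNECTING|ESTABLISHED|REKEYING|DELETING|CREATED|PASSIVE)\b"
)
# "IKEv1 SPIs: <initiator>_i* <responder>_r" (the '*' marks our own side)
SPI_RE = re.compile(r"IKEv1 SPIs: (?P<i>[0-9a-f]{16})_i\*? (?P<r>[0-9a-f]{16})_r")

NO_RESPONDER_SPI = "0" * 16


def parse_status(text):
    """Return the fields of the first connection / IKE SA found in the output."""
    info = {"mode": None, "selector": None, "state": None, "resp_spi": None}
    for raw in text.splitlines():
        line = raw.strip()
        m = CHILD_RE.match(line)
        if m:
            info["mode"] = m.group("mode")
            info["selector"] = m.group("remote")  # e.g. "dynamic[udp/l2f]"
            continue
        m = SPI_RE.search(line)
        if m:
            info["resp_spi"] = m.group("r")
            continue
        m = SA_RE.match(line)
        if m:
            info["state"] = m.group("state")
    return info


def diagnose(info):
    """List the findings relevant to an L2TP/IPsec client; empty means nothing stands out."""
    findings = []
    if info["mode"] != "TRANSPORT":
        findings.append(
            "child SA is configured as %s; L2TP/IPsec (RFC 3193) uses a TRANSPORT-mode SA" % info["mode"]
        )
    sel = info["selector"] or ""
    if "udp/l2f" not in sel and "1701" not in sel:
        findings.append(
            "traffic selector %r does not restrict to UDP 1701 (udp/l2f), so it does not match the L2TP control channel" % sel
        )
    if info["state"] == "CONNECTING" and info["resp_spi"] == NO_RESPONDER_SPI:
        findings.append(
            "responder SPI is all zeros: no reply to the first main-mode message has been received "
            "(verify the server is reachable on UDP 500 and, behind NAT, UDP 4500)"
        )
    return findings


if __name__ == "__main__":
    for name, status in (("RUT955", RUT_STATUS), ("Ubuntu", UBUNTU_STATUS)):
        print(name, parse_status(status))
        for f in diagnose(parse_status(status)):
            print("  -", f)
```

Run against the two samples, the Ubuntu output yields no findings, while the RUT955 output is flagged on all three points: tunnel mode instead of transport, a selector without UDP 1701, and a responder SPI that never changed from zero. Feeding it real output requires only that the pasted text keep strongSwan's line layout; indentation is stripped before matching.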