7855 questions

9275 answers

14928 comments

12723 members

0 votes
44 views 1 comments
by
Hi all,

I've got a RUT955 that I'd like to connect as a client to an L2TP/IPSec server at my office. The server runs on a Mikrotik router. I realise that there is actually an official guide for this scenario, but I think it's based on slightly older SW/FW versions. I could possibly change my VPN server configuration to follow the guide exactly, but I'd prefer not to, as it's generally working fine as is.

Instead if doing all the manual IPSec server configuration that the guide explains, I simply just enabled the "Use IPSec" option when setting up the L2TP server on the Mikrotik, and specified a PSK secret. It works perfectly fine when connecting Android and Ubuntu clients, but for some reason I can't get the RUT to connect using IPSec.

On Android and Ubuntu, it "just works" – I can just enter the server domain address, user name/PW and PSK, leaving everything else blank/default, and it connects and pops up in the list of IPSec active peers on the Mikrotik. On the Teltonika, when attempting the same approach, it doesn't connect – when I run "ipsec status" it says "connecting", but never connects. There are a lot more settings to fill in on the Teltonika, and to be honest I don't really know what do to with them because I didn't have to configure any of this manually on the server or any other clients.

FWIW, the ipsec statusall output:

root@GlodRUT955:~# ipsec statusall                                                                                                            

Status of IKE charon daemon (strongSwan 5.8.2, Linux 4.14.221, mips):                                                                         

  uptime: 87 seconds, since Aug 24 10:42:57 2021                                                                                              

  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 1                                                            

  loaded plugins: charon aes des sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp pem openssl gmp xcbc hmac kerne

l-netlink socket-default stroke vici updown xauth-generic                                                                                     

Listening IP addresses:                                                                                                                       

  10.188.2.1                                                                                                                                  

  192.168.43.199                                                                                                                              

Connections:                                                                                                                                  

     HQ-HQ_c:  %any...[MY.HQ.PUBL.IP]  IKEv1                                                                                                     

     HQ-HQ_c:   local:  uses pre-shared key authentication                                                                                    

     HQ-HQ_c:   remote: [[MY.HQ.PUBL.IP]] uses pre-shared key authentication                                                                     

     HQ-HQ_c:   child:  dynamic === dynamic TUNNEL                                                                                            

Security Associations (0 up, 1 connecting):                                                                                                   

     HQ-HQ_c[1]: CONNECTING, 192.168.43.199[%any]...[MY.HQ.PUBL.IP][%any]                                                                        

     HQ-HQ_c[1]: IKEv1 SPIs: 861ea465afbca83a_i* 0000000000000000_r                                                                           

     HQ-HQ_c[1]: Tasks queued: QUICK_MODE                                                                                                     

     HQ-HQ_c[1]: Tasks active: ISAKMP_VENDOR ISAKMP_CERT_PRE MAIN_MODE ISAKMP_CERT_POST ISAKMP_NATD                                           

root@GlodRUT955:~#                                                                                                                            

and for comparison, if it helps, here's the same from an Ubuntu workstation which connects successfully

gard@Gardomatic-P52s:~$ sudo ipsec statusall

Status of IKE charon daemon (strongSwan 5.8.2, Linux 5.4.0-81-generic, x86_64):

  uptime: 7 minutes, since Aug 24 12:43:49 2021

  malloc: sbrk 2703360, mmap 0, used 619728, free 2083632

  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3

  loaded plugins: charon aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm drbg attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters

Listening IP addresses:

  10.188.2.201

  10.188.0.61

  172.16.8.97

Connections:

32c3fd58-8324-42c1-933a-2818ce6c50e0:  %any...[MY.HQ.PUBL.IP]  IKEv1

32c3fd58-8324-42c1-933a-2818ce6c50e0:   local:  [10.188.0.61] uses pre-shared key authentication

32c3fd58-8324-42c1-933a-2818ce6c50e0:   remote: uses pre-shared key authentication

32c3fd58-8324-42c1-933a-2818ce6c50e0:   child:  dynamic === dynamic[udp/l2f] TRANSPORT

Security Associations (1 up, 0 connecting):

32c3fd58-8324-42c1-933a-2818ce6c50e0[1]: ESTABLISHED 7 minutes ago, 10.188.0.61[10.188.0.61]... [MY.HQ.PUBL.IP][192.168.10.201]

32c3fd58-8324-42c1-933a-2818ce6c50e0[1]: IKEv1 SPIs: 89dce1dce7bbb073_i* 119cdd83d13fb8f2_r, pre-shared key reauthentication in 2 hours

32c3fd58-8324-42c1-933a-2818ce6c50e0[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024

FYI, 10.188.0.0/24 is my HQ subnet, 10.188.2.0/24 is my remote (Teltonika) subnet, the VPN server's pool of virtual IPs is 172.16.8.10-.99.

Any clues on how to figure out this? Apparently both the RUT and my workstation uses Strongswan, and the workstation connects, so it "should" work.

1 Answer

0 votes
by

Hello,

Please refer to this guide: https://wiki.teltonika-networks.com/view/L2TP_over_IPsec

There is an example on how to set up L2TP over IPsec client over IPsec,. You have mentioned that you want to connect your RUT955 as a client, so you can follow half of the guide.

Regards.

by
Thanks! That got me closer, I realised that one rather fundamental mistake I made was that I'd set it to "tunnel" on the RUT when it should have been "transport".

I also found that on the Ubuntu client, apparently the Phase1 algorithms are set to aes128-sha256-modp1024 and Phase2 are aes128-sha256, so I set those correspondingly on the RUT (using "No PFS" on Phase2).

Curiously enough, ipsec status now says 0 up, 0 connecting:

Connections:                                                               

     HQ-HQ_c:  %any...[MY.HQ.PUBL.IP] IKEv1                                  

     HQ-HQ_c:   local:  [10.188.0.136] uses pre-shared key authentication  

     HQ-HQ_c:   remote: [[MY.HQ.PUBL.IP]] uses pre-shared key authentication  

     HQ-HQ_c:   child:  dynamic === dynamic TRANSPORT                      

Security Associations (0 up, 0 connecting):                                

 none

… not quite sure what to make of that.

EDIT: for what it's worth, L2TP (without IPSec) works just fine with no problems, if that makes any difference.