0 votes
629 views 9 comments
by anonymous

Hello,

I have 2 x RUT240, recently acquired (FW: RUT2_R_00.07.01.4 - updated by myself) and I tried to create an IPsec tunnel. I used the configuration example found here: https://wiki.teltonika-networks.com/view/IPsec_configuration_examples. I have on the left side LAN IP 192.168.1.0/24 and on the right side LAN IP 192.168.6.0/24. The mobile WAN IPs are public IPs (I read in a previous question that it was an issue having one public IP and the other a dynamic IP). I noticed that the tunnel is not installing... meaning that when I do #ipsec status, I'm receiving only...

root@Teltonika-RUT240:~# ipsec status
Security Associations (1 up, 0 connecting):
SONDA6-SONDA6_c[1]: ESTABLISHED 4 minutes ago, 93.XXX.XXX.XXX[192.168.1.1]...93.XXX.XXX.XXX[192.168.6.1]

for the left side, and for the right side I get the same answer...

root@Teltonika-RUT240:~# ipsec status
Security Associations (1 up, 0 connecting):
SCADA-SCADA_c[2]: ESTABLISHED 34 minutes ago, 93.XXX.XXX.XXX[192.168.6.1]...93.XXX.XXX.XXX[192.168.1.1]

When I do #ipsec statusall, I get something like this... (on both sides)...

root@Teltonika-RUT240:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.9.2, Linux 5.4.147, mips):
uptime: 47 minutes, since Mar 13 19:16:03 2022
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
loaded plugins: charon aes des sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp pem openssl gmp xcbc hmac kernel-netlink socket-default stroke vici updown xauth-generic
Virtual IP pools (size/online/offline):
192.168.1.1: 1/0/0
Listening IP addresses:
192.168.6.1
fddc:c179:5d94::1
93.122.190.96
Connections:
SCADA-SCADA_c: 0.0.0.0/0,::/0...93.122.188.119 IKEv1
SCADA-SCADA_c: local: [192.168.6.1] uses pre-shared key authentication
SCADA-SCADA_c: remote: [192.168.1.1] uses pre-shared key authentication
SCADA-SCADA_c: child: 192.168.6.0/24 === 192.168.1.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
SCADA-SCADA_c[2]: ESTABLISHED 46 minutes ago, 93.122.190.96[192.168.6.1]...93.122.188.119[192.168.1.1]
SCADA-SCADA_c[2]: IKEv1 SPIs: 82e82f142140efa6_i 1740f17b6497c993_r*, pre-shared key reauthentication in 7 hours
SCADA-SCADA_c[2]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
SCADA-SCADA_c[2]: Tasks queued: QUICK_MODE

Any hints? What should I check more?

1 Answer

0 votes
by anonymous
Hello,

Could you post a full ipsec statusall from both sides? No INSTALLED tunnels appear in the output.

Regards,
by anonymous

Here it is... it looks almost the same...

root@Teltonika-RUT240:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.9.2, Linux 5.4.147, mips):
uptime: 74 minutes, since Mar 13 19:16:36 2022
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
loaded plugins: charon aes des sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp pem openssl gmp xcbc hmac kernel-netlink socket-default stroke vici updown xauth-generic
Virtual IP pools (size/online/offline):
192.168.6.1: 1/0/0
Listening IP addresses:
93.122.188.119
192.168.1.1
fd1f:7f85:8e59::1
Connections:
SONDA6-SONDA6_c: 0.0.0.0/0,::/0...93.122.190.96 IKEv1
SONDA6-SONDA6_c: local: [192.168.1.1] uses pre-shared key authentication
SONDA6-SONDA6_c: remote: [192.168.6.1] uses pre-shared key authentication
SONDA6-SONDA6_c: child: 192.168.1.0/24 === 192.168.6.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
SONDA6-SONDA6_c[1]: ESTABLISHED 73 minutes ago, 93.122.188.119[192.168.1.1]...93.122.190.96[192.168.6.1]
SONDA6-SONDA6_c[1]: IKEv1 SPIs: 82e82f142140efa6_i* 1740f17b6497c993_r, pre-shared key reauthentication in 6 hours
SONDA6-SONDA6_c[1]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
SONDA6-SONDA6_c[1]: Tasks queued: QUICK_MODE

by anonymous
Sorry, the output is unreadable, at least for me. Try to use Paragraph format/Formatted for the results.
by anonymous
Security associations appear in the status but no ESTABLISHED tunnel. Would it be possible to see the logs from both ends?
by anonymous
root@Teltonika-RUT240:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.9.2, Linux 5.4.147, mips):
uptime: 47 minutes, since Mar 13 19:16:03 2022
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
loaded plugins: charon aes des sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp pem openssl gmp xcbc hmac kernel-netlink socket-default stroke vici updown xauth-generic
Virtual IP pools (size/online/offline):
192.168.1.1: 1/0/0
Listening IP addresses:
192.168.6.1
fddc:c179:5d94::1
93.122.190.96
Connections:
SCADA-SCADA_c: 0.0.0.0/0,::/0...93.122.188.119 IKEv1
SCADA-SCADA_c: local: [192.168.6.1] uses pre-shared key authentication
SCADA-SCADA_c: remote: [192.168.1.1] uses pre-shared key authentication
SCADA-SCADA_c: child: 192.168.6.0/24 === 192.168.1.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
SCADA-SCADA_c[2]: ESTABLISHED 46 minutes ago, 93.122.190.96[192.168.6.1]...93.122.188.119[192.168.1.1]
SCADA-SCADA_c[2]: IKEv1 SPIs: 82e82f142140efa6_i 1740f17b6497c993_r*, pre-shared key reauthentication in 7 hours
SCADA-SCADA_c[2]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
SCADA-SCADA_c[2]: Tasks queued: QUICK_MODE

root@Teltonika-RUT240:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.9.2, Linux 5.4.147, mips):
uptime: 74 minutes, since Mar 13 19:16:36 2022
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
loaded plugins: charon aes des sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp pem openssl gmp xcbc hmac kernel-netlink socket-default stroke vici updown xauth-generic
Virtual IP pools (size/online/offline):
192.168.6.1: 1/0/0
Listening IP addresses:
93.122.188.119
192.168.1.1
fd1f:7f85:8e59::1
Connections:
SONDA6-SONDA6_c: 0.0.0.0/0,::/0...93.122.190.96 IKEv1
SONDA6-SONDA6_c: local: [192.168.1.1] uses pre-shared key authentication
SONDA6-SONDA6_c: remote: [192.168.6.1] uses pre-shared key authentication
SONDA6-SONDA6_c: child: 192.168.1.0/24 === 192.168.6.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
SONDA6-SONDA6_c[1]: ESTABLISHED 73 minutes ago, 93.122.188.119[192.168.1.1]...93.122.190.96[192.168.6.1]
SONDA6-SONDA6_c[1]: IKEv1 SPIs: 82e82f142140efa6_i* 1740f17b6497c993_r, pre-shared key reauthentication in 6 hours
SONDA6-SONDA6_c[1]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
SONDA6-SONDA6_c[1]: Tasks queued: QUICK_MODE

by anonymous

Please try with IKEv2 instead of IKEv1. You should have something like:

Connections:
   ikev2-vpn:  %any...xxx  IKEv2, dpddelay=300s
   ikev2-vpn:   local:  [C=FR, O=xx, CN=xxx] uses public key authentication
   ikev2-vpn:    cert:  "C=FR, O=xx, CN=xxx"
   ikev2-vpn:   remote: [xxx] uses public key authentication
   ikev2-vpn:   child:  dynamic === 172.31.254.0/24 TUNNEL, dpdaction=restart
Routed Connections:
   ikev2-vpn{1}:  ROUTED, TUNNEL, reqid 1
   ikev2-vpn{1}:   192.168.8.199/32 === 172.31.254.0/24
Security Associations (1 up, 0 connecting):
   ikev2-vpn[1]: ESTABLISHED 8 minutes ago, 192.168.8.199[C=FR, O=xx, CN=xxx]...xxx[yyy]
   ikev2-vpn[1]: IKEv2 SPIs: 6a63f6f51337ac8f_i* 50e5dad5a634d41d_r, public key reauthentication in 2 hours
   ikev2-vpn[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_AES128_XCBC/CURVE_25519
   ikev2-vpn{2}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c0c4a563_i cfc79412_o
   ikev2-vpn{2}:  AES_CBC_128/HMAC_SHA2_256_128, 0 bytes_i, 840 bytes_o (10 pkts, 24s ago), rekeying in 36 minutes
   ikev2-vpn{2}:   172.31.254.17/32 === 172.31.254.0/24

Here you have the INSTALLED, TUNNEL line. Take the logs from logread.
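As an added check that is not part of this thread (example code, not Teltonika's or strongSwan's), the script below parses `ipsec statusall` text for exactly the condition discussed here: an IKE SA that is ESTABLISHED while no CHILD_SA line reports INSTALLED and QUICK_MODE stays queued, plus a listing of legacy algorithms in the IKE proposal. Both samples are constructed from the outputs posted above; the function names and the `LEGACY` fragment list are this example's own assumptions.

```python
import re

# Constructed sample modelled on the `ipsec statusall` output posted in this thread:
# the IKE SA is ESTABLISHED, QUICK_MODE is still queued and no CHILD_SA line exists.
SAMPLE_STUCK = """\
Security Associations (1 up, 0 connecting):
SCADA-SCADA_c[2]: ESTABLISHED 46 minutes ago, 93.122.190.96[192.168.6.1]...93.122.188.119[192.168.1.1]
SCADA-SCADA_c[2]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
SCADA-SCADA_c[2]: Tasks queued: QUICK_MODE
"""

# Constructed healthy sample modelled on the IKEv2 output in the reply above.
SAMPLE_OK = """\
Security Associations (1 up, 0 connecting):
   ikev2-vpn[1]: ESTABLISHED 8 minutes ago, 192.168.8.199[C=FR, O=xx, CN=xxx]...xxx[yyy]
   ikev2-vpn[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_AES128_XCBC/CURVE_25519
   ikev2-vpn{2}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c0c4a563_i cfc79412_o
"""

# Name fragments that mark legacy IKE algorithms (assumed list: 3DES, MD5, SHA-1, small MODP groups).
LEGACY = ("3DES", "MD5", "SHA1", "MODP_768", "MODP_1024", "MODP_1536")

HINTS = {"healthy": "tunnel up (IKE SA and CHILD_SA present)",
         "phase2_stuck": "IKE SA established but no CHILD_SA INSTALLED; compare logread on both ends",
         "down": "no IKE SA established"}


def analyse_status(text):
    """Parse strongSwan status text and classify the tunnel state."""
    # IKE_SA lines read  name[N]: ESTABLISHED ...;  CHILD_SA lines read  name{N}: INSTALLED ...
    ike_up = re.findall(r"^\s*(\S+)\[(\d+)\]:\s+ESTABLISHED", text, re.M)
    child_up = re.findall(r"^\s*(\S+)\{(\d+)\}:\s+INSTALLED", text, re.M)
    queued = re.findall(r"Tasks queued:\s*(\S+)", text)
    proposals = re.findall(r"IKE proposal:\s*(\S+)", text)
    weak = sorted({alg for p in proposals for alg in p.split("/")
                   if any(tag in alg for tag in LEGACY)})
    if ike_up and child_up:
        verdict = "healthy"        # phase 1 and phase 2 both up
    elif ike_up:
        verdict = "phase2_stuck"   # IKE SA up but the CHILD_SA never got installed
    else:
        verdict = "down"
    return {"ike_sas": len(ike_up), "child_sas": len(child_up),
            "queued": queued, "weak_algorithms": weak, "verdict": verdict}


if __name__ == "__main__":
    for sample in (SAMPLE_STUCK, SAMPLE_OK):
        r = analyse_status(sample)
        print(HINTS[r["verdict"]], "| queued:", r["queued"], "| legacy algorithms:", r["weak_algorithms"])
```

On a router, the same function can be fed the live output of `ipsec statusall` read from a file or a pipe.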

by anonymous
NO success...

Do you want the logs from Administration -> Troubleshoot -> System Log...?
by anonymous
Yes, from both ends.
by anonymous
I attached the .tar files from both ends..
by anonymous
Thank you, but I can't access them. Maybe you can try to send me a private message (click on my pseudo); that probably won't work, I have been put in the "Approved Users" list and the link seems to have disappeared...