0 votes
627 views 8 comments
by anonymous

Hello All:

When I issue the command "uci show strongswan" I get the following:

<snip>

strongswan.SOICCMP.leftfirewall='yes'

strongswan.SOICCMP.forceencaps='no'

strongswan.SOICCMP.dpdaction='restart'

strongswan.SOICCMP.closeaction='restart'

strongswan.SOICCMP.right='164.100.196.79'

strongswan.SOICCMP.allow_webui='1'

<snip>
But then when I look at the ipsec.conf:
conn SOICC
    leftid=keyid:CORS219
    leftauth=psk
    rightauth=psk
    leftsubnet=2.2.2.219/32
    right=A.B.C.D
    rightid=keyid:CCrouter
    keyexchange=ikev2
    authby=secret
    leftfirewall=yes
    rightfirewall=no
    auto=start
    type=tunnel
    aggressive=no
    dpdaction=restart
    dpddelay=30
    dpdtimeout=30
    forceencaps=no
    keyingtries=%forever
    ike=aes256-sha256-modp2048
    ikelifetime=5h
    esp=aes256-sha256-modp2048
    keylife=4h
    rightsubnet=1.1.1.10/32
You can see the absence of the "closeaction=restart" option.
Where has it gone? Why is it not there?
Here is my /etc/config/strongswan file:
config conn 'SOICC'
    option enabled '1'
    option keyexchange 'ikev2'
    option ipsec_type 'tunnel'
    option leftfirewall 'yes'
    option forceencaps 'no'
    option dpdaction 'restart'
    option closeaction 'restart'
    option right 'A.B.C.D'
    option allow_webui '1'
    option ike_encryption_algorithm 'aes256'
    option ike_authentication_algorithm 'sha256'
    option ike_dh_group 'modp2048'
    option esp_encryption_algorithm 'aes256'
    option esp_hash_algorithm 'sha256'
    option esp_pfs_group 'modp2048'
    option keylife '4h'
    option my_identifier 'keyid:CORS219'
    option rightid 'keyid:CCrouter'
    option rightfirewall 'no'
    option dpddelay '30'
    option dpdtimeout '30'
    option ikelifetime '5h'
    option auto 'start'
    option auth 'psk'
    list leftsubnet '2.2.2.219/32'
    list rightsubnet '1.1.1.10/32'
    option aggressive 'no'
So I have enabled the option, why is it not showing up in the /etc/ipsec.conf file after reboot?
Cheers,
John

2 Answers

0 votes
by anonymous

Hello,

I've looked at this issue and it seems like the UCI output in your initial post is slightly off when compared to the actual output when this custom option is configured. Could you try to do one of the following:

WebUI way:

Log in to the router via WebUI, navigate to Services > VPN > IPsec, edit the IPsec tunnel and, in the custom options field, enter the command in the following way:

 

Make sure to save the configuration. It should show up in the /etc/ipsec.conf after the tunnel reloads itself.


CLI way:

Alternatively, log in to the router via CLI (SSH) and run the following commands:

uci del strongswan.SOICCMP.closeaction

uci set strongswan.SOICCMP.custom='closeaction=restart'

uci commit && reload_config && /etc/init.d/ipsec restart && sleep 5 && cat /etc/ipsec.conf | grep restart

This should configure the custom rule as intended and restart the IPsec tunnel immediately. Once the tunnel is restarted, it should show whether the rule was added to the ipsec.conf file.

Let me know if this works.

Best regards,

Tomas.

Best answer
by anonymous
I used the UCI interface, it worked perfectly.

Thank you,

cheers,

John
0 votes
by anonymous

Hi,

I've checked the /etc/init.d/ipsec script and there's no support for the closeaction option specifically.

To push this option into ipsec.conf you need to configure it as a custom option in /etc/config/ipsec

list custom 'closeaction=none'

e.g.: 

by anonymous
Hi....

I note that on my routers there is no /etc/config/ipsec. Do I need to create the file?

Cheers,

john
by anonymous
Which firmware version are you using? Usually ipsec connections are configured in /etc/config/ipsec. You can try adding "list custom 'closeaction=none'" into your current config file; if it doesn't work, then please provide a troubleshoot file so I can look further into it.
by anonymous
FW version: RUT9XX_R_00.06.08.3
by anonymous

Hi, 

I've checked the RUT9XX_R_00.06.08.3 FW and the syntax is the same: list custom 'closeaction=none'. The only difference is that the config file is named strongswan instead of ipsec.

Does the closeaction option appear in your ipsec.conf?

by anonymous
The closeaction=restart does not show up in /etc/ipsec.conf even though it's in the /etc/config/strongswan file.

Cheers,

john
by anonymous
Hi, John,

Have you restarted the ipsec service after modifying the config file?

Could you share the troubleshoot file from System -> Administration -> Troubleshoot, so I could look further into this issue?
by anonymous
I rebooted, yes.
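
An added example, not part of the thread and not Teltonika's code: a shell check that compares saved "uci show strongswan" output with the generated ipsec.conf and lists conn keywords that UCI sets but the conn section lacks, which is how a dropped closeaction would show up. It assumes the conn is named after the UCI section, as in the question above; the function names, the KEYWORDS subset and the sample files are constructed for illustration.

```shell
#!/bin/sh
# ipsec.conf conn keywords whose UCI option carries the same name
# (a subset picked for this example; extend as needed).
KEYWORDS="closeaction dpdaction dpddelay dpdtimeout forceencaps keyexchange
ikelifetime keylife auto aggressive leftfirewall rightfirewall rightid"

# missing_keywords UCI_SHOW_FILE IPSEC_CONF SECTION
# Prints one key=value line for each keyword that UCI sets for SECTION
# but that is absent (or has another value) in "conn SECTION".
missing_keywords() {
    uci_file=$1 conf=$2 section=$3
    # Keep only the key=value lines of the requested conn section.
    rendered=$(awk -v s="$section" '
        $1 == "conn"   { in_conn = ($2 == s); next }
        $1 == "config" { in_conn = 0; next }
        in_conn && /=/ { gsub(/^[ \t]+/, ""); print }' "$conf")
    for key in $KEYWORDS; do
        # UCI lines look like: strongswan.SOICC.closeaction='restart'
        val=$(sed -n "s/^strongswan\.$section\.$key='\(.*\)'\$/\1/p" "$uci_file")
        [ -n "$val" ] || continue
        printf '%s\n' "$rendered" | grep -qxF "$key=$val" ||
            printf '%s=%s\n' "$key" "$val"
    done
}

# Constructed sample: closeaction is set in UCI but was not rendered.
demo() {
    d=$(mktemp -d)
    cat > "$d/uci.txt" <<'EOF'
strongswan.SOICC=conn
strongswan.SOICC.dpdaction='restart'
strongswan.SOICC.closeaction='restart'
strongswan.SOICC.dpddelay='30'
EOF
    cat > "$d/ipsec.conf" <<'EOF'
config setup

conn OTHER
    closeaction=restart

conn SOICC
    keyexchange=ikev2
    dpdaction=restart
    dpddelay=30
EOF
    missing_keywords "$d/uci.txt" "$d/ipsec.conf" SOICC
    rm -rf "$d"
}

demo
```

On a router the first argument would be a file created with "uci show strongswan > /tmp/uci.txt" and the second /etc/ipsec.conf.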