0 votes
656 views 10 comments
by anonymous
I have a RUTX11 with dual modems. As far as I can see from the routing table, wwan0 is the first modem and wwan1 is the second; this may be wrong.

Either way, I have an ipsec connection that I need to originate from wwan1 regardless. Other traffic can do its thing as normal and take either or both interfaces.

Not seeing a setting for this, but there may well be one somewhere, or at least there should be one somewhere on a dual wan device.

Thanks

Rich
by anonymous
Actually no.

MOB1S1A1 is the primary modem and metric 2

MOB2S1A1 is the secondary modem and metric 3

Yet...

default dev wwan1 proto static scope link src 100.65.103.178 metric 2
default dev wwan0 proto static scope link src 10.15.98.241 metric 3

and yet still, the metric 2 IP address is from the secondary modem not the primary one. So that makes no sense to me. FWIW failover and load balancing are both disabled.

So I still want to route my IPSec session via the SECONDARY MODEM, whichever interface that is by default. Everything else can just do what it's doing.

2 Answers

0 votes
by anonymous

Hello, 

Let me understand your question a little more. You need the IPsec tunnel to be formed from a specific interface, correct? IPsec tunnels are not directly associated with an interface. In that case, you can create the tunnel from the interface you go out to the internet or the one you have configured as priority 1 to go out to the internet. 

On the other hand, I see that you have doubts about the RUTX11 mobile connection. The RUTX11 has only one modem, not two. It has two SIM slots because this allows switching between SIMs if there is connectivity failure on one. However, it is a single modem that is working at the time of connection. This will depend on which of your SIMs you have configured as Default. 

So if you only have one mobile connection, the IPsec tunnel will be established over that IP. If you have another internet connection (which may be wired through the WAN port), you have to check which interface you are using to connect to the internet. You can check this also with the ipsec status command via CLI. If you want to send all the traffic through the tunnel, I leave you this link where another person had that requirement.

https://community.teltonika-networks.com/22918/route-whole-traffic-through-ipsec-vpn?show=22918#q22918

If you only want to send certain traffic through the tunnel, you must configure static routes pointing to the tunnel.

by anonymous
Hi,

So actually I made a mistake here, it's a RUTX12 (not 11), we have 11's and 12's and I just got it wrong so I apologise for that. It is specifically a RUTX1200. It does have two modems, and both are up at the same time. There are two default routes, and I can manually set these routes (although I still don't understand the relationship between MOB?S1A1 and wwan?).

Regardless, I need my ipsec to ORIGINATE from MOB2S1A1 and everything else to follow the route table. I can of course just disable MOB1S1A1, establish the tunnel and then re-enable but the tunnel isn't reliable and falls over several times a day and has to be re-established.

So all I need to do is to tell ipsec what interface to use for the connection (and to understand how interfaces are associated with modems). I've already tried adding a static route to the VPN access IP but it's ignored by ipsec when setting up the tunnel.
by anonymous

Hey, 

Why would you want to form the tunnel only from MOB2S1A1? What benefit do you want to achieve with this? In the end, no matter which interface your IPsec tunnel connects through, it will connect your device to the server.

In any case, you can go to the Network→Interfaces menu and place the MOB2S1A1 interface over MOB1S1A1. This will give the MOB2S1A1 interface priority over the other and the tunnel should be formed with this interface. If this does not work, you can try changing the routing table by ssh. You can use the route command to view the table and the command ip route add 0.0.0.0/0 via XX.XX.XX.XX where XX.XX.XX.XX is the IP of the MOB2S1A1 interface.

0 votes
by anonymous

So this forum is terrible, I can't reply to any of the answers. Given that, this is a reply to the answer from

That may work, but both interfaces are dynamic, so I have no way to know what the IP of mob1s1a1 is going to be, and secondly, I don't want all traffic to go out on mob2s1a1. I want all traffic on mob1s1a1 and only ipsec traffic to be on mob2s1a1.

Also, I already tried adding a static route so that traffic to the VPN endpoint should have gone via interface wwan0 but that didn't work.

by anonymous

Hey, 

If you click the comment box, you can comment on the above answer. 

Can you first try changing the priority of the interfaces? As I mentioned above, you should put the interface you want the tunnel to form on first. Then add the static route for the specific traffic to go through that interface. You can also try creating a traffic rule. You can do this through Network→Firewall→Traffic Rule. You can set from which interface, IP, or MAC address you want to send traffic to the IPsec tunnel IP.

by anonymous
I can only comment on 'some' answers, not all. There is no comment button for the latest answer which is frustrating.

Anyhoo, changing interface order, or indeed disabling the first does indeed work just fine, but, this doesn't do what I need. The first interface MOB1S1A1 is by far the fastest and provides the best connectivity, but, due to the ISP's filtering I cannot establish an IPSEC over this connection. MOB2S1A1 is slower by far but doesn't have any filtering and establishes an IPSEC just fine.

So, all traffic to go via MOB1... and just the IPSec over MOB2... is what I'm trying to achieve. I can of course route traffic over the ipsec (table 220) but what I can't seem to do is make IPSec use MOB2... as the originating interface specifically, with everything else not. I should be able to use strongswan's install_virtual_ip_on / interfaces_use / interfaces_ignore options to do what I need, but this brings me back to the relationship between MOB1.... and wwan0/wwan1 that I posted at the start. If wwan0 were always MOB1S1A1 then I could get there, but as shown above it's not that simple and I don't know how these wwanX get assigned to the modems.

I hope that makes sense?
by anonymous

Yes, it makes sense. However, that configuration is a bit more complicated. What you can do is to configure a DDNS with the MOB2 interface. This is because your IP is not static and will change. You can create a DDNS with the help of http://www.duckdns.org/. Here is our documentation for DDNS configuration. 

https://wiki.teltonika-networks.com/view/RUTX12_Dynamic_DNS

After you have configured the DDNS for this interface, you must configure the IPsec tunnel of the RUTX with the domain you have in the DDNS in the Local Identifier field. This way, you will always be able to set up the tunnel with this interface.

by anonymous
Thanks for the continued assistance, it's greatly appreciated.

So both LTE providers use NAT and assign me an internal address (either 10./8 or 192.16/16 or 100./8) so DDNS isn't going to fix this for me since the public IP will never reach back to me. For this reason I'm not using IP to authenticate ipsec, which works fine. The only part of this whole setup that is missing is getting ipsec to use the second modem to originate. To add to the challenge, this endpoint can be on the move, and as such the actual IP addresses assigned to the two modems will change periodically. So... what is the relationship between modem 1 and modem 2 and wwan0 and wwan1? Is there any direct relationship that's deterministic, or is it just whichever modem comes up first gets wwan0? Can I force wwan0 to be the first modem? If I can get a stable interface<->modem mapping then I can probably do the rest using strongswan's config files.

Thanks as always

Rich
by anonymous
There is no relationship between the modems and the wwan0 and wwan1 interfaces. As I mentioned before, the wwan0 interface will be the default mobile interface with the highest priority. This makes this configuration more complicated. You could try setting up an IPsec tunnel with GRE which will be directly associated with the interface you choose.
by anonymous
Ah, well it doesn't seem to be that way. In my testing I find that wwan0 can be either primary or secondary. e.g.

default dev wwan1 proto static scope link src 100.65.103.178 metric 2
default dev wwan0 proto static scope link src 10.15.98.241 metric 3

10.15.98.241 is the Primary Modem SIM and 100.65.103.178 is the Secondary. The order is Primary first.

It appears that the actual allocation of these does depend on the order in which connectivity is established, and it changes since modems in the RUTX12 seem to crash periodically and need to be re-initialised (and of course it still suffers from one of the modems disappearing and not being detected, usually the secondary but not always).

I think I'm screwed here. I could write some shell script to pull the IPs from the interfaces and roughly figure out which is which, then cp one of two config files and then bring up strongswan, but to be honest this is just going to be fraught with issues. I think I need to actually be looking at different hardware that can do what I need out of the box, OR maybe two individual single SIM routers and some static routes on the default gateway.

I really appreciate the help here, it's been invaluable and has saved me hours, so thank you for that.
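The "pull the IPs from the interfaces and figure out which is which" idea from the comment above, together with the strongSwan interfaces_use option mentioned earlier in the thread, can be put into a small POSIX sh script. The script below is an added example, not code from the thread or from Teltonika. It parses the default routes (the same `ip route` lines quoted above), decides which wwanX currently carries the secondary SIM from the address range its carrier hands out, and prints a strongswan.conf fragment that pins charon to that interface. The carrier ranges (10.0.0.0/8 for the primary SIM, CGNAT 100.64.0.0/10 for the secondary) and the sample routing table are constructed assumptions for this example; `charon.interfaces_use` is a real strongSwan setting.

```sh
#!/bin/sh
# Added example (not from the thread or from Teltonika): pick the wwanX that
# currently belongs to the secondary SIM by the address range its carrier
# assigns, then emit a strongswan.conf fragment pinning charon to it.
#
# Constructed assumptions (change them for your carriers):
#   - the primary SIM's carrier assigns addresses from 10.0.0.0/8
#   - the secondary SIM's carrier assigns CGNAT addresses from 100.64.0.0/10

# Routing table sample, constructed from the two default routes quoted in the
# thread plus one connected route, so the script runs without a router.
SAMPLE_ROUTES='default dev wwan1 proto static scope link src 100.65.103.178 metric 2
default dev wwan0 proto static scope link src 10.15.98.241 metric 3
10.15.98.0/24 dev wwan0 proto kernel scope link src 10.15.98.241'

# classify_ip ADDR: print "primary", "secondary" or "unknown" for ADDR.
classify_ip() {
    case "$1" in
        10.*) echo primary ;;
        # 100.64.0.0/10 is 100.64.x.x through 100.127.x.x
        100.6[4-9].*|100.[7-9][0-9].*|100.1[01][0-9].*|100.12[0-7].*) echo secondary ;;
        *) echo unknown ;;
    esac
}

# parse_default_routes ROUTES: print "IFACE SRC METRIC" for every default
# route in ROUTES (the text of `ip -4 route show`); lines without dev and src
# are skipped.
parse_default_routes() {
    printf '%s\n' "$1" | awk '
        $1 == "default" {
            iface = ""; src = ""; metric = "0"
            for (i = 2; i < NF; i++) {
                if ($i == "dev")    iface  = $(i + 1)
                if ($i == "src")    src    = $(i + 1)
                if ($i == "metric") metric = $(i + 1)
            }
            if (iface != "" && src != "") print iface, src, metric
        }'
}

# secondary_iface ROUTES: print the interface whose default route is sourced
# from the secondary carrier's range; return 1 if there is none (for example
# while the second modem is still re-initialising).
secondary_iface() {
    found=$(parse_default_routes "$1" | while read -r iface src metric; do
        if [ "$(classify_ip "$src")" = secondary ]; then
            echo "$iface"
            break
        fi
    done)
    [ -n "$found" ] || return 1
    echo "$found"
}

# charon_conf IFACE: print a strongswan.conf fragment. charon.interfaces_use
# restricts the IKE daemon to the listed interface, so IKE and ESP originate
# there no matter which default route has the lower metric.
charon_conf() {
    printf 'charon {\n    interfaces_use = %s\n}\n' "$1"
}

# generate_conf ROUTES: whole pipeline; prints the fragment or fails loudly.
generate_conf() {
    iface=$(secondary_iface "$1") || {
        echo "no default route from the secondary carrier range yet" >&2
        return 1
    }
    charon_conf "$iface"
}

# Stand-alone demo over the constructed sample. On the router use the live
# table instead:  generate_conf "$(ip -4 route show)"
generate_conf "$SAMPLE_ROUTES"
```

Because both addresses are dynamic, the script has to run again whenever a modem reconnects; on OpenWrt-based firmware an interface hotplug script (an assumption about the Teltonika build, check /etc/hotplug.d/iface exists there) is the usual place, followed by a restart of strongSwan so charon re-reads the fragment. The classification by carrier range works only while the two carriers hand out addresses from distinct ranges; the thread shows that route metric alone is not a reliable way to tell the modems apart, which is why the script does not use it.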
by anonymous

Sorry, I think I misunderstood. Modem 1 (wwan0) will always be associated with SIM1, while modem 2 (wwan2) will always be associated with SIM2. This is basically because they are hardwired. I was mentioning earlier which one would be used to go out to the internet. In any case, a colleague tried installing duckdns on the router, configuring a domain for the MOB2 interface and setting that domain as the local identifier, and it worked. In this case, it does not matter that the IP is not public. This is because, being embedded in the router, the DDNS will always resolve to the IP of the MOBS2 interface. Here you have more documentation from OpenWrt.

https://openwrt.org/docs/guide-user/services/ddns/duckdns

Also, you can try with strongswan, here is the documentation. 

https://docs.strongswan.org/docs/5.9/features/routeBasedVpn.html

But it seems to be more complicated.