0 votes
664 views 14 comments
by anonymous
Hello,

I'm having trouble configuring IPsec on a Teltonika RUTXR1 router. This router is connected to 4G. I also have another 4G router (TP-Link). I tried contacting TP-Link about why the status of the connection is always down. They told me the configuration in the TP-Link router was correct and that the problem might be a security feature in Teltonika that is preventing the connection.

Is there any security feature that might prevent connection by IPsec?

Thank you

1 Answer

0 votes
by anonymous

Hello,

What are the outputs of the following commands (on an SSH or CLI shell):

  • ipsec statusall
  • iptables -t nat -n -L | grep 'pol ipsec'

Regards,

by anonymous
   Teltonika RUTX series 2022
 ---------------------------------
root@Teltonika-RUTXR1:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.9.2, Linux 5.4.147, armv7l):
  uptime: 118 minutes, since Aug 17 10:49:39 2022
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 1
  loaded plugins: charon aes des sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp pem openssl gmp xcbc hmac kernel-netlink socket-default stroke vici updown eap-identity eap-mschapv2 xauth-generic
Listening IP addresses:
  <censored>
  192.168.20.1
  fd2a:b33:666::1
Connections:
passth_Leitek_ph2_mob1s1a1:  %any...%any  IKEv1/2
passth_Leitek_ph2_mob1s1a1:   local:  uses public key authentication
passth_Leitek_ph2_mob1s1a1:   remote: uses public key authentication
passth_Leitek_ph2_mob1s1a1:   child:  dynamic === dynamic PASS
Leitek-Leitek_c:  %any...<censored>  IKEv1, dpddelay=30s
Leitek-Leitek_c:   local:  [<censored>] uses pre-shared key authentication
Leitek-Leitek_c:   remote: [<censored>] uses pre-shared key authentication
Leitek-Leitek_c:   child:  192.168.20.0/24 === 192.168.16.0/24 TUNNEL, dpdaction=restart
Shunted Connections:
passth_Leitek_ph2_mob1s1a1:  dynamic === dynamic PASS
Security Associations (0 up, 1 connecting):
Leitek-Leitek_c[48]: CONNECTING, <censored>[%any]...<censored>[%any]
Leitek-Leitek_c[48]: IKEv1 SPIs: 97da2442c2455ca4_i* 0000000000000000_r
Leitek-Leitek_c[48]: Tasks queued: QUICK_MODE
Leitek-Leitek_c[48]: Tasks active: ISAKMP_VENDOR ISAKMP_CERT_PRE MAIN_MODE ISAKMP_CERT_POST ISAKMP_NATD
root@Teltonika-RUTXR1:~# iptables -t nat -n -L | grep 'pol ipsec'
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            policy match dir out pol ipsec /* !fw3: Exclude-IPsec-from-NAT */

by anonymous

OK for the iptables output. The tunnel stays in the CONNECTING state. Do you have traces at the other end? Or can you run a tcpdump to see whether incoming packets are dropped?

  • tcpdump -i any -n -v 'port 500 or port 4500'

 

by anonymous
root@Teltonika-RUTXR1:~# tcpdump -i any -n -v 'port 500 or port 4500'
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
13:53:06.722345 IP (tos 0x0, ttl 64, id 60099, offset 0, flags [DF], proto UDP (17), length 264)
    <censored>.500 > 87.103.102.197.500: isakmp 1.0 msgid 00000000: phase 1 I ident:
    (sa: doi=ipsec situation=identity
        (p: #1 protoid=isakmp transform=3
            (t: #1 id=ike (type=enc value=3des)(type=hash value=md5)(type=group desc value=modp1024)(type=auth value=preshared)(type=lifetype value=sec)(type=lifeduration value=0e10))
            (t: #2 id=ike (type=enc value=aes)(type=keylen value=0080)(type=hash value=sha2-256)(type=group desc value=0013)(type=auth value=preshared)(type=lifetype value=sec)(type=lifeduration value=0e10))
            (t: #3 id=ike (type=group desc value=0013)(type=auth value=preshared)(type=lifetype value=sec)(type=lifeduration value=0e10))))
    (vid: len=8)
    (vid: len=16)
    (vid: len=20)
    (vid: len=16)
    (vid: len=16)
13:53:10.722883 IP (tos 0x0, ttl 64, id 60365, offset 0, flags [DF], proto UDP (17), length 264)
    <censored>.500 > 87.103.102.197.500: isakmp 1.0 msgid 00000000: phase 1 I ident:
    (sa: doi=ipsec situation=identity
        (p: #1 protoid=isakmp transform=3
            (t: #1 id=ike (type=enc value=3des)(type=hash value=md5)(type=group desc value=modp1024)(type=auth value=preshared)(type=lifetype value=sec)(type=lifeduration value=0e10))
            (t: #2 id=ike (type=enc value=aes)(type=keylen value=0080)(type=hash value=sha2-256)(type=group desc value=0013)(type=auth value=preshared)(type=lifetype value=sec)(type=lifeduration value=0e10))
            (t: #3 id=ike (type=group desc value=0013)(type=auth value=preshared)(type=lifetype value=sec)(type=lifeduration value=0e10))))
    (vid: len=8)
    (vid: len=16)
    (vid: len=20)
    (vid: len=16)
    (vid: len=16)
13:53:17.923357 IP (tos 0x0, ttl 64, id 60535, offset 0, flags [DF], proto UDP (17), length 264)
    <censored>.500 > 87.103.102.197.500: isakmp 1.0 msgid 00000000: phase 1 I ident:
    (sa: doi=ipsec situation=identity
        (p: #1 protoid=isakmp transform=3
            (t: #1 id=ike (type=enc value=3des)(type=hash value=md5)(type=group desc value=modp1024)(type=auth value=preshared)(type=lifetype value=sec)(type=lifeduration value=0e10))
            (t: #2 id=ike (type=enc value=aes)(type=keylen value=0080)(type=hash value=sha2-256)(type=group desc value=0013)(type=auth value=preshared)(type=lifetype value=sec)(type=lifeduration value=0e10))
            (t: #3 id=ike (type=group desc value=0013)(type=auth value=preshared)(type=lifetype value=sec)(type=lifeduration value=0e10))))
    (vid: len=8)
    (vid: len=16)
    (vid: len=20)
    (vid: len=16)
    (vid: len=16)
13:53:30.883866 IP (tos 0x0, ttl 64, id 61794, offset 0, flags [DF], proto UDP (17), length 264)
    <censored>.500 > 87.103.102.197.500: isakmp 1.0 msgid 00000000: phase 1 I ident:
    (sa: doi=ipsec situation=identity
        (p: #1 protoid=isakmp transform=3
            (t: #1 id=ike (type=enc value=3des)(type=hash value=md5)(type=group desc value=modp1024)(type=auth value=preshared)(type=lifetype value=sec)(type=lifeduration value=0e10))
            (t: #2 id=ike (type=enc value=aes)(type=keylen value=0080)(type=hash value=sha2-256)(type=group desc value=0013)(type=auth value=preshared)(type=lifetype value=sec)(type=lifeduration value=0e10))
            (t: #3 id=ike (type=group desc value=0013)(type=auth value=preshared)(type=lifetype value=sec)(type=lifeduration value=0e10))))
    (vid: len=8)
    (vid: len=16)
    (vid: len=20)
    (vid: len=16)
    (vid: len=16)
by anonymous

> <censored>.500 > 87.103.102.197.500 ....

So nothing comes back from the server. Can you get traces from the other end? Does it see something?
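The reading above (only our packets, nothing back) can be checked mechanically. The script below is an added example, not code from this thread or from Teltonika: it parses `tcpdump -v` output for ISAKMP (IKEv1), counts packets in each direction so that repeated phase 1 initiator messages with no responder packet stand out as unanswered retransmissions, and, going one step beyond the thread, flags the weak algorithms in the offered phase 1 transforms (the capture above offers 3DES/MD5/modp1024 as transform #1). The embedded capture is constructed to mirror the thread's output; 203.0.113.10 (this router) and 198.51.100.7 (the peer) are documentation addresses chosen for the example, not the addresses from the thread.

```python
"""Triage an IKE capture like the one pasted above.

Added example, not code from the original thread. It reads tcpdump -v output
for ISAKMP (IKEv1) and answers two questions without touching the router:
  1. Is the exchange one-way (only our packets, nothing back from the peer)?
  2. Which phase 1 transforms are offered, and do any rely on weak algorithms?
The capture below is constructed to mirror the thread's output; 203.0.113.10
(this router) and 198.51.100.7 (the peer) are documentation addresses chosen
for the example.
"""
import re

LOCAL, PEER = "203.0.113.10", "198.51.100.7"

# Phase 1 proposal as tcpdump printed it in the thread (three transforms).
PROPOSAL = """\
    (sa: doi=ipsec situation=identity
        (p: #1 protoid=isakmp transform=3
            (t: #1 id=ike (type=enc value=3des)(type=hash value=md5)(type=group desc value=modp1024)(type=auth value=preshared)(type=lifetype value=sec)(type=lifeduration value=0e10))
            (t: #2 id=ike (type=enc value=aes)(type=keylen value=0080)(type=hash value=sha2-256)(type=group desc value=0013)(type=auth value=preshared)(type=lifetype value=sec)(type=lifeduration value=0e10))
            (t: #3 id=ike (type=group desc value=0013)(type=auth value=preshared)(type=lifetype value=sec)(type=lifeduration value=0e10))))
    (vid: len=8)
"""


def _packet(ts, ip_id, src, dst, role):
    return (f"{ts} IP (tos 0x0, ttl 64, id {ip_id}, offset 0, flags [DF], proto UDP (17), length 264)\n"
            f"    {src}.500 > {dst}.500: isakmp 1.0 msgid 00000000: phase 1 {role} ident:\n" + PROPOSAL)


# Constructed sample 1: four retransmissions of the initiator's first message, no reply.
ONE_WAY_CAPTURE = "".join(
    _packet(ts, ip_id, LOCAL, PEER, "I")
    for ts, ip_id in [("13:53:06.722345", 60099), ("13:53:10.722883", 60365),
                      ("13:53:17.923357", 60535), ("13:53:30.883866", 61794)])
# Constructed sample 2: the same, plus one phase 1 responder packet from the peer.
ANSWERED_CAPTURE = ONE_WAY_CAPTURE + _packet("13:53:31.104211", 61795, PEER, LOCAL, "R")

TS_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP ")
HDR_RE = re.compile(r"^\s*(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
                    r"isakmp (?P<ver>\S+) msgid (?P<msgid>[0-9a-f]+): (?P<desc>.*)$")
PHASE_RE = re.compile(r"phase (?P<phase>\d) (?P<role>[IR])")
T_RE = re.compile(r"\(t: #(?P<num>\d+) id=ike (?P<attrs>.*)\)\s*$")
ATTR_RE = re.compile(r"\(type=(?P<k>[\w ]+?) value=(?P<v>[\w-]+)\)")

# Algorithms a reviewer should flag in a phase 1 offer. Groups tcpdump does not name
# are printed as hex IANA group numbers (0013 = 19, a 256-bit ECP group, is fine).
WEAK = {
    "enc": {"des", "3des"},
    "hash": {"md5", "sha1"},
    "group desc": {"modp768", "modp1024", "modp1536", "0001", "0002", "0005"},
}


def parse_packets(text):
    """Return one dict per ISAKMP packet: addresses, phase, role and offered transforms."""
    packets, ts = [], None
    for line in text.splitlines():
        if m := TS_RE.match(line):
            ts = m.group("ts")
            continue
        if m := HDR_RE.match(line):
            pkt = m.groupdict()
            ph = PHASE_RE.search(pkt["desc"])
            pkt.update(ts=ts, phase=int(ph["phase"]) if ph else None,
                       role=ph["role"] if ph else None, transforms=[])
            packets.append(pkt)
            continue
        if (m := T_RE.search(line)) and packets:
            attrs = dict(ATTR_RE.findall(m.group("attrs")))
            attrs["num"] = int(m.group("num"))
            packets[-1]["transforms"].append(attrs)
    return packets


def weak_reasons(transform):
    """List the weak algorithm choices in one transform, e.g. ['enc=3des', 'hash=md5']."""
    return [f"{k}={transform[k]}" for k, bad in WEAK.items() if transform.get(k) in bad]


def triage(text, local_ip):
    """Summarise direction of traffic and the initiator's phase 1 offer."""
    packets = parse_packets(text)
    sent = [p for p in packets if p["src"] == local_ip]
    received = [p for p in packets if p["dst"] == local_ip]
    # Identical phase 1 initiator messages (same msgid) with no responder packet in
    # between are retransmissions: the peer, or something on the path, never answered.
    one_way = bool(sent) and not received
    offered = {}
    for p in sent:
        for t in p["transforms"]:
            offered.setdefault(t["num"], t)
    weak = {n: weak_reasons(t) for n, t in offered.items() if weak_reasons(t)}
    return {"sent": len(sent), "received": len(received), "one_way": one_way,
            "transforms": offered, "weak": weak}


if __name__ == "__main__":
    for name, cap in (("one-way", ONE_WAY_CAPTURE), ("answered", ANSWERED_CAPTURE)):
        r = triage(cap, LOCAL)
        print(f"{name}: sent={r['sent']} received={r['received']} one_way={r['one_way']} weak={r['weak']}")
```

To use it on a real capture, save the `tcpdump -i any -n -v 'port 500 or port 4500'` output to a file and pass its contents to `triage()` with the router's own WAN address as `local_ip`. A one-way result with a retransmitting initiator means the fault is at the peer or on the path (filtering, NAT without port 4500, a wrong destination), not in the local proposal; a two-way exchange that still never reaches QUICK_MODE points at a proposal or PSK mismatch instead.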

by anonymous
Hi, I contacted TP-Link and they say there is no CLI for that router, which makes me think it is not possible to use the same commands as you mentioned above. The TP-Link router is a consumer (home) product.
by anonymous

87.103.102.197 is an address belonging to Vodafone PT. Are you sure it is the correct destination?

Could you make a drawing of your network showing the links to the ISP ? A handwritten one will do.

by anonymous

Here is my full network. The public IPs are from Vodafone.

https://ibb.co/BTsKbRt

by anonymous

> The public IPs are from Vodafone.

Does that mean that Voda gives you a public address, or is it the apparent IP address on a site like whatismyip.com?

Do you see the 87.103.96.213 in the output of ifconfig on the RUT ? The output of ifconfig wwan0 ?

by anonymous
Both routers have public IPs as I requested them. Their IPs are equal to what is in whatismyip.com.

I see that ip in ifconfig wwan0.

Regards
by anonymous

nmap -p 500 -sU -Pn  87.103.96.213 indicates that 500/UDP is open.

nmap -p 500 -sU -Pn  87.103.102.197 indicates that 500/UDP is open or filtered, so it is hard to tell if it is working or not.

If possible, you can try to reverse the roles, i.e. set the TP-Link as the initiator of the tunnel; it will be easier to debug.

Edit: port 500 on 87.103.102.197 never replies, even with a reject of some sort.

by anonymous

Hi

What are the chances that the industrial Teltonika router is not compatible with the home TP-Link router? Can you guarantee that my Teltonika (RUTXR1) is capable of communicating with a Teltonika RUT240 by VPN? Maybe that is the most plausible solution for my problem.

Thank you

by anonymous

Things have changed since yesterday. It appears that the router at 87.103.102.197 now replies to solicitations on the 500/UDP port. Could you retry to establish the tunnel?

 

by anonymous
Hi, how do you know that? The router has been turned off since yesterday and the SIM card is deactivated (allowance expired). I can't test it right now. I think I'll have to buy another router. But first I want to know if the Teltonika is in fact incompatible with the TP-Link TL-MR6400 home router.

Thank you
by anonymous

> how do you know that?

Just sent an IKE_SA_INIT Initiator Request to 87.103.102.197 on port 500, got an IKE_SA_INIT Responder Response. So there is something at this address able to reply to IKE requests.

> But first I want to know if the Teltonika is in fact incompatible with the TP-Link TL-MR6400 home router

Nothing indicates that this is the case (at least yet).

EDIT: According to the User's Guide of the TL-MR6400 Rev 5.0.0, this router is able to handle OpenVPN and PPTP, and IPsec is not mentioned. So use one of the former protocols instead of IPsec.
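The two probes used in this thread differ in what they can prove: `nmap -sU -p 500` sends an empty datagram, so a silent port is reported as "open|filtered" and tells you nothing, whereas the IKE_SA_INIT request in the last comment forces any IKE responder to answer, either with its own IKE_SA_INIT response or with a Notify such as NO_PROPOSAL_CHOSEN or INVALID_KE_PAYLOAD, both of which prove that something speaks IKE at that address. The script below is an added example, not code from the thread, from Teltonika or from nmap: it builds a minimal, well-formed IKEv2 IKE_SA_INIT request per RFC 7296 (SA, KE and Ni payloads; the KE value is random bytes of the right length, enough for a reachability probe but not for a handshake), sends it, and parses the reply header and payload chain. The `sample_response()` reply is constructed so the parser can be exercised offline; `probe()` is the only function that touches the network.

```python
"""Probe UDP/500 with a well-formed IKEv2 IKE_SA_INIT request.

Added example, not code from the thread. Wire formats follow RFC 7296. The KE
public value is random bytes of the group's size: enough to make a responder
reply (IKE_SA_INIT response or a Notify), not enough to complete a handshake.
sample_response() is a constructed reply used only for the offline check.
"""
import os
import socket
import struct

IKE_SA_INIT = 34
PAYLOAD_SA, PAYLOAD_KE, PAYLOAD_NONCE, PAYLOAD_NOTIFY = 33, 34, 40, 41
FLAG_INITIATOR, FLAG_RESPONSE = 0x08, 0x20
NOTIFY_NAMES = {7: "INVALID_SYNTAX", 14: "NO_PROPOSAL_CHOSEN", 17: "INVALID_KE_PAYLOAD", 16390: "COOKIE"}
HDR = "!8s8sBBBBII"   # SPIi, SPIr, next payload, version, exchange type, flags, msg id, length


def _transform(ttype, tid, last, key_len=None):
    # Transform substructure; the key length is a TV attribute (0x800E) used for ENCR only.
    attrs = struct.pack("!HH", 0x800E, key_len) if key_len else b""
    return struct.pack("!BBHBBH", 0 if last else 3, 0, 8 + len(attrs), ttype, 0, tid) + attrs


def _sa_payload(next_payload):
    transforms = (_transform(1, 12, False, 128)  # ENCR_AES_CBC, 128-bit key
                  + _transform(2, 5, False)      # PRF_HMAC_SHA2_256
                  + _transform(3, 12, False)     # AUTH_HMAC_SHA2_256_128
                  + _transform(4, 14, True))     # D-H group 14 (2048-bit MODP)
    # Proposal #1, protocol IKE (1), no SPI, four transforms
    proposal = struct.pack("!BBHBBBB", 0, 0, 8 + len(transforms), 1, 1, 0, 4) + transforms
    return struct.pack("!BBH", next_payload, 0, 4 + len(proposal)) + proposal


def _ke_payload(next_payload, group, public_value):
    return struct.pack("!BBHHH", next_payload, 0, 8 + len(public_value), group, 0) + public_value


def _nonce_payload(next_payload, nonce):
    return struct.pack("!BBH", next_payload, 0, 4 + len(nonce)) + nonce


def build_ike_sa_init(spi_i, ke_value, nonce):
    """IKE_SA_INIT request: header followed by SA, KE and Ni payloads."""
    body = (_sa_payload(PAYLOAD_KE) + _ke_payload(PAYLOAD_NONCE, 14, ke_value)
            + _nonce_payload(0, nonce))
    hdr = struct.pack(HDR, spi_i, bytes(8), PAYLOAD_SA, 0x20, IKE_SA_INIT, FLAG_INITIATOR,
                      0, 28 + len(body))
    return hdr + body


def parse_ike_response(data, spi_i):
    """Summarise an IKEv2 reply addressed to our SPI, or return None if data is not one."""
    if len(data) < 28:
        return None
    r_spi_i, spi_r, nxt, ver, exch, flags, _msgid, _length = struct.unpack(HDR, data[:28])
    if r_spi_i != spi_i or ver >> 4 != 2 or not flags & FLAG_RESPONSE:
        return None
    out = {"exchange": exch, "responder_spi": spi_r.hex(), "payloads": [], "notifies": []}
    off = 28
    while nxt and off + 4 <= len(data):
        pnext, _crit, plen = struct.unpack("!BBH", data[off:off + 4])
        if plen < 4 or off + plen > len(data):
            break                                # malformed length: stop, never overrun
        out["payloads"].append(nxt)
        if nxt == PAYLOAD_NOTIFY and plen >= 8:
            _proto, _spi_size, ntype = struct.unpack("!BBH", data[off + 4:off + 8])
            out["notifies"].append(NOTIFY_NAMES.get(ntype, str(ntype)))
        nxt, off = pnext, off + plen
    return out


def probe(host, port=500, timeout=3.0):
    """Send one IKE_SA_INIT and return the parsed reply, or None on silence."""
    spi_i = os.urandom(8)
    pkt = build_ike_sa_init(spi_i, os.urandom(256), os.urandom(32))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (host, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None                          # filtered, or nothing listening: UDP cannot tell
    return parse_ike_response(data, spi_i)


def sample_response(spi_i, notify_type=14):
    """Constructed responder reply carrying a single Notify (default NO_PROPOSAL_CHOSEN)."""
    notify = struct.pack("!BBHBBH", 0, 0, 8, 0, 0, notify_type)
    return struct.pack(HDR, spi_i, b"\x11" * 8, PAYLOAD_NOTIFY, 0x20, IKE_SA_INIT,
                       FLAG_RESPONSE, 0, 28 + len(notify)) + notify
```

Run `probe("192.0.2.1")` only against a host you are authorised to test. A dict back, whatever the notifies say, means an IKE responder is reachable on UDP/500, which is the conclusion the last comment drew; `None` means the packet was dropped somewhere or nothing is listening, and that is all an unanswered UDP probe can ever tell you.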