WIKIABOUT

FOR TIPS, gUIDES & TUTORIALS

subscribe to our Youtube

GO TO YOUTUBE

14455 questions

17168 answers

28195 comments

0 members

Most popular tags

rut955 rut240 rut950 rutx11 rms vpn to openvpn wifi not sms trb140 firmware connection - ipsec on rutx12 rutx09 modbus
We are migrating to our new platform at https://community.teltonika.lt. Moving forward, you can continue discussions on this new platform. This current platform will be temporarily maintained for reference purposes.

IPSEC VPN through UCI commands doesn't work

0 votes
868 views 25 comments
by anonymous

I've tried to create an ipsec based VPN configuration through uci commands. When I compare the "uci show ipsec" commands it's an exact match as compared to creating the same VPN through the web gui. Also when comparing the /etc/config/ipsec file (created through uci) with the same file (created through web) it's the same. Still the web created VPN works without issue's, the uci created VPN somehow doesn't work. It shows up in the gui (correctly). But when running the "ipsec showall" command, it doesn't show an SA (I've commited and reloaded the ipsec config, also rebooted the router).

Output of the "show ipsec" command (some details modified).

ipsec.@ipsec[0]=ipsec

ipsec.@ipsec[0].rtinstall_enabled='1'

ipsec.MyVPN=remote

ipsec.MyVPN.crypto_proposal='MyVPN_ph1'

ipsec.MyVPN.force_crypto_proposal='1'

ipsec.MyVPN.gateway='vpnmgmt.MyVPN.tld'

ipsec.MyVPN.authentication_method='psk'

ipsec.MyVPN.pre_shared_key='*********************************************'

ipsec.MyVPN.tunnel='MyVPN_c'

ipsec.MyVPN.remote_identifier='1.2.3.4'

ipsec.MyVPN.local_identifier='W99-RTR01'

ipsec.MyVPN._multiple_secrets='0'

ipsec.MyVPN.enabled='1'

ipsec.MyVPN_c=connection

ipsec.MyVPN_c.crypto_proposal='MyVPN_ph2'

ipsec.MyVPN_c.defaultroute='0'

ipsec.MyVPN_c.forceencaps='no'

ipsec.MyVPN_c.local_firewall='yes'

ipsec.MyVPN_c.remote_firewall='yes'

ipsec.MyVPN_c._dpd='1'

ipsec.MyVPN_c.force_crypto_proposal='1'

ipsec.MyVPN_c.mode='start'

ipsec.MyVPN_c.type='tunnel'

ipsec.MyVPN_c.keyexchange='ikev2'

ipsec.MyVPN_c.dpdaction='restart'

ipsec.MyVPN_c.remote_subnet='192.168.222.0/24' '10.20.0.0/16'

ipsec.MyVPN_c.comp_mode='1'

ipsec.MyVPN_c.aggressive='no'

ipsec.MyVPN_c.local_subnet='10.100.99.254/32' '10.101.99.0/25'

ipsec.MyVPN_ph1=proposal

ipsec.MyVPN_ph1.encryption_algorithm='aes256'

ipsec.MyVPN_ph1.hash_algorithm='sha256'

ipsec.MyVPN_ph1.dh_group='modp2048'

ipsec.MyVPN_ph2=proposal

--------------------

Output of the "ipsec showall"

Status of IKE charon daemon (strongSwan 5.9.2, Linux 5.4.147, armv7l):

  uptime: 74 minutes, since Sep 22 11:43:21 2022

  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0

  loaded plugins: charon aes des sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp pem openssl gmp xcbc hmac kernel-netlink socket-default stroke vici updown eap-identity eap-mschapv2 xauth-generic

Listening IP addresses:

  10.178.51.58

  10.101.99.2

  fd79:8e10:b7c9::1

Connections:

Security Associations (0 up, 0 connecting):

  none

---------------------------

I've added the troubleshoot file. 
There was an earlier question from someone running into the same issue, but that wasn't answered.

by anonymous
Wrong comment button

1 Answer

0 votes
by anonymous

Hello,

Configuration of IPsec over WebUI also generates several traffic rules and one port forward. I would suggest checking these additions upon the successful establishment of the IPsec tunnel and compare to find what is missing after uci configuration. Troubleshoot contains firewall file with all the firewall details. Comparing these files from both configurations might also help to find what is missing.

Best regards,

Show 19 previous comments
by anonymous

Here is a thing to try: 

“To resolve this issue it's needed to change option tunnel 'Client_c' to list tunnel 'Client_c'.
This issue occurs because uci set is used for all options. tunnel option should be set using uci add_list.“

by anonymous

These are the actual UCI commands used to create the VPN. You mean changing the bold entry from a set to add?

uci set ipsec.MyVPN=remote
uci set ipsec.MyVPN.crypto_proposal='MyVPN_ph1'
uci set ipsec.MyVPN.enabled='1'
uci set ipsec.MyVPN._multiple_secrets='0'
uci set ipsec.MyVPN.force_crypto_proposal='1'
uci set ipsec.MyVPN.gateway='vpnmgmt.MyVPN.tld'
uci set ipsec.MyVPN.authentication_method='psk'
uci set ipsec.MyVPN.pre_shared_key='***************'
uci set ipsec.MyVPN.local_identifier='W99-RTR01'
uci set ipsec.MyVPN.remote_identifier='1.2.3.4'
uci set ipsec.MyVPN.tunnel='MyVPN_c'

uci set ipsec.MyVPN_c=connection
uci set ipsec.MyVPN_c.crypto_proposal='MyVPN_ph2'
uci set ipsec.MyVPN_c.defaultroute='0'
uci set ipsec.MyVPN_c.aggressive='no'
uci set ipsec.MyVPN_c.forceencaps='no'
uci set ipsec.MyVPN_c.local_firewall='yes'
uci set ipsec.MyVPN_c.remote_firewall='yes'
uci set ipsec.MyVPN_c.comp_mode='1'
uci set ipsec.MyVPN_c._dpd='1'
uci set ipsec.MyVPN_c.force_crypto_proposal='1'
uci set ipsec.MyVPN_c.mode='start'
uci set ipsec.MyVPN_c.type='tunnel'
uci set ipsec.MyVPN_c.local_subnet='10.100.99.254/32'
uci add_list ipsec.MyVPN_c.local_subnet='10.101.99.0/25'
uci set ipsec.MyVPN_c.remote_subnet='192.168.222.0/24'
uci add_list ipsec.MyVPN_c.remote_subnet='10.20.0.0/16'
uci set ipsec.MyVPN_c.keyexchange='ikev2'
uci set ipsec.MyVPN_c.dpdaction='restart'

uci set ipsec.MyVPN_ph1=proposal
uci set ipsec.MyVPN_ph1.encryption_algorithm='aes256'
uci set ipsec.MyVPN_ph1.hash_algorithm='sha256'
uci set ipsec.MyVPN_ph1.dh_group='modp2048'

uci set ipsec.MyVPN_ph2=proposal
uci set ipsec.MyVPN_ph2.encryption_algorithm='aes256'
uci set ipsec.MyVPN_ph2.hash_algorithm='sha256'
uci set ipsec.MyVPN_ph2.dh_group='modp2048

by anonymous

Yes uci add_list ipsec.MyVPN.tunnel='MyVPN_c'

Good catch.

by anonymous

Yes, that was the trick! So for everyone else breaking it's head on this, this is the right config:

uci set ipsec.MyVPN=remote
uci set ipsec.MyVPN.crypto_proposal='MyVPN_ph1'
uci set ipsec.MyVPN.enabled='1'
uci set ipsec.MyVPN._multiple_secrets='0'
uci set ipsec.MyVPN.force_crypto_proposal='1'
uci set ipsec.MyVPN.gateway='vpnmgmt.MyVPN.tld'
uci set ipsec.MyVPN.authentication_method='psk'
uci set ipsec.MyVPN.pre_shared_key='***************'
uci set ipsec.MyVPN.local_identifier='W99-RTR01'
uci set ipsec.MyVPN.remote_identifier='1.2.3.4'
uci add_list ipsec.MyVPN.tunnel='MyVPN_c'

uci set ipsec.MyVPN_c=connection
uci set ipsec.MyVPN_c.crypto_proposal='MyVPN_ph2'
uci set ipsec.MyVPN_c.defaultroute='0'
uci set ipsec.MyVPN_c.aggressive='no'
uci set ipsec.MyVPN_c.forceencaps='no'
uci set ipsec.MyVPN_c.local_firewall='yes'
uci set ipsec.MyVPN_c.remote_firewall='yes'
uci set ipsec.MyVPN_c.comp_mode='1'
uci set ipsec.MyVPN_c._dpd='1'
uci set ipsec.MyVPN_c.force_crypto_proposal='1'
uci set ipsec.MyVPN_c.mode='start'
uci set ipsec.MyVPN_c.type='tunnel'
uci set ipsec.MyVPN_c.local_subnet='10.100.99.254/32'
uci add_list ipsec.MyVPN_c.local_subnet='10.101.99.0/25'
uci set ipsec.MyVPN_c.remote_subnet='192.168.222.0/24'
uci add_list ipsec.MyVPN_c.remote_subnet='10.20.0.0/16'
uci set ipsec.MyVPN_c.keyexchange='ikev2'
uci set ipsec.MyVPN_c.dpdaction='restart'

uci set ipsec.MyVPN_ph1=proposal
uci set ipsec.MyVPN_ph1.encryption_algorithm='aes256'
uci set ipsec.MyVPN_ph1.hash_algorithm='sha256'
uci set ipsec.MyVPN_ph1.dh_group='modp2048'

uci set ipsec.MyVPN_ph2=proposal
uci set ipsec.MyVPN_ph2.encryption_algorithm='aes256'
uci set ipsec.MyVPN_ph2.hash_algorithm='sha256'
uci set ipsec.MyVPN_ph2.dh_group='modp2048

Thank you very much!

by anonymous

uci add_list ipsec.MyVPN_c.local_subnet='10.100.99.254/32'

uci add_list ipsec.MyVPN_c.remote_subnet='192.168.222.0/24'