by anonymous

I've tried to create an ipsec based VPN configuration through uci commands. When I compare the "uci show ipsec" commands it's an exact match as compared to creating the same VPN through the web gui. Also when comparing the /etc/config/ipsec file (created through uci) with the same file (created through web) it's the same. Still the web created VPN works without issues, the uci created VPN somehow doesn't work. It shows up in the gui (correctly). But when running the "ipsec showall" command, it doesn't show an SA (I've committed and reloaded the ipsec config, also rebooted the router).

Output of the "show ipsec" command (some details modified).

ipsec.@ipsec[0]=ipsec
ipsec.@ipsec[0].rtinstall_enabled='1'
ipsec.MyVPN=remote
ipsec.MyVPN.crypto_proposal='MyVPN_ph1'
ipsec.MyVPN.force_crypto_proposal='1'
ipsec.MyVPN.gateway='vpnmgmt.MyVPN.tld'
ipsec.MyVPN.authentication_method='psk'
ipsec.MyVPN.pre_shared_key='*********************************************'
ipsec.MyVPN.tunnel='MyVPN_c'
ipsec.MyVPN.remote_identifier='1.2.3.4'
ipsec.MyVPN.local_identifier='W99-RTR01'
ipsec.MyVPN._multiple_secrets='0'
ipsec.MyVPN.enabled='1'
ipsec.MyVPN_c=connection
ipsec.MyVPN_c.crypto_proposal='MyVPN_ph2'
ipsec.MyVPN_c.defaultroute='0'
ipsec.MyVPN_c.forceencaps='no'
ipsec.MyVPN_c.local_firewall='yes'
ipsec.MyVPN_c.remote_firewall='yes'
ipsec.MyVPN_c._dpd='1'
ipsec.MyVPN_c.force_crypto_proposal='1'
ipsec.MyVPN_c.mode='start'
ipsec.MyVPN_c.type='tunnel'
ipsec.MyVPN_c.keyexchange='ikev2'
ipsec.MyVPN_c.dpdaction='restart'
ipsec.MyVPN_c.remote_subnet='192.168.222.0/24' '10.20.0.0/16'
ipsec.MyVPN_c.comp_mode='1'
ipsec.MyVPN_c.aggressive='no'
ipsec.MyVPN_c.local_subnet='10.100.99.254/32' '10.101.99.0/25'
ipsec.MyVPN_ph1=proposal
ipsec.MyVPN_ph1.encryption_algorithm='aes256'
ipsec.MyVPN_ph1.hash_algorithm='sha256'
ipsec.MyVPN_ph1.dh_group='modp2048'
ipsec.MyVPN_ph2=proposal

--------------------

Output of the "ipsec showall"

Status of IKE charon daemon (strongSwan 5.9.2, Linux 5.4.147, armv7l):
  uptime: 74 minutes, since Sep 22 11:43:21 2022
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon aes des sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp pem openssl gmp xcbc hmac kernel-netlink socket-default stroke vici updown eap-identity eap-mschapv2 xauth-generic
Listening IP addresses:
  10.178.51.58
  10.101.99.2
  fd79:8e10:b7c9::1
Connections:
Security Associations (0 up, 0 connecting):
  none

---------------------------

I've added the troubleshoot file. 
There was an earlier question from someone running into the same issue, but that wasn't answered.

by anonymous
Wrong comment button

1 Answer

0 votes
by anonymous

Hello,

Configuration of IPsec over WebUI also generates several traffic rules and one port forward. I would suggest checking these additions upon the successful establishment of the IPsec tunnel and compare to find what is missing after uci configuration. Troubleshoot contains firewall file with all the firewall details. Comparing these files from both configurations might also help to find what is missing.

Best regards,

by anonymous
The relevant firewall rules/redirects/nats have been created as well. But regardless of the firewall rules, I would expect to see the SA entry when running "ipsec statusall" regardless of any blocking/missing firewall rules. The compare of the "uci show firewall" of both running configs is also identical.
by anonymous
What is the output of logread | grep 'received stroke' on the router ?
by anonymous

Thu Sep 22 15:40:01 2022 daemon.info ipsec: 06[CFG] received stroke: add connection 'MyVPN-MyVPN_c'
Thu Sep 22 15:40:01 2022 daemon.info ipsec: 07[CFG] received stroke: initiate 'MyVPN-MyVPN_c'
Thu Sep 22 15:40:02 2022 daemon.info ipsec: 13[CFG] received stroke: add connection 'MyVPN-MyVPN_c_1'
Thu Sep 22 15:40:02 2022 daemon.info ipsec: 14[CFG] received stroke: initiate 'MyVPN-MyVPN_c_1'
Thu Sep 22 15:40:02 2022 daemon.info ipsec: 12[CFG] received stroke: add connection 'MyVPN-MyVPN_c_3'
Thu Sep 22 15:40:02 2022 daemon.info ipsec: 06[CFG] received stroke: initiate 'MyVPN-MyVPN_c_3'
Thu Sep 22 15:40:02 2022 daemon.info ipsec: 05[CFG] received stroke: add connection 'MyVPN-MyVPN_c_4'
Thu Sep 22 15:40:02 2022 daemon.info ipsec: 07[CFG] received stroke: initiate 'MyVPN-MyVPN_c_4'
Thu Sep 22 16:10:33 2022 daemon.info ipsec: 05[CFG] received stroke: initiate 'MyVPN-MyVPN_c_1'
Thu Sep 22 16:10:33 2022 daemon.info ipsec: 12[CFG] received stroke: initiate 'MyVPN-MyVPN_c_3'
Thu Sep 22 16:10:33 2022 daemon.info ipsec: 10[CFG] received stroke: initiate 'MyVPN-MyVPN_c_4'
Thu Sep 22 16:41:05 2022 daemon.info ipsec: 05[CFG] received stroke: initiate 'MyVPN-MyVPN_c_1'
Thu Sep 22 16:41:05 2022 daemon.info ipsec: 09[CFG] received stroke: initiate 'MyVPN-MyVPN_c_3'
Thu Sep 22 16:41:05 2022 daemon.info ipsec: 12[CFG] received stroke: initiate 'MyVPN-MyVPN_c_4'
Thu Sep 22 17:11:37 2022 daemon.info ipsec: 07[CFG] received stroke: initiate 'MyVPN-MyVPN_c_1'
Thu Sep 22 17:11:37 2022 daemon.info ipsec: 05[CFG] received stroke: initiate 'MyVPN-MyVPN_c_3'
Thu Sep 22 17:11:37 2022 daemon.info ipsec: 09[CFG] received stroke: initiate 'MyVPN-MyVPN_c_4'
Thu Sep 22 17:42:09 2022 daemon.info ipsec: 10[CFG] received stroke: initiate 'MyVPN-MyVPN_c_1'
Thu Sep 22 17:42:09 2022 daemon.info ipsec: 08[CFG] received stroke: initiate 'MyVPN-MyVPN_c_3'
Thu Sep 22 17:42:09 2022 daemon.info ipsec: 14[CFG] received stroke: initiate 'MyVPN-MyVPN_c_4'
Thu Sep 22 18:12:41 2022 daemon.info ipsec: 08[CFG] received stroke: initiate 'MyVPN-MyVPN_c_1'
Thu Sep 22 18:12:41 2022 daemon.info ipsec: 11[CFG] received stroke: initiate 'MyVPN-MyVPN_c_3'
Thu Sep 22 18:12:41 2022 daemon.info ipsec: 09[CFG] received stroke: initiate 'MyVPN-MyVPN_c_4'
Thu Sep 22 18:59:44 2022 daemon.info ipsec: 14[CFG] received stroke: initiate 'MyVPN-MyVPN_c_1'
Thu Sep 22 18:59:44 2022 daemon.info ipsec: 07[CFG] received stroke: initiate 'MyVPN-MyVPN_c_3'
Thu Sep 22 18:59:44 2022 daemon.info ipsec: 03[CFG] received stroke: initiate 'MyVPN-MyVPN_c_4'

Above information is seen with a manually created VPN through the Webgui. When creating the VPN through UCI, this is the output after reloading the ipsec configuration:

Thu Sep 22 19:27:12 2022 authpriv.info ipsec_starter[10297]: charon stopped after 800 ms
Thu Sep 22 19:27:12 2022 authpriv.info ipsec_starter[10297]: ipsec starter stopped
Thu Sep 22 19:28:07 2022 authpriv.info ipsec_starter[9489]: Starting strongSwan 5.9.2 IPsec [starter]...
Thu Sep 22 19:28:07 2022 daemon.info ipsec: 00[DMN] Starting IKE charon daemon (strongSwan 5.9.2, Linux 5.4.147, armv7l)
Thu Sep 22 19:28:07 2022 daemon.info ipsec: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Thu Sep 22 19:28:07 2022 daemon.info ipsec: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Thu Sep 22 19:28:07 2022 daemon.info ipsec: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Thu Sep 22 19:28:07 2022 daemon.info ipsec: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Thu Sep 22 19:28:07 2022 daemon.info ipsec: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Thu Sep 22 19:28:07 2022 daemon.info ipsec: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Thu Sep 22 19:28:07 2022 daemon.info ipsec: 00[CFG] loading secrets from '/var/ipsec/ipsec.secrets'
Thu Sep 22 19:28:07 2022 daemon.info ipsec: 00[CFG]   loaded IKE secret for BKM-RTR01 1.2.3.4
Thu Sep 22 19:28:07 2022 daemon.info ipsec: 00[LIB] loaded plugins: charon aes des sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp pem openssl gmp xcbc hmac kernel-netlink socket-default stroke vici updown eap-identity eap-mschapv2 xauth-generic
Thu Sep 22 19:28:07 2022 daemon.info ipsec: 00[JOB] spawning 16 worker threads
Thu Sep 22 19:28:07 2022 authpriv.info ipsec_starter[9489]: charon (9495) started after 80 ms

So somehow, charon is not kicking in the next step to initiate the VPN.
by anonymous

So you have several "initiate" strokes none succeed. Something must be wrong or missing in your config.

Edit /etc/init.d/ipsec, at line 529 or so change 

swan_xappend "      default = 1"

to

swan_xappend "      default = 4"

and retry the full sequence. What is the output of logread after the first "received stroke: initiate" ?

by anonymous
The “received stroke” entries were all from the tests with a VPN created through the webgui, not uci.

The last part of the logs shows what happens when the vpn is created via uci. Again, both the /etc/config/ipsec file is identical when created through webgui and uci. Same for the output of “uci show ipsec”.
by anonymous
Yes sorry I didn't read the full comment only the part in the mail...

Does the tunnel go up if started manually via /etc/init.d/ipsec restart ?
by anonymous

No, the ipsec daemon has no knowledge of any MyVPN configuration. The “ipsec statusall” does not show any vpn tunnel config. So the config is somehow not picked up correctly. I can’t find why not, and by comparing good/bad configs, it doesn’t show any issues/differences. It seems like an additional step is done when configuring a vpn through web gui vs uci commands. I need to know that additional step.

by anonymous
What do you have in the /tmp/ipsec folder ?
by anonymous

Three files: ipsec.conf       ipsec.secrets    strongswan.conf

ipsec.conf is empty (that is probably the issue, config is somehow not parsed/loaded)
ipsec.secrets contains the secret for the MyVPN tunnel
strongswan.conf  has some syslog and charon config, but nothing specific to MyVPN
by anonymous

ipsec.conf is empty (that is probably the issue, config is somehow not parsed/loaded)

Yes, this is the issue. Execute /etc/init.d/ipsec reload.

by anonymous
Still the same status. Already issued /etc/init.d/ipsec restart|reload, rebooted the router. But still the vpn config is not loaded when created through uci commands.
by anonymous
Strange. Have you enabled the service via /etc/init.d/ipsec enable before ?
by anonymous
/etc/init.d/ipsec stop clears all the files in /tmp/ipsec

/etc/init.d/ipsec reload recreates them.

Do you have the same result ?
by anonymous
Yes, service is enabled (and running according to ps output). Can both be seen from cli and webgui (services).

I need to somehow debug the parsing of configfiles, but my knowledge of the RutOS is limited for that.

But it's easy to reproduce on any Rutx router. Just create a uci config for ipsec, and see it doesn't get loaded into the ipsec daemon.

Yes, same result after stop/reload.
by anonymous
Yes the issue is about the generation of /tmp/ipsec/ipsec.conf
by anonymous
Exactly, any idea how to debug that? I need to get this working through uci.
by anonymous
I have consulted with the development team, waiting for their response.
by anonymous
Looks like the issue is related to pre-shared keys usage. I have never seen it myself because I always use X.509 certificates.
by anonymous
So would you say it's a bug, or are there characters in the psk which break the config? The string in the /tmp/ipsec/ipsec.secrets file is identical when created through uci or webgui. Much appreciated Teltonika is looking into this!
by anonymous

Here is a thing to try: 

“To resolve this issue it's needed to change option tunnel 'Client_c' to list tunnel 'Client_c'.
This issue occurs because uci set is used for all options. tunnel option should be set using uci add_list.“

by anonymous

These are the actual UCI commands used to create the VPN. You mean changing the bold entry from a set to add?

uci set ipsec.MyVPN=remote
uci set ipsec.MyVPN.crypto_proposal='MyVPN_ph1'
uci set ipsec.MyVPN.enabled='1'
uci set ipsec.MyVPN._multiple_secrets='0'
uci set ipsec.MyVPN.force_crypto_proposal='1'
uci set ipsec.MyVPN.gateway='vpnmgmt.MyVPN.tld'
uci set ipsec.MyVPN.authentication_method='psk'
uci set ipsec.MyVPN.pre_shared_key='***************'
uci set ipsec.MyVPN.local_identifier='W99-RTR01'
uci set ipsec.MyVPN.remote_identifier='1.2.3.4'
uci set ipsec.MyVPN.tunnel='MyVPN_c'

uci set ipsec.MyVPN_c=connection
uci set ipsec.MyVPN_c.crypto_proposal='MyVPN_ph2'
uci set ipsec.MyVPN_c.defaultroute='0'
uci set ipsec.MyVPN_c.aggressive='no'
uci set ipsec.MyVPN_c.forceencaps='no'
uci set ipsec.MyVPN_c.local_firewall='yes'
uci set ipsec.MyVPN_c.remote_firewall='yes'
uci set ipsec.MyVPN_c.comp_mode='1'
uci set ipsec.MyVPN_c._dpd='1'
uci set ipsec.MyVPN_c.force_crypto_proposal='1'
uci set ipsec.MyVPN_c.mode='start'
uci set ipsec.MyVPN_c.type='tunnel'
uci set ipsec.MyVPN_c.local_subnet='10.100.99.254/32'
uci add_list ipsec.MyVPN_c.local_subnet='10.101.99.0/25'
uci set ipsec.MyVPN_c.remote_subnet='192.168.222.0/24'
uci add_list ipsec.MyVPN_c.remote_subnet='10.20.0.0/16'
uci set ipsec.MyVPN_c.keyexchange='ikev2'
uci set ipsec.MyVPN_c.dpdaction='restart'

uci set ipsec.MyVPN_ph1=proposal
uci set ipsec.MyVPN_ph1.encryption_algorithm='aes256'
uci set ipsec.MyVPN_ph1.hash_algorithm='sha256'
uci set ipsec.MyVPN_ph1.dh_group='modp2048'

uci set ipsec.MyVPN_ph2=proposal
uci set ipsec.MyVPN_ph2.encryption_algorithm='aes256'
uci set ipsec.MyVPN_ph2.hash_algorithm='sha256'
uci set ipsec.MyVPN_ph2.dh_group='modp2048'

by anonymous

Yes uci add_list ipsec.MyVPN.tunnel='MyVPN_c'

Good catch.

by anonymous

Yes, that was the trick! So for everyone else breaking their head on this, this is the right config:

uci set ipsec.MyVPN=remote
uci set ipsec.MyVPN.crypto_proposal='MyVPN_ph1'
uci set ipsec.MyVPN.enabled='1'
uci set ipsec.MyVPN._multiple_secrets='0'
uci set ipsec.MyVPN.force_crypto_proposal='1'
uci set ipsec.MyVPN.gateway='vpnmgmt.MyVPN.tld'
uci set ipsec.MyVPN.authentication_method='psk'
uci set ipsec.MyVPN.pre_shared_key='***************'
uci set ipsec.MyVPN.local_identifier='W99-RTR01'
uci set ipsec.MyVPN.remote_identifier='1.2.3.4'
uci add_list ipsec.MyVPN.tunnel='MyVPN_c'

uci set ipsec.MyVPN_c=connection
uci set ipsec.MyVPN_c.crypto_proposal='MyVPN_ph2'
uci set ipsec.MyVPN_c.defaultroute='0'
uci set ipsec.MyVPN_c.aggressive='no'
uci set ipsec.MyVPN_c.forceencaps='no'
uci set ipsec.MyVPN_c.local_firewall='yes'
uci set ipsec.MyVPN_c.remote_firewall='yes'
uci set ipsec.MyVPN_c.comp_mode='1'
uci set ipsec.MyVPN_c._dpd='1'
uci set ipsec.MyVPN_c.force_crypto_proposal='1'
uci set ipsec.MyVPN_c.mode='start'
uci set ipsec.MyVPN_c.type='tunnel'
uci set ipsec.MyVPN_c.local_subnet='10.100.99.254/32'
uci add_list ipsec.MyVPN_c.local_subnet='10.101.99.0/25'
uci set ipsec.MyVPN_c.remote_subnet='192.168.222.0/24'
uci add_list ipsec.MyVPN_c.remote_subnet='10.20.0.0/16'
uci set ipsec.MyVPN_c.keyexchange='ikev2'
uci set ipsec.MyVPN_c.dpdaction='restart'

uci set ipsec.MyVPN_ph1=proposal
uci set ipsec.MyVPN_ph1.encryption_algorithm='aes256'
uci set ipsec.MyVPN_ph1.hash_algorithm='sha256'
uci set ipsec.MyVPN_ph1.dh_group='modp2048'

uci set ipsec.MyVPN_ph2=proposal
uci set ipsec.MyVPN_ph2.encryption_algorithm='aes256'
uci set ipsec.MyVPN_ph2.hash_algorithm='sha256'
uci set ipsec.MyVPN_ph2.dh_group='modp2048'

Thank you very much!

by anonymous

uci add_list ipsec.MyVPN_c.local_subnet='10.100.99.254/32'

uci add_list ipsec.MyVPN_c.remote_subnet='192.168.222.0/24'
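The root cause in this thread is that `uci set ipsec.MyVPN.tunnel=...` writes `option tunnel` into /etc/config/ipsec, while the RutOS generator expects `list tunnel` (produced by `uci add_list`), and silently emits an empty /tmp/ipsec/ipsec.conf. Below is an added example, not Teltonika's or strongSwan's code, of a small lint script that reads a UCI ipsec file and flags that mistake before you reload the service; it also reports a `tunnel` or `crypto_proposal` that points at a section that does not exist. The section types and key names (`remote`, `connection`, `proposal`, `tunnel`, `crypto_proposal`) are the ones shown in the thread; the two sample configs embedded in the script are constructed for the example, with the pre-shared key replaced by a placeholder.

```python
"""Lint a UCI /etc/config/ipsec file for the 'option tunnel' pitfall.

Added example (not Teltonika's or strongSwan's code). It parses plain UCI
file syntax (config / option / list lines) and flags a 'remote' section
whose 'tunnel' was written with 'uci set' (an option) instead of
'uci add_list' (a list), plus dangling section references. The section
and key names follow the thread; the sample configs are constructed.
"""
import sys
import shlex
from collections import defaultdict


def parse_uci(text):
    """Parse UCI file text into a list of sections.

    Each section is {"type", "name", "options"}; options maps a key to
    {"kinds": set of 'option'/'list' seen, "values": [...] in file order}.
    Unnamed sections get the uci-style name '@type[n]'.
    """
    sections, counters, cur = [], defaultdict(int), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # handles the single/double quoting uci writes
        kw = parts[0]
        if kw == "config":
            stype = parts[1]
            name = parts[2] if len(parts) > 2 else f"@{stype}[{counters[stype]}]"
            counters[stype] += 1
            cur = {"type": stype, "name": name, "options": {}}
            sections.append(cur)
        elif kw in ("option", "list") and cur is not None:
            key = parts[1]
            value = parts[2] if len(parts) > 2 else ""
            entry = cur["options"].setdefault(key, {"kinds": set(), "values": []})
            entry["kinds"].add(kw)
            entry["values"].append(value)
    return sections


def lint_ipsec(text):
    """Return a list of human-readable findings; an empty list means no problem found."""
    sections = parse_uci(text)
    by_type = defaultdict(dict)
    for s in sections:
        by_type[s["type"]][s["name"]] = s

    findings = []
    for s in sections:
        opts = s["options"]
        if s["type"] == "remote":
            tunnel = opts.get("tunnel")
            if tunnel is None:
                findings.append(f"remote '{s['name']}': no tunnel declared")
            else:
                # The thread's root cause: 'option tunnel' (from uci set) leaves
                # /tmp/ipsec/ipsec.conf empty; it must be 'list tunnel'.
                if "option" in tunnel["kinds"]:
                    findings.append(
                        f"remote '{s['name']}': 'tunnel' declared with 'option' "
                        f"(uci set); use 'list' (uci add_list)")
                for t in tunnel["values"]:
                    if t not in by_type["connection"]:
                        findings.append(
                            f"remote '{s['name']}': tunnel '{t}' has no connection section")
        if s["type"] in ("remote", "connection"):
            for p in opts.get("crypto_proposal", {"values": []})["values"]:
                if p not in by_type["proposal"]:
                    findings.append(
                        f"{s['type']} '{s['name']}': crypto_proposal '{p}' has no proposal section")
    return findings


# Constructed sample in the shape of the thread's /etc/config/ipsec. BROKEN is
# what 'uci set ipsec.MyVPN.tunnel' produces; FIXED is the 'uci add_list' form.
BROKEN = """\
config ipsec
    option rtinstall_enabled '1'

config remote 'MyVPN'
    option crypto_proposal 'MyVPN_ph1'
    option authentication_method 'psk'
    option pre_shared_key 'EXAMPLE-PSK-PLACEHOLDER'
    option tunnel 'MyVPN_c'

config connection 'MyVPN_c'
    option crypto_proposal 'MyVPN_ph2'
    list local_subnet '10.100.99.254/32'
    list local_subnet '10.101.99.0/25'

config proposal 'MyVPN_ph1'
    option encryption_algorithm 'aes256'

config proposal 'MyVPN_ph2'
    option encryption_algorithm 'aes256'
"""
FIXED = BROKEN.replace("option tunnel 'MyVPN_c'", "list tunnel 'MyVPN_c'")

if __name__ == "__main__":
    # Usage: python lint_ipsec.py /etc/config/ipsec  (no argument lints BROKEN)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else BROKEN
    for line in lint_ipsec(text) or ["no findings"]:
        print(line)
```

Run it against a copy of /etc/config/ipsec pulled from the router; an empty finding list is the state to expect before `/etc/init.d/ipsec reload` regenerates /tmp/ipsec/ipsec.conf. The script deliberately checks the file rather than `uci show` output, because `uci show` prints a single-value list and a plain option identically, which is exactly why the side-by-side comparison in the question did not reveal the difference.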