0 votes
580 views 6 comments
by anonymous
Hello,

I want to connect to my company firewall via IKEv2 IPsec with Authentication method X.509 from my RUTX11. It is possible to upload the "Key" and "Local certificate", but when I try to upload the "CA certificate" (and press "SAVE & APPLY") I get the error "An unexpected error occurred: ...", see attached image. The CA certificate is in .der format, too.
The certificate files were provided by my provider/third party.
This happens with the RUTX11 firmware versions RUTX_R_00.07.02 and RUTX_R_00.07.03.

How can I fix it?

Or is there a workaround? E.g. via CLI or placing the CA certificate manually into the file system? But then I need to know where to place it, how this file needs to be named and what I have to enter into the ipsec config file.

Or can I use the "certificates manager" under "System > Administration > Certificates"?

Thank you very much and best regards.

6 Answers

0 votes
by anonymous

Just an update for anyone encountering issues with IPsec:

  • Currently, the configuration will not be saved when using x.509;
  • Symbols dash ( - ) and underscore ( _ ) should not be used in the names of certificates when using x.509 or EAP;
  • If your local or remote identifier contains pound ( # ) or equals ( = ) symbols, they should be enclosed in double quotes ("org=Teltonika");

All of these issues should be fixed with the v7.4 release of RutOS. A downgrade to v7.2 might be needed in this case (the issue with double quotes also persists there).

If you experience any more issues, contact me directly.

Best regards,

DaumantasG

Best answer
0 votes
by anonymous

Hello,


Thank you for reaching out!

This is a known issue and is already reported to our RnD team. The solution should be as simple as removing any underscores ( _ ) or hyphens ( - ) from the names of certificates.

If this solution does not help, could you please attach the certificate file by editing your question? Attached files are private and visible only to Teltonika Moderators.

Also, please attach a troubleshoot file to the original query. It can be generated by navigating to System → Administration → Troubleshoot and will only be visible to Teltonika moderators.


Best regards,
DaumantasG

by anonymous
> Could you please attach the certificate file by editing your question? Attached files are private and visible only to Teltonika Moderators.
I have attached the CA certificate files I have tried by editing the question now. Renaming the file to remove _ and - did not help.
I wanted to upload the file "servercaV2.der". But I have also attached the root certificate I have worked with for a long time with several systems (=cacertvs.crt); perhaps this may be helpful.
> Also, please describe the steps, how to reproduce this issue.
> It would help in looking for the root cause of the issue.
Reproduce the error:
I have added a new instance under "Services > VPN > IPsec" and filled the settings under "General settings" with "Remote Endpoint", "Authentication method" = X.509, uploaded a key file "AL_Koffer_02_key.der", uploaded the corresponding "Local certificate" and filled "Local identifier" and "Remote identifier".
Connection settings are:
Mode=start
Type=Tunnel
Local subnet=the local LAN configured on the RUTX11
Remote Subnet=0.0.0.0/0
Key exchange=IKEv2
and under "Advanced settings" I enabled Dead peer detection with delay = 5.
And I set the "Proposal settings" for Phase 1 and 2.

All these settings I can "SAVE & APPLY".
Now I wanted to upload the "CA certificate". And regardless of .crt or .der format I get the "unexpected error".
> Have you tried other firmware versions, is there a version, which accepts the certificate?
I have tried the firmware versions RUTX_R_00.07.02 and RUTX_R_00.07.03 but did not downgrade to an earlier one.
> Are other certificates accepted?
I have just tried to upload the files I have used for the "Key" and "Local certificate"; both can be uploaded as "CA certificate", so it seems yes.

By the way: is the "Remote certificate" (under Advanced settings) needed to build up the IPsec VPN?
by anonymous
Hello,


Thank you for your response!

From the troubleshoot file I can see that one of the certificates still has the underscores left in its name. Could the instance be deleted and recreated with the renamed certificates? It seems like the certificates were also not attached.

Also, if the connection does not establish, Phase 1 and Phase 2 settings could be matched, as different settings can sometimes cause issues.


Awaiting your response!

Best regards,
DaumantasG
0 votes
by anonymous
Hello DaumantasG,

I have deleted the instance and recreated it with no underscores in the file names.
And unfortunately the CA certificate field still produces the unexpected error.

Or does the underscore etc. have to be removed from the name and common name in the certificate itself (and not just the file name)?
by anonymous
Hello,


I've tested your setup, and everything seems to be working fine with the pre-shared key, however, I was not able to test with X.509 just yet. Can you confirm, that these certificates are used on other devices as well and work as intended?

Also, you could try removing the underscores and dashes from the certificates themselves, but I'm not sure if that will help. After doing that, please generate another troubleshoot file, as the last one does not give a great insight into the issue.


Best regards,
DaumantasG
0 votes
by anonymous
Hello,

I was not able to test this yet, but I was able to work with these kinds of certificates on other devices.

I would like to know the requirements which have to be met to upload the certificate in the GUI (or SSH command line). In the manual you tell us that this "X.509: CA-certificate" has to be a .der file.

1) Is this still correct?

2) And does the file name extension have to be ".der"?

3) Or is .pem (Base64-ASCII) needed?

4) Are the contents of this file checked or just the file name at upload? Anything else to take care of other than not using - and _ in the certificate name?

5) Can you give me an example of a working CA cert file to test if this can be uploaded to my router?
by anonymous

Hello,


  • 1-3 - both, .pem and .der files should be accepted. I currently do not have any generated certificates, so cannot test this, but there are no checks in GUI for this.
  • Symbols - and _ breaking the instance is a bug and will be fixed, nothing else in the name should break anything.
  • CA certificates can be generated on the router by navigating to System → Administration → Certificates. Additionally, they can be generated by following this manual and installing strongswan-pki package on the router.
EDIT: Equals symbol should also not be used in local or remote identifiers.

Best regards,
DaumantasG

0 votes
by anonymous
Hello,

With the newest firmware RUTX_R_00.07.03.1 the error messages are gone; I can upload all certificates now.

But IPsec is not starting, in the system log I see:
Wed Jan  4 14:56:53 2023 authpriv.info ipsec_starter[3668]: Starting strongSwan 5.9.2 IPsec [starter]...
Wed Jan  4 14:56:53 2023 authpriv.info ipsec_starter[3668]: /var/ipsec/ipsec.conf:21: syntax error, unexpected EQ [=]
Wed Jan  4 14:56:53 2023 authpriv.info ipsec_starter[3668]: invalid config file '/etc/ipsec.conf'
Wed Jan  4 14:56:53 2023 authpriv.info ipsec_starter[3668]: unable to start strongSwan -- fatal errors in config

I have uploaded a new troubleshoot file to my open ticket.
I have not found any hint about this on the internet or in your wikis.
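The accepted answer above gives two rules (quote local/remote identifiers that contain "=" or "#"; keep "-" and "_" out of certificate names), and the log in this post shows what happens when the first rule is violated: ipsec.conf fails to parse with "unexpected EQ". The following lint is an added example, not Teltonika or strongSwan code; the key names it inspects and the sample ipsec.conf are assumptions constructed to mirror the setup described in the question.

```python
"""Lint for the two ipsec.conf pitfalls in this thread (constructed helpers
and sample; not Teltonika or strongSwan code)."""
import os

# Identifiers containing these symbols must be double-quoted; unquoted they
# make the ipsec.conf parser fail with 'syntax error, unexpected EQ'.
NEEDS_QUOTING = set('=#')
# Dash/underscore in certificate names broke the instance on affected RutOS.
BAD_NAME_CHARS = set('-_')
IDENTITY_KEYS = {'leftid', 'rightid'}
CERT_KEYS = {'leftcert', 'rightcert', 'cacert'}   # assumed keys for the lint

def quote_identifier(value):
    """Return the identifier as it must be written in ipsec.conf."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value  # already quoted, leave as is
    return f'"{value}"' if NEEDS_QUOTING & set(value) else value

def certificate_name_ok(path):
    """True if the certificate file name avoids dash and underscore."""
    stem = os.path.basename(path).rsplit('.', 1)[0]
    return not (BAD_NAME_CHARS & set(stem))

def lint_ipsec_conf(text):
    """Return [(line_no, message)] for lines that would break the tunnel."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        key, sep, val = line.strip().partition('=')
        key, val = key.strip(), val.strip()
        if not sep or key.startswith('#'):
            continue  # skip section headers, blank lines and comment lines
        if key in IDENTITY_KEYS and quote_identifier(val) != val:
            findings.append((no, f'{key} needs quoting: {quote_identifier(val)}'))
        elif key in CERT_KEYS and not certificate_name_ok(val):
            findings.append((no, f'{key} file name contains - or _: {val}'))
    return findings

# Constructed sample modelled on the setup described in the question.
SAMPLE_CONF = """\
config setup
conn firewall
    keyexchange=ikev2
    leftcert=/etc/ipsec.d/certs/local_cert.der
    leftid=C=DE, O=Example, CN=rutx11
    rightid=@fw.example.com
    auto=start
"""
```

Running lint_ipsec_conf(SAMPLE_CONF) reports line 4 (underscore in the certificate name) and line 5 (unquoted DN with "="), the same line-level message format the ipsec_starter log uses.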
by anonymous
Hello,


I'm sorry to hear that there still are some issues!

Would you mind deleting and re-adding the instance to see if that helps? If it does not, perhaps a factory reset could be done?

If both of these options do not help, I'll raise the question with our RnD team.

Again, we apologize for any inconvenience caused.


Best regards,
DaumantasG
0 votes
by anonymous
Hello DaumantasG,

Before writing to you I made a factory reset and added a new instance twice.
This did not help.

Best regards
by anonymous
Hello,

Sent you a private message.

Best regards,
DaumantasG