
We are migrating to our new platform at https://community.teltonika.lt. Moving forward, you can continue discussions on this new platform. This current platform will be temporarily maintained for reference purposes.
0 votes
503 views 7 comments
by anonymous

The traffic is going over the tunnel, as you can see below, but there is no return traffic, and I can't see anything on the RUT956. I don't see any option for NAT, FW, Route or Troubleshooting on the device. And the guide I can find on their website is trash. I run the newest firmware. Anyone have an idea?


> show crypto ipsec sa peer x.x.x.x
peer address: x.x.x.x
    Crypto map tag: xxxxxCryptoMap, seq num: 5, local addr: x.x.x.x
      access-list |s2sAcl|xxxxxxxxxxxxxxxx extended permit ip 192.168.60.0 255.255.252.0 192.168.1.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.60.0/255.255.252.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      current_peer: x.x.x.x
      #pkts encaps: 93, #pkts encrypt: 93, #pkts digest: 93
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 93, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: x.x.x.x/4500, remote crypto endpt.: x.x.x.x
      path mtu 1500, ipsec overhead 86(52), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: C01C4BD7
      current inbound spi : 6B6BB42A
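The counters in that output are the key signal: #pkts encaps 93 with #pkts decaps 0 means the ASA is encrypting and sending ESP into this SA but never receives any ESP back, so the SA (and therefore IKE) is fine and the fault is on the return path. As an added example that is not part of the original question or of any Cisco or Teltonika tooling, the following Python parses `show crypto ipsec sa` text like the above, flags the one-way pattern, and checks that the ASA's local/remote idents are the exact mirror of the peer's traffic selectors (the RUT956 log later in the thread reports TS 192.168.1.0/24 === 192.168.60.0/22; those two strings are passed in by hand). The sample text is constructed from the post with the same x.x.x.x masking.

```python
"""Added example: read Cisco ASA 'show crypto ipsec sa' output and flag a one-way tunnel."""
import re

# Constructed sample modelled on the output in the question (peer IPs masked as in the post).
ASA_OUTPUT = """\
peer address: x.x.x.x
    Crypto map tag: xxxxxCryptoMap, seq num: 5, local addr: x.x.x.x
      access-list |s2sAcl|xxxxxxxxxxxxxxxx extended permit ip 192.168.60.0 255.255.252.0 192.168.1.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.60.0/255.255.252.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      #pkts encaps: 93, #pkts encrypt: 93, #pkts digest: 93
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
      current outbound spi: C01C4BD7
      current inbound spi : 6B6BB42A
"""

IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/(\d+)/(\d+)\)")
COUNTER_RE = re.compile(r"#pkts (encaps|encrypt|digest|decaps|decrypt|verify): (\d+)")
ERROR_RE = re.compile(r"#(send|recv) errors: (\d+)")
SPI_RE = re.compile(r"current (outbound|inbound) spi\s*: ([0-9A-Fa-f]+)")


def mask_to_prefix(mask: str) -> int:
    """Dotted-decimal mask to CIDR prefix length, e.g. 255.255.252.0 -> 22."""
    return sum(bin(int(octet)).count("1") for octet in mask.split("."))


def parse_sa(text: str) -> dict:
    """Extract identities, packet counters, error counters and SPIs of one SA."""
    sa = {"ident": {}, "counters": {}, "errors": {}, "spi": {}}
    for side, addr, mask, _proto, _port in IDENT_RE.findall(text):
        sa["ident"][side] = f"{addr}/{mask_to_prefix(mask)}"
    for name, value in COUNTER_RE.findall(text):
        sa["counters"][name] = int(value)
    for direction, value in ERROR_RE.findall(text):
        sa["errors"][direction] = int(value)
    for direction, spi in SPI_RE.findall(text):
        sa["spi"][direction] = spi.upper()
    return sa


def diagnose(sa: dict) -> list:
    """Return human-readable findings; an empty list means the counters look healthy."""
    c, findings = sa["counters"], []
    encaps, decaps = c.get("encaps", 0), c.get("decaps", 0)
    if encaps > 0 and decaps == 0:
        # ESP leaves this side but nothing comes back. The SA exists, so IKE succeeded;
        # the peer is not sending into this SA (return route, traffic selector or a
        # firewall/NAT on the far side), or its ESP is dropped before reaching us.
        findings.append(
            f"one-way: {encaps} packets encapsulated towards {sa['ident'].get('remote')}, "
            f"0 decapsulated; check the peer's route back to {sa['ident'].get('local')}"
        )
    if encaps == 0 and decaps == 0:
        findings.append("no traffic matched this SA in either direction")
    for direction, value in sa["errors"].items():
        if value:
            findings.append(f"{value} {direction} errors")
    return findings


def mirrors_peer(sa: dict, peer_ts_local: str, peer_ts_remote: str) -> bool:
    """True when the ASA idents are the exact mirror image of the peer's traffic selectors.
    A non-mirrored pair is a classic cause of a tunnel that passes traffic one way only."""
    return (sa["ident"].get("local") == peer_ts_remote
            and sa["ident"].get("remote") == peer_ts_local)


if __name__ == "__main__":
    sa = parse_sa(ASA_OUTPUT)
    # Traffic selectors the RUT956 reported: TS 192.168.1.0/24 === 192.168.60.0/22
    print("idents mirror peer TS:", mirrors_peer(sa, "192.168.1.0/24", "192.168.60.0/22"))
    for line in diagnose(sa):
        print("-", line)
```

Run it against a fresh `show crypto ipsec sa peer <ip>` capture; if the mirror check passes and the only finding is the one-way line, the remaining suspects are the RUT956's route back to the ASA subnet and any firewall or NAT rule on the 192.168.1.0/24 side.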

1 Answer

0 votes
by anonymous

Hello,

I would like you to attach a troubleshoot file to your question. Please replicate the issue, then access the router's WebUI, go to System -> Administration -> Troubleshoot and download the troubleshoot file from there. The logs in the file might provide more insight into the issue.

Best regards,

Best answer
by anonymous

06:26:46  ipsec: 08[NET] sending packet: from 1.1.1.1[4500] to 2.2.2.2[4500] (80 bytes)
06:26:47  ipsec: 13[NET] received packet: from 2.2.2.2[4500] to 1.1.1.1[4500] (80 bytes)
06:26:47  ipsec: 13[ENC] parsed INFORMATIONAL request 177 [ D ]
06:26:47  ipsec: 13[IKE] received DELETE for IKE_SA CJH-CJH_c[30]
06:26:47  ipsec: 13[IKE] deleting IKE_SA CJH-CJH_c[30] between 1.1.1.1[1.1.1.2]...2.2.2.2[2.2.2.2]
06:26:47  ipsec: 13[IKE] IKE_SA deleted
06:26:47 2023 local0.notice vpn: - 2.2.2.2 192.168.60.0/22 == 2.2.2.2 -- 1.1.1.1 == 192.168.1.0/24
06:26:47  ipsec: 13[ENC] generating INFORMATIONAL response 177 [ ]
06:26:47  ipsec: 13[NET] sending packet: from 1.1.1.1[4500] to 2.2.2.2[4500] (80 bytes)
06:26:49  ipsec: 07[CFG] received stroke: initiate 'CJH-CJH_c'
06:26:49  ipsec: 07[IKE] initiating IKE_SA CJH-CJH_c[31] to 2.2.2.2
06:26:49  ipsec: 07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
06:26:49  ipsec: 07[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (904 bytes)
06:26:49  ipsec: 12[NET] received packet: from 2.2.2.2[500] to 1.1.1.1[500] (38 bytes)
06:26:49  ipsec: 12[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
06:26:49  ipsec: 12[IKE] peer didn't accept DH group MODP_1536, it requested MODP_2048
06:26:49  ipsec: 12[IKE] initiating IKE_SA CJH-CJH_c[31] to 2.2.2.2
06:26:50  ipsec: 12[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
06:26:50  ipsec: 12[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (968 bytes)
06:26:50  ipsec: 10[NET] received packet: from 2.2.2.2[500] to 1.1.1.1[500] (574 bytes)
06:26:50  ipsec: 10[ENC] parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) V ]
06:26:50  ipsec: 10[IKE] received Cisco Delete Reason vendor ID
06:26:50  ipsec: 10[IKE] received Cisco Copyright (c) 2009 vendor ID
06:26:50  ipsec: 10[IKE] received FRAGMENTATION vendor ID
06:26:50  ipsec: 10[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
06:26:50  ipsec: 10[IKE] local host is behind NAT, sending keep alives
06:26:50  ipsec: 10[IKE] authentication of '1.1.1.2' (myself) with pre-shared key
06:26:50  ipsec: 10[IKE] establishing CHILD_SA CJH-CJH_c{33}
06:26:50  ipsec: 10[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
06:26:50  ipsec: 10[NET] sending packet: from 1.1.1.1[4500] to 2.2.2.2[4500] (448 bytes)
06:26:50  ipsec: 05[NET] received packet: from 2.2.2.2[4500] to 1.1.1.1[4500] (256 bytes)
06:26:50  ipsec: 05[ENC] parsed IKE_AUTH response 1 [ V IDr AUTH SA TSi TSr N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) N(MOBIKE_SUP) ]
06:26:50  ipsec: 05[IKE] authentication of '2.2.2.2' with pre-shared key successful
06:26:50  ipsec: 05[IKE] IKE_SA CJH-CJH_c[31] established between 1.1.1.1[1.1.1.2]...2.2.2.2[2.2.2.2]
06:26:50  ipsec: 05[IKE] scheduling reauthentication in 10052s
06:26:50  ipsec: 05[IKE] maximum IKE_SA lifetime 10592s
06:26:50  ipsec: 05[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
06:26:50  ipsec: 05[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
06:26:50  ipsec: 05[IKE] CHILD_SA CJH-CJH_c{33} established with SPIs ca57aee2_i 868ee81b_o and TS 192.168.1.0/24 === 192.168.60.0/22
06:26:51 2023 local0.notice vpn: + 2.2.2.2 192.168.60.0/22 == 2.2.2.2 -- 1.1.1.1 == 192.168.1.0/24
06:26:51  ipsec: 05[IKE] peer supports MOBIKE
06:27:04  ipsec: 13[NET] received packet: from 2.2.2.2[4500] to 1.1.1.1[4500] (80 bytes)
06:27:04  ipsec: 13[ENC] parsed INFORMATIONAL request 0 [ ]
06:27:04  ipsec: 13[ENC] generating INFORMATIONAL response 0 [ ]
06:27:04  ipsec: 13[NET] sending packet: from 1.1.1.1[4500] to 2.2.2.2[4500] (80 bytes)
06:27:04  ipsec: 11[MGR] ignoring request with ID 0, already processing
06:27:04  ipsec: 11[MGR] ignoring request with ID 0, already processing
06:27:14  ipsec: 12[NET] received packet: from 2.2.2.2[4500] to 1.1.1.1[4500] (80 bytes)
06:27:14  ipsec: 12[ENC] parsed INFORMATIONAL request 1 [ ]
06:27:14  ipsec: 12[ENC] generating INFORMATIONAL response 1 [ ]
06:27:14  ipsec: 12[NET] sending packet: from 1.1.1.1[4500] to 2.2.2.2[4500] (80 bytes)
06:27:25  ipsec: 08[NET] received packet: from 2.2.2.2[4500] to 1.1.1.1[4500] (80 bytes)
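Reading that charon log in order: the INVAL_KE notify arrives in IKE_SA_INIT, i.e. the IKE (phase 1) DH group, not the phase 2 PFS group; the RUT956 offered MODP_1536, the ASA answered that it requires MODP_2048, and charon retried with MODP_2048 and brought the IKE_SA and CHILD_SA up. The CHILD_SA line shows traffic selectors 192.168.1.0/24 === 192.168.60.0/22, which mirror the ASA's crypto ACL, and everything after it is routine INFORMATIONAL (keep-alive) traffic over UDP/4500. As an added example that is not part of the original comment or of strongSwan or Teltonika tooling, this Python pulls those facts out of log lines of this shape and turns them into findings; the DH-group table and the 2048-bit floor are the example's own assumptions, and the log excerpt is constructed from the comment above.

```python
"""Added example: extract the IKEv2 negotiation outcome from strongSwan (charon) log lines."""
import re

# Constructed excerpt modelled on the RUT956 log in the comment above (IPs masked 1.1.1.1 / 2.2.2.2).
CHARON_LOG = """\
 06:26:49  ipsec: 07[IKE] initiating IKE_SA CJH-CJH_c[31] to 2.2.2.2
 06:26:49  ipsec: 12[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
 06:26:49  ipsec: 12[IKE] peer didn't accept DH group MODP_1536, it requested MODP_2048
 06:26:50  ipsec: 10[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
 06:26:50  ipsec: 10[IKE] local host is behind NAT, sending keep alives
 06:26:50  ipsec: 05[IKE] authentication of '2.2.2.2' with pre-shared key successful
 06:26:50  ipsec: 05[IKE] scheduling reauthentication in 10052s
 06:26:50  ipsec: 05[IKE] maximum IKE_SA lifetime 10592s
 06:26:50  ipsec: 05[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
 06:26:50  ipsec: 05[IKE] CHILD_SA CJH-CJH_c{33} established with SPIs ca57aee2_i 868ee81b_o and TS 192.168.1.0/24 === 192.168.60.0/22
"""

# strongSwan group name -> (IANA IKEv2 transform ID, modulus or curve size in bits). Assumed table.
DH_GROUPS = {"MODP_1024": (2, 1024), "MODP_1536": (5, 1536), "MODP_2048": (14, 2048),
             "MODP_3072": (15, 3072), "MODP_4096": (16, 4096),
             "ECP_256": (19, 256), "ECP_384": (20, 384), "ECP_521": (21, 521)}
MIN_MODP_BITS = 2048  # assumed floor for finite-field DH

INVAL_KE_RE = re.compile(r"peer didn't accept DH group (\S+), it requested (\S+)")
PROPOSAL_RE = re.compile(r"selected proposal: (IKE|ESP):(\S+)")
CHILD_RE = re.compile(r"CHILD_SA (\S+) established with SPIs ([0-9a-f]+)_i ([0-9a-f]+)_o and TS (\S+) === (\S+)")
AUTH_RE = re.compile(r"authentication of '([^']+)' with pre-shared key successful")
LIFETIME_RE = re.compile(r"maximum IKE_SA lifetime (\d+)s")


def parse_charon(text: str) -> dict:
    """Walk the log once and collect what was negotiated."""
    r = {"dh_retries": [], "proposals": {}, "child_sas": [], "peer_auth": [],
         "behind_nat": False, "ike_lifetime": None}
    for line in text.splitlines():
        if m := INVAL_KE_RE.search(line):
            r["dh_retries"].append({"offered": m.group(1), "requested": m.group(2)})
        elif m := PROPOSAL_RE.search(line):
            r["proposals"][m.group(1)] = m.group(2).split("/")
        elif m := CHILD_RE.search(line):
            name, spi_in, spi_out, ts_local, ts_remote = m.groups()
            r["child_sas"].append({"name": name, "spi_in": spi_in, "spi_out": spi_out,
                                   "ts_local": ts_local, "ts_remote": ts_remote})
        elif m := AUTH_RE.search(line):
            r["peer_auth"].append(m.group(1))
        elif m := LIFETIME_RE.search(line):
            r["ike_lifetime"] = int(m.group(1))
        elif "local host is behind NAT" in line:
            r["behind_nat"] = True
    return r


def findings(parsed: dict) -> list:
    """Turn the parsed negotiation into actionable notes."""
    out = []
    for retry in parsed["dh_retries"]:
        offered, requested = retry["offered"], retry["requested"]
        num, bits = DH_GROUPS.get(offered, (None, 0))
        note = (f"IKE DH group mismatch: local offered {offered}, peer requires {requested}; "
                f"set the local IKE group to {requested} to remove the INVAL_KE retry")
        if offered.startswith("MODP") and bits < MIN_MODP_BITS:
            note += f" (and {offered} is group {num}, below the {MIN_MODP_BITS}-bit floor)"
        out.append(note)
    if not parsed["child_sas"]:
        out.append("no CHILD_SA established: the proposal or traffic-selector problem is still open")
    for c in parsed["child_sas"]:
        out.append(f"{c['name']} up: TS {c['ts_local']} <-> {c['ts_remote']}, "
                   f"SPI in {c['spi_in']} / out {c['spi_out']}; if traffic leaves but none returns, "
                   "the fault is past IKE (routing, firewall, NAT), not the proposals")
    if parsed["behind_nat"]:
        out.append("NAT-T in use (UDP/4500): the NAT in front of this host must pass the return ESP-in-UDP")
    return out


if __name__ == "__main__":
    for line in findings(parse_charon(CHARON_LOG)):
        print("-", line)
```

Feed it the ipsec lines from a troubleshoot file; a log with the retry but a `CHILD_SA ... established` line afterwards, as here, tells you the DH mismatch cost one round trip but did not stop the tunnel, so the missing return traffic has to be chased elsewhere.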

by anonymous

Hello,

A complete troubleshoot file would be a lot more helpful.

At the moment, from what you have provided, I can see what could be at least part of an issue: a mismatch between phase proposal settings:

  • peer didn't accept DH group MODP_1536, it requested MODP_2048

Please check this to match between devices.

Best regards,

by anonymous

It is the "full" file.

The rest of the file is just this:

06:27:14  ipsec: 12[NET] sending packet: from 1.1.1.1[4500] to 2.2.2.2[4500] (80 bytes)
06:27:25  ipsec: 08[NET] received packet: from 2.2.2.2[4500] to 1.1.1.1[4500] (80 bytes)

by anonymous

Troubleshoot file generated from System -> Administration -> Troubleshoot page includes not only logs, but also various device configuration files, settings and details, which could be useful in troubleshooting. Knowing configuration of the other device might be helpful too.

Attached files are private and visible only to Teltonika Moderators.

Now, have you tried changing PFS group to MODP_2048 in Phase 2 settings?

by anonymous
I don't have any option to change Phase 1 or 2 on the device. The only menu I get is IPsec Instance and Connection Settings.
by anonymous

Please switch to Advanced mode on the top right corner of the WebUI by pressing BASIC. The necessary options should become available.

by anonymous
After upgrading the firmware again from .2 to the recent .3 released 24/01, everything works. But if I set the timers, nothing works, so I just left those blank.