0 votes
1,355 views 14 comments
by anonymous
Hello!

I am having a great struggle connecting a RUT240 device to an IPSEC tunnel initiated by a Cisco ASA-5515-X, whether it is in "site-to-site" or "remote-access" mode.

Help or a pre-existent configuration reference would be greatly appreciated!

Thank you!
by anonymous
@ccnaexpert Did you ever find a configuration between RUTX <-> ASA that works? I'm about to embark on a project to replace about 20 Cradlepoint devices with RUTX11/X12 and the customer has ASA 5505/5510 on the head end. Hoping to find a config that works!

3 Answers

0 votes
by anonymous

Hi,

We have a configuration example showing how to configure an IPSec VPN between a Teltonika router and a Cisco device on our wiki. The page is available here. You can also take a look at other configuration examples here. IPsec information can be found here.

Kind Regards,

Andzej

0 votes
by anonymous
Thank you for your reply!

Unfortunately, I have already tried to setup a tunnel with the same parameters as specified on your wiki but that didn't work although I performed many iterations.

Nonetheless, do you have a configuration example for a Cisco ASA firewall? The RV and ASA series are really different as the ASA runs the "classic" Cisco IOS operating system.... and the ASA is a very common, or even the most common industrial IoT VPN originator.
by anonymous

Hi,

Could you provide more details, please? What are the issues exactly?

What is the configuration on your Cisco ASA device?

The IPSec should work between Teltonika device and Cisco ASA. Currently, we do not have any configuration examples for ASA specifically.

Also, could you please attach a troubleshoot file after replicating the issue? Enable IPSec, wait a few minutes for the device to attempt to establish a tunnel. Then, navigate to System -> Administration -> Troubleshoot and download a troubleshoot file.

Kind Regards,

Andzej

by anonymous

Here is a more detailed description of my setup:

-The RUT 240 is connected by means of an LTE connection and is behind a CG-NAT enforced by the ISP, it has no public IP nor port forwarding, directly assigned to it.

Let's assume the public IP of the NAT of the RUT 240 is 1.1.1.1, and the public IP of the Cisco ASA IPSEC peer is 2.2.2.2.

Now, the ASA has the following configuration for the P2P IPSEC peer:

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport

by anonymous

Now, the RUT240 has the following configuration:

And a portion of the logs from the RUT240 trying to establish the tunnel:

Wed Feb  1 17:26:12 2023 daemon.info ipsec: 17[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Wed Feb  1 17:26:12 2023 daemon.info ipsec: 17[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Wed Feb  1 17:26:12 2023 daemon.info ipsec: 17[NET] sending packet: from LOCAL_IP[500] to VPN_IP[500] (244 bytes)
Wed Feb  1 17:26:16 2023 daemon.info ipsec: 11[IKE] sending retransmit 1 of request message ID 0, seq 2
Wed Feb  1 17:26:16 2023 daemon.info ipsec: 11[NET] sending packet: from LOCAL_IP[500] to VPN_IP[500] (244 bytes)
Wed Feb  1 17:26:16 2023 daemon.info ipsec: 07[NET] received packet: from VPN_IP[500] to LOCAL_IP[500] (68 bytes)
Wed Feb  1 17:26:16 2023 daemon.info ipsec: 07[ENC] parsed INFORMATIONAL_V1 request 0 [ N(INVAL_IKE_SPI) ]
Wed Feb  1 17:26:16 2023 daemon.info ipsec: 07[IKE] received INVALID_IKE_SPI error notify

--- As you can see, the IKEv1 negotiation conditions are purposely flexible in order to try to isolate the configuration error.

Any help from your side would be greatly appreciated as we are trying to connect dozens of RUT 240 to an ASA IPSEC peer.

Thank you very much!

by anonymous

Here are some pictures describing the different configurations.

by anonymous

Hi,

The logs indicate an IKEv1 mismatch. I do not have any Cisco ASA devices to test. It would be great to see your full configuration from both sides (including a troubleshoot file). You can send me more info via private message. Meanwhile, try the following:

  • I can see that in the IKE lifetime field, you have entered '8'. Try entering '8h'. (there is a difference actually).
  • Try forcing proposals.
  • Try using SHA256
  • Try to match Phase1 and Phase2 proposals (identical).
  • Sync NTP time.
  • Try using IKEv2.

Kind Regards,

Andzej

by anonymous
Good afternoon!

I have tried all of the above-mentioned (and many more configuration changes), and nothing has worked so far.

From my experience, it seems that the issue is coming from the "strongSwan" implementation that is made on the RUT-240, and not from the ASA, as it has worked well so far on other devices with P2P IPsec configurations.

If you would have a successful example or experience, it would help a lot!

I can send you more logs by a private channel.

Thank you!

Best regards!
by anonymous

Hello,

Could you please generate a troubleshoot file and send it to me via private message? Replicate the issue by enabling IPSec and waiting for a few minutes. This will allow us to see the whole configuration and what is happening when the device tries to establish the connection. Then, you can download a troubleshoot file from System -> Administration -> Troubleshoot.

Kind Regards,

Andzej

0 votes
by anonymous
Good afternoon!

I have tried all of the above-mentioned (and many more configuration changes), and nothing has worked so far.

From my experience, it seems that the issue is coming from the "strongSwan" implementation that is made on the RUT-240, and not from the ASA, as it has worked well so far on other devices with P2P IPsec configurations.

If you would have a successful example or experience, it would help a lot, as we have dozens of RUTs.

I can send you more logs by a private channel.

Thank you!

Best regards!
by anonymous
The most probable cause for the INVALID_IKE_SPI errors is an invalid SA, due to IKE Lifetime and Lifetime parameter values that are far too short. 8 is 8 seconds, not 8 hours as you probably intended. Result: the SA becomes invalid really fast, and incoming ESP frames cannot be processed.

I have reported this issue several times, the UI should at least output a warning in this case. Or have a "unit" field associated with both parameters.

Set the values to 8h or 28800.
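The unit confusion described in the answer above (a bare "8" being read as seconds) is exactly the kind of thing a pre-flight check can catch. Below is an added Python example, not Teltonika code and not part of the thread, that parses lifetime strings the way strongSwan's ipsec.conf does (bare number = seconds; s/m/h/d suffixes) and flags values that are implausibly short or differ from the peer. The thresholds and the ASA default lifetimes it compares against are assumptions made for this check, not values taken from the thread.

```python
import re
from typing import Dict, List

# Unit suffixes strongSwan accepts for ikelifetime/lifetime in ipsec.conf;
# a bare number is seconds. Assumption: the RUT240 UI field is passed
# through to strongSwan unchanged, which is what the answer above implies.
_UNIT_SECONDS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}
_LIFETIME_RE = re.compile(r"^\s*(\d+)\s*([smhd]?)\s*$", re.IGNORECASE)

# Threshold chosen for this check (an assumption, not a product value):
# anything under a minute is almost certainly a missing unit.
MIN_SANE_SECONDS = 60

# Cisco ASA defaults used as the comparison peer: 86400 s for the IKEv1
# policy, 28800 s for the IPsec SA. IKEv1 peers generally settle on the
# shorter of the two, so a mismatch is reported as informational only.
ASA_DEFAULTS = {"ikelifetime": 86400, "lifetime": 28800}


def parse_lifetime(value: str) -> int:
    """Return seconds: '8' -> 8, '8h' -> 28800, '28800' -> 28800, '1d' -> 86400."""
    m = _LIFETIME_RE.match(value)
    if not m:
        raise ValueError(f"not a valid lifetime: {value!r}")
    number, unit = m.groups()
    return int(number) * _UNIT_SECONDS[unit.lower()]


def audit_lifetimes(settings: Dict[str, str],
                    peer: Dict[str, int] = ASA_DEFAULTS) -> List[dict]:
    """Check each lifetime field; return one finding dict per problem found."""
    findings = []
    for field, raw in settings.items():
        seconds = parse_lifetime(raw)
        number, unit = _LIFETIME_RE.match(raw).groups()
        if seconds < MIN_SANE_SECONDS:
            # A bare number this small was almost certainly meant as hours.
            suggest = f"{number}h" if unit == "" else "at least 1h"
            findings.append({"field": field, "seconds": seconds,
                             "problem": "too short", "suggest": suggest})
        elif field in peer and seconds != peer[field]:
            findings.append({"field": field, "seconds": seconds,
                             "problem": "differs from peer",
                             "suggest": str(peer[field])})
    return findings


if __name__ == "__main__":
    # Constructed input mirroring the thread: both fields entered as "8".
    for f in audit_lifetimes({"ikelifetime": "8", "lifetime": "8"}):
        print(f"{f['field']}: {f['seconds']} s is {f['problem']}, try {f['suggest']}")
```

Running it with the thread's values reports both fields as 8 seconds and suggests "8h"; with "8h" and "1d" it is silent apart from the peer-mismatch notes.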
by anonymous
Thank you for your reply!

I have set the value to 8h but another error has emerged now as I get "Information Exchange processing failed" & "received an un-encrypted INVALID_KEY_INFO message" errors on the ASA.

This flow of events is really troubling and strange in this case... I'll try some config changes and will come back if the situation evolves.
by anonymous

Could you post a complete log (up to "Information Exchange processing failed")?

by anonymous
I am sorry for the late reply!

Unfortunately, there are no more in-depth logs available on the ASA; nonetheless, the following ones are present on the RUT-240 (produced by the "strongSwan" daemon). It is implied that the RUT-240 has a private IP, which is behind a generic CG-NAT of a mobile ISP that rewrites it to a public IP.

Also, do you think that the issue might be coming from here?

Previously, I have followed this guide to the letter (https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/215884-configure-a-site-to-site-vpn-tunnel-with.html), pushing an identical config to the StrongsWan daemon with no positive result.

In this respect, I am concerned if the RUT-240 would tolerate a RA IPSEC in the current layout as an alternative to the P2P IPSEC that is shown in the previous guide (it was possible to establish a RA VPN using an external OpenVPN server, even though we would not prefer this protocol which is unsupported by Cisco on the ASA platform).

An insight would be greatly appreciated as this issue has made us waste days of work...

Thank you!

initiating Main Mode IKE_SA test-test_c[378] to {PUBLIC IP OF THE ASA}
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from {INTERNAL IP ADDRESS OF THE RUT-240}[500] to {PUBLIC IP OF THE ASA}[500] (240 bytes)
received packet: from {PUBLIC IP OF THE ASA}[500] to {INTERNAL IP ADDRESS OF THE RUT-240}[500] (128 bytes)
parsed ID_PROT response 0 [ SA V V ]
received NAT-T (RFC 3947) vendor ID
received FRAGMENTATION vendor ID
selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from {INTERNAL IP ADDRESS OF THE RUT-240}[500] to {PUBLIC IP OF THE ASA}[500] (308 bytes)
received packet: from {PUBLIC IP OF THE ASA}[500] to {INTERNAL IP ADDRESS OF THE RUT-240}[500] (368 bytes)
parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
received Cisco Unity vendor ID
received XAuth vendor ID
received unknown vendor ID: [MAC ADDR. GIBBERISH]
received unknown vendor ID: [MAC ADDR. GIBBERISH]
no shared key found for '{PUBLIC IP OF THE RUT-240}'[{PRIVATE IP OF THE RUT-240}] - '{PUBLIC IP OF THE ASA}'[{PUBLIC IP OF THE ASA}]
no shared key found for {INTERNAL IP ADDRESS OF THE RUT-240} - {PUBLIC IP OF THE ASA}
generating INFORMATIONAL_V1 request 968227963 [ N(INVAL_KE) ]
sending packet: from {INTERNAL IP ADDRESS OF THE RUT-240} [500] to {PUBLIC IP OF THE ASA}[500] (56 bytes)
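The two strongSwan excerpts in this thread (the earlier one ending in INVALID_IKE_SPI, and this one ending in "no shared key found") each contain one line that tells you where to look first. As an added example that is not from the thread or from Teltonika, here is a small Python triage pass over charon log lines that extracts those indicators. The sample log is constructed to mirror the lines quoted above, using the 1.1.1.1/2.2.2.2 addresses the poster assumed and a made-up private address; the finding codes and the list of DH groups treated as weak are this example's own choices.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample shaped like the charon lines quoted in the thread.
# 1.1.1.1 = CG-NAT public IP of the RUT240, 10.20.30.40 = its private IP
# (made up), 2.2.2.2 = the ASA. Not a real capture.
SAMPLE_LOG = """\
initiating Main Mode IKE_SA test-test_c[378] to 2.2.2.2
received NAT-T (RFC 3947) vendor ID
selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
received Cisco Unity vendor ID
received XAuth vendor ID
no shared key found for '1.1.1.1'[10.20.30.40] - '2.2.2.2'[2.2.2.2]
generating INFORMATIONAL_V1 request 968227963 [ N(INVAL_KE) ]
sending retransmit 1 of request message ID 0, seq 2
received INVALID_IKE_SPI error notify
"""


@dataclass
class Finding:
    code: str
    severity: str  # "info", "warn" or "error"
    detail: str


# charon prints the PSK lookup as  '<local id>'[<local host>] - '<remote id>'[<remote host>]
_PSK_RE = re.compile(
    r"no shared key found for '([^']+)'\[([^\]]+)\] - '([^']+)'\[([^\]]+)\]")
_PROPOSAL_RE = re.compile(r"selected proposal: IKE:(\S+)")
_RETRANSMIT_RE = re.compile(r"sending retransmit (\d+) of request message ID (\d+)")
# DH groups below 2048 bits (groups 1, 2 and 5); prefer MODP_2048 or stronger.
_WEAK_DH = {"MODP_768", "MODP_1024", "MODP_1536"}


def triage_ike_log(text: str) -> List[Finding]:
    """Scan charon log lines and return the indicators a first look should surface."""
    findings: List[Finding] = []
    for line in text.splitlines():
        m = _PSK_RE.search(line)
        if m:
            local_id, local_host, remote_id, _ = m.groups()
            note = ""
            if local_id != local_host:
                # Behind NAT the local ID and local address differ; the
                # ipsec.secrets selector is matched on the ID, not the address.
                note = (f" (local ID {local_id} differs from local address "
                        f"{local_host}: key the secret on the ID or on %any)")
            findings.append(Finding("PSK_LOOKUP_FAILED", "error",
                                    f"no secret matches IDs {local_id} - {remote_id}{note}"))
            continue
        m = _PROPOSAL_RE.search(line)
        if m:
            group = m.group(1).split("/")[-1]
            if group in _WEAK_DH:
                findings.append(Finding("WEAK_DH_GROUP", "warn",
                                        f"IKE SA negotiated with {group}; both peers should offer MODP_2048 or stronger"))
            continue
        m = _RETRANSMIT_RE.search(line)
        if m:
            findings.append(Finding("RETRANSMIT", "warn",
                                    f"no reply to message ID {m.group(2)} (retransmit {m.group(1)}); "
                                    "check that UDP 500/4500 reach the peer, NAT-T is needed behind CG-NAT"))
            continue
        if "INVALID_IKE_SPI" in line:
            findings.append(Finding("INVALID_IKE_SPI", "error",
                                    "peer does not recognise our IKE SPI; stale or expired IKE SA, check lifetimes on both sides"))
        elif "NAT-T (RFC 3947) vendor ID" in line:
            findings.append(Finding("NAT_T_PEER", "info", "peer supports NAT traversal"))
    return findings


if __name__ == "__main__":
    for f in triage_ike_log(SAMPLE_LOG):
        print(f"[{f.severity}] {f.code}: {f.detail}")
```

The PSK line is the one to act on first: when local ID and local address differ (which is what a CG-NAT produces), the secret must be selected by the ID strongSwan actually uses, or by %any.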
by anonymous

no shared key found for {INTERNAL IP ADDRESS OF THE RUT-240} - {PUBLIC IP OF THE ASA}

Did you forget to set the PSK?

by anonymous
Thank you for your reply!

The PSK has been correctly set, there is no doubt on this point on my side.