0 votes
1,703 views 2 comments
Hi, is there a configuration example available for IPsec IKEv1 from Cisco ASA (static) to RUT955 (dynamic)? Thanks
Did you find any config example yet? If so, can you share it?

2 Answers

0 votes

Basically, the configurations should be similar on both sides. So if you already have a working configuration with another device, then try to make a similar configuration on the RUT955.
0 votes
Thanks for your reply. In the meantime I was able to adapt a running config from ASA firewall and Fritzbox to ASA firewall and Teltonika RUT955. Below you can find the config files:

Config Cisco ASA

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address

interface GigabitEthernet0/2
 nameif dmz2
 security-level 50
 ip address

access-list XXX2 extended permit gre host host

access-group XXX2 in interface dmz2

tunnel-group xxx105.xyz.com type ipsec-l2l
tunnel-group xxx105.xyz.com ipsec-attributes
 ikev1 pre-shared-key ibetyouwontguess

crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800

crypto ipsec ikev1 transform-set VPN-TRANSFORM-SET esp-aes-256 esp-sha-hmac

crypto dynamic-map OUT-DYNAMIC-MAP 1 set ikev1 transform-set VPN-TRANSFORM-SET
crypto dynamic-map OUT-DYNAMIC-MAP 1 set reverse-route

crypto map OUT-CRYPTO-MAP 65535 ipsec-isakmp dynamic OUT-DYNAMIC-MAP

crypto map OUT-CRYPTO-MAP interface outside
crypto ikev1 enable outside


Fritzbox IPSEC Importconfigfile



/*
 * xxx105_xyz_com.cfg
 * Mar 18 12:00:00 2019
 */

vpncfg {
        connections {
                enabled = yes;
                editable = no;
                conn_type = conntype_lan;
                name = "XXX105";
                always_renew = yes;
                reject_not_encrypted = no;
                dont_filter_netbios = yes;
                localip =;
                local_virtualip =;
                remoteip =;
                remote_virtualip =;
                keepalive_ip =;
                localid {
                        fqdn = "xxx105.xyz.com";
                }
                remoteid {
                        ipaddr =;
                }
                mode = phase1_mode_aggressive;
                phase1ss = "LT8h/all/all/all";
                keytype = connkeytype_pre_shared;
                key = "ibetyouwontguess";
                cert_do_server_auth = no;
                use_nat_t = no;
                use_xauth = no;
                use_cfgmode = no;
                phase2localid {
                        ipnet {
                                ipaddr =;
                                mask =;
                        }
                }
                phase2remoteid {
                        ipnet {
                                ipaddr =;
                                mask =;
                        }
                }
                phase2ss = "LT8h/esp-all-all/ah-none/comp-all/no-pfs";
                accesslist = "permit ip";
        }
        ike_forward_rules = "udp",
}

// EOF

Configuration Teltonika RUT955 RUT9XX_R_00.06.03.2



IPsec Configuration
Name                   XXX105
Enabled                yes
Mode                   Aggressive
Dead Peer Detection    Enabled
Remote VPN endpoint

Pre-shared Keys
Pre-shared key         ibetyouwontguess
Secret's ID selector

Enable                         yes
IKE version                    IKEv1
Mode                           Aggressive
Type                           Tunnel
My identifier type             FQDN
On startup                     Start
My identifier                  xxx105.xyz.com
Local IP address/Subnet mask
Left firewall                  yes
Force encapsulation            no
Dead Peer Detection            yes
Delay                          25
Timeout                        55
Remote VPN endpoint
Remote IP address/Subnet mask
Right firewall                 yes
Enable keepalive               no
Ping period (sec)
Allow WebUI access             no
Custom options

Phase 1
Encryption algorithm    AES 256
Authentication          SHA1
DH group                MODP1024
Lifetime (h)            8 Hours

Phase 2
Encryption algorithm    AES 256
Hash algorithm          SHA1
PFS group               No PFS
Lifetime (h)            8 Hours


There are two concerning items regarding the described IPsec tunnel:

- The RUT955 manual says that use of FQDN is only supported with IKEv2. I configured FQDN with IKEv1 and the IPsec tunnel is up and running.

- Despite the IPsec tunnel being up and running, there is a problem with traffic over the tunnel. After configuring and having the IPsec tunnel up and running, there is no traffic flow. After some amount of time (3 or 4 hours or so) the traffic suddenly flows without changing anything.

Could anyone please help?
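
As an added example (not part of the original posts), the first answer's advice that both sides should be configured alike can be checked mechanically: this Python script parses the Phase 1/Phase 2 proposal lines from the ASA and RUT955 configs posted above and returns any parameters that differ. The function names, the normalisation rules and the DH group table are assumptions made for this illustration.

```python
import re

# Proposal lines copied from the ASA and RUT955 configs posted above.
ASA_CONFIG = """\
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
crypto ipsec ikev1 transform-set VPN-TRANSFORM-SET esp-aes-256 esp-sha-hmac
"""
RUT_CONFIG = """\
Phase 1
Encryption algorithm    AES 256
Authentication          SHA1
DH group                MODP1024
Lifetime (h)            8 Hours
Phase 2
Encryption algorithm    AES 256
Hash algorithm          SHA1
PFS group               No PFS
Lifetime (h)            8 Hours
"""
DH = {"1": "modp768", "2": "modp1024", "5": "modp1536", "14": "modp2048"}  # IKE group -> MODP size
RUT_KEYS = {"Encryption algorithm": "enc", "Authentication": "hash", "Hash algorithm": "hash",
            "DH group": "dh", "PFS group": "pfs", "Lifetime (h)": "life"}

def norm(s):  # "AES 256" and "aes-256" both become "aes256"; ASA "sha" means SHA-1
    s = re.sub(r"[^a-z0-9]", "", s.lower())
    return "sha1" if s == "sha" else s

def parse_asa(text):
    pol = dict(re.findall(r"^ (encryption|hash|group|lifetime) (\S+)", text, re.M))
    ts = re.search(r"transform-set \S+ esp-(\S+) esp-(\S+)-hmac", text)
    pfs = re.search(r"set pfs group(\d+)", text)  # no "set pfs" line means PFS is off
    return {"p1_enc": norm(pol["encryption"]), "p1_hash": norm(pol["hash"]),
            "p1_dh": DH.get(pol["group"], pol["group"]), "p1_life": int(pol["lifetime"]),
            "p2_enc": norm(ts[1]), "p2_hash": norm(ts[2]), "p2_pfs": DH.get(pfs[1], pfs[1]) if pfs else "nopfs"}

def parse_rut(text):
    out = {}  # keys look like "p1_enc"; lifetimes are converted from hours to seconds
    for phase, body in re.findall(r"^Phase ([12])\n(.*?)(?=^Phase |\Z)", text, re.M | re.S):
        for key, val in re.findall(r"^(.+?)[ \t]{2,}(\S.*)$", body, re.M):
            if name := RUT_KEYS.get(key):
                out[f"p{phase}_{name}"] = int(val.split()[0]) * 3600 if name == "life" else norm(val)
    return out

def mismatches(asa, rut):  # compare only the parameters that are set on both sides
    return {k: (asa[k], rut[k]) for k in asa.keys() & rut.keys() if asa[k] != rut[k]}
```

For the configs as posted, `mismatches(parse_asa(ASA_CONFIG), parse_rut(RUT_CONFIG))` returns an empty dict.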