by
Hi, is there a configuration example available for IPsec IKEv1 from Cisco ASA (static) to RUT955 (dynamic)? Thanks
by
Did you find any config example yet? If so, can you share it.

2 Answers

by
Hi,

Basically, the configurations should be similar on both sides. So if you already have a working configuration with another device, then try to make a similar configuration in the RUT955.
by
Thanks for your reply. In the meantime I was able to adapt a running config from ASA firewall and Fritzbox to ASA firewall and Teltonika RUT955. Below you can find the config files:

Config Cisco ASA
================
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 1.2.3.4 255.255.255.248
!
interface GigabitEthernet0/2
 nameif dmz2
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
access-list XXX2 extended permit gre host 192.168.2.2 host 192.168.1.2
!
access-group XXX2 in interface dmz2
!
tunnel-group xxx105.xyz.com type ipsec-l2l
tunnel-group xxx105.xyz.com ipsec-attributes
 ikev1 pre-shared-key ibetyouwontguess
!
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
!
crypto ipsec ikev1 transform-set VPN-TRANSFORM-SET esp-aes-256 esp-sha-hmac
!
crypto dynamic-map OUT-DYNAMIC-MAP 1 set ikev1 transform-set VPN-TRANSFORM-SET
crypto dynamic-map OUT-DYNAMIC-MAP 1 set reverse-route
!
crypto map OUT-CRYPTO-MAP 65535 ipsec-isakmp dynamic OUT-DYNAMIC-MAP
!
crypto map OUT-CRYPTO-MAP interface outside
crypto ikev1 enable outside
!

Fritzbox IPsec import config file
=================================
/*
 * xxx105_xyz_com.cfg
 * Mar 18 12:00:00 2019
 */
vpncfg {
        connections {
                enabled = yes;
                editable = no;
                conn_type = conntype_lan;
                name = "XXX105";
                always_renew = yes;
                reject_not_encrypted = no;
                dont_filter_netbios = yes;
                localip = 0.0.0.0;
                local_virtualip = 0.0.0.0;
                remoteip = 1.2.3.4;
                remote_virtualip = 0.0.0.0;
                keepalive_ip = 192.168.2.2;
                localid {
                        fqdn = "xxx105.xyz.com";
                }
                remoteid {
                        ipaddr = 1.2.3.4;
                }
                mode = phase1_mode_aggressive;
                phase1ss = "LT8h/all/all/all";
                keytype = connkeytype_pre_shared;
                key = "ibetyouwontguess";
                cert_do_server_auth = no;
                use_nat_t = no;
                use_xauth = no;
                use_cfgmode = no;
                phase2localid {
                        ipnet {
                                ipaddr = 192.168.1.0;
                                mask = 255.255.255.0;
                        }
                }
                phase2remoteid {
                        ipnet {
                                ipaddr = 192.168.2.0;
                                mask = 255.255.255.0;
                        }
                }
                phase2ss = "LT8h/esp-all-all/ah-none/comp-all/no-pfs";
                accesslist = "permit ip 192.168.1.2 255.255.255.255 192.168.2.2 255.255.255.255";
        }
        ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                            "udp 0.0.0.0:4500 0.0.0.0:4500";
}
// EOF

Configuration Teltonika RUT955 RUT9XX_R_00.06.03.2
==================================================
IPsec

IPsec Configuration
Name                   XXX105
Enabled                yes
Mode                   Aggressive
Dead Peer Detection    Enabled
Remote VPN endpoint    1.2.3.4

Pre-shared Keys
Pre-shared key         ibetyouwontguess
Secret's ID selector   1.2.3.4

Enable                         yes
IKE version                    IKEv1
Mode                           Aggressive
Type                           Tunnel
My identifier type             FQDN
On startup                     Start
My identifier                  xxx105.xyz.com
Local IP address/Subnet mask   192.168.1.0/24
Left firewall                  yes
Force encapsulation            no
Dead Peer Detection            yes
Delay                          25
Timeout                        55
Remote VPN endpoint            1.2.3.4
Remote IP address/Subnet mask  192.168.2.0/24
Right firewall                 yes
Enable keepalive               no
Host
Ping period (sec)
Allow WebUI access             no
Custom options

Phase 1
Encryption algorithm    AES 256
Authentication          SHA1
DH group                MODP1024
Lifetime (h)            8 Hours

Phase 2
Encryption algorithm    AES 256
Hash algorithm          SHA1
PFS group               No PFS
Lifetime (h)            8 Hours
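As an added check for the two configurations above (example code written for this thread, not a tool from Teltonika or Cisco): a Python script that parses the phase 1 settings out of the ASA `crypto ikev1 policy` block and the RUT955 listing, confirms the two proposals line up, and flags the settings a defender would revisit on this tunnel. The inputs are constructed copies of the values posted; the CANON name table is an assumption that covers only those values plus a few common ones.

```python
"""Cross-check the IKEv1 phase 1 proposal between a Cisco ASA excerpt and a Teltonika RUT955
listing, then list hardening findings. Added illustration, not a Cisco or Teltonika tool."""
import re

# Constructed sample: the ASA IKEv1 policy block from the posted config.
ASA_CONFIG = """\
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
!
"""

# Constructed sample: the relevant RUT955 lines (label, two or more spaces, value).
RUT955_CONFIG = """\
IKE version                    IKEv1
Mode                           Aggressive
Phase 1
Encryption algorithm    AES 256
Authentication          SHA1
DH group                MODP1024
Lifetime (h)            8 Hours
Phase 2
Encryption algorithm    AES 256
Hash algorithm          SHA1
PFS group               No PFS
Lifetime (h)            8 Hours
"""

# Both vendors' spellings onto one canonical vocabulary (assumed table: posted values plus a few common ones).
CANON = {"aes-256": "aes256", "aes 256": "aes256", "aes": "aes128", "aes 128": "aes128", "3des": "3des",
         "sha": "sha1", "sha1": "sha1", "md5": "md5", "2": "modp1024", "modp1024": "modp1024",
         "5": "modp1536", "modp1536": "modp1536", "14": "modp2048", "modp2048": "modp2048", "no pfs": None}

def parse_asa_phase1(text):
    """Canonical phase 1 parameters from the first 'crypto ikev1 policy' block."""
    raw, inside = {}, False
    for line in text.splitlines():
        if line.startswith("crypto ikev1 policy"):
            inside = True
            continue
        if inside and not line.startswith(" "):
            break  # '!' or the next top-level command closes the block
        if inside:
            key, _, value = line.strip().partition(" ")
            raw[key] = value
    return {"encryption": CANON.get(raw.get("encryption")), "hash": CANON.get(raw.get("hash")),
            "dh_group": CANON.get(raw.get("group")),
            "lifetime_s": int(raw.get("lifetime", "86400"))}  # ASA default if the line is omitted

def parse_rut955(text):
    """Split the listing into 'general', 'Phase 1' and 'Phase 2' label/value maps."""
    sections, current = {"general": {}}, "general"
    for line in text.splitlines():
        if re.fullmatch(r"Phase [12]", line.strip()):
            current = line.strip()
            sections[current] = {}
            continue
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=1)
        if len(parts) == 2:
            sections[current][parts[0]] = parts[1]
    return sections

def rut_phase(section, hash_label):
    """Canonical parameters from one RUT955 phase section (phase 2 uses different labels)."""
    hours = int(re.match(r"\d+", section["Lifetime (h)"]).group())
    return {"encryption": CANON.get(section["Encryption algorithm"].lower()),
            "hash": CANON.get(section[hash_label].lower()),
            "dh_group": CANON.get(section.get("DH group", section.get("PFS group", "")).lower()),
            "lifetime_s": hours * 3600}

def phase1_mismatches(asa, rut):
    """Fields where the two phase 1 proposals disagree (empty list means they line up)."""
    return [f"{k}: ASA={asa[k]} RUT955={rut[k]}" for k in asa if asa[k] != rut[k]]

def hardening_findings(general, p1, p2):
    """Settings on this tunnel a defender should revisit, each with its reason."""
    findings = []
    if general.get("IKE version", "").lower() == "ikev1" and general.get("Mode", "").lower() == "aggressive":
        findings.append("IKEv1 aggressive mode with a PSK sends identity and PSK-based hash unencrypted, leaving the "
                        "PSK open to offline guessing; prefer main mode or IKEv2 with a long random PSK")
    if p1["dh_group"] in ("modp1024", "modp1536"):
        findings.append(f"phase 1 DH {p1['dh_group']} is below current guidance; use modp2048 or stronger")
    if "sha1" in (p1["hash"], p2["hash"]):
        findings.append("SHA1 integrity in phase 1/2; move to SHA-256 once both peers support it")
    if p2["dh_group"] is None:
        findings.append("phase 2 has no PFS, so a compromised phase 1 key exposes every child SA; enable a PFS group")
    return findings

def review(asa_text=ASA_CONFIG, rut_text=RUT955_CONFIG):
    """Run both checks over the two configs and return one report dict."""
    sections = parse_rut955(rut_text)
    rut_p1 = rut_phase(sections["Phase 1"], "Authentication")
    rut_p2 = rut_phase(sections["Phase 2"], "Hash algorithm")
    return {"mismatches": phase1_mismatches(parse_asa_phase1(asa_text), rut_p1),
            "findings": hardening_findings(sections["general"], rut_p1, rut_p2)}
```

Calling `review()` with the defaults returns an empty mismatch list for the posted configs, which is consistent with the tunnel coming up, and four findings: IKEv1 aggressive mode with a PSK, MODP1024 (ASA `group 2`), SHA1 in both phases, and no PFS in phase 2 (the ASA dynamic map sets no PFS either). The same pre-shared key also appears in all three pasted configs; if it is the real value rather than a placeholder it should be rotated.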
by

Hi,

There are two concerning items regarding the described IPsec tunnel:

- The RUT955 manual says that use of FQDN is only supported with IKEv2. I configured FQDN with IKEv1 and the IPsec tunnel is up and running.
- Despite the IPsec tunnel being up and running, there is a problem with traffic over the tunnel. After configuring and having the IPsec tunnel up and running there is no traffic flow. After some amount of time (3 or 4 hours or so) the traffic suddenly flows without changing anything.

Could anyone please help?