We are migrating to our new platform at https://community.teltonika.lt. Moving forward, you can continue discussions on this new platform. This current platform will be temporarily maintained for reference purposes.
0 votes
118 views 0 comments
by anonymous
Hello,
I need help configuring VTI for IPsec VPN to be able to do routed VPN (with X.509 auth) on an RUTX11 with firmware version 00.07.04.3.
(Remark: I need to do route-based VPN to connect to HQ with 2 different ISP IP addresses and failover between them, and at the HQ this is forced to be used.)

A policy-based IPsec VPN tunnel with X.509 as authentication method is up and working correctly. I need to do VTI for route-based VPN now.

I have looked at different sites and videos for hints but was not able to configure it successfully, because the RUTX11 is too different compared to the given instructions.
The sites I have looked at are e.g.:
https://www.youtube.com/watch?v=HDqAl_PozCU (=How To Establish IPsec Site To Site VPN Tunnel Via VTI. | Linux | OpenWrt )
https://community.teltonika-networks.com/31961/rutx-routed-vpn?show=31961#q31961
https://docs.strongswan.org/docs/5.9/features/routeBasedVpn.html etc.

I have compiled a custom firmware with activated kernel-modules "kmod-ip-vti" and "kmod-ip6-vti" to be able to do a successful "opkg install vti".

But then I am stuck and I need help or more detailed steps to perform this task.

E.g. problems are: what do I have to enter, and where, to do a configuration which is also active after a reboot of the router?
I tried UCI commands but did not find out completely which to use.
I tried to edit /etc/init.d/ipsec, but was not able to do the correct things.
I think edits to /var/ipsec/strongswan.conf or ipsec.conf will be lost at reboot, and /etc/ipsec.conf is also not the right place.
Thanks!

1 Answer

0 votes
by anonymous

Hello,

Route-based VPNs are not currently supported on our devices. As I understand, you have already compiled the firmware with the VTI package and kernel modules.

Since we do not support it, it is unlikely that you will be able to create all of the configurations using only the WebUI. To create the VTI instance itself, you will either need to edit the /etc/config/network file or use the UCI commands to apply the changes. To find VTI-related settings in UCI, use the command uci show | grep vti.

I would also recommend checking out other OpenWrt resources related to VTI like this forum post. This wiki article also describes the values used for VTI in the configuration file.

Hope this helps!

Best regards,
DaumantasG

Best answer
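
The UCI route the answer points to, sketched as an added example that is not from the original thread or from Teltonika and has not been tested on RutOS. It assumes the option names of OpenWrt's `vti` package (`proto`, `ipaddr`, `peeraddr`, `ikey`, `okey`); the helper name `vti_uci_batch`, the interface names, addresses and keys are constructed sample values.

```shell
#!/bin/sh
# Added example: emit `uci batch` input for one OpenWrt VTI tunnel interface.
# Assumptions: option names are those of OpenWrt's "vti" package; all names,
# addresses and keys used with this helper are constructed sample values.

vti_uci_batch() {
    name=$1 local_ip=$2 peer_ip=$3 key=$4

    # UCI section name. netifd is assumed to create the device as "vti-<name>",
    # and Linux interface names are limited to 15 characters.
    case "$name" in
        ''|*[!a-z0-9_]*) echo "bad interface name: $name" >&2; return 1 ;;
    esac
    [ "${#name}" -le 11 ] || { echo "name too long: $name" >&2; return 1; }

    # The key is what ties the tunnel to the mark on the IPsec SA. Require a
    # nonzero decimal value, because 0 is the default mark of unmarked packets.
    case "$key" in
        ''|*[!0-9]*|0*) echo "bad key: $key" >&2; return 1 ;;
    esac

    # Settings written through UCI land in /etc/config/network and therefore
    # survive a reboot, unlike files generated under /var.
    cat <<EOF
set network.$name=interface
set network.$name.proto='vti'
set network.$name.ipaddr='$local_ip'
set network.$name.peeraddr='$peer_ip'
set network.$name.ikey='$key'
set network.$name.okey='$key'
commit network
EOF
}

# On the router (not run here): one tunnel per HQ peer, each with its own key.
#   vti_uci_batch vti_isp1 192.0.2.10 198.51.100.1 101 | uci batch
#   vti_uci_batch vti_isp2 192.0.2.10 203.0.113.1 102 | uci batch
#   /etc/init.d/network reload
```

The strongSwan connection for each peer then has to carry a mark equal to that tunnel's key, as described on the strongSwan route-based VPN page linked in the question.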