Question

Hi  All,

I'm trying to set up an IPSEC VPN Tunnel on a newer RUT955 (FW RUT9_R_00.07.02.1) as the same I have with all my others 30 and more older RUT955s (FW RUT9XX_R_00.06.08.6). On server side, VPN is configured on Fortinet and with RUT9XX_6.08.6 Firmware works perfectly. In my configuration Tunnel name is 9 char long and I discovered that on new RUT firmware is impossible to add a tunnel name longer than 8, so the rut955 config can't match server side config and tunnel can't rise. This is a very big limit for expanding my network (GNSS nation wide  network for Geodesy and Scientific pourpouses). I can't downgrade new RUT955s firmware and i can't renew old devices neither switch to a shorter name configuration working remotly.
Does the 8 char limit is only for the WebUI or it affects in CLI too?
How can I solve it?

Regards

Benedetto Porfidia

Answer 1

SOLVED
Very surprised that following the "BASIC" configuration, ipsec menu doesn't allow to set many parameters that I was thinking they were required and instead without them, tunnel is established flowlessly. In basic mode i didn't set both phases for ikev1 and set only ip end point, local and remote identifier, a random tunnel_name lesser than 8 char long and obviously PSK. Tunnel rised up immediately and in ipsec statusall i got algorithms for phases totally different from the ones i used with previous firmware. Maybe server and client have negotiated phases automatically?

Answer 2

Hello,

This is a known issue. The limit comes from WebUI validation side only. Currently, this limit is planned to be removed in 7.5 firmware version. 

As a temporary workaround, configuration details can be modified by SSH, specifically targeting /etc/config/ipsec file.

First, I suggest to create a working configuration in the current WebUI by giving any name to the instance within the 8 character limit and edit name in the SSH afterwards. Also, make sure the tunnel establishes and configuration is correct, because, because, if instance name is longer than 8 characters, WebUI will not accept configuration changes.

Below are the instructions, on how to modify ipsec configuration via SSH. To login, use command line interface from router's WebUI in System -> CLI page or an SSH client such as PuTTy. Use root as username and router's password to login.

Execute the following command to open configuration file with a text editor:

• vi /etc/config/ipsec

Press letter i to enable editing and change every option, including instance name, set in the WebUI. 

Once done, press Esc, then enter :wq and press Enter.

Then, execute the following command:

• /etc/init.d/ipsec restart

That should be enough to continue using ipsec.

Best regards,

Comments

Thank you for fast reply.

I already tried to edit ipsec config file but starting from a WebUI configuration that can't works due to the mismatch of tunnel name. What i got is that ipsce service doesn't start and the "ipsec statusall" command doesn't return any "state".

regards and thanks again

b.

---

Could you check, if every name related option is edited? I have marked them in the image below:

Otherwise, if the connection does not establish, can you confirm that the other configuration settings are correct?

Also, what is the output of the logs with the command:

• logread | grep ipsec

Best regards,

Answer 3

Hi and thanks again,

I tried many times to create a new config and edit manually them to make it working but without success.

Here is my ipsec config file  (/etc/config/ipsec) with the logread output. Next is the working config ipsec file from another rut955 from previous series.

File formatting is totally different; does it matter???

regards

Benedetto

************************************************************************

root@ISPRA_100:/# cat etc/config/ipsec

config remote 'Sonde_Geo'
    option crypto_proposal 'Sonde_Geo_ph1'
    option _multiple_secrets '0'
    option force_crypto_proposal '0'
    option gateway 'xxx.xxx.xxx.xxx'
    option authentication_method 'psk'
    option pre_shared_key '0xxxxxxxxxxxxxxxxxxxxxxx6f'
    option local_identifier '10.20.0.100'
    option remote_identifier '10.158.254.178'
    list tunnel 'Sonde_Geo_c'
    option enabled '1'

config connection 'Sonde_Geo_c'
    option crypto_proposal 'Sonde_Geo_ph2'
    option defaultroute '0'
    option xauth '0'
    option aggressive 'no'
    option forceencaps 'no'
    option local_firewall 'yes'
    option remote_firewall 'yes'
    option comp_mode '1'
    option _dpd '1'
    option force_crypto_proposal '0'
    option mode 'start'
    option type 'tunnel'
    option keyexchange 'ikev1'
    option dpdaction 'restart'
    option dpddelay '30'
    option dpdtimeout '150'
    option remote_sourceip '10.158.0.0/16'
    option local_sourceip '10.20.0.100'
    option ikelifetime '8h'
    option lifetime '8h'
    list local_subnet '10.20.0.100/32'
    list remote_subnet '10.158.0.0/16'

config proposal 'Sonde_Geo_ph1'
    option encryption_algorithm '3des'
    option hash_algorithm 'sha256'
    option dh_group 'modp2048'

config proposal 'Sonde_Geo_ph2'
    option encryption_algorithm '3des'
    option hash_algorithm 'sha256'
    option dh_group 'modp2048'

**********************************************************

root@ISPRA_100:/# logread | grep ipsec
Thu Jun 15 13:32:56 2023 kern.notice kernel: ipsec configuration has been changed
Thu Jun 15 13:32:56 2023 kern.notice kernel: ipsec configuration has been changed
Thu Jun 15 13:32:56 2023 kern.notice kernel: ipsec configuration has been changed
Thu Jun 15 13:32:56 2023 kern.notice kernel: ipsec configuration has been changed
Thu Jun 15 13:32:57 2023 kern.notice kernel: ipsec configuration has been changed
Thu Jun 15 13:46:43 2023 kern.notice kernel: ipsec configuration has been changed
Thu Jun 15 13:47:09 2023 kern.notice kernel: ipsec configuration has been changed
Thu Jun 15 13:47:11 2023 authpriv.info ipsec_starter[25983]: Starting strongSwan 5.9.2 IPsec [starter]...
Thu Jun 15 13:47:12 2023 daemon.info : 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Thu Jun 15 13:47:12 2023 daemon.info : 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Thu Jun 15 13:47:12 2023 daemon.info : 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Thu Jun 15 13:47:12 2023 daemon.info : 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Thu Jun 15 13:47:12 2023 daemon.info : 00[CFG] loading crls from '/etc/ipsec.d/crls'
Thu Jun 15 13:47:12 2023 daemon.info : 00[CFG] loading secrets from '/etc/ipsec.secrets'
Thu Jun 15 13:47:12 2023 authpriv.info ipsec_starter[25983]: charon (26001) started after 720 ms
Thu Jun 15 13:53:01 2023 kern.notice kernel: ipsec configuration has been changed
Thu Jun 15 13:53:04 2023 authpriv.info ipsec_starter[25983]: charon stopped after 200 ms
Thu Jun 15 13:53:04 2023 authpriv.info ipsec_starter[25983]: ipsec starter stopped
Thu Jun 15 13:53:04 2023 authpriv.info ipsec_starter[27457]: Starting strongSwan 5.9.2 IPsec [starter]...
Thu Jun 15 13:53:05 2023 daemon.info : 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Thu Jun 15 13:53:05 2023 daemon.info : 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Thu Jun 15 13:53:05 2023 daemon.info : 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Thu Jun 15 13:53:05 2023 daemon.info : 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Thu Jun 15 13:53:05 2023 daemon.info : 00[CFG] loading crls from '/etc/ipsec.d/crls'
Thu Jun 15 13:53:05 2023 daemon.info : 00[CFG] loading secrets from '/etc/ipsec.secrets'
Thu Jun 15 13:53:05 2023 authpriv.info ipsec_starter[27457]: charon (27459) started after 280 ms
Thu Jun 15 13:53:18 2023 kern.notice kernel: ipsec configuration has been changed
Thu Jun 15 14:05:29 2023 authpriv.info ipsec_starter[27457]: charon stopped after 200 ms
Thu Jun 15 14:05:29 2023 authpriv.info ipsec_starter[27457]: ipsec starter stopped
Thu Jun 15 14:05:30 2023 authpriv.info ipsec_starter[30372]: Starting strongSwan 5.9.2 IPsec [starter]...
Thu Jun 15 14:05:30 2023 daemon.info : 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Thu Jun 15 14:05:30 2023 daemon.info : 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Thu Jun 15 14:05:30 2023 daemon.info : 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Thu Jun 15 14:05:30 2023 daemon.info : 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Thu Jun 15 14:05:30 2023 daemon.info : 00[CFG] loading crls from '/etc/ipsec.d/crls'
Thu Jun 15 14:05:30 2023 daemon.info : 00[CFG] loading secrets from '/etc/ipsec.secrets'
Thu Jun 15 14:05:30 2023 authpriv.info ipsec_starter[30372]: charon (30374) started after 260 ms
Thu Jun 15 14:21:27 2023 authpriv.info ipsec_starter[30372]: charon stopped after 200 ms
Thu Jun 15 14:21:27 2023 authpriv.info ipsec_starter[30372]: ipsec starter stopped
Thu Jun 15 14:21:27 2023 authpriv.info ipsec_starter[13223]: Starting strongSwan 5.9.2 IPsec [starter]...
Thu Jun 15 14:21:28 2023 daemon.info : 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Thu Jun 15 14:21:28 2023 daemon.info : 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Thu Jun 15 14:21:28 2023 daemon.info : 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Thu Jun 15 14:21:28 2023 daemon.info : 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Thu Jun 15 14:21:28 2023 daemon.info : 00[CFG] loading crls from '/etc/ipsec.d/crls'
Thu Jun 15 14:21:28 2023 daemon.info : 00[CFG] loading secrets from '/etc/ipsec.secrets'
Thu Jun 15 14:21:28 2023 authpriv.info ipsec_starter[13223]: charon (13226) started after 560 ms

*********************************************************************************

and here the working ipsec config file from old rut955s

**********************************************************************************

root@ISPRA_010:~# cat /etc/config/strongswan

config preshared_keys
    option psk_key 'here_psk_human_readable'

config conn 'Sonde_Geo'
    option enabled '1'
    option keyexchange 'ikev1'
    option aggressive 'no'
    option ipsec_type 'tunnel'
    option auto 'start'
    option leftfirewall 'yes'
    option forceencaps 'no'
    option dpdaction 'restart'
    option dpddelay '30'
    option dpdtimeout '150'
    option auth 'psk'
    option right 'xxx.xxx.xxx.xxx'
    option rightfirewall 'yes'
    option keep_enabled '0'
    option ping_ipaddr '10.158.55.254'
    option ping_period '20'
    option allow_webui '0'
    option ike_encryption_algorithm '3des'
    option ike_authentication_algorithm 'sha256'
    option ike_dh_group 'modp2048'
    option ikelifetime '8h'
    option esp_encryption_algorithm '3des'
    option esp_hash_algorithm 'sha256'
    option esp_pfs_group 'modp2048'
    option keylife '8h'
    option my_identifier '128'
    list leftsubnet '10.20.0.10/32'
    list rightsubnet '10.158.0.0/16'