0 votes
333 views 2 comments
by anonymous
Hello. Is it possible to configure a RUTX router with a public static IP address to accept IPsec connections from remote PCs with dynamic, grey IP addresses using IKEv2 and X.509 certificates? Currently we have this config on a Fortigate, but we want to replicate the same "ipsec server" on a RUTXR for the LTE backup link.

If not via the GUI, then even a manual edit of /etc/config/ipsec will be good enough.

1 Answer

0 votes
by anonymous
Hello,

Could you please clarify your question a bit more?

If you are looking to set up an IPSec server with a public IP and connect a client with a NATed IP to it using IKEv2 and x.509 certificates, it is possible to achieve that.

I haven't tested this configuration with other devices, but I was able to successfully establish a tunnel between a RUTX server with a public IP and a RUT955 client that had a NATed IP address. The setup used IKEv2 and x.509 authentication.

Kind Regards,

Andzej
by anonymous

Client - Windows PC, not a router. I need "Client to Gateway" IPSEC mode with IKEv2 and X.509 certificates.

This mode is possible if you provision IKEv1 with XAuth/PSK on the Teltonika router, I think. But I want to use the same VPN scripts and settings that I use on the Windows PC to connect to the Fortigate.

I think the config that I need is described here: OpenWRT roadwarrior with IKEv2, but I am not sure if the "conn rwPUBKEY" part of the config can support multiple users.

Again, the Teltonika RUTX must be an IPsec server, accepting multiple connections from Windows PCs and providing them with IP addresses. This is not the IPsec "Site to Site tunnel" mode.

by anonymous
Hello,

While I haven't personally tested this configuration, it may be possible via CLI. Likely, you won't be able to achieve this configuration via the WebUI.

As far as I know, in terms of supporting multiple users, the "conn rwPUBKEY" part of the configuration you mentioned may not directly support multiple users. Each client should have a distinct identifier (such as rightid or FQDN) to differentiate them on the server. Without unique identifiers, the server may not be able to distinguish between multiple clients, and only the first connection will be established while subsequent connections remain in the "connecting" state.

One approach to support multiple users is to configure multiple "conn" sections in the IPsec configuration, each with its own set of X.509 certificates for authentication.

Kind Regards,
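To make the two approaches from the answer above concrete, here is an added example of a strongSwan road-warrior server configuration in classic ipsec.conf syntax (the same syntax the linked OpenWrt guide uses). It is not the RUTX's own /etc/config/ipsec, nor anything either poster shared; it assumes the router runs strongSwan, and every file name, DN, hostname and address in it is a placeholder. The first stanza (rw-ca) accepts every client holding a certificate from the VPN CA and tells clients apart by their certificate subject; the rw-pc1/rw-pc2 stanzas show the per-client alternative the answer describes, each pinned to one exact rightid. Deploy one pattern or the other rather than both.

```ini
# /etc/ipsec.conf (strongSwan) -- example file, not the thread's configuration.
config setup
    # Log IKE and config matching at level 1 so a client stuck in "connecting"
    # shows which conn (if any) its identity matched.
    charondebug="ike 1, cfg 1"

conn %default
    keyexchange=ikev2
    # Strong proposals first; the trailing Windows built-in client defaults
    # (assumption: aes256-sha1-modp1024 / aes256-sha1) are kept as a fallback
    # until the PCs are switched to the stronger set.
    ike=aes256-sha256-modp2048,aes256-sha1-modp1024!
    esp=aes256-sha256,aes256-sha1!
    fragmentation=yes
    dpdaction=clear
    dpddelay=30s
    # Server (RUTX) side: any local address so the LTE backup link also works.
    left=%any
    leftcert=rutxCert.pem           # placeholder: server cert issued by the VPN CA
    leftid=@vpn.example.com         # placeholder: must appear as a SAN in rutxCert.pem
    leftsubnet=0.0.0.0/0            # hand the clients a default route through the tunnel
    leftauth=pubkey
    # Client (Windows PC) side: dynamic or NATed source address, certificate auth.
    right=%any
    rightauth=pubkey
    rightsourceip=10.10.10.0/24     # placeholder virtual-IP pool for the PCs
    rightdns=10.10.10.1             # placeholder DNS pushed to the PCs
    auto=add

# Pattern A: one stanza for every certificate issued by the VPN CA.
# Each PC presents a certificate with its own subject, so the server can hold
# several tunnels under this single conn.
conn rw-ca
    rightca="C=LT, O=Example, CN=Example VPN CA"      # placeholder CA subject
    rightid=%any

# Pattern B: one stanza per client, each tied to one certificate subject.
# Lets you disable a single PC by removing its stanza without touching the CA.
conn rw-pc1
    rightid="C=LT, O=Example, CN=pc1.example.com"     # placeholder client subject

conn rw-pc2
    rightid="C=LT, O=Example, CN=pc2.example.com"     # placeholder client subject
```

The private key for rutxCert.pem is referenced from /etc/ipsec.secrets with a line such as `: RSA rutxKey.pem`, and the CA certificate goes in /etc/ipsec.d/cacerts so that rightca and the client certificate chains can be validated. For the Windows built-in IKEv2 client two certificate details matter: the server certificate needs the Server Authentication extended key usage and a subject alternative name equal to the hostname the PC dials (here vpn.example.com), and the issuing CA must be in the PC's machine Trusted Root store with the client certificate in the machine Personal store. If a second PC stays in "connecting", compare its certificate subject against the rightid lines above in the charon log: an identity that matches no stanza is the usual cause.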