0 votes
1,852 views 1 comments
by
Hi Teltonika Support,

I would like to establish an IPsec dial-up tunnel to a Fortigate that has the IPsec ports open and runs FortiOS v6, with the Teltonika RUTX09 behind NAT. This is an overview:

Teltonika RUTX09 (all ports closed, behind NAT) --> Fortigate (IPsec ports open)

My initial connection is established successfully, but the CHILD_SA is deleted after some retries and the tunnel is restarted. Details can be found in the logs below:

Syslog #
#######

Mon Jun 17 08:30:22 2019 kern.emerg Starting weakSwan 5.6.2 IPsec [starter]...
Mon Jun 17 08:30:22 2019 kern.emerg
Mon Jun 17 08:30:22 2019 authpriv.info ipsec_starter[4272]: Starting weakSwan 5.6.2 IPsec [starter]...
Mon Jun 17 08:30:22 2019 kern.emerg !! Your strongswan.conf contains manual plugin load options for charon.
Mon Jun 17 08:30:22 2019 kern.emerg
Mon Jun 17 08:30:22 2019 authpriv.info ipsec_starter[4272]: !! Your strongswan.conf contains manual plugin load options for charon.
Mon Jun 17 08:30:22 2019 kern.emerg !! This is recommended for experts only, see
Mon Jun 17 08:30:22 2019 kern.emerg
Mon Jun 17 08:30:22 2019 authpriv.info ipsec_starter[4272]: !! This is recommended for experts only, see
Mon Jun 17 08:30:22 2019 kern.emerg !! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
Mon Jun 17 08:30:22 2019 kern.emerg
Mon Jun 17 08:30:22 2019 authpriv.info ipsec_starter[4272]: !! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
Mon Jun 17 08:30:22 2019 daemon.err modprobe: ah4 is already loaded
Mon Jun 17 08:30:22 2019 daemon.err modprobe: esp4 is already loaded
Mon Jun 17 08:30:22 2019 daemon.err modprobe: ipcomp is already loaded
Mon Jun 17 08:30:22 2019 daemon.err modprobe: xfrm4_tunnel is already loaded
Mon Jun 17 08:30:22 2019 daemon.err modprobe: xfrm_user is already loaded
Mon Jun 17 08:30:22 2019 daemon.info syslog: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 3.14.77, armv7l)
Mon Jun 17 08:30:23 2019 daemon.info syslog: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Mon Jun 17 08:30:23 2019 daemon.info syslog: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Mon Jun 17 08:30:23 2019 daemon.info syslog: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Mon Jun 17 08:30:23 2019 daemon.info syslog: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Mon Jun 17 08:30:23 2019 daemon.info syslog: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Mon Jun 17 08:30:23 2019 daemon.info syslog: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Mon Jun 17 08:30:23 2019 daemon.info syslog: 00[CFG]   loaded IKE secret for %any
Mon Jun 17 08:30:23 2019 daemon.info syslog: 00[LIB] loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pgp dnskey sshkey pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic vici
Mon Jun 17 08:30:23 2019 daemon.info syslog: 00[JOB] spawning 16 worker threads
Mon Jun 17 08:30:23 2019 authpriv.info ipsec_starter[4282]: charon (4283) started after 580 ms
Mon Jun 17 08:30:23 2019 daemon.info syslog: 05[CFG] received stroke: add connection 'passthrough0'
Mon Jun 17 08:30:23 2019 daemon.info syslog: 05[CFG] added configuration 'passthrough0'
Mon Jun 17 08:30:23 2019 daemon.info syslog: 07[CFG] received stroke: route 'passthrough0'
Mon Jun 17 08:30:23 2019 authpriv.info ipsec_starter[4282]: 'passthrough0' shunt PASS policy installed
Mon Jun 17 08:30:23 2019 authpriv.info ipsec_starter[4282]:
Mon Jun 17 08:30:23 2019 daemon.info syslog: 10[CFG] received stroke: add connection 'XXX'
Mon Jun 17 08:30:23 2019 daemon.info syslog: 10[CFG] added configuration 'XXX'
Mon Jun 17 08:30:23 2019 daemon.info syslog: 13[CFG] received stroke: initiate 'XXX'
Mon Jun 17 08:30:23 2019 daemon.info syslog: 13[IKE] initiating Aggressive Mode IKE_SA XXX[1] to XX.XX.XX.XX
Mon Jun 17 08:30:23 2019 authpriv.info syslog: 13[IKE] initiating Aggressive Mode IKE_SA XXX[1] to XX.XX.XX.XX
Mon Jun 17 08:30:23 2019 daemon.info syslog: 13[ENC] generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
Mon Jun 17 08:30:23 2019 daemon.info syslog: 13[NET] sending packet: from 192.168.12.96[500] to XX.XX.XX.XX[500] (528 bytes)
Mon Jun 17 08:30:23 2019 daemon.info syslog: 15[NET] received packet: from XX.XX.XX.XX[500] to 192.168.12.96[500] (652 bytes)
Mon Jun 17 08:30:23 2019 daemon.info syslog: 15[ENC] parsed AGGRESSIVE response 0 [ SA KE No ID HASH V NAT-D NAT-D V V V V ]
Mon Jun 17 08:30:23 2019 daemon.info syslog: 15[IKE] received NAT-T (RFC 3947) vendor ID
Mon Jun 17 08:30:23 2019 daemon.info syslog: 15[IKE] received DPD vendor ID
Mon Jun 17 08:30:23 2019 daemon.info syslog: 15[ENC] received unknown vendor ID: 82:99:03:17:57:a3:60:82:c6:a6:21:de:00:00:00:00
Mon Jun 17 08:30:23 2019 daemon.info syslog: 15[IKE] received FRAGMENTATION vendor ID
Mon Jun 17 08:30:23 2019 daemon.info syslog: 15[IKE] received FRAGMENTATION vendor ID
Mon Jun 17 08:30:23 2019 daemon.info syslog: 15[IKE] local host is behind NAT, sending keep alives
Mon Jun 17 08:30:23 2019 daemon.info syslog: 15[IKE] remote host is behind NAT
Mon Jun 17 08:30:23 2019 daemon.info syslog: 15[IKE] IKE_SA XXX[1] established between 192.168.12.96[Wall04At]...XX.XX.XX.XX[10.113.97.228]
Mon Jun 17 08:30:23 2019 authpriv.info syslog: 15[IKE] IKE_SA XXX[1] established between 192.168.12.96[Wall04At]...XX.XX.XX.XX[10.113.97.228]
Mon Jun 17 08:30:23 2019 daemon.info syslog: 15[IKE] scheduling reauthentication in 3312s
Mon Jun 17 08:30:23 2019 daemon.info syslog: 15[IKE] maximum IKE_SA lifetime 3492s
Mon Jun 17 08:30:23 2019 daemon.info syslog: 15[ENC] generating AGGRESSIVE request 0 [ HASH NAT-D NAT-D ]
Mon Jun 17 08:30:23 2019 daemon.info syslog: 15[NET] sending packet: from 192.168.12.96[4500] to XX.XX.XX.XX[4500] (188 bytes)
Mon Jun 17 08:30:23 2019 daemon.info syslog: 15[ENC] generating QUICK_MODE request 2908649143 [ HASH SA No KE ID ID ]
Mon Jun 17 08:30:23 2019 daemon.info syslog: 15[NET] sending packet: from 192.168.12.96[4500] to XX.XX.XX.XX[4500] (476 bytes)
Mon Jun 17 08:30:27 2019 daemon.info syslog: 14[IKE] sending retransmit 1 of request message ID 2908649143, seq 3
Mon Jun 17 08:30:27 2019 daemon.info syslog: 14[NET] sending packet: from 192.168.12.96[4500] to XX.XX.XX.XX[4500] (476 bytes)
Mon Jun 17 08:30:35 2019 daemon.info syslog: 06[IKE] sending retransmit 2 of request message ID 2908649143, seq 3
Mon Jun 17 08:30:35 2019 daemon.info syslog: 06[NET] sending packet: from 192.168.12.96[4500] to XX.XX.XX.XX[4500] (476 bytes)
Mon Jun 17 08:30:47 2019 daemon.info syslog: 08[IKE] sending retransmit 3 of request message ID 2908649143, seq 3
Mon Jun 17 08:30:47 2019 daemon.info syslog: 08[NET] sending packet: from 192.168.12.96[4500] to XX.XX.XX.XX[4500] (476 bytes)
Mon Jun 17 08:31:07 2019 daemon.info syslog: 13[IKE] sending keep alive to XX.XX.XX.XX[4500]
Mon Jun 17 08:31:11 2019 daemon.info syslog: 10[IKE] sending retransmit 4 of request message ID 2908649143, seq 3
Mon Jun 17 08:31:11 2019 daemon.info syslog: 10[NET] sending packet: from 192.168.12.96[4500] to XX.XX.XX.XX[4500] (476 bytes)
Mon Jun 17 08:31:30 2019 daemon.info syslog: 15[IKE] sending keep alive to XX.XX.XX.XX[4500]
Mon Jun 17 08:31:50 2019 daemon.info syslog: 08[IKE] sending keep alive to XX.XX.XX.XX[4500]
Mon Jun 17 08:31:53 2019 daemon.info syslog: 15[IKE] sending retransmit 5 of request message ID 2908649143, seq 3
Mon Jun 17 08:31:53 2019 daemon.info syslog: 15[NET] sending packet: from 192.168.12.96[4500] to XX.XX.XX.XX[4500] (476 bytes)
Mon Jun 17 08:32:12 2019 daemon.info syslog: 04[IKE] sending keep alive to XX.XX.XX.XX[4500]
Mon Jun 17 08:32:32 2019 daemon.info syslog: 12[IKE] sending keep alive to XX.XX.XX.XX[4500]
Mon Jun 17 08:32:52 2019 daemon.info syslog: 06[IKE] sending keep alive to XX.XX.XX.XX[4500]
Mon Jun 17 08:33:08 2019 daemon.info syslog: 13[KNL] creating delete job for CHILD_SA ESP/0xc8ef6c49/192.168.12.96
Mon Jun 17 08:33:08 2019 daemon.info syslog: 13[JOB] CHILD_SA ESP/0xc8ef6c49/192.168.12.96 not found for delete
Mon Jun 17 08:33:08 2019 daemon.info syslog: 09[IKE] giving up after 5 retransmits

strongswan config #
################

config conn 'XXX'
    option keyexchange 'ikev1'
    option aggressive 'yes'
    option ipsec_type 'tunnel'
    option my_identifier_type 'fqdn'
    option my_identifier 'Wall04At'
    option psk_key 'XXX'
    option right 'XXX'
    option ike_encryption_algorithm 'aes256'
    option ike_authentication_algorithm 'sha384'
    option ike_dh_group 'modp2048'
    option esp_encryption_algorithm 'aes256'
    option esp_hash_algorithm 'sha384'
    option esp_pfs_group 'modp2048'
    option ikelifetime '8h'
    option keylife '8h'
    option allow_webui '1'
    option dpdaction 'none'
    option leftfirewall 'yes'
    option rightfirewall 'yes'
    option forceencaps 'no'
    list leftsubnet '10.32.0.8/29'
    list rightsubnet '10.113.97.192/28'
    option enabled '1'

Best regards
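The symptom in the post (Phase 1 completes, the Quick Mode request is retransmitted five times, then charon gives up and the CHILD_SA is torn down) is easy to lose in a long charon log. The script below is an added example and is not part of the original post or of Teltonika's firmware: it pairs each "generating ... request" with its "parsed ... response", counts retransmits per message ID and reports which exchange stalled. SAMPLE_LOG is a constructed excerpt of the syslog above, with the peer address redacted as in the post. The regexes follow charon 5.x wording; the optional "with" in the retransmit pattern is an assumption that lets the same parser read IKEv2 logs.

```python
"""Triage a strongSwan charon log: which IKE exchange stalled?

Pairs "generating <EXCHANGE> request <id>" with "parsed <EXCHANGE> response <id>",
counts retransmits per message ID and attaches charon's final "giving up" line to
the exchange that was still unanswered.  SAMPLE_LOG is a constructed excerpt of the
syslog in the post (peer address redacted as in the original).
"""
import re
from dataclasses import dataclass, field

SAMPLE_LOG = """\
Mon Jun 17 08:30:23 2019 daemon.info syslog: 13[IKE] initiating Aggressive Mode IKE_SA XXX[1] to XX.XX.XX.XX
Mon Jun 17 08:30:23 2019 daemon.info syslog: 13[ENC] generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
Mon Jun 17 08:30:23 2019 daemon.info syslog: 15[ENC] parsed AGGRESSIVE response 0 [ SA KE No ID HASH V NAT-D NAT-D V V V V ]
Mon Jun 17 08:30:23 2019 daemon.info syslog: 15[IKE] IKE_SA XXX[1] established between 192.168.12.96[Wall04At]...XX.XX.XX.XX[10.113.97.228]
Mon Jun 17 08:30:23 2019 daemon.info syslog: 15[ENC] generating AGGRESSIVE request 0 [ HASH NAT-D NAT-D ]
Mon Jun 17 08:30:23 2019 daemon.info syslog: 15[ENC] generating QUICK_MODE request 2908649143 [ HASH SA No KE ID ID ]
Mon Jun 17 08:30:27 2019 daemon.info syslog: 14[IKE] sending retransmit 1 of request message ID 2908649143, seq 3
Mon Jun 17 08:30:35 2019 daemon.info syslog: 06[IKE] sending retransmit 2 of request message ID 2908649143, seq 3
Mon Jun 17 08:30:47 2019 daemon.info syslog: 08[IKE] sending retransmit 3 of request message ID 2908649143, seq 3
Mon Jun 17 08:31:11 2019 daemon.info syslog: 10[IKE] sending retransmit 4 of request message ID 2908649143, seq 3
Mon Jun 17 08:31:53 2019 daemon.info syslog: 15[IKE] sending retransmit 5 of request message ID 2908649143, seq 3
Mon Jun 17 08:33:08 2019 daemon.info syslog: 09[IKE] giving up after 5 retransmits
"""

# charon 5.x wording.  IKEv1 logs "retransmit N of request message ID M"; the
# optional "with" (assumed) also accepts the IKEv2 form of the same message.
GENERATING = re.compile(r"generating (\S+) request (\d+)")
PARSED = re.compile(r"parsed (\S+) response (\d+)")
RETRANSMIT = re.compile(r"retransmit (\d+) of request (?:with )?message ID (\d+)")
ESTABLISHED = re.compile(r"IKE_SA \S+ established between (\S+)\.\.\.(\S+)")
GIVING_UP = re.compile(r"giving up after (\d+) retransmits")
TIMESTAMP = re.compile(r"^(\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4})")

@dataclass
class Exchange:
    name: str
    msg_id: int
    sent_at: str
    retransmits: int = 0
    answered: bool = False
    gave_up: bool = False

    @property
    def stalled(self) -> bool:
        # Unanswered *and* retransmitted.  The third Aggressive Mode message
        # (HASH NAT-D NAT-D) closes Phase 1 and gets no reply by design, and
        # charon does not wait for one, so it must not be reported as stalled.
        return self.retransmits > 0 and not self.answered

@dataclass
class Triage:
    ike_sa_established: bool = False
    peers: tuple = ()
    exchanges: list = field(default_factory=list)

    def stalled(self) -> list:
        return [e for e in self.exchanges if e.stalled]

def _latest(exchanges, msg_id):
    """Most recent exchange with this message ID (ID 0 repeats within Phase 1)."""
    return next((e for e in reversed(exchanges) if e.msg_id == msg_id), None)

def triage(log_text: str) -> Triage:
    t = Triage()
    for line in log_text.splitlines():
        ts = TIMESTAMP.match(line)
        ts = ts.group(1) if ts else ""
        if m := GENERATING.search(line):
            t.exchanges.append(Exchange(m.group(1), int(m.group(2)), ts))
        elif m := PARSED.search(line):
            if e := _latest(t.exchanges, int(m.group(2))):
                e.answered = True
        elif m := RETRANSMIT.search(line):
            if e := _latest(t.exchanges, int(m.group(2))):
                e.retransmits = max(e.retransmits, int(m.group(1)))
        elif m := ESTABLISHED.search(line):
            t.ike_sa_established, t.peers = True, (m.group(1), m.group(2))
        elif GIVING_UP.search(line):
            # charon does not repeat the message ID here: the most recent
            # stalled exchange is the one it gave up on.
            for e in reversed(t.exchanges):
                if e.stalled:
                    e.gave_up = True
                    break
    return t

def verdict(t: Triage) -> str:
    if not t.ike_sa_established:
        return "Phase 1 never completed: check PSK, identifiers and the IKE proposal."
    if not (stalled := t.stalled()):
        return "IKE_SA established and every request was answered."
    e = stalled[-1]
    return (f"IKE_SA established with {t.peers[1]}, but {e.name} request {e.msg_id} "
            f"was retransmitted {e.retransmits} time(s) and never answered"
            f"{' before charon gave up' if e.gave_up else ''}: the peer did not receive "
            "it or dropped it silently. Compare the Phase 2 proposal, PFS group and "
            "traffic selectors on the peer, and capture UDP 4500 on both ends.")

if __name__ == "__main__":
    print(verdict(triage(SAMPLE_LOG)))
```

Run against the excerpt it reports that the IKE_SA came up but QUICK_MODE request 2908649143 was retransmitted 5 times and never answered, which is exactly the log above in one line. A side note on the posted configuration: it runs IKEv1 Aggressive Mode with a pre-shared key. In Aggressive Mode the responder's HASH_R travels unencrypted in message 2, and every other input to it is public, so anyone who can capture the exchange can attack the PSK offline with a dictionary. FortiGate dial-up with a peer ID under IKEv1 is the usual reason Aggressive Mode gets chosen; if it has to stay, the PSK should be long and random, and IKEv2 removes the exposure altogether.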

1 Answer

0 votes
by
Hello,

There is nothing special in this configuration.

Can you check with tcpdump whether your packets are leaving the router towards the Fortigate? And check whether the Fortigate receives anything on port 4500.

If packets leave the RUTX and don't reach the Fortigate, there is probably something wrong with the firewall on the Fortigate side.
by
Thanks for your quick reply.

Packets are leaving the RUTX and are also being sent from the Fortigate:

root@Teltonika-RUTX09:~# tcpdump -i any -n host xx.xx.xx.xx
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
05:11:58.906295 IP 192.168.12.96.500 > xx.xx.xx.xx.500: isakmp: phase 1 I agg
05:11:58.936977 IP xx.xx.xx.xx.500 > 192.168.12.96.500: isakmp: phase 1 R agg
05:11:59.113560 IP 192.168.12.96.4500 > xx.xx.xx.xx.4500: NONESP-encap: isakmp: phase 1 I agg[E]
05:11:59.286219 IP 192.168.12.96.4500 > xx.xx.xx.xx.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
05:12:03.286844 IP 192.168.12.96.4500 > xx.xx.xx.xx.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
05:12:09.162979 IP xx.xx.xx.xx.4500 > 192.168.12.96.4500: isakmp-nat-keep-alive
05:12:10.488856 IP 192.168.12.96.4500 > xx.xx.xx.xx.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
05:12:19.181517 IP xx.xx.xx.xx.4500 > 192.168.12.96.4500: isakmp-nat-keep-alive
05:12:23.450660 IP 192.168.12.96.4500 > xx.xx.xx.xx.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
05:12:29.200200 IP xx.xx.xx.xx.4500 > 192.168.12.96.4500: isakmp-nat-keep-alive
05:12:39.218812 IP xx.xx.xx.xx.4500 > 192.168.12.96.4500: isakmp-nat-keep-alive
05:12:43.113428 IP 192.168.12.96.4500 > xx.xx.xx.xx.4500: isakmp-nat-keep-alive
05:12:46.780386 IP 192.168.12.96.4500 > xx.xx.xx.xx.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
05:12:49.237550 IP xx.xx.xx.xx.4500 > 192.168.12.96.4500: isakmp-nat-keep-alive
05:12:59.256260 IP xx.xx.xx.xx.4500 > 192.168.12.96.4500: isakmp-nat-keep-alive
05:13:06.114880 IP 192.168.12.96.4500 > xx.xx.xx.xx.4500: isakmp-nat-keep-alive
05:13:09.274824 IP xx.xx.xx.xx.4500 > 192.168.12.96.4500: isakmp-nat-keep-alive
^C
17 packets captured
17 packets received by filter
0 packets dropped by kernel
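The answer's check (do packets leave the router, and does anything come back on UDP 4500?) can be applied mechanically to a capture like the one above. The script below is an added example, not the poster's or Teltonika's code: it parses tcpdump's one-line isakmp decode, counts packets per direction and type, and states what the capture does and does not prove. SAMPLE_CAPTURE reproduces the poster's capture with the peer redacted as xx.xx.xx.xx; 192.168.12.96 is taken as the router's own address because that is the source of the outbound packets shown.

```python
"""Per-direction classification of a tcpdump capture of IKE over NAT-T.

Implements the check from the answer: do packets leave the router, and does
anything come back on UDP 4500?  SAMPLE_CAPTURE reproduces the poster's capture
(peer redacted as xx.xx.xx.xx); 192.168.12.96 is the router's address in it.
"""
import re
from collections import Counter
from dataclasses import dataclass

LOCAL_IP = "192.168.12.96"
SAMPLE_CAPTURE = """\
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
05:11:58.906295 IP 192.168.12.96.500 > xx.xx.xx.xx.500: isakmp: phase 1 I agg
05:11:58.936977 IP xx.xx.xx.xx.500 > 192.168.12.96.500: isakmp: phase 1 R agg
05:11:59.113560 IP 192.168.12.96.4500 > xx.xx.xx.xx.4500: NONESP-encap: isakmp: phase 1 I agg[E]
05:11:59.286219 IP 192.168.12.96.4500 > xx.xx.xx.xx.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
05:12:03.286844 IP 192.168.12.96.4500 > xx.xx.xx.xx.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
05:12:09.162979 IP xx.xx.xx.xx.4500 > 192.168.12.96.4500: isakmp-nat-keep-alive
05:12:10.488856 IP 192.168.12.96.4500 > xx.xx.xx.xx.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
05:12:19.181517 IP xx.xx.xx.xx.4500 > 192.168.12.96.4500: isakmp-nat-keep-alive
05:12:23.450660 IP 192.168.12.96.4500 > xx.xx.xx.xx.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
05:12:29.200200 IP xx.xx.xx.xx.4500 > 192.168.12.96.4500: isakmp-nat-keep-alive
05:12:39.218812 IP xx.xx.xx.xx.4500 > 192.168.12.96.4500: isakmp-nat-keep-alive
05:12:43.113428 IP 192.168.12.96.4500 > xx.xx.xx.xx.4500: isakmp-nat-keep-alive
05:12:46.780386 IP 192.168.12.96.4500 > xx.xx.xx.xx.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
05:12:49.237550 IP xx.xx.xx.xx.4500 > 192.168.12.96.4500: isakmp-nat-keep-alive
05:12:59.256260 IP xx.xx.xx.xx.4500 > 192.168.12.96.4500: isakmp-nat-keep-alive
05:13:06.114880 IP 192.168.12.96.4500 > xx.xx.xx.xx.4500: isakmp-nat-keep-alive
05:13:09.274824 IP xx.xx.xx.xx.4500 > 192.168.12.96.4500: isakmp-nat-keep-alive
17 packets captured
"""

# "<time> IP <src>.<sport> > <dst>.<dport>: <decode>" as tcpdump -n prints it.
LINE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) IP (\S+)\.(\d+) > (\S+)\.(\d+): (.*)$")
# tcpdump marks the initiator/responder side of each ISAKMP message with I/R
# (or ? when it has not seen the first message of that cookie pair).
PHASE = re.compile(r"phase (1|2)(?:/others)? (I|R|\?)")

@dataclass
class Packet:
    ts: str
    src: str
    dst: str
    dport: int
    kind: str    # phase1-I, phase1-R, phase2-I, phase2-R, keepalive, esp, other
    encap: bool  # UDP-encapsulated ISAKMP (NAT-T), as tcpdump's NONESP-encap marker

def classify(desc: str) -> str:
    if "isakmp-nat-keep-alive" in desc:
        return "keepalive"
    if desc.startswith("ESP"):            # tcpdump prints "ESP(spi=0x...,seq=0x...)"
        return "esp"
    if m := PHASE.search(desc):
        return f"phase{m.group(1)}-{m.group(2)}"
    return "other"

def parse_tcpdump(text: str) -> list:
    pkts = []
    for line in text.splitlines():
        if m := LINE.match(line.strip()):     # banner and summary lines do not match
            ts, src, _sport, dst, dport, desc = m.groups()
            pkts.append(Packet(ts, src, dst, int(dport), classify(desc), "NONESP-encap" in desc))
    return pkts

def assess(pkts, local_ip=LOCAL_IP) -> dict:
    c = Counter(("out" if p.src == local_ip else "in", p.kind) for p in pkts)
    out_total = sum(n for (d, _), n in c.items() if d == "out")
    in_total = sum(n for (d, _), n in c.items() if d == "in")
    if out_total == 0:
        verdict = "No IKE traffic leaves the router: check that the connection is initiated and routed."
    elif in_total == 0:
        verdict = "Packets leave but nothing comes back: check the firewall in front of the peer."
    elif c[("out", "phase2-I")] and not c[("in", "phase2-R")]:
        verdict = (f"Peer answered Phase 1 and {c[('in', 'keepalive')]} of its NAT-T keep-alives arrived "
                   f"on UDP 4500, so the path is open both ways and the NAT binding is alive, yet "
                   f"{c[('out', 'phase2-I')]} Quick Mode requests got no reply. Keep-alives do not prove "
                   "the peer accepted those requests; check its Phase 2 logs (proposal, PFS group, selectors).")
    else:
        verdict = "Quick Mode answered; if no ESP follows, look at the traffic selectors."
    return {"counts": dict(c), "verdict": verdict}

if __name__ == "__main__":
    print(assess(parse_tcpdump(SAMPLE_CAPTURE))["verdict"])
```

On this capture it counts 5 outbound Quick Mode requests, 1 inbound Phase 1 response and 7 inbound keep-alives with no Phase 2 response, and the verdict says what that combination does and does not establish: the reverse path on 4500 works, so the problem is not the router's NAT or a blanket firewall drop, but the capture alone cannot show whether the Fortigate received and rejected the Quick Mode request or never saw it; that needs the Fortigate's own IKE debug.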