Hi Teltonika Support,
I would like to establish an IPsec dial-up tunnel with a FortiGate that has the ports open for the connection and is running FortiOS v6, where the Teltonika RUTX09 is behind NAT. This is an overview:
Teltonika RUTX09 (all ports closed, behind NAT) --> FortiGate (IPsec ports open)
My initial connection is established successfully, but the CHILD_SA is deleted after some retries and the tunnel is restarted. Details can be found in the logs below:
Syslog #
#######
Mon Jun 17 08:30:22 2019 kern.emerg Starting
Mon Jun 17 08:30:22 2019 kern.emerg weak
Mon Jun 17 08:30:22 2019 kern.emerg Swan 5.6.2 IPsec [starter]...
Mon Jun 17 08:30:22 2019 kern.emerg
Mon Jun 17 08:30:22 2019 authpriv.info ipsec_starter[4272]: Starting weakSwan 5.6.2 IPsec [starter]...
Mon Jun 17 08:30:22 2019 kern.emerg !! Your strongswan.conf contains manual plugin load options for charon.
Mon Jun 17 08:30:22 2019 kern.emerg
Mon Jun 17 08:30:22 2019 authpriv.info ipsec_starter[4272]: !! Your strongswan.conf contains manual plugin load options for charon.
Mon Jun 17 08:30:22 2019 kern.emerg !! This is recommended for experts only, see
Mon Jun 17 08:30:22 2019 kern.emerg
Mon Jun 17 08:30:22 2019 authpriv.info ipsec_starter[4272]: !! This is recommended for experts only, see
Mon Jun 17 08:30:22 2019 kern.emerg !!
http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
Mon Jun 17 08:30:22 2019 kern.emerg
Mon Jun 17 08:30:22 2019 authpriv.info ipsec_starter[4272]: !!
http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
Mon Jun 17 08:30:22 2019 daemon.err modprobe: ah4 is already loaded
Mon Jun 17 08:30:22 2019 daemon.err modprobe: esp4 is already loaded
Mon Jun 17 08:30:22 2019 daemon.err modprobe: ipcomp is already loaded
Mon Jun 17 08:30:22 2019 daemon.err modprobe: xfrm4_tunnel is already loaded
Mon Jun 17 08:30:22 2019 daemon.err modprobe: xfrm_user is already loaded
Mon Jun 17 08:30:22 2019 daemon.info syslog: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 3.14.77, armv7l)
Mon Jun 17 08:30:23 2019 daemon.info syslog: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Mon Jun 17 08:30:23 2019 daemon.info syslog: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Mon Jun 17 08:30:23 2019 daemon.info syslog: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Mon Jun 17 08:30:23 2019 daemon.info syslog: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Mon Jun 17 08:30:23 2019 daemon.info syslog: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Mon Jun 17 08:30:23 2019 daemon.info syslog: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Mon Jun 17 08:30:23 2019 daemon.info syslog: 00[CFG] loaded IKE secret for %any
Mon Jun 17 08:30:23 2019 daemon.info syslog: 00[LIB] loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pgp dnskey sshkey pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic vici
Mon Jun 17 08:30:23 2019 daemon.info syslog: 00[JOB] spawning 16 worker threads
Mon Jun 17 08:30:23 2019 authpriv.info ipsec_starter[4282]: charon (4283) started after 580 ms
Mon Jun 17 08:30:23 2019 daemon.info syslog: 05[CFG] received stroke: add connection 'passthrough0'
Mon Jun 17 08:30:23 2019 daemon.info syslog: 05[CFG] added configuration 'passthrough0'
Mon Jun 17 08:30:23 2019 daemon.info syslog: 07[CFG] received stroke: route 'passthrough0'
Mon Jun 17 08:30:23 2019 authpriv.info ipsec_starter[4282]: 'passthrough0' shunt PASS policy installed
Mon Jun 17 08:30:23 2019 authpriv.info ipsec_starter[4282]:
Mon Jun 17 08:30:23 2019 daemon.info syslog: 10[CFG] received stroke: add connection 'XXX'
Mon Jun 17 08:30:23 2019 daemon.info syslog: 10[CFG] added configuration 'XXX'
Mon Jun 17 08:30:23 2019 daemon.info syslog: 13[CFG] received stroke: initiate 'XXX'
Mon Jun 17 08:30:23 2019 daemon.info syslog: 13[IKE] initiating Aggressive Mode IKE_SA XXX[1] to XX.XX.XX.XX
Mon Jun 17 08:30:23 2019 authpriv.info syslog: 13[IKE] initiating Aggressive Mode IKE_SA XXX[1] to XX.XX.XX.XX
Mon Jun 17 08:30:23 2019 daemon.info syslog: 13[ENC] generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
Mon Jun 17 08:30:23 2019 daemon.info syslog: 13[NET] sending packet: from 192.168.12.96[500] to XX.XX.XX.XX[500] (528 bytes)
Mon Jun 17 08:30:23 2019 daemon.info syslog: 15[NET] received packet: from XX.XX.XX.XX[500] to 192.168.12.96[500] (652 bytes)
Mon Jun 17 08:30:23 2019 daemon.info syslog: 15[ENC] parsed AGGRESSIVE response 0 [ SA KE No ID HASH V NAT-D NAT-D V V V V ]
Mon Jun 17 08:30:23 2019 daemon.info syslog: 15[IKE] received NAT-T (RFC 3947) vendor ID
Mon Jun 17 08:30:23 2019 daemon.info syslog: 15[IKE] received DPD vendor ID
Mon Jun 17 08:30:23 2019 daemon.info syslog: 15[ENC] received unknown vendor ID: 82:99:03:17:57:a3:60:82:c6:a6:21:de:00:00:00:00
Mon Jun 17 08:30:23 2019 daemon.info syslog: 15[IKE] received FRAGMENTATION vendor ID
Mon Jun 17 08:30:23 2019 daemon.info syslog: 15[IKE] received FRAGMENTATION vendor ID
Mon Jun 17 08:30:23 2019 daemon.info syslog: 15[IKE] local host is behind NAT, sending keep alives
Mon Jun 17 08:30:23 2019 daemon.info syslog: 15[IKE] remote host is behind NAT
Mon Jun 17 08:30:23 2019 daemon.info syslog: 15[IKE] IKE_SA XXX[1] established between 192.168.12.96[Wall04At]...XX.XX.XX.XX[10.113.97.228]
Mon Jun 17 08:30:23 2019 authpriv.info syslog: 15[IKE] IKE_SA XXX[1] established between 192.168.12.96[Wall04At]...XX.XX.XX.XX[10.113.97.228]
Mon Jun 17 08:30:23 2019 daemon.info syslog: 15[IKE] scheduling reauthentication in 3312s
Mon Jun 17 08:30:23 2019 daemon.info syslog: 15[IKE] maximum IKE_SA lifetime 3492s
Mon Jun 17 08:30:23 2019 daemon.info syslog: 15[ENC] generating AGGRESSIVE request 0 [ HASH NAT-D NAT-D ]
Mon Jun 17 08:30:23 2019 daemon.info syslog: 15[NET] sending packet: from 192.168.12.96[4500] to XX.XX.XX.XX[4500] (188 bytes)
Mon Jun 17 08:30:23 2019 daemon.info syslog: 15[ENC] generating QUICK_MODE request 2908649143 [ HASH SA No KE ID ID ]
Mon Jun 17 08:30:23 2019 daemon.info syslog: 15[NET] sending packet: from 192.168.12.96[4500] to XX.XX.XX.XX[4500] (476 bytes)
Mon Jun 17 08:30:27 2019 daemon.info syslog: 14[IKE] sending retransmit 1 of request message ID 2908649143, seq 3
Mon Jun 17 08:30:27 2019 daemon.info syslog: 14[NET] sending packet: from 192.168.12.96[4500] to XX.XX.XX.XX[4500] (476 bytes)
Mon Jun 17 08:30:35 2019 daemon.info syslog: 06[IKE] sending retransmit 2 of request message ID 2908649143, seq 3
Mon Jun 17 08:30:35 2019 daemon.info syslog: 06[NET] sending packet: from 192.168.12.96[4500] to XX.XX.XX.XX[4500] (476 bytes)
Mon Jun 17 08:30:47 2019 daemon.info syslog: 08[IKE] sending retransmit 3 of request message ID 2908649143, seq 3
Mon Jun 17 08:30:47 2019 daemon.info syslog: 08[NET] sending packet: from 192.168.12.96[4500] to XX.XX.XX.XX[4500] (476 bytes)
Mon Jun 17 08:31:07 2019 daemon.info syslog: 13[IKE] sending keep alive to XX.XX.XX.XX[4500]
Mon Jun 17 08:31:11 2019 daemon.info syslog: 10[IKE] sending retransmit 4 of request message ID 2908649143, seq 3
Mon Jun 17 08:31:11 2019 daemon.info syslog: 10[NET] sending packet: from 192.168.12.96[4500] to XX.XX.XX.XX[4500] (476 bytes)
Mon Jun 17 08:31:30 2019 daemon.info syslog: 15[IKE] sending keep alive to XX.XX.XX.XX[4500]
Mon Jun 17 08:31:50 2019 daemon.info syslog: 08[IKE] sending keep alive to XX.XX.XX.XX[4500]
Mon Jun 17 08:31:53 2019 daemon.info syslog: 15[IKE] sending retransmit 5 of request message ID 2908649143, seq 3
Mon Jun 17 08:31:53 2019 daemon.info syslog: 15[NET] sending packet: from 192.168.12.96[4500] to XX.XX.XX.XX[4500] (476 bytes)
Mon Jun 17 08:32:12 2019 daemon.info syslog: 04[IKE] sending keep alive to XX.XX.XX.XX[4500]
Mon Jun 17 08:32:32 2019 daemon.info syslog: 12[IKE] sending keep alive to XX.XX.XX.XX[4500]
Mon Jun 17 08:32:52 2019 daemon.info syslog: 06[IKE] sending keep alive to XX.XX.XX.XX[4500]
Mon Jun 17 08:33:08 2019 daemon.info syslog: 13[KNL] creating delete job for CHILD_SA ESP/0xc8ef6c49/192.168.12.96
Mon Jun 17 08:33:08 2019 daemon.info syslog: 13[JOB] CHILD_SA ESP/0xc8ef6c49/192.168.12.96 not found for delete
Mon Jun 17 08:33:08 2019 daemon.info syslog: 09[IKE] giving up after 5 retransmits
strongswan config #
################
config conn 'XXX'
option keyexchange 'ikev1'
option aggressive 'yes'
option ipsec_type 'tunnel'
option my_identifier_type 'fqdn'
option my_identifier 'Wall04At'
option psk_key 'XXX'
option right 'XXX'
option ike_encryption_algorithm 'aes256'
option ike_authentication_algorithm 'sha384'
option ike_dh_group 'modp2048'
option esp_encryption_algorithm 'aes256'
option esp_hash_algorithm 'sha384'
option esp_pfs_group 'modp2048'
option ikelifetime '8h'
option keylife '8h'
option allow_webui '1'
option dpdaction 'none'
option leftfirewall 'yes'
option rightfirewall 'yes'
option forceencaps 'no'
list leftsubnet '10.32.0.8/29'
list rightsubnet '10.113.97.192/28'
option enabled '1'
Best regards
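The log above shows the pattern to look for when troubleshooting this: IKE phase 1 (Aggressive Mode) completes, both sides detect NAT, charon switches to UDP/4500, and from that point every Quick Mode request is retransmitted with no packet ever received back on port 4500 until charon gives up after 5 retransmits. The following script is an added example (not code from the original post, from Teltonika or from strongSwan) that extracts exactly those facts from charon syslog lines so the phase-1-ok/phase-2-silent case can be told apart from a phase 1 failure. The sample log embedded in it is constructed from abbreviated lines modelled on the post (the peer stays the placeholder XX.XX.XX.XX); the regular expressions assume the strongSwan 5.x message formats visible in the post.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed sample: abbreviated charon lines modelled on the RUTX09 syslog
# in the post. Not a real capture; the peer address is left as a placeholder.
SAMPLE_LOG = """\
Mon Jun 17 08:30:23 2019 daemon.info syslog: 13[IKE] initiating Aggressive Mode IKE_SA XXX[1] to XX.XX.XX.XX
Mon Jun 17 08:30:23 2019 daemon.info syslog: 13[NET] sending packet: from 192.168.12.96[500] to XX.XX.XX.XX[500] (528 bytes)
Mon Jun 17 08:30:23 2019 daemon.info syslog: 15[NET] received packet: from XX.XX.XX.XX[500] to 192.168.12.96[500] (652 bytes)
Mon Jun 17 08:30:23 2019 daemon.info syslog: 15[IKE] local host is behind NAT, sending keep alives
Mon Jun 17 08:30:23 2019 daemon.info syslog: 15[IKE] remote host is behind NAT
Mon Jun 17 08:30:23 2019 daemon.info syslog: 15[IKE] IKE_SA XXX[1] established between 192.168.12.96[Wall04At]...XX.XX.XX.XX[10.113.97.228]
Mon Jun 17 08:30:23 2019 daemon.info syslog: 15[ENC] generating QUICK_MODE request 2908649143 [ HASH SA No KE ID ID ]
Mon Jun 17 08:30:23 2019 daemon.info syslog: 15[NET] sending packet: from 192.168.12.96[4500] to XX.XX.XX.XX[4500] (476 bytes)
Mon Jun 17 08:30:27 2019 daemon.info syslog: 14[IKE] sending retransmit 1 of request message ID 2908649143, seq 3
Mon Jun 17 08:30:27 2019 daemon.info syslog: 14[NET] sending packet: from 192.168.12.96[4500] to XX.XX.XX.XX[4500] (476 bytes)
Mon Jun 17 08:30:35 2019 daemon.info syslog: 06[IKE] sending retransmit 2 of request message ID 2908649143, seq 3
Mon Jun 17 08:30:47 2019 daemon.info syslog: 08[IKE] sending retransmit 3 of request message ID 2908649143, seq 3
Mon Jun 17 08:31:11 2019 daemon.info syslog: 10[IKE] sending retransmit 4 of request message ID 2908649143, seq 3
Mon Jun 17 08:31:53 2019 daemon.info syslog: 15[IKE] sending retransmit 5 of request message ID 2908649143, seq 3
Mon Jun 17 08:33:08 2019 daemon.info syslog: 09[IKE] giving up after 5 retransmits
"""

# charon lines look like "syslog: 15[IKE] <message>"; everything after the
# subsystem tag is the message we classify.
CHARON_RE = re.compile(r"syslog: (\d+)\[(\w+)\] (?P<msg>.*)$")
ESTABLISHED_RE = re.compile(
    r"IKE_SA (?P<conn>\S+)\[(?P<id>\d+)\] established between (?P<local>\S+)\.\.\.(?P<remote>\S+)")
QM_RE = re.compile(r"generating QUICK_MODE request (?P<mid>\d+)")
RETRANS_RE = re.compile(r"sending retransmit (?P<n>\d+) of request message ID (?P<mid>\d+)")
GIVEUP_RE = re.compile(r"giving up after (?P<n>\d+) retransmits")
PKT_RE = re.compile(
    r"(?P<dir>sending|received) packet: from \S+\[(?P<sport>\d+)\] to \S+\[(?P<dport>\d+)\]")


@dataclass
class IkeSession:
    ike_sa_established: bool = False
    local_id: str = ""
    remote_id: str = ""
    local_behind_nat: bool = False
    remote_behind_nat: bool = False
    # Quick Mode message ID -> highest retransmit number seen for it
    quick_mode_retransmits: Dict[str, int] = field(default_factory=dict)
    gave_up_after: Optional[int] = None
    sent_4500: int = 0       # packets we sent from UDP/4500 (after NAT-T switch)
    received_4500: int = 0   # packets that came back to UDP/4500


def parse_charon_log(text: str) -> IkeSession:
    """Walk syslog lines and collect the phase 1 / phase 2 / NAT-T facts."""
    s = IkeSession()
    for line in text.splitlines():
        m = CHARON_RE.search(line)
        if not m:
            continue
        msg = m.group("msg")
        if (e := ESTABLISHED_RE.search(msg)):
            s.ike_sa_established = True
            s.local_id, s.remote_id = e.group("local"), e.group("remote")
        elif "local host is behind NAT" in msg:
            s.local_behind_nat = True
        elif "remote host is behind NAT" in msg:
            s.remote_behind_nat = True
        elif (q := QM_RE.search(msg)):
            s.quick_mode_retransmits.setdefault(q.group("mid"), 0)
        elif (r := RETRANS_RE.search(msg)):
            mid, n = r.group("mid"), int(r.group("n"))
            s.quick_mode_retransmits[mid] = max(s.quick_mode_retransmits.get(mid, 0), n)
        elif (g := GIVEUP_RE.search(msg)):
            s.gave_up_after = int(g.group("n"))
        elif (p := PKT_RE.search(msg)):
            if p.group("dir") == "sending" and p.group("sport") == "4500":
                s.sent_4500 += 1
            elif p.group("dir") == "received" and p.group("dport") == "4500":
                s.received_4500 += 1
    return s


def diagnose(s: IkeSession) -> str:
    """Classify the session: phase 1 failure, phase 2 timeout, or healthy."""
    if not s.ike_sa_established:
        return "phase1-failed"
    stalled = [mid for mid, n in s.quick_mode_retransmits.items() if n > 0]
    if s.gave_up_after is not None and stalled:
        # Phase 1 worked on UDP/500 but nothing ever came back on UDP/4500:
        # the NAT-T path to the responder is the thing to check first.
        if s.sent_4500 > 0 and s.received_4500 == 0:
            return "phase2-no-reply-udp4500"
        return "phase2-no-reply"
    if stalled:
        return "phase2-retransmitting"
    return "ok"


if __name__ == "__main__":
    session = parse_charon_log(SAMPLE_LOG)
    print(session)
    print("diagnosis:", diagnose(session))
```

Run against the real syslog (for example `logread | python3 ike_check.py` with the script reading stdin instead of SAMPLE_LOG, a hypothetical file name), a result of phase2-no-reply-udp4500 tells you the IKE_SA negotiated fine on UDP/500 but every Quick Mode packet and keep-alive sent on UDP/4500 went unanswered, which points at the UDP/4500 path between the NAT and the FortiGate rather than at the proposal or PSK.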