FOR TIPS, gUIDES & TUTORIALS

subscribe to our Youtube

GO TO YOUTUBE

14455 questions

17168 answers

28195 comments

0 members

We are migrating to our new platform at https://community.teltonika.lt. Moving forward, you can continue discussions on this new platform. This current platform will be temporarily maintained for reference purposes.
0 votes
1,197 views 4 comments
by
Hi!

We updated our RUT240 to the latest Firmware Version 1.07.1.

After the update only the first IPsec VPN-Connection works. The second one can only establish Phase 1. In Phase 2 we see the tunnel "192.168.22.0/24 === DYNAMIC Tunnel". But this is wrong! It should be "192.168.22.0/24 === 192.168.18.0/24". The first VPN connection (that always works) has the tunnel "192.168.22.0/24 === 192.168.0.0/24".

If we deactivate the first VPN connection (with tunnel 192.168.0.0/24), the second VPN connection is established with tunnel "192.168.22.0/24 === 192.168.18.0/24". After activating the first VPN again, the first one is only connected and the second one is lost again with the dynamic tunnel.

Till the update the both VPN's are working fine.

We already tried deleting and create the second VPN again. We also tried using a different PSK for both VPN's.

Maybe this is a known issue?

Best regards

Nico

1 Answer

0 votes
by anonymous
Hi,

Perhaps you was keeping old settings when upgrading? If so, try to reinstall router firmware without keeping old settings and reconfigure it manually.
by
Sure...We used this option, because we need the benefits of this function!

This device isn't in my local office, so I'm not able to configure it, if I reset it.

Best regards

Nico
by anonymous
There was made some changes in router firmware which is related with IPsec. So would be better to upgrade without keeping setting.

When will have possibility, upgrade router firmware locally without keeping old settings.
by

With upgrade to firmware 1.06.x we didn't have this issue and with that version, everything was working fine (on many devices)...

I now made a new firmware-update without keeping our old settings.

But still the same problem. Here I exported the result of "ipsec statusall"

external IP and domains are censored.




BusyBox v1.30.1 () built-in shell (ash)                                                       
  ____        _    ___  ____        _(_)_                                                    
  |  _ \ _   _| |_ / _ \/ ___|      (_)@(_)                                                   
  | |_) | | | | __| | | \___ \       /(_)                                                     
  |  _ <| |_| | |_| |_| |___) |    \|/                                                        
  |_| \_\\__,_|\__|\___/|____/     \|/                                                        

                                                                                              
Teltonika RUT2XX 2017 - 2019                                                                  
root@Teltonika:~# ipsec statusall                                                             
Status of IKE charon daemon (weakSwan 5.6.2, Linux 3.18.44, mips):                            
  uptime: 4 minutes, since Jun 20 15:04:32 2019                                               
  malloc: sbrk 147456, mmap 0, used 132160, free 15296                                        
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4            
  loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints 
  pubkey pkcs1 pgp dnskey sshkey pem fips-prf gmp xcbc hmac attr kernel-netlink resolve 
  socket-default stroke updown xauth-generic                                                              
Listening IP addresses:                                                                       
  xx.xx.64.76                                                                                 
  192.168.22.1                                                                                
Connections:                                                                                  
passthrough0:  %any...%any  IKEv1/2                                                           
passthrough0:   local:  uses public key authentication                                        
passthrough0:   remote: uses public key authentication                                        
passthrough0:   child:  192.168.22.0/24 === 192.168.22.0/24 PASS                              
   Usedomstr:  xx.xx.64.76...xxx.xxx.92.5  IKEv1 Aggressive                                    
   Usedomstr:   local:  [xxxxxx.dyndns.org] uses pre-shared key authentication            
   Usedomstr:   remote: uses pre-shared key authentication                                    
   Usedomstr:   child:  192.168.22.0/24 === 192.168.0.0/24 TUNNEL                             
       Leuna:  xx.xx.64.76...xxx.xxx.164.174  IKEv1 Aggressive                                
       Leuna:   local:  [xxxxxx.dyndns.org] uses pre-shared key authentication            
       Leuna:   remote: uses pre-shared key authentication                                    
       Leuna:   child:  192.168.22.0/24 === dynamic TUNNEL                                    
Shunted Connections:                                                                          
passthrough0:  192.168.22.0/24 === 192.168.22.0/24 PASS                                       
Security Associations (2 up, 0 connecting):                                                   
       Leuna[2]: ESTABLISHED 4 minutes ago, xx.xx.64.76[xxxxxx.dyndns.org]...xxx.xxx.164.174[xxx.xxx.164.174]                                                                           
       Leuna[2]: IKEv1 SPIs: c2f8c266230ae596_i* 9df541e0919f310f_r, pre-shared key reauthentication in 7 hours                                                                             
       Leuna[2]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024                  
   Usedomstr[1]: ESTABLISHED 4 minutes ago, xx.xx.64.76[xxxxxx.dyndns.org]...xx.xxx.92.5[xx.xxx.92.5]                                                                                   
   Usedomstr[1]: IKEv1 SPIs: bf9ad82221b84267_i* 6fab5c67616290e0_r, pre-shared key reauthentication in 7 hours                                                                             
   Usedomstr[1]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024                  
   Usedomstr{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c56f1ec7_i ee6e4da0_o          
   Usedomstr{1}:  3DES_CBC/HMAC_SHA1_96/MODP_1024, 4496 bytes_i (8 pkts, 236s ago), 2557 bytes_o (10 pkts, 236s ago), rekeying in 50 minutes                                                
   Usedomstr{1}:   192.168.22.0/24 === 192.168.0.0/24
by anonymous
Hi,

Could you send me troubleshoot package when issue is appeared in private message (press on my account) ?