Mighty
December 1, 2023, 5:27pm
1
I tried the whole day to establish a connection from Android phone to RUTX50.
I used this description from wiki: Setting up an IPsec tunnel between RUT and Android phone
But it always comes up with the error:
Fri Dec 1 18:15:21 2023 daemon.info ipsec: 14[IKE] <MS-MS_c|11> unable to resolve %any, initiate aborted
Maybe this helps:
root@RUTX50:~# cat /var/ipsec/ipsec.conf
# generated by /etc/init.d/ipsec
version 2
conn MS-MS_c
left=%any
right=%any
leftsourceip=10.0.1.0
leftfirewall=yes
rightfirewall=no
ikelifetime=3h
lifetime=3h
margintime=9m
keyingtries=3
dpdaction=none
dpddelay=30s
dpdtimeout=90s
leftauth=psk
rightauth=psk
rightsourceip=10.0.2.0/24
auto=start
leftsubnet=0.0.0.0/0
leftid=192.168.2.1
aggressive=no
forceencaps=no
type=tunnel
keyexchange=ikev2
esp=aes256-sha256-modp1024
ike=aes256-sha256-modp2048
Kind regards, Martin
Hello,
Does your RUTX50 have a public IP address? What are the first two octets (numbers) on your mobile interface? (mob1s1a1 interface in Network → WAN).
Also, are there any other IPSec logs? If not, it is likely that your android phone is not trying to connect (or cannot reach your RUTX50).
Kind Regards,
Mighty
December 4, 2023, 9:43am
4
Hi AndzejJ,
thank you very much for your reply.
Yes, the RUTX50 has a public IP, starting with 37. PORT FORWARDS has the rule ‘Exclude-IPsec-from-NAT’ and I’ve two other tools which can access my local net from outside so this part is working.
It seems that the error message ‘Fri Dec 1 18:15:21 2023 daemon.info ipsec: 14[IKE] <MS-MS_c|11> unable to resolve %any, initiate aborted’ is created for each try to access my local net with VPN, so it seems that the Android 14 phone can access the VPN entry point but then is rejected.
Maybe this setting is the point because it says %any but I don’t know how to change it.
conn MS-MS_c
left=%any
right=%any
I’m relatively new to RUTX50 so how can I activate IPSec logging?
Thanks.
Kind regards, Martin
AndzejJ
December 4, 2023, 11:13am
5
Hello,
The error message is likely related to the fact that your device acts as the server, and since there is no remote IP, you get this error message. The service, however, should work and this error is not an issue. Perhaps you can share more logs from the IPSec logs that are available from the WebUI?
Also, you can access the device via CLI/SSH (username ‘root’) and execute the following command to check IPSec status:
ipsec statusall
Also, could you please share your IPSec configurations from your android phone?
Please, before sharing any information on a public forum here, make sure you hide any sensitive information that may appear in the logs or configurations, such as public IP addresses, passwords, etc.
Kind Regards,
Mighty
December 4, 2023, 11:57am
6
Hi,
see here:
root@RUTX50:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.9.2, Linux 5.10.188, armv7l):
uptime: 2 days, since Dec 01 18:10:20 2023
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon aes des sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp pem openssl gmp xcbc hmac kernel-netlink socket-default stroke vici updown eap-identity eap-mschapv2 xauth-generic
Virtual IP pools (size/online/offline):
10.0.2.0/24: 254/0/0
Listening IP addresses:
192.168.2.1
fd7f:...
37....
Connections:
MS-MS_c: %any...%any IKEv2
MS-MS_c: local: [192.168.2.1] uses pre-shared key authentication
MS-MS_c: remote: uses pre-shared key authentication
MS-MS_c: child: 0.0.0.0/0 === dynamic TUNNEL
Security Associations (0 up, 0 connecting):
none
I attached my Android Config as Picture.
Thank you.
Kind regards, Martin
AndzejJ
December 5, 2023, 11:34am
8
Hello,
Please, remove leftid (local identifier) and leftsourceip. Also, add DNS server (for example, 8.8.8.8).
If the issue persists, try connecting from your android and then execute the following command on the router to view logs:
logread | grep ipsec
Share the logs here. Before sharing the logs, make sure to hide any sensitive information that may appear in the logs, such as public IP addresses.
Kind Regards,
Mighty
December 5, 2023, 12:20pm
9
Hi,
first of all, thanks to all for trying to help. I removed the local identifier (left source ip) and
added the remote dns server.
It’s still not working.
Here’s the log.
Tue Dec 5 13:07:50 2023 daemon.info ipsec: 14[CFG] received stroke: initiate 'MS-MS_c'
Tue Dec 5 13:07:50 2023 daemon.info ipsec: 14[IKE] <MS-MS_c|10974> unable to resolve %any, initiate aborted
Tue Dec 5 13:08:20 2023 daemon.info ipsec: 10[CFG] received stroke: initiate 'MS-MS_c'
Tue Dec 5 13:08:20 2023 daemon.info ipsec: 10[IKE] <MS-MS_c|10975> unable to resolve %any, initiate aborted
Tue Dec 5 13:08:50 2023 daemon.info ipsec: 13[CFG] received stroke: initiate 'MS-MS_c'
Tue Dec 5 13:08:50 2023 daemon.info ipsec: 13[IKE] <MS-MS_c|10976> unable to resolve %any, initiate aborted
Tue Dec 5 13:09:20 2023 daemon.info ipsec: 14[CFG] received stroke: initiate 'MS-MS_c'
Tue Dec 5 13:09:20 2023 daemon.info ipsec: 14[IKE] <MS-MS_c|10977> unable to resolve %any, initiate aborted
Tue Dec 5 13:09:50 2023 daemon.info ipsec: 08[CFG] received stroke: initiate 'MS-MS_c'
Tue Dec 5 13:09:50 2023 daemon.info ipsec: 08[IKE] <MS-MS_c|10978> unable to resolve %any, initiate aborted
Tue Dec 5 13:10:20 2023 daemon.info ipsec: 03[CFG] received stroke: initiate 'MS-MS_c'
Tue Dec 5 13:10:20 2023 daemon.info ipsec: 03[IKE] <MS-MS_c|10979> unable to resolve %any, initiate aborted
Tue Dec 5 13:10:51 2023 daemon.info ipsec: 11[CFG] received stroke: initiate 'MS-MS_c'
Tue Dec 5 13:10:51 2023 daemon.info ipsec: 11[IKE] <MS-MS_c|10980> unable to resolve %any, initiate aborted
Tue Dec 5 13:11:21 2023 daemon.info ipsec: 08[CFG] received stroke: initiate 'MS-MS_c'
Tue Dec 5 13:11:21 2023 daemon.info ipsec: 08[IKE] <MS-MS_c|10981> unable to resolve %any, initiate aborted
Tue Dec 5 13:11:51 2023 daemon.info ipsec: 13[CFG] received stroke: initiate 'MS-MS_c'
Tue Dec 5 13:11:51 2023 daemon.info ipsec: 13[IKE] <MS-MS_c|10982> unable to resolve %any, initiate aborted
Tue Dec 5 13:12:21 2023 daemon.info ipsec: 14[CFG] received stroke: initiate 'MS-MS_c'
Tue Dec 5 13:12:21 2023 daemon.info ipsec: 14[IKE] <MS-MS_c|10983> unable to resolve %any, initiate aborted
Tue Dec 5 13:12:36 2023 kern.notice kernel: ipsec configuration has been changed
Tue Dec 5 13:12:36 2023 kern.notice kernel: ipsec configuration has been changed
Tue Dec 5 13:12:37 2023 daemon.info ipsec: 00[DMN] SIGINT received, shutting down
Tue Dec 5 13:12:37 2023 authpriv.info ipsec_starter[1559]: charon stopped after 200 ms
Tue Dec 5 13:12:37 2023 authpriv.info ipsec_starter[1559]: ipsec starter stopped
Tue Dec 5 13:12:38 2023 authpriv.info ipsec_starter[28270]: Starting strongSwan 5.9.2 IPsec [starter]...
Tue Dec 5 13:12:38 2023 daemon.info ipsec: 00[DMN] Starting IKE charon daemon (strongSwan 5.9.2, Linux 5.10.188, armv7l)
Tue Dec 5 13:12:38 2023 daemon.info ipsec: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Tue Dec 5 13:12:38 2023 daemon.info ipsec: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Tue Dec 5 13:12:38 2023 daemon.info ipsec: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Tue Dec 5 13:12:38 2023 daemon.info ipsec: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Tue Dec 5 13:12:38 2023 daemon.info ipsec: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Tue Dec 5 13:12:38 2023 daemon.info ipsec: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Tue Dec 5 13:12:38 2023 daemon.info ipsec: 00[CFG] loading secrets from '/var/ipsec/ipsec.secrets'
Tue Dec 5 13:12:38 2023 daemon.info ipsec: 00[CFG] loaded IKE secret for %any
Tue Dec 5 13:12:38 2023 daemon.info ipsec: 00[LIB] loaded plugins: charon aes des sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp pem openssl gmp xcbc hmac kernel-netlink socket-default stroke vici updown eap-identity eap-mschapv2 xauth-generic
Tue Dec 5 13:12:38 2023 daemon.info ipsec: 00[JOB] spawning 16 worker threads
Tue Dec 5 13:12:38 2023 authpriv.info ipsec_starter[28270]: charon (28272) started after 80 ms
Tue Dec 5 13:12:38 2023 daemon.info ipsec: 04[CFG] received stroke: add connection 'MS-MS_c'
Tue Dec 5 13:12:38 2023 daemon.info ipsec: 04[CFG] adding virtual IP address pool 10.0.2.0/24
Tue Dec 5 13:12:38 2023 daemon.info ipsec: 04[CFG] 'MS-MS_c' has both left- and rightsourceip, but IKE can negotiate one virtual IP only, ignoring local virtual IP
Tue Dec 5 13:12:38 2023 daemon.info ipsec: 04[CFG] added configuration 'MS-MS_c'
Tue Dec 5 13:12:38 2023 daemon.info ipsec: 05[CFG] received stroke: initiate 'MS-MS_c'
Tue Dec 5 13:12:38 2023 daemon.info ipsec: 05[IKE] <MS-MS_c|1> unable to resolve %any, initiate aborted
Tue Dec 5 13:13:08 2023 daemon.info ipsec: 13[CFG] received stroke: initiate 'MS-MS_c'
Tue Dec 5 13:13:08 2023 daemon.info ipsec: 13[IKE] <MS-MS_c|2> unable to resolve %any, initiate aborted
Tue Dec 5 13:13:38 2023 daemon.info ipsec: 04[CFG] received stroke: initiate 'MS-MS_c'
Tue Dec 5 13:13:38 2023 daemon.info ipsec: 04[IKE] <MS-MS_c|3> unable to resolve %any, initiate aborted
root@RUTX50:~#
I skipped a lot of messages on the front because they are the same as the first visible log entries.
Edit: added Pictures from the Config.
Kind regards, Martin
AndzejJ
December 5, 2023, 12:33pm
10
Hello,
I would suggest removing local source IP as well from the WebUI.
However, the issue appears to be that the phone doesn’t even attempt to connect.
Are the default IPSec firewall rules enabled?
Please verify that you have entered the correct IP address on your Android phone.
Do you get an error on your phone? If so, what error do you get?
Kind Regards,
Mighty
December 5, 2023, 12:46pm
11
Hi,
removing local source IP doesn’t help.
All IPSec Traffic Rules are on.
The phone just tries to connect without ending the try or giving an error.
If I open the DynDNS Name on phone with chrome I get an ‘AVGC Login’ Page.
So accessing the local net from phone should work. Also my 2 other tools can
access my local server with the port forwardings from outside from the phone.
Kind regards, Martin
AndzejJ
December 5, 2023, 12:49pm
12
Hello,
Could you try entering the IP address instead of a DDNS name?
Also, are you connecting to the router over 4G or through a WiFi?
Kind Regards,
Mighty
December 5, 2023, 12:59pm
13
Hi,
I tried the IP but this changed nothing. I’m using 5G but switched for testing to 4G but
this is also working.
I’ll try an old tablet to see, if this works.
Kind regards, Martin
Mighty
December 5, 2023, 1:29pm
14
Hi,
tablet can’t connect, too.
Tue Dec 5 14:25:46 2023 daemon.info ipsec: 13[CFG] received stroke: initiate 'MS-MS_c'
Tue Dec 5 14:25:46 2023 daemon.info ipsec: 13[IKE] <MS-MS_c|92> unable to resolve %any, initiate aborted
How do I remove these 2 error messages? Maybe this is the key?
Kind regards, Martin
AndzejJ
December 8, 2023, 12:46pm
15
Hello,
These messages are normal and are not the cause of these issues. It simply says that the IPSec will not try to connect to a remote IPSec server. Since your router acts as a server, this is irrelevant (you are waiting for a connection, not initiating it). The issue can potentially be related to your firewall. Whenever you configure the IPSec, the rules should be automatically created. Thus, the first thing that I would suggest is to go over all firewall rules - traffic rules, port forwarding, SNAT, and ensure that all IPSec rules are enabled. In case this does not help, then this might indicate that some of the configurations are corrupted. Thus, the suggestion here would be to reset the device to factory defaults and then reconfigure it.
If you are unable to connect even then with these settings, then the issue is somewhere else and the phone simply does not reach the router.
Kind Regards,
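The distinction drawn in the reply above (the router's own aborted initiate attempts versus a client that actually reaches the daemon) can be checked mechanically; the following is an added example, not part of the original thread or Teltonika's tooling. The function names are hypothetical, the first sample is copied from the log posted earlier, the second uses constructed lines with documentation addresses, and the inbound patterns assume charon's default log level.

```shell
#!/bin/sh
# Added example, not from the thread. Input: output of `logread | grep ipsec`.

# Print counters and a verdict for strongSwan (charon) log lines read on stdin.
ipsec_triage() {
    awk '
        # Router-side initiate attempts: the "unable to resolve %any" noise.
        /\[CFG\] received stroke: initiate/        { local_init++ }
        /unable to resolve %any, initiate aborted/ { aborted++ }
        # Evidence that a remote peer reached charon (IKE on UDP 500/4500).
        /\[NET\] received packet: from /           { pkts++ }
        /\[IKE\] .* is initiating an IKE_SA/ {
            for (i = 2; i <= NF; i++)
                if ($i == "is" && $(i + 1) == "initiating" && !seen[$(i - 1)]++)
                    peers = peers (peers != "" ? "," : "") $(i - 1)
        }
        END {
            verdict = (pkts + 0 > 0 || peers != "") ? "inbound-seen" : "no-inbound"
            printf "local_initiate=%d aborted=%d inbound_packets=%d peers=%s verdict=%s\n", local_init, aborted, pkts, (peers != "" ? peers : "-"), verdict
        }
    '
}

# Lines copied from the log posted in this thread (router-only activity).
sample_router_only() {
    cat <<'EOF'
Tue Dec 5 13:12:38 2023 daemon.info ipsec: 05[CFG] received stroke: initiate 'MS-MS_c'
Tue Dec 5 13:12:38 2023 daemon.info ipsec: 05[IKE] <MS-MS_c|1> unable to resolve %any, initiate aborted
Tue Dec 5 13:13:08 2023 daemon.info ipsec: 13[CFG] received stroke: initiate 'MS-MS_c'
Tue Dec 5 13:13:08 2023 daemon.info ipsec: 13[IKE] <MS-MS_c|2> unable to resolve %any, initiate aborted
EOF
}

# Constructed lines (documentation addresses) showing what an inbound attempt adds.
sample_with_client() {
    sample_router_only
    cat <<'EOF'
Tue Dec 5 13:13:40 2023 daemon.info ipsec: 07[NET] received packet: from 203.0.113.25[500] to 198.51.100.7[500] (716 bytes)
Tue Dec 5 13:13:40 2023 daemon.info ipsec: 07[IKE] 203.0.113.25 is initiating an IKE_SA
EOF
}

# On the router: logread | grep ipsec | ipsec_triage
sample_router_only | ipsec_triage
sample_with_client | ipsec_triage
```

A `no-inbound` verdict while the phone is trying to connect means no IKE packet reached charon, which points at the firewall rules or the network path rather than at the `%any` messages.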
Mighty
December 12, 2023, 9:01am
17
Hi,
it should be activated by default.
But don’t try to use IPsec with Android 14. It is not working.
Kind regards, Martin.
Mighty
December 12, 2023, 10:49am
19
Thanks. As I wrote in my opening post I used a step by step doc issued by Teltonika, so this should work. But it doesn’t.
Kind regards, Martin
system
Closed
December 16, 2023, 5:27pm
21
This topic was automatically closed after 15 days. New replies are no longer allowed.