IPSec Fortigate - RUTX50 (site-site)

Hello.

I’m trying to set up an IPsec VPN from a Fortigate (ver 7.4) to a RUTX50 (7.0.4.5).

I can get P1 up and running, but whatever I do, P2 won’t work.

  • I run the RUTX50 with 4G and 5G, and have a DynDNS.
  • The Fortigate finds the IP and all is good.

I have seen some guides, but they are all for the old interface of the Teltonika routers.

  • My interface on the RUTX50 looks completely different from all the guides out there.

Is there maybe a guide on how to set up this IPsec?

Hello,

While we do not have any configuration examples for Fortigate, we do have a more general configuration example here. If you want to see configurations between Teltonika and Fortigate, I would suggest searching both this forum and our old forum here, which is in read-only mode.

In case phase 2 fails, I would suggest checking the phase 2 proposals, as well as the selectors such as local/remote subnets. For the firewall, you can check if local/remote firewall is enabled (or disabled, depending on your network) in IPSec configurations → Connection settings → Advanced settings tab. If you have multiple IPSec subnets, I would also suggest turning on ‘compatibility mode’ on the same page.

You can also view IPSec logs on RUTX50 to get more information about your issue. For this, you will need to access RUTX50 via CLI/SSH with username ‘root’ and execute the following commands:

ipsec statusall
logread | grep ipsec

Kind Regards,

1 Like

Hello,

Yeah, I tried following these guides and have been looking around, but I can’t really find my problem.

I have been on a call with Fortigate now for 4 hours, and they tried to see if we could find anything on that side, but nothing.

P1 works fine.

  • The Fortigate sends out data for P2, but we are not getting a response from the Teltonika.
  • When we ran the sniffer trace, we were able to confirm that we are getting in and out packets on port 500 as well.

Are there any rules/settings I need to fix on the Teltonika that are missing?

//Sten

Hello,

The first thing I would suggest is to check IPSec logs on the RUTX50 with the commands I have provided. You can remove any sensitive information from the logs, such as public IP addresses, and paste those here.

You can also capture all traffic with TCPDump to check what is being sent and save it to a pcap file. However, please do not share this file on the public forum here.

To install and run TCPdump on RUTX, you can use the following commands from CLI/SSH:

opkg update
opkg install tcpdump
# qmimux0 is the mobile interface on RUTX50.
tcpdump -i qmimux0 -w /tmp/dump.pcap

Then you can download the pcap file from the router using SCP, for example with WinSCP.

Kind Regards,

1 Like
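The thread’s symptom is that the Fortigate sends Phase 2 and the RUTX50 never answers, while port 500 traffic is visible in both directions. The script below is an added example, not from the forum or from Teltonika: it reads a pcap such as the one written by `tcpdump -i qmimux0 -w /tmp/dump.pcap`, picks out IKE on UDP/500 and UDP/4500 (skipping ESP-in-UDP), and counts, per exchange type, requests received from the peer against responses this router sent, so an unanswered Phase 2 request (IKEv2 CREATE_CHILD_SA or IKEv1 Quick Mode) stands out. Standard library only. Assumptions: qmimux0 captures are raw IPv4 frames (pcap linktype 12/101); Ethernet (1) and Linux cooked (113) are also handled. The embedded capture is constructed for the demo with RFC 5737 addresses (Fortigate 203.0.113.10, RUTX50 198.51.100.20), IKEv2 over NAT-T, with the Fortigate’s CREATE_CHILD_SA never answered.

```python
import struct

IKE_HDR = struct.Struct("!8s8sBBBBII")   # SPIi, SPIr, next payload, version, exchange, flags, msg id, length
FLAG_RESPONSE = 0x20                      # IKEv2 header flag R
NON_ESP_MARKER = b"\0\0\0\0"              # precedes IKE on UDP/4500; anything else there is ESP
EXCH_NAMES = {2: "IKEv1 Main Mode", 4: "IKEv1 Aggressive", 5: "IKEv1 Informational",
              32: "IKEv1 Quick Mode", 34: "IKE_SA_INIT", 35: "IKE_AUTH",
              36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}


def _ipv4_from_frame(linktype, frame):
    """Strip the link-layer header; return the IPv4 packet or None."""
    if linktype == 1:                       # Ethernet
        return frame[14:] if frame[12:14] == b"\x08\x00" else None
    if linktype == 113:                     # Linux cooked, e.g. `tcpdump -i any`
        return frame[16:] if frame[14:16] == b"\x08\x00" else None
    if linktype in (12, 101):               # raw IP (assumed for qmimux0)
        return frame
    return None


def iter_ike(pcap: bytes):
    """Yield (src, dst, ike_version, exchange_type, flags, message_id) for each IKE message."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic (non-pcapng) pcap file")
    linktype = struct.unpack(endian + "I", pcap[20:24])[0]
    off = 24
    while off + 16 <= len(pcap):
        incl = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16: off + 16 + incl]
        off += 16 + incl
        ip = _ipv4_from_frame(linktype, frame)
        if not ip or ip[0] >> 4 != 4 or ip[9] != 17:   # IPv4 + UDP only
            continue
        ihl = (ip[0] & 0x0F) * 4
        src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
        udp = ip[ihl:]
        sport, dport = struct.unpack("!HH", udp[:4])
        data = udp[8:]
        if 4500 in (sport, dport):
            if data[:4] != NON_ESP_MARKER:
                continue                                 # ESP-in-UDP, not IKE
            data = data[4:]
        elif 500 not in (sport, dport):
            continue
        if len(data) < IKE_HDR.size:
            continue
        _, _, _, ver, exch, flags, msgid, _ = IKE_HDR.unpack_from(data)
        yield src, dst, ver >> 4, exch, flags, msgid


def summarize(pcap: bytes, local_ip: str) -> dict:
    """Per exchange type: requests from the peer, responses from local_ip, unanswered msg ids."""
    out = {}
    for src, dst, ver, exch, flags, msgid in iter_ike(pcap):
        e = out.setdefault(EXCH_NAMES.get(exch, f"exchange {exch}"),
                           {"peer_requests": 0, "local_responses": 0, "unanswered": set()})
        # IKEv2 carries an R flag; IKEv1 does not, so there we go by direction only.
        is_response = bool(flags & FLAG_RESPONSE) if ver == 2 else src == local_ip
        if src != local_ip and not is_response:
            e["peer_requests"] += 1
            e["unanswered"].add(msgid)
        elif src == local_ip and is_response:
            e["local_responses"] += 1
            e["unanswered"].discard(msgid)
    return out


def unanswered_exchanges(pcap: bytes, local_ip: str) -> list:
    """Exchange types with at least one peer request that never got a local response."""
    return sorted(n for n, e in summarize(pcap, local_ip).items() if e["unanswered"])


# ---- constructed demo capture (not real traffic) -------------------------------------
def _ike(ver, exch, flags, msgid):
    return IKE_HDR.pack(b"\xaa" * 8, b"\xbb" * 8, 33, ver << 4, exch, flags, msgid,
                        IKE_HDR.size + 8) + b"\0" * 8


def _udp_ip(src, dst, port, payload):
    udp = struct.pack("!HHHH", port, port, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + udp


def build_pcap(packets, linktype=12):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for i, p in enumerate(packets):
        out += struct.pack("<IIII", 1697118067 + i, 0, len(p), len(p)) + p
    return out


PEER, LOCAL = "203.0.113.10", "198.51.100.20"
SAMPLE_PCAP = build_pcap([
    _udp_ip(PEER, LOCAL, 500, _ike(2, 34, 0x08, 0)),                    # IKE_SA_INIT request
    _udp_ip(LOCAL, PEER, 500, _ike(2, 34, 0x20, 0)),                    # IKE_SA_INIT response
    _udp_ip(PEER, LOCAL, 4500, NON_ESP_MARKER + _ike(2, 35, 0x08, 1)),  # IKE_AUTH request (NAT-T)
    _udp_ip(LOCAL, PEER, 4500, NON_ESP_MARKER + _ike(2, 35, 0x20, 1)),  # IKE_AUTH response
    _udp_ip(PEER, LOCAL, 4500, NON_ESP_MARKER + _ike(2, 36, 0x08, 2)),  # CREATE_CHILD_SA request
    _udp_ip(PEER, LOCAL, 4500, NON_ESP_MARKER + _ike(2, 36, 0x08, 2)),  # ... retransmitted, no reply
    _udp_ip(LOCAL, PEER, 4500, b"\x00\x00\x00\x2a" + b"\0" * 16),       # ESP-in-UDP, skipped
])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    local = sys.argv[2] if len(sys.argv) > 2 else LOCAL
    for name, e in summarize(data, local).items():
        print(f"{name:18} peer requests={e['peer_requests']} local responses={e['local_responses']} "
              f"unanswered msg ids={sorted(e['unanswered'])}")
```

Run it as `python3 ike_summary.py /tmp/dump.pcap <RUTX50 WAN IP>` after copying the capture off the router; with no arguments it runs on the constructed capture and reports CREATE_CHILD_SA with two peer requests and no local response, which is the shape of the problem described in this thread. If every exchange is answered but the tunnel still fails, the cause is inside the encrypted payload (proposal or selector mismatch) and the strongSwan log, not the packet flow, is where to look.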

I ran the first 2 logs.

  • The second one is super long, but I guess it’s the same over and over a lot.

//Sten

Second one.

From the log above:
Thu Oct 12 13:41:07 2023 … scheduling reauthentification in -774s
Next line: maximum IKE_SA lifetime -234s

So you have a negative lifetime for the SA: it is destroyed as soon as it is established.

Beware: if you have modified either IKE Lifetime or Lifetime, the unit will be seconds, not hours as the initial greyed-out value would suggest.
Either set the full value in seconds or add the h suffix for hours.
@AndzejJ: this is an old pitfall, please do something about it; the old forum contains several similar issues.

1 Like
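The pitfall above (a bare number in the RutOS lifetime fields is seconds, not hours, and a too-small value shows up in the log as negative reauthentication and IKE_SA lifetime values) is easy to check mechanically. The script below is an added example, not from the forum or from Teltonika: `normalize_lifetime()` converts a UI value such as "3", "3h" or "28800" into seconds, `lifetime_is_safe()` says whether that value leaves room for strongSwan’s rekey margin, and `find_negative_lifetimes()` scans `logread | grep ipsec` output for the "scheduling reauthentication in …s" and "maximum IKE_SA lifetime …s" lines and returns the negative ones. Assumption: the margin check uses strongSwan’s ipsec.conf defaults margintime=9m and rekeyfuzz=100%, so the hard lifetime has to exceed 9m × (1 + 100%) = 1080 s for the schedule to stay positive. The sample log is constructed in logread format to mirror the values quoted in the thread.

```python
import re
import sys

_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}
DEFAULT_MARGIN_S = 9 * 60   # strongSwan ipsec.conf default margintime=9m (assumption)
DEFAULT_FUZZ = 1.0          # strongSwan ipsec.conf default rekeyfuzz=100% (assumption)


def normalize_lifetime(value: str) -> int:
    """'3' -> 3 (seconds, not hours!), '3h' -> 10800, '28800' -> 28800."""
    m = re.fullmatch(r"\s*(\d+)\s*([smhd]?)\s*", value)
    if not m:
        raise ValueError(f"unrecognised lifetime value {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2)]


def min_safe_lifetime(margin_s: int = DEFAULT_MARGIN_S, fuzz: float = DEFAULT_FUZZ) -> int:
    """Smallest lifetime for which lifetime - margin - random(0..fuzz*margin) stays > 0."""
    return int(margin_s * (1 + fuzz)) + 1


def lifetime_is_safe(value: str, margin_s: int = DEFAULT_MARGIN_S, fuzz: float = DEFAULT_FUZZ) -> bool:
    return normalize_lifetime(value) >= min_safe_lifetime(margin_s, fuzz)


# The thread's quote spells it "reauthentification"; strongSwan itself logs "reauthentication".
_SCHED_RE = re.compile(
    r"scheduling (?P<kind>reauthentication|reauthentification|rekeying) in (?P<s>-?\d+)s"
    r"|maximum IKE_SA lifetime (?P<life>-?\d+)s"
)


def find_negative_lifetimes(log_text: str) -> list:
    """Return (kind, seconds) for every scheduled time that is already negative."""
    found = []
    for line in log_text.splitlines():
        m = _SCHED_RE.search(line)
        if not m:
            continue
        if m.group("life") is not None:
            kind, secs = "ike_sa_lifetime", int(m.group("life"))
        else:
            kind = "rekey" if m.group("kind") == "rekeying" else "reauth"
            secs = int(m.group("s"))
        if secs < 0:
            found.append((kind, secs))
    return found


# Constructed sample in logread format, mirroring the values quoted in the thread.
SAMPLE_LOG = """\
Thu Oct 12 13:41:07 2023 daemon.info ipsec: 06[IKE] IKE_SA fortigate[3] established between 10.0.0.2[10.0.0.2]...203.0.113.10[203.0.113.10]
Thu Oct 12 13:41:07 2023 daemon.info ipsec: 06[IKE] scheduling reauthentification in -774s
Thu Oct 12 13:41:07 2023 daemon.info ipsec: 06[IKE] maximum IKE_SA lifetime -234s
Thu Oct 12 13:41:07 2023 daemon.info ipsec: 06[IKE] deleting IKE_SA fortigate[3] between 10.0.0.2[10.0.0.2]...203.0.113.10[203.0.113.10]
"""

if __name__ == "__main__":
    # Usage on the router: logread | grep ipsec | python3 check_lifetime.py
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    for kind, secs in find_negative_lifetimes(text):
        print(f"negative {kind}: {secs}s -> set a lifetime of at least {min_safe_lifetime()} s")
```

With the defaults assumed above, "3" (3 seconds) fails the check while "3h" (10800 s) and "28800" pass, which is exactly the difference the greyed-out field hides.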

Thanks, I changed that now.

  • Still, I don’t think that’s the main problem; it’s still not working.
  • P2 is still down.

//Sten

Do you have a new log?

You’re right, it’s still there in the new log even though I changed it.

//Sten

Lifetime and IKE_SA Lifetime are still negative. Which value did you use exactly?

I did change it to what you said, to seconds instead, but nothing happened.

  • Also tried with “h” at the end, and same.

So what I did was reset the router and redo it all again, and now it works. I got P2 up and running right away, so something was broken in the VPN.

//Sten

Hello,
I suggest you upgrade the firmware to the latest available, RutOS 7.5, released a few days ago, because I see fixes in the Changelog that might be important to you:

  • Services
  • Fixed IPsec VPN connection problem with small lifetime values
  • Fixed IPsec “Default Route” not working when Flow Offloading is enabled

Then repeat the troubleshooting to find out if something changed. If the problem still persists, try changing the IKE_SA Lifetime values (in seconds) to values that are not too short and not too big (usually with Fortigates I’m using → Lifetime Definition (IPSec SA renegotiation) of 28800 seconds).

Kind Regards.

This topic was automatically closed after 15 days. New replies are no longer allowed.