I’m trying to setup a IPsec VPN from a fortigate (ver 7.4) to a RUTX50 ( 220.127.116.11 )
I can get P1 upp and running but whatever i do p2 wont work.
- I run RUTX50 with 4 and 5g, and having a dyndns.
- Fortigate find the IP and all good.
I have seen some guides but they are all on old interface for Teltonik routern.
- My interface in RUTX50 looks complete diffrent from all the guides out there.
is there maybe a guide how you setup this ipsec?
While we do not have any configuration examples for Fortigate, we do have a more general configuration example here. If you want to see configurations between Teltonika and Fortigate, I would suggest search both, this forum, and our old forum here which is in read-only mode.
In case phase 2 fails, I would suggest checking phase 2 proposals, as well as selectors such as local/remote subnets. For firewall, you can check
if local/remote firewall is enabled (or disabled, depending on your network) in IPSec configurations → Connection settings → Advanced settings Tab. If you have multiple IPSec subnets, I would also suggest turning on ‘compatibility mode’ on the same page.
You can also view IPSec logs on RUTX50 to get more information about your issue. For this, you will need to access RUTX50 via CLI/SSH with username ‘root’ and execute the following commands:
logread | grep ipsec
Yeah i tried follow this guides and been looking around but can’t rly find my problem.
i have been on call with fortigate now for 4h and they tried and see if we could find anything on that side but nothing.
P1 works fine.
- Fortigate sends out data for P2 but we are not geting a respond from Teltonika.
- When we ran the sniffer trace, we are able to confirm that we are getting in and out packets for port 500 also
Is there any rules / settings i need to fix on Teltonika thats missing?
The first thing I would suggest is to check IPSec logs on the RUTX50 with the commands I have provided. You can remove any sensitive information from the logs, such as public IP addresses, and paste those here.
You can also capture all traffic with TCPDump to check what is being sent and save it to a pcap file. However, please do not share this file on the public forum here.
To install and run TCPdump on RUTX, you can use the following commands from CLI/SSH:
opkg install tcpdump
# qmimux0 is the mobile interface on RUTX50.
tcpdump -i qmimux0 -w /tmp/dump.pcap
Then you can download a pcap file from the router using SCP. For example, WinSCP.
From the log above:
Thu Oct 12 13:41:07 2023 … scheduling reauthentification in -774s
Next line: maximum IKE_SA lifetime -234s
So you have a negative lifetime for the SA, it is destroyed as soon as it is established.
Beware, if you have modified either IKE Lifetime or Lifetime the unit will be in seconds not hours as the initial greyed value would suggest.
Either set the full value in seconds or add the h suffix for hours.
@AndzejJ : this is an old pitfall, please do something about it the old forum contains several similar issues.
Thanks i changed that now.
- Still i dont think thats the main problem, still not working.
- P2 is still down.
You right its still there even if i changed it with the new log.
Lifetime and IKE_SA Lifetime are still negative. Which value did you use exactly ?
i did change it to what you said. to seconds instead but nothing did happen.
- Also tried with “h” in the end and same.
so what i did was to reset the router and redo it all again, and now it works. i got the p2 upp and running right away so something was broken in the vpn.
I suggest you to upgrade the firmware to the latest available and released a few days ago RutOS 7.5, because I see in the Changelog fixes that might be important to you:
- Fixed IPsec VPN connection problem with small lifetime values
- Fixed IPsec “Default Route” not working when Flow Offloading is enabled
Then, repeat troubleshooting to find if something changed, if the problem still persists try to change IKE_SA Lifetime values to the [seconds] not to short values and not too big
(usually with Fortigate’s I’m using → Lifetime Definition (IPSec SA renegotiation) as 28800 seconds)
This topic was automatically closed after 15 days. New replies are no longer allowed.