IPSEC VPN between 2 RUT951 not connecting

Hello,

I’m using two 4G RUT951 routers.

You’ll find below configurations of both ipsec and the result of ipsec statusall just after.
What I remarked is that when Remote endpoint (in GUI) or gateway (in CLI) is defined on the router, IPSEC won’t work for this router. But if the other router let this parameter empty for GUI or not set for CLI, IPSEC tunnel works on one way only. This is the part I don’t understand and I hope someone here will help. Sensitive data have been replaced by “X”.

Router 1 : 192.168.1.254/24 :

root@router1:~# cat /etc/config/ipsec

config ipsec
        option rtinstall_enabled '1'
        option make_before_break '0'

config remote 'r1_alpha'
        list transport 'r1_alpha_c'
        option multiple_secrets '0'
        option remote_identifier '192.168.2.254'
        option authentication_method 'psk'
        option pre_shared_key '0x6970736563'
        option local_identifier '192.168.1.254'
        option force_crypto_proposal '1'
        list crypto_proposal 'r1_alpha_ph1_1'
        option enabled '1'
        option gateway 'XXX.XXX.XXX.XXX' # <============== ?

config connection 'r1_alpha_c'
        option remote_firewall '0'
        option defaultroute '0'
        list crypto_proposal 'r1_alpha_ph2_1'
        option mode 'start'
        option forceencaps '0'
        option comp_mode '0'
        option type 'tunnel'
        option force_crypto_proposal '1'
        option dpd '0'
        option keyexchange 'ikev2'
        option flush '0'
        option local_firewall '0'
        option aggressive '0'
        list local_subnet '192.168.1.0/24'
        list remote_subnet '192.168.2.0/24'

config proposal 'r1_alpha_ph1_1'
        option encryption_algorithm 'aes256'
        option hash_algorithm 'sha256'
        option dh_group 'modp2048'

config proposal 'r1_alpha_ph2_1'
        option encryption_algorithm 'aes256'
        option hash_algorithm 'sha256'
        option dh_group 'modp2048'

Router 2 : 192.168.2.254/24` :
In the above configuration, VPN works from router 2 → 1 because no remote endpoint (gateway) have been set in the router 2. If I put the public IP address or FQDN of router 1, it won’t work anymore…

root@router2:~# cat /etc/config/ipsec

config ipsec
        option rtinstall_enabled '1'
        option make_before_break '0'

config remote 'r1_alpha'
        list transport 'r1_alpha_c'
        option multiple_secrets '0'
        option remote_identifier '192.168.1.254'
        option authentication_method 'psk'
        option pre_shared_key '0x6970736563'
        option local_identifier '192.168.2.254'
        list crypto_proposal 'r1_alpha_ph1_1'
        option force_crypto_proposal '1'
        option enabled '1'

config connection 'r1_alpha_c'
        option remote_firewall '0'
        option defaultroute '0'
        option mode 'start'
        option forceencaps '0'
        option comp_mode '0'
        option type 'tunnel'
        option dpd '0'
        option keyexchange 'ikev2'
        option flush '0'
        option aggressive '0'
        list crypto_proposal 'r1_alpha_ph2_1'
        option force_crypto_proposal '1'
        option local_firewall '0'
        list local_subnet '192.168.2.0/24'
        list remote_subnet '192.168.1.0/24'

config proposal 'r1_alpha_ph1_1'
        option encryption_algorithm 'aes256'
        option hash_algorithm 'sha256'
        option dh_group 'modp2048'

config proposal 'r1_alpha_ph2_1'
        option encryption_algorithm 'aes256'
        option hash_algorithm 'sha256'
        option dh_group 'modp2048'

Now let see what’s happen on each router.

root@router1:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.9.6, Linux 5.15.149, mips):
  uptime: 56 minutes, since Jul 05 15:19:49 2024
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 1
  loaded plugins: charon aes des sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pgp pem openssl pkcs8 xcbc hmac kernel-netlink socket-default stroke vici updown eap-identity eap-mschapv2 xauth-generic
Listening IP addresses:
  192.168.1.254
  fd64:a098:3b0e::1
  10.84.XXX.XXX
Connections:
r1_alpha-r1_alpha_c:  %any...193.YYY.YYY.YYY  IKEv2
r1_alpha-r1_alpha_c:   local:  [192.168.1.254] uses pre-shared key authentication
r1_alpha-r1_alpha_c:   remote: [192.168.2.254] uses pre-shared key authentication
r1_alpha-r1_alpha_c:   child:  192.168.1.0/24 === 192.168.2.0/24 TUNNEL
Security Associations (0 up, 1 connecting):
r1_alpha-r1_alpha_c[23]: CONNECTING, 10.84.XXX.XXX[%any]...193.YYY.YYY.YYY[%any]
r1_alpha-r1_alpha_c[23]: IKEv2 SPIs: c633152a7a09babe_i* 0000000000000000_r
r1_alpha-r1_alpha_c[23]: Tasks active: IKE_VENDOR IKE_INIT IKE_NATD IKE_CERT_PRE IKE_AUTH IKE_CERT_POST IKE_CONFIG CHILD_CREATE IKE_AUTH_LIFETIME IKE_MOBIKE
root@RUT951:~# ipsec status
Security Associations (0 up, 1 connecting):
r1_alpha-r1_alpha_c[23]: CONNECTING, 10.84.XXX.XXX[%any]...193.YYY.YYY.YYY[%any]
root@router2:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.9.6, Linux 5.15.149, mips):
  uptime: 39 minutes, since Jul 05 15:55:29 2024
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon aes des sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pgp pem openssl pkcs8 xcbc hmac kernel-netlink socket-default stroke vici updown eap-identity eap-mschapv2 xauth-generic
Listening IP addresses:
  192.168.2.254
  fdd4:f74e:9ac6::1
  10.84.XXX.XXX
Connections:
r1_alpha-r1_alpha_c:  %any...%any  IKEv2
r1_alpha-r1_alpha_c:   local:  [192.168.2.254] uses pre-shared key authentication
r1_alpha-r1_alpha_c:   remote: [192.168.1.254] uses pre-shared key authentication
r1_alpha-r1_alpha_c:   child:  192.168.2.0/24 === 192.168.1.0/24 TUNNEL
Security Associations (0 up, 0 connecting):
  none

Any help would be appreciate, I’m totally stuck there …

Hello,

Thanks for reaching out!

You are trying to create a VPN tunnel between 2 routers and the IP addresses are both private.
At least one of them should have public IP.
You can find detailed information from this link.

I also recommend you to check this so you can understand the difference between public/private IP addresses deeply.

If you don’t have any public IP, I recommend you to use Zerotier which doesn’t require any public IP. You can reach detailed information from here.

Regards,
Caner

1 Like

Dear Caner,

Thanks for your message. I’m a network and systems administrator, I assure you, I saw that my 4G gateway was a class C private IP. And I am also used to the OpenWRT interface, because I myself have to home a router that is installed with OpenWRT. I think I have more of a network problem than anything else. What is strange with the default configuration of these routers is that I do have a WAN IP but yet if I do an ifstatus wan, here is what I get:

ifstatus wan
{
        "up": false,
        "pending": true,
        "available": true,
        "autostart": true,
        "dynamic": false,
        "proto": "dhcp",
        "device": "eth0.2",
        "data": {

        }
}

On my home router, this command returns up: true

However, I have Internet (here I am connected to the router) and I also have a WAN IP distinct from the private IP 10.84.x.x provided in my last message. What do you think ?

EDIT
If I do a ip route I get :

ip route
default dev qmimux0 proto static scope link src 10.84.X.X metric 3
10.84.X.X dev qmimux0 proto static scope link metric 3
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.254

According to this post :

ip -4 addr show ${link_name} | sed -Ene 's/^.*inet ([0-9.]+)\/.*$/\1/p'
127.0.0.1
192.168.1.254
10.84.X.X

But if I’m going to this kind of websites, I got my masquerade address, which looks like :

Also, here is my WAN interfaces and view of firewall’s zones.


Kind regards

It seems I have a problem of NAT Traversal, but I can’t find in the configuration where to manage this parameter, if someone have a solution or an explanation?

Hello,

You can reach the desired pages from here and here

But there could be another issues. Can you please send the IPSec VPN tunnel’s log to me?
Please do not forget to blur the critical informations.
You can reach the logs of IPSec from here.

Kind Regards,
Caner