IPSEC VPN configuration not visible in GUI after upgrade to 07.05.3

I’ve upgraded my RUTX50 from version RUTX_R_00.07.04.5 to RUTX_R_00.07.05.3 but I can no longer see the VPN (IPSEC) configuration from the GUI.

The “ipsec status” command from CLI shows that the tunnels are still up/running. From a network point of view they are working correctly, so there is only a display issue in the GUI. The “uci show ipsec” shows all the correct information as well.

Here are the UCI settings from the running (upgraded) device:

ipsec.@ipsec[0]=ipsec
ipsec.@ipsec[0].rtinstall_enabled='1'
ipsec.@ipsec[0].make_before_break='0'
ipsec.CustomerX=remote
ipsec.CustomerX.crypto_proposal='CustomerX_ph1'
ipsec.CustomerX.enabled='1'
ipsec.CustomerX._multiple_secrets='0'
ipsec.CustomerX.force_crypto_proposal='1'
ipsec.CustomerX.gateway='vpnmgmt.CustomerX.nl'
ipsec.CustomerX.authentication_method='psk'
ipsec.CustomerX.pre_shared_key='xxxxxxxxxxxxxx'
ipsec.CustomerX.local_identifier='XXX-RTR01'
ipsec.CustomerX.remote_identifier='XXX-FW02'
ipsec.CustomerX.tunnel='CustomerX_c'
ipsec.CustomerX_c=connection
ipsec.CustomerX_c.crypto_proposal='CustomerX_ph2'
ipsec.CustomerX_c.defaultroute='0'
ipsec.CustomerX_c.aggressive='no'
ipsec.CustomerX_c.forceencaps='no'
ipsec.CustomerX_c.local_firewall='yes'
ipsec.CustomerX_c.remote_firewall='yes'
ipsec.CustomerX_c.comp_mode='1'
ipsec.CustomerX_c._dpd='1'
ipsec.CustomerX_c.force_crypto_proposal='1'
ipsec.CustomerX_c.mode='start'
ipsec.CustomerX_c.type='tunnel'
ipsec.CustomerX_c.lifetime='12h'
ipsec.CustomerX_c.ikelifetime='24h'
ipsec.CustomerX_c.local_subnet='10.101.128.0/25' '10.100.128.254/32'
ipsec.CustomerX_c.remote_subnet='10.20.0.0/16' '192.168.222.0/24'
ipsec.CustomerX_c.keyexchange='ikev2'
ipsec.CustomerX_c.dpdaction='restart'
ipsec.CustomerX_ph1=proposal
ipsec.CustomerX_ph1.encryption_algorithm='aes256'
ipsec.CustomerX_ph1.hash_algorithm='sha256'
ipsec.CustomerX_ph1.dh_group='modp2048'
ipsec.CustomerX_ph2=proposal
ipsec.CustomerX_ph2.encryption_algorithm='aes256'
ipsec.CustomerX_ph2.hash_algorithm='sha256'
ipsec.CustomerX_ph2.dh_group='modp2048'

Here are the UCI commands used to configure the VPN initially (the template we use):

uci set ipsec.@ipsec[0].rtinstall_enabled=1

uci set ipsec.CustomerX=remote
uci set ipsec.CustomerX.crypto_proposal='CustomerX_ph1'
uci set ipsec.CustomerX.enabled='1'
uci set ipsec.CustomerX._multiple_secrets='0'
uci set ipsec.CustomerX.force_crypto_proposal='1'
uci set ipsec.CustomerX.gateway='vpnmgmt.CustomerX.nl'
uci set ipsec.CustomerX.authentication_method='psk'
uci set ipsec.CustomerX.pre_shared_key='XXXXXXXXXXXX'
uci set ipsec.CustomerX.local_identifier='XXX-RTR01'
uci set ipsec.CustomerX.remote_identifier='XXX-FW02'
uci add_list ipsec.CustomerX.tunnel='CustomerX_c'

uci set ipsec.CustomerX_c=connection
uci set ipsec.CustomerX_c.crypto_proposal='CustomerX_ph2'
uci set ipsec.CustomerX_c.defaultroute='0'
uci set ipsec.CustomerX_c.aggressive='no'
uci set ipsec.CustomerX_c.forceencaps='no'
uci set ipsec.CustomerX_c.local_firewall='yes'
uci set ipsec.CustomerX_c.remote_firewall='yes'
uci set ipsec.CustomerX_c.comp_mode='1'
uci set ipsec.CustomerX_c._dpd='1'
uci set ipsec.CustomerX_c.force_crypto_proposal='1'
uci set ipsec.CustomerX_c.mode='start'
uci set ipsec.CustomerX_c.type='tunnel'
uci set ipsec.CustomerX_c.lifetime='12h'
uci set ipsec.CustomerX_c.ikelifetime='24h'
uci add_list ipsec.CustomerX_c.local_subnet='10.101.128.0/25'
uci add_list ipsec.CustomerX_c.local_subnet='10.100.128.254/32'
uci add_list ipsec.CustomerX_c.remote_subnet='10.20.0.0/16'
uci add_list ipsec.CustomerX_c.remote_subnet='192.168.222.0/24'
uci set ipsec.CustomerX_c.keyexchange='ikev2'
uci set ipsec.CustomerX_c.dpdaction='restart'

uci set ipsec.CustomerX_ph1=proposal
uci set ipsec.CustomerX_ph1.encryption_algorithm='aes256'
uci set ipsec.CustomerX_ph1.hash_algorithm='sha256'
uci set ipsec.CustomerX_ph1.dh_group='modp2048'

uci set ipsec.CustomerX_ph2=proposal
uci set ipsec.CustomerX_ph2.encryption_algorithm='aes256'
uci set ipsec.CustomerX_ph2.hash_algorithm='sha256'
uci set ipsec.CustomerX_ph2.dh_group='modp2048'

I don’t know the prior firmware versions. But this configuration has been used for years already, so we’ve seen quite a few.

My previous topic was closed, so I had to create a new one.

Hi, it looks like some values have been changed from string to boolean type in configuration and also some options were set as list type. Try to run the following UCI commands and then restart IPsec service using /etc/init.d/ipsec restart

UCI commands:

uci set ipsec.@ipsec[0].rtinstall_enabled=1

uci set ipsec.CustomerX=remote
uci add_list ipsec.CustomerX.crypto_proposal='CustomerX_ph1'
uci set ipsec.CustomerX.enabled='0'
uci set ipsec.CustomerX._multiple_secrets='0'
uci set ipsec.CustomerX.force_crypto_proposal='1'
uci set ipsec.CustomerX.gateway='vpnmgmt.CustomerX.nl'
uci set ipsec.CustomerX.authentication_method='psk'
uci set ipsec.CustomerX.pre_shared_key='XXXXXXXXXXXXXXXXX'
uci set ipsec.CustomerX.local_identifier='XXX-RTR01'
uci set ipsec.CustomerX.remote_identifier='XXX-FW02'
uci add_list ipsec.CustomerX.tunnel='CustomerX_c'

uci set ipsec.CustomerX_c=connection
uci add_list ipsec.CustomerX_c.crypto_proposal='CustomerX_ph2'
uci set ipsec.CustomerX_c.defaultroute='0'
uci set ipsec.CustomerX_c.aggressive='0'
uci set ipsec.CustomerX_c.forceencaps='0'
uci set ipsec.CustomerX_c.local_firewall='0'
uci set ipsec.CustomerX_c.remote_firewall='0'
uci set ipsec.CustomerX_c.comp_mode='1'
uci set ipsec.CustomerX_c._dpd='1'
uci set ipsec.CustomerX_c.force_crypto_proposal='1'
uci set ipsec.CustomerX_c.mode='start'
uci set ipsec.CustomerX_c.type='tunnel'
uci set ipsec.CustomerX_c.lifetime='12h'
uci set ipsec.CustomerX_c.ikelifetime='24h'
uci add_list ipsec.CustomerX_c.local_subnet='10.101.128.0/25'
uci add_list ipsec.CustomerX_c.local_subnet='10.100.128.254/32'
uci add_list ipsec.CustomerX_c.remote_subnet='10.20.0.0/16'
uci add_list ipsec.CustomerX_c.remote_subnet='192.168.222.0/24'
uci set ipsec.CustomerX_c.keyexchange='ikev2'
uci set ipsec.CustomerX_c.dpdaction='restart'
uci set ipsec.CustomerX_c.flush='0'

uci set ipsec.CustomerX_ph1=proposal
uci set ipsec.CustomerX_ph1.encryption_algorithm='aes256'
uci set ipsec.CustomerX_ph1.hash_algorithm='sha256'
uci set ipsec.CustomerX_ph1.dh_group='modp2048'

uci set ipsec.CustomerX_ph2=proposal
uci set ipsec.CustomerX_ph2.encryption_algorithm='aes256'
uci set ipsec.CustomerX_ph2.hash_algorithm='sha256'
uci set ipsec.CustomerX_ph2.dh_group='modp2048'

uci commit

You can throw this newer variant of UCI commands into a text compare utility (Notepad or something like this) to see the exact changes.

P.S. if anything goes wrong, you may start over by copying base IPsec file with minimal config from ROM using this command:
cp /rom/etc/config/ipsec /etc/config/ipsec

Do note that this action will nuke the entire IPsec config file, so don’t use it if you want to preserve at least some part of IPsec config file.

EDIT: forgot to mention - it’s best to run these commands without any pre-existing IPsec configuration, just to be sure that no conflicting config will occur.

1 Like
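
The text-compare step suggested above, as an added example that is not part of either post: a Python script that diffs excerpts of the two templates from this thread and separates pure type conversions (`set` to `add_list`, `yes`/`no` to `1`/`0`) from options whose value also differs. The `yes` to `1` / `no` to `0` mapping and the names `parse` and `compare` are assumptions made for the example.

```python
import re

# Excerpts copied from the two templates posted in this thread.
OLD = """
uci set ipsec.CustomerX.crypto_proposal='CustomerX_ph1'
uci set ipsec.CustomerX.enabled='1'
uci set ipsec.CustomerX_c.aggressive='no'
uci set ipsec.CustomerX_c.local_firewall='yes'
uci set ipsec.CustomerX_c.keyexchange='ikev2'
"""
NEW = """
uci add_list ipsec.CustomerX.crypto_proposal='CustomerX_ph1'
uci set ipsec.CustomerX.enabled='0'
uci set ipsec.CustomerX_c.aggressive='0'
uci set ipsec.CustomerX_c.local_firewall='0'
uci set ipsec.CustomerX_c.keyexchange='ikev2'
uci set ipsec.CustomerX_c.flush='0'
"""
LINE = re.compile(r"uci\s+(set|add_list)\s+([\w.@\[\]]+)=['\"]?(.*?)['\"]?$")
BOOL = {"yes": "1", "no": "0"}  # assumed string-to-boolean mapping

def parse(text):
    """Map option path -> (verb, [values]); add_list values accumulate."""
    opts = {}
    for line in text.splitlines():
        if m := LINE.match(line.strip()):
            verb, key, val = m.groups()
            prev = opts.get(key, (verb, []))[1] if verb == "add_list" else []
            opts[key] = (verb, prev + [val])
    return opts

def compare(old_text, new_text):
    """Classify each differing option so value changes stand out from type changes."""
    old, new, report = parse(old_text), parse(new_text), {}
    for key in sorted(old.keys() | new.keys()):
        (overb, ovals), (nverb, nvals) = old.get(key, ("", [])), new.get(key, ("", []))
        if key not in old or key not in new:
            report[key] = "added" if key in new else "removed"
        elif [BOOL.get(v, v) for v in ovals] != nvals:
            report[key] = f"VALUE CHANGED {ovals} -> {nvals}, review"
        elif ovals != nvals:
            report[key] = "bool conversion"
        elif overb != nverb:
            report[key] = f"{overb} -> {nverb}"
    return report

if __name__ == "__main__":
    for key, note in compare(OLD, NEW).items():
        print(f"{key:42} {note}")
```

On these excerpts, `enabled` and `local_firewall` are reported as value changes rather than conversions, so they are the lines to check against the intended tunnel and firewall behaviour before running `uci commit`.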

I removed the old VPN config, changed my template with the new booleans and add_list options, applied it, and it worked. Should the config not have been converted to the new options to be compatible with upgrades? Thanks!
