RUT200 vs IRZ IPSEC issue

Having issues with IPSEC tunnel over mobile network between RUT200 and IRZ (remote device, exact model unknown, have limited access).
The main problem is that tunnel is “likely” established, but there is no traffic through (even pings).
I have 2 different behaviors that happens 50/50 after reboot.
(cannot upload logs due to community rules, so in brief…)

  1. Tunnel is “likely” established ( UP on both sides, all is OK in log) but there is no traffic and pings from both sides;
  2. After a short time while phase 2 is OK, receiving:
    …detected reauth of existing IKE_SA, adopting 1 children and 0 virtual IPs…
    …schedule delete of duplicate IKE_SA…
    then appearing instance 2, deleting 1, receiving “delete” for 2, and from the beginning.
    1-3 iterations and stops on:
    … IKE_SA … established between …

    … generating ID_PROT response 0 [ ID HASH ]
    … sending packet:…
    Full stop [ no 2nd phase]. Status “disconnected”. But in this case on IRZ side there is 50/50 probability to see that tunnel is UP somehow.

Experimented with lifetime (no result), “exclude IPSEC from NAT” is ON, can’t use IKEv2 due to restrictions on IRZ side, experimented with firewall (force allow forwarding for addresses used in IPSEC despite there is a “factory” rule - same).
Have very limited access to IRZ side so I have to find “workaround” here - for RUT200.

Still cannot find a rational solution.
Looking forward to receive some help.
Thanks in advance.


Beware, the unit is in seconds not hours.

1 Like

Yup, I know (and there are also *h, *m etc). NP with that. The goal in that experiment was to prevent “racing” in reauth/rekeying in case 2 using different lifetimes. But no luck. That was not the cause.

Finally I’ve got to the IRZ, against all odds.
The problem was on it’s side (wrong network/mask, so there were more than 1 node to establish the same tunnel).
That explains what I was seeing in logs (+1 to Teltonika btw).

Hope that it would useful for someone.

This topic was automatically closed after 15 days. New replies are no longer allowed.