Hello there,
I have a problem with an IPsec Tunnel which does not start.
After updating a RUTX11 in a mobile (4G) application from FW 07.06.3 to 07.11.3 there is the problem that the IPsec Tunnel does not start any more. It can be started only if the IPsec-Configuration is disabled and enabled via WebUI or restarted via CLI.
With FW 07.06.3 there was no problem. IPsec Tunnel was always on. To keep IPsec Connection always alive, DPD was enabled with DPDDelay of 30.
The IPsec Tunnel terminates at a Bintec be_ip plus router at the other side.
To start the IPsec Tunnel (with FW 07.11.3) - at least at Startup and Reset - I copied a User Script which was provided in this forum to start IPsec after a Mobile Connection is established:
#!/bin/sh
# Wait for the mobile interface to come up before restarting IPsec
sleep 60
if ifstatus mob1s1a1 | grep -q '"up": true'; then
    /etc/init.d/swanctl restart
fi
This works properly at startup, but after e.g. an interruption of the Mobile Connection the IPsec does not start again. Dead Peer Detection seems not to work in this case.
Can anybody help to get a stable always-on IPsec Connection, which starts after power-on and restarts automatically after things like an interruption of the WAN Connection?
Thank You.
I have updated the RUTX11 to FW 11.12 and also I deleted the user script (“Restart IPsec” I mentioned in 1st post).
Unfortunately the Problem still occurs.
Even at Startup (power on) or reset the IPsec Tunnel does not start.
After deactivating and activating the IPsec Tunnel by WebUI the Tunnel is established and working properly.
I saved the logs of the non-working case and of the successfully established case.
Last log lines of working case:
984 Wed Jan 22 20:16:18 2025 daemon.info ipsec: 10[CFG] <ASKONAv2|1> selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
985 Wed Jan 22 20:16:18 2025 daemon.info ipsec: 10[CFG] <ASKONAv2|1> selecting traffic selectors for us:
986 Wed Jan 22 20:16:18 2025 daemon.info ipsec: 10[CFG] <ASKONAv2|1> config: 192.168.32.0/24, received: 192.168.32.0/24 => match: 192.168.32.0/24
987 Wed Jan 22 20:16:18 2025 daemon.info ipsec: 10[CFG] <ASKONAv2|1> selecting traffic selectors for other:
988 Wed Jan 22 20:16:18 2025 daemon.info ipsec: 10[CFG] <ASKONAv2|1> config: 192.168.0.0/20, received: 192.168.0.0/20 => match: 192.168.0.0/20
989 Wed Jan 22 20:16:18 2025 daemon.info ipsec: 10[IKE] <ASKONAv2|1> CHILD_SA ASKONAv2_c{1} established with SPIs cxxxxxxe_i 1xxxxxxc_o and TS 192.168.32.0/24 === 192.168.0.0/20
Last log lines of not working case:
739 Wed Jan 22 20:10:42 2025 daemon.info ipsec: 16[IKE] <ASKONAv2|2> establishing CHILD_SA ASKONAv2_c{1}
740 Wed Jan 22 20:10:42 2025 daemon.info ipsec: 16[ENC] <ASKONAv2|2> generating CREATE_CHILD_SA request 2 [ SA No KE TSi TSr ]
741 Wed Jan 22 20:10:42 2025 daemon.info ipsec: 16[NET] <ASKONAv2|2> sending packet: from 37.xxx.xxx.204[4500] to 91.xxx.xxx.251[4500] (576 bytes)
742 Wed Jan 22 20:10:42 2025 daemon.info ipsec: 08[NET] <ASKONAv2|2> received packet: from 91.xxx.xxx.251[4500] to 37.xxx.xxx.204[4500] (96 bytes)
743 Wed Jan 22 20:10:42 2025 daemon.info ipsec: 08[ENC] <ASKONAv2|2> parsed CREATE_CHILD_SA response 2 [ N(NO_PROP) ]
744 Wed Jan 22 20:10:42 2025 daemon.info ipsec: 08[IKE] <ASKONAv2|2> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
745 Wed Jan 22 20:10:42 2025 daemon.info ipsec: 08[CFG] <ASKONAv2|2> configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ, ESP:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/NO_EXT_SEQ
746 Wed Jan 22 20:10:42 2025 daemon.info ipsec: 08[IKE] <ASKONAv2|2> failed to establish CHILD_SA, keeping IKE_SA
771 Wed Jan 22 20:11:12 2025 daemon.info ipsec: 09[IKE] <ASKONAv2|2> sending DPD request
772 Wed Jan 22 20:11:12 2025 daemon.info ipsec: 09[ENC] <ASKONAv2|2> generating INFORMATIONAL request 3
773 Wed Jan 22 20:11:12 2025 daemon.info ipsec: 09[NET] <ASKONAv2|2> sending packet: from 37.xxx.xxx.204[4500] to 91.xxx.xxx.251[4500] (96 bytes)
774 Wed Jan 22 20:11:12 2025 daemon.info ipsec: 14[NET] <ASKONAv2|2> received packet: from 91.xxx.xxx.251[4500] to 37.xxx.xxx.204[4500] (96 bytes)
775 Wed Jan 22 20:11:12 2025 daemon.info ipsec: 14[ENC] <ASKONAv2|2> parsed INFORMATIONAL response 3
If these complete logs are helpful for you, I can send them to you (by PM?).
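
As an added example (not part of the original posts, and not Teltonika or strongSwan code): in the failing log the IKE_SA is kept after NO_PROPOSAL_CHOSEN and the DPD request is answered, so dead peer detection sees a live peer while no CHILD_SA exists. The script below classifies that state from the syslog lines; the function name `tunnel_state` and the verdict strings are made up for this example.

```shell
#!/bin/sh
# Added example, not from the original posts. Reads charon syslog lines on
# stdin and prints "<connection> <verdict>" per connection, in first-seen order.
tunnel_state() {
    awk '
    { conn = "" }
    # The connection name sits between "<" and "|", e.g. <ASKONAv2|2>.
    match($0, /<[^|>]+[|][0-9]+>/) {
        conn = substr($0, RSTART + 1, RLENGTH - 2)
        sub(/[|].*/, "", conn)
        if (!(conn in state)) { order[++n] = conn; state[conn] = "UNKNOWN" }
    }
    conn == "" { next }
    /CHILD_SA .* established with SPIs/ { state[conn] = "CHILD_UP"; kept[conn] = 0; dpd[conn] = 0 }
    /received NO_PROPOSAL_CHOSEN notify/ { state[conn] = "NO_PROPOSAL_CHOSEN" }
    /failed to establish CHILD_SA, keeping IKE_SA/ { kept[conn] = 1 }
    # An INFORMATIONAL response after the failure (the DPD reply in the log
    # above): the peer is alive at IKE level, so DPD has nothing to act on.
    /parsed INFORMATIONAL response/ && state[conn] == "NO_PROPOSAL_CHOSEN" { dpd[conn] = 1 }
    END {
        for (i = 1; i <= n; i++) {
            c = order[i]; v = state[c]
            if (v == "NO_PROPOSAL_CHOSEN" && kept[c] && dpd[c]) v = "IKE_UP_NO_CHILD_DPD_ANSWERED"
            print c, v
        }
    }'
}

# Excerpts of the log lines quoted in the posts above.
failed_log() { cat <<'EOF'
744 Wed Jan 22 20:10:42 2025 daemon.info ipsec: 08[IKE] <ASKONAv2|2> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
746 Wed Jan 22 20:10:42 2025 daemon.info ipsec: 08[IKE] <ASKONAv2|2> failed to establish CHILD_SA, keeping IKE_SA
771 Wed Jan 22 20:11:12 2025 daemon.info ipsec: 09[IKE] <ASKONAv2|2> sending DPD request
775 Wed Jan 22 20:11:12 2025 daemon.info ipsec: 14[ENC] <ASKONAv2|2> parsed INFORMATIONAL response 3
EOF
}
working_log() { cat <<'EOF'
989 Wed Jan 22 20:16:18 2025 daemon.info ipsec: 10[IKE] <ASKONAv2|1> CHILD_SA ASKONAv2_c{1} established with SPIs cxxxxxxe_i 1xxxxxxc_o and TS 192.168.32.0/24 === 192.168.0.0/20
EOF
}

failed_log | tunnel_state    # -> ASKONAv2 IKE_UP_NO_CHILD_DPD_ANSWERED
working_log | tunnel_state   # -> ASKONAv2 CHILD_UP
```

On the router the same function can be fed from the system log, for example `logread | tunnel_state`, assuming `logread` and `awk` are available on the firmware.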