RUTX50 - IPSEC VPN DAIP with certificate

Hi there community,

We’ve been trying for days to make the following configuration work:

Creating an IPsec VPN connection using a certificate:

  1. RUTX50 with dynamic IP
  2. CheckPoint Firewall

Generated self-signed certificates (CA and server side) and imported them into the RUTX50 and the Check Point firewall (signed on both sides).

Now, when I start the VPN, the connection never completes:

Thu Aug 22 08:39:10 2024 daemon.info ipsec: 11[IKE] <CHKP-CHKP_c|424> initiating IKE_SA CHKP-CHKP_c[424] to xxx.xx.xx.xx
Thu Aug 22 08:39:10 2024 daemon.info ipsec: 11[ENC] <CHKP-CHKP_c|424> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Thu Aug 22 08:39:10 2024 daemon.info ipsec: 11[NET] <CHKP-CHKP_c|424> sending packet: from xxx.xx.xx.xx[500] to xxx.xx.xx.xx[500] (884 bytes)
Thu Aug 22 08:39:10 2024 daemon.info ipsec: 01[NET] <CHKP-CHKP_c|424> received packet: from xxx.xx.xx.xx[500] to xxx.xx.xx.xx[500] (228 bytes)
Thu Aug 22 08:39:10 2024 daemon.info ipsec: 01[ENC] <CHKP-CHKP_c|424> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Thu Aug 22 08:39:10 2024 daemon.info ipsec: 01[CFG] <CHKP-CHKP_c|424> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_256
Thu Aug 22 08:39:10 2024 daemon.info ipsec: 01[IKE] <CHKP-CHKP_c|424> sending cert request for "CN=daipvpn"
Thu Aug 22 08:39:10 2024 daemon.info ipsec: 01[IKE] <CHKP-CHKP_c|424> authentication of 'CN=rutx50_test1' (myself) with RSA signature successful
Thu Aug 22 08:39:10 2024 daemon.info ipsec: 01[IKE] <CHKP-CHKP_c|424> establishing CHILD_SA CHKP-CHKP_c{1271}
Thu Aug 22 08:39:10 2024 daemon.info ipsec: 01[ENC] <CHKP-CHKP_c|424> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Thu Aug 22 08:39:10 2024 daemon.info ipsec: 01[NET] <CHKP-CHKP_c|424> sending packet: from xxx.xx.xx.xx[4500] to xxx.xx.xx.xx[4500] (672 bytes)
Thu Aug 22 08:39:14 2024 daemon.info ipsec: 14[IKE] <CHKP-CHKP_c|424> retransmit 1 of request with message ID 1
Thu Aug 22 08:39:14 2024 daemon.info ipsec: 14[NET] <CHKP-CHKP_c|424> sending packet: from xxx.xx.xx.xx[4500] to xxx.xx.xx.xx[4500] (672 bytes)
Thu Aug 22 08:39:22 2024 daemon.info ipsec: 08[IKE] <CHKP-CHKP_c|424> retransmit 2 of request with message ID 1
Thu Aug 22 08:39:22 2024 daemon.info ipsec: 08[NET] <CHKP-CHKP_c|424> sending packet: from xxx.xx.xx.xx[4500] to xxx.xx.xx.xx[4500] (672 bytes)
Thu Aug 22 08:39:34 2024 daemon.info ipsec: 05[IKE] <CHKP-CHKP_c|424> retransmit 3 of request with message ID 1
Thu Aug 22 08:39:34 2024 daemon.info ipsec: 05[NET] <CHKP-CHKP_c|424> sending packet: from xxx.xx.xx.xx[4500] to xxx.xx.xx.xx[4500] (672 bytes)
Thu Aug 22 08:39:58 2024 daemon.info ipsec: 01[IKE] <CHKP-CHKP_c|424> giving up after 3 retransmits
Thu Aug 22 08:39:58 2024 daemon.info ipsec: 01[IKE] <CHKP-CHKP_c|424> peer not responding, trying again (3/3)

We could imagine that something is wrong on the Check Point firewall, but in its logs I can see the following:

[iked 29652 4071057408]@sw-fw002[22 Aug 9:01:42][ikev2] ikeAuthExchange_r::expectedPayloadTypesExist: Cannot authenticate peer: RSA sig is configured but no certificate has been sent.

When I look at a log from a strongSwan example, I see this:

Mar 19 11:28:53 moon charon-systemd: 09[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519
Mar 19 11:28:53 moon charon-systemd: 09[IKE] received cert request for "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
Mar 19 11:28:53 moon charon-systemd: 09[IKE] sending cert request for "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
Mar 19 11:28:53 moon charon-systemd: 09[IKE] authentication of 'moon.strongswan.org' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
Mar 19 11:28:53 moon charon-systemd: 09[IKE] sending end entity cert "C=CH, O=strongSwan Project, CN=moon.strongswan.org"
Mar 19 11:28:53 moon charon-systemd: 09[IKE] establishing CHILD_SA net-net{1}

Does anybody have good experience in such configuration?

I have to mention that when I configure the IPsec VPN with a shared secret, it works. But of course that is not usable in our case, as our IP is dynamic.

Help would be much appreciated.

Thanks in advance.

I’m able to reproduce this problem using a strongSwan IKE service on a Debian Linux host that gets its IP via DHCP.

The Check Point logs say: “Cannot authenticate peer: RSA sig is configured but no certificate has been sent.”

The Check Point end seems to require a CERT Payload in the IKEv2 Authentication phase.

In strongSwan this can be corrected using the connection option “send_cert = always”, set per connection in swanctl.conf:

connections {
    conn_name {
        send_cert = always
    }
}

Unfortunately, I don’t know how to make this modification in the Teltonika implementation.
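For anyone comparing their own charon output against the two excerpts in this thread, the script below is an added diagnostic, not code from the thread or from Teltonika or strongSwan. It groups charon lines by IKE_SA tag and flags the symptom discussed here: the initiator authenticates itself with an RSA signature, but its IKE_AUTH request lists no CERT payload (only CERTREQ) and no "sending end entity cert" line precedes it, after which the peer never answers and charon gives up. The two sample logs are constructed from the excerpts above (addresses redacted as posted; the strongSwan "moon" lines are given an assumed `<net-net|1>` SA tag so they parse the same way).

```python
"""Flag IKEv2 initiators that authenticate with RSA but never send a CERT payload.

Added diagnostic for strongSwan/charon logs (not part of the thread). Groups lines
by the <conn|id> IKE_SA tag and reports per-SA findings.
"""
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the RUTX50 excerpt posted in the thread.
SAMPLE_LOG = """\
Thu Aug 22 08:39:10 2024 daemon.info ipsec: 11[IKE] <CHKP-CHKP_c|424> initiating IKE_SA CHKP-CHKP_c[424] to xxx.xx.xx.xx
Thu Aug 22 08:39:10 2024 daemon.info ipsec: 01[IKE] <CHKP-CHKP_c|424> sending cert request for "CN=daipvpn"
Thu Aug 22 08:39:10 2024 daemon.info ipsec: 01[IKE] <CHKP-CHKP_c|424> authentication of 'CN=rutx50_test1' (myself) with RSA signature successful
Thu Aug 22 08:39:10 2024 daemon.info ipsec: 01[ENC] <CHKP-CHKP_c|424> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) ]
Thu Aug 22 08:39:14 2024 daemon.info ipsec: 14[IKE] <CHKP-CHKP_c|424> retransmit 1 of request with message ID 1
Thu Aug 22 08:39:22 2024 daemon.info ipsec: 08[IKE] <CHKP-CHKP_c|424> retransmit 2 of request with message ID 1
Thu Aug 22 08:39:34 2024 daemon.info ipsec: 05[IKE] <CHKP-CHKP_c|424> retransmit 3 of request with message ID 1
Thu Aug 22 08:39:58 2024 daemon.info ipsec: 01[IKE] <CHKP-CHKP_c|424> giving up after 3 retransmits
"""

# Constructed healthy sample, modelled on the strongSwan "moon" excerpt; the
# <net-net|1> SA tag is an assumption added so both logs parse identically.
HEALTHY_LOG = """\
Mar 19 11:28:53 moon charon-systemd: 09[IKE] <net-net|1> authentication of 'moon.strongswan.org' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
Mar 19 11:28:53 moon charon-systemd: 09[IKE] <net-net|1> sending end entity cert "C=CH, O=strongSwan Project, CN=moon.strongswan.org"
Mar 19 11:28:53 moon charon-systemd: 09[ENC] <net-net|1> generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr ]
"""

SA_TAG = re.compile(r"<(?P<sa>[^|>]+)\|(?P<id>\d+)>\s+(?P<msg>.*)$")
IKE_AUTH = re.compile(r"generating IKE_AUTH request \d+ \[ (?P<payloads>[^\]]*)\]")
RSA_AUTH = re.compile(r"authentication of '[^']+' \(myself\) with RSA")
END_CERT = re.compile(r'sending end entity cert "')
RETRANSMIT = re.compile(r"retransmit \d+ of request with message ID \d+")
GIVE_UP = re.compile(r"giving up after \d+ retransmits")


@dataclass
class SaState:
    rsa_auth: bool = False                 # we signed our AUTH payload with RSA
    sent_end_entity_cert: bool = False     # charon logged sending our own cert
    ike_auth_payloads: list = field(default_factory=list)  # payload list of IKE_AUTH request
    retransmits: int = 0
    gave_up: bool = False


def parse(log: str) -> dict:
    """Return {"conn|id": SaState} built from the tagged charon lines in `log`."""
    states: dict = {}
    for line in log.splitlines():
        m = SA_TAG.search(line)
        if not m:
            continue  # untagged lines (e.g. daemon startup) carry no per-SA state
        st = states.setdefault(f"{m['sa']}|{m['id']}", SaState())
        msg = m["msg"]
        if RSA_AUTH.search(msg):
            st.rsa_auth = True
        if END_CERT.search(msg):
            st.sent_end_entity_cert = True
        pm = IKE_AUTH.search(msg)
        if pm:
            st.ike_auth_payloads = pm["payloads"].split()
        if RETRANSMIT.search(msg):
            st.retransmits += 1
        if GIVE_UP.search(msg):
            st.gave_up = True
    return states


def findings(states: dict) -> dict:
    """Return {"conn|id": [issue, ...]}; an empty list means the SA looks healthy."""
    report = {}
    for key, st in states.items():
        issues = []
        # CERTREQ asks the peer for its cert; only CERT carries ours.
        if st.rsa_auth and st.ike_auth_payloads and "CERT" not in st.ike_auth_payloads:
            issues.append("IKE_AUTH request has no CERT payload (RSA auth without sending own certificate)")
        if st.rsa_auth and not st.sent_end_entity_cert:
            issues.append("no 'sending end entity cert' line before IKE_AUTH")
        if st.gave_up:
            issues.append(f"peer never answered IKE_AUTH ({st.retransmits} retransmits)")
        report[key] = issues
    return report


if __name__ == "__main__":
    for name, log in (("rutx50", SAMPLE_LOG), ("moon", HEALTHY_LOG)):
        for sa, issues in findings(parse(log)).items():
            print(f"[{name}] {sa}: " + ("; ".join(issues) if issues else "OK"))
```

If the script reports the first two findings for your SA while the responder logs "no certificate has been sent", the initiator side is the place to look: in plain strongSwan the `send_cert = always` option described above makes charon include the CERT payload regardless of whether a matching CERTREQ arrived.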

Thank you for your testing Jon.

I’ve tried to add this option in the ipsec configuration, but without luck.

uci set ipsec.CHKP_c.custom='send_cert=always'

root@RUTX50:~# cat /etc/config/ipsec

config ipsec
        option rtinstall_enabled '1'
        option make_before_break '0'

config remote 'CHKP'
        list transport 'CHKP_c'
        option multiple_secrets '0'
        option gateway 'xx.xx.xx.xx'
        option force_crypto_proposal '0'
        list crypto_proposal 'CHKP_ph1_1'
        option authentication_method 'x509'
        option cacert '/etc/vuci-uploads/cbid.ipsec.CHKP.cacertdaipvpncacert.pem'
        option rightcert '/etc/vuci-uploads/cbid.ipsec.CHKP.rightcertswfwdaipvpn.pem'
        option key '/etc/vuci-uploads/cbid.ipsec.CHKP.keyrutx50_test1.key.pem'
        option local_identifier 'CN=XXXX'
        option remote_identifier 'CN=XXXX'
        option leftcert '/etc/vuci-uploads/cbid.ipsec.CHKP.leftcertrutx50_test1.cert.pem'
        option enabled '1'

config connection 'CHKP_c'
        option send_cert 'always'
        option ikelifetime '8h'
        option defaultroute '0'
        option lifetime '1h'
        option type 'tunnel'
        option force_crypto_proposal '0'
        option flush '0'
        option aggressive '0'
        option mode 'start'
        option keyexchange 'ikev2'
        option inactivity '3600'
        option forceencaps '1'
        option remote_firewall '1'
        option local_firewall '1'
        option dpd '1'
        option dpdaction 'restart'
        option comp_mode '0'
        list crypto_proposal 'CHKP_ph2_1'
        list local_subnet 'xx.xx.xx.xx/24'
        list remote_subnet 'xx.xx.xx.xx/24'
        list remote_subnet 'xx.xx.xx.xx/24'
        list remote_subnet 'xx.xx.xx.xx/24'
        list custom 'send_cert=always'

config proposal 'CHKP_ph1_1'
        option encryption_algorithm 'aes256'
        option hash_algorithm 'sha512'
        option dh_group 'ecp384'

config proposal 'CHKP_ph2_1'
        option encryption_algorithm 'aes256'
        option hash_algorithm 'sha512'
        option dh_group 'ecp384'

Help with this configuration would be appreciated.

I haven’t a clue but from looking at the config notation, maybe option send_cert ‘0’ or option send_cert ‘1’ might be worth a try … what’s to lose.

Thank you Mike for your suggestion. Unfortunately, without result.

Some help from the R&D Team would be appreciated.
