Hello,
I’m new to Teltonika devices and I’m having trouble establishing a site-to-site VPN between a TRB140 and a WatchGuard firewall.
The TRB140 has a Vodafone SIM with 4G internet, and I have created an IPSec VPN.
On the WatchGuard, I am identifying the Teltonika device with a domain name (test.vdns.it).
On the TRB140, the remote endpoint is set to the public IP of the WatchGuard.
The local subnet and remote subnet for the tunnel are also set correctly.
Key exchange on both devices is set to IKEv2.
Phase 1: SHA1 – AES 128 – DH14
Phase 2: SHA1 – AES 128 – DH14
The pre-shared key is set correctly and is the same on both ends.
Logs on the Watchguard:
2024-11-20 09:00:01 iked (194.156.150.39<->176.243.49.209)IKEv2 IKE_AUTH exchange from 176.243.49.209:500 to 194.156.150.39:500 failed. Gateway-Endpoint=‘WG Default IKEv2 Gateway’. Reason=Gateway endpoint with matching ID was not found.
*** WG Diagnostic Report for Gateway “Teltonika” ***
Created On: Wed Nov 20 09:04:59 2024
[Conclusion]
Unable to find an established Phase 1 Security Association (SA) forBOVPN Gateway(Teltonika)'s endpoint #1
Recommendation: Review VPN log messages to identify the reason.
[Gateway Summary]
Gateway “Teltonika” contains “1” gateway endpoint(s). IKE Version is IKEv2.
Gateway Endpoint #1 (name “Teltonika”) Enabled
PFS: Disabled AlwaysUp: Disabled
DPD: Disabled Keepalive: Enabled
Local ID<->Remote ID: {IP_ADDR(194.156.150.39) ↔ DOMAIN_NAME(test.vdns.it)}
Local GW_IP<->Remote GW_IP: {194.156.150.39 ↔ 176.243.49.209}
Outgoing Interface: eth0 (ifIndex=20)
ifMark=0x10000
linkStatus=0 (0:unknown, 1:down, 2:up)
[Tunnel Summary]
“1” tunnel(s) are found using the previous gateway
Name: "Teltonika_Tunnel" Enabled
PFS: "Enabled" DH-Group: "14"
Number of Proposals: "1"
Proposal "ESP-AES128-SHA1"
ESP:
EncryptAlgo: "AES" KeyLen: "16(bytes)"
AuthAlgo: "SHA"
LifeTime: "28800(seconds)" LifeByte: "0(kbytes)"
Number of Tunnel Routes: "1"
#1
Direction: "BOTH"
"173.31.150.0/24(1-1NAT Invalid Address Type(0))<->10.24.145.0/24"
Stored user messages:
Nov 20 09:01:20 2024 ERROR 0x021a0016 Received N(AUTHENTICATION_FAILED) message.
[Run-time Info (gateway IKE_SA)]
[Run-time Info (tunnel IPSEC_SA)]
“0” IPSEC SA(s) are found under tunnel “Teltonika_Tunnel”
[Run-time Info (tunnel IPSEC_SP)]
“1” IPSEC SP(s) are found under tunnel “Teltonika_Tunnel”
#1
Tunnel Endpoint: “194.156.150.39->176.243.49.209”
Tunnel Selector: 10.24.145.0/24 → 10.24.145.0/24 Proto: ANY
Created On: Wed Nov 20 09:01:19 2024
Gateway Name: “Teltonika”
Tunnel Name: “Teltonika_Tunnel”
[Address Pairs in Firewalld]
Address Pairs for tunnel “Teltonika_Tunnel”
Direction: IN
10.24.145.0/24 ↔ 10.24.145.0/24
Direction: BOTH
173.31.150.0/24 ↔ 10.24.145.0/24
[Policy checker result]
Tunnel name: Teltonika_Tunnel
#1 tunnel route 173.31.150.0/24(1-1NAT Invalid Address Type(0))<->10.24.145.0/24
No policy checker results for this tunnel(no P2SA found or some other error)
[Related Logs]
<158>Nov 20 09:04:39 iked[2259]: (194.156.150.39<->176.243.49.209)******** RECV an IKE packet at 194.156.150.39:500(socket=13 ifIndex=20) from Peer 176.243.49.209:500 ********
<158>Nov 20 09:04:39 iked[2259]: (194.156.150.39<->176.243.49.209)Received IKEv2 “IKE_SA_INIT response” message with message-ID:0 length:448 SPI[i=1db8d6f736bd74c6 r=d41fae91754dc85e]
<158>Nov 20 09:04:39 iked[2259]: (194.156.150.39<->176.243.49.209)“IKE_SA_INIT response” message has 7 payloads [ SA(sz=48) KE(sz=264) NONCE(sz=36) N(sz=28) N(sz=28) N(sz=8) N(sz=8)]
<158>Nov 20 09:04:39 iked[2259]: (194.156.150.39<->176.243.49.209)Got IKE policy ‘Teltonika’ from ikeSA(0x104769e8 id:00000000 state:‘SA_INIT_I’)
<158>Nov 20 09:04:39 iked[2259]: (194.156.150.39<->176.243.49.209)dispatch the received IKE_SA_INIT response message - IkeSA(0x104769e8)'s state=SA_INIT_I
<158>Nov 20 09:04:39 iked[2259]: (194.156.150.39<->176.243.49.209)The peer is NOT behind NAT
<158>Nov 20 09:04:39 iked[2259]: (194.156.150.39<->176.243.49.209)The local is NOT behind NAT
<158>Nov 20 09:04:39 iked[2259]: (194.156.150.39<->176.243.49.209)non-supported notify type: 16404(N(MULTIPLE_AUTH_SUPPORTED)), ignore it
<158>Nov 20 09:04:39 iked[2259]: (194.156.150.39<->176.243.49.209)ENCR: found the matched ENCR algo:ENCR_AES_CBC with AES-key-length:128
<158>Nov 20 09:04:39 iked[2259]: (194.156.150.39<->176.243.49.209)IKE proposal[#1] is matched - ENCR_AES_CBC/AUTH_HMAC_SHA1_96/PRF_HMAC_SHA1/DH_GROUP14
<158>Nov 20 09:04:40 iked[2259]: (194.156.150.39<->176.243.49.209)stop the retry object(0x104787f8) for the previous request message(name=IKE_SA_INIT request, msgId=0)
<158>Nov 20 09:04:40 iked[2259]: (194.156.150.39<->176.243.49.209)Starting IKE_AUTH exchange. IKE policy:Teltonika opCode:4
<158>Nov 20 09:04:40 iked[2259]: (194.156.150.39<->176.243.49.209)IKE policy ‘Teltonika’ use ‘ike2_shared_action’ IKE action. update its auth method
<158>Nov 20 09:04:40 iked[2259]: (194.156.150.39<->176.243.49.209)peer supports childless, do ikeConnectP1
<158>Nov 20 09:04:40 iked[2259]: (194.156.150.39<->176.243.49.209)‘IKE_AUTH request’ message created successfully. length:124
<158>Nov 20 09:04:40 iked[2259]: (194.156.150.39<->176.243.49.209)Sent out IKE_AUTH request message (msgId=1) from 194.156.150.39:500 to 176.243.49.209:500 for ‘Teltonika’ gateway endpoint successfully.
<158>Nov 20 09:04:40 iked[2259]: (194.156.150.39<->176.243.49.209)ikeSA(0x104769e8) state change: SA_INIT_I ==> IKE_AUTH_I, reason: “IKE_AUTH request is Out”
<158>Nov 20 09:04:40 iked[2259]: (194.156.150.39<->176.243.49.209)ikeSA(0x104769e8)'s msgIdSend is updated: 1 → 2
<158>Nov 20 09:04:40 iked[2259]: (194.156.150.39<->176.243.49.209)******** RECV an IKE packet at 194.156.150.39:500(socket=13 ifIndex=20) from Peer 176.243.49.209:500 ********
<158>Nov 20 09:04:40 iked[2259]: (194.156.150.39<->176.243.49.209)Received IKEv2 “IKE_AUTH response” message with message-ID:1 length:76 SPI[i=1db8d6f736bd74c6 r=d41fae91754dc85e]
<158>Nov 20 09:04:40 iked[2259]: (194.156.150.39<->176.243.49.209)“IKE_AUTH response” message has 1 payloads [ ENCR(sz=48)]
<158>Nov 20 09:04:40 iked[2259]: (194.156.150.39<->176.243.49.209)Got IKE policy ‘Teltonika’ from ikeSA(0x104769e8 id:00000000 state:‘IKE_AUTH_I’)
<158>Nov 20 09:04:40 iked[2259]: (194.156.150.39<->176.243.49.209)“IKE_AUTH response” message has 1 payloads [ N(sz=8)]
<158>Nov 20 09:04:40 iked[2259]: (194.156.150.39<->176.243.49.209)IKEv2 “IKE_AUTH response”'s decrypted message contains 1 payloads [ N(sz=8)]
<158>Nov 20 09:04:40 iked[2259]: (194.156.150.39<->176.243.49.209)dispatch the received IKE_AUTH response message - IkeSA(0x104769e8)'s state=IKE_AUTH_I
<158>Nov 20 09:04:40 iked[2259]: (194.156.150.39<->176.243.49.209)ikeSA(0x104769e8) will be terminated - rc=5
<158>Nov 20 09:04:40 iked[2259]: (194.156.150.39<->176.243.49.209)stop the retry object(0x104787f8) for the previous request message(name=IKE_AUTH request, msgId=1)
<158>Nov 20 09:04:40 iked[2259]: (194.156.150.39<->176.243.49.209)Deleting ikeSA(obj=0x104769e8) state=IKE_AUTH_I actions:0x00000000 gateway-endpoint=Teltonika, caller=ike2_ProcessData, reason=“Unknown”
<158>Nov 20 09:04:40 iked[2259]: (194.156.150.39<->176.243.49.209)Free ikeSA(obj=0x104769e8 state=IKESA_DELETED)
Logs on Teltonika:
Wed Nov 20 09:02:31 2024 daemon.info ipsec: 12[IKE] <Firebox-Firebox_c|155> initiating IKE_SA Firebox-Firebox_c[155] to 194.156.150.39
Wed Nov 20 09:02:31 2024 daemon.info ipsec: 12[ENC] <Firebox-Firebox_c|155> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Wed Nov 20 09:02:31 2024 daemon.info ipsec: 12[NET] <Firebox-Firebox_c|155> sending packet: from 176.243.49.209[500] to 194.156.150.39[500] (968 bytes)
Wed Nov 20 09:02:31 2024 daemon.info ipsec: 07[NET] <Firebox-Firebox_c|155> received packet: from 194.156.150.39[500] to 176.243.49.209[500] (484 bytes)
Wed Nov 20 09:02:31 2024 daemon.info ipsec: 07[ENC] <Firebox-Firebox_c|155> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V ]
Wed Nov 20 09:02:31 2024 daemon.info ipsec: 07[ENC] <Firebox-Firebox_c|155> received unknown vendor ID: bf:c2:2e:98:56:ba:99:36:11:c1:1e:48:a6:d2:08:07:a9:5b:ed:b3:93:02:6a:49:e6:0f:ac:32:7b:b9:60:1b:56:6b:34:39:4d:54:49:75:4e:53:34:78:4d:53:42:43:54:6a:30:32:4e:6a:59:7a:4f:54:49:3d
Wed Nov 20 09:02:31 2024 daemon.info ipsec: 07[CFG] <Firebox-Firebox_c|155> selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Wed Nov 20 09:02:31 2024 daemon.info ipsec: 07[IKE] <Firebox-Firebox_c|155> authentication of ‘0.0.0.0/0,::/0’ (myself) with pre-shared key
Wed Nov 20 09:02:31 2024 daemon.info ipsec: 07[IKE] <Firebox-Firebox_c|155> establishing CHILD_SA Firebox-Firebox_c{150}
Wed Nov 20 09:02:31 2024 daemon.info ipsec: 07[ENC] <Firebox-Firebox_c|155> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Wed Nov 20 09:02:31 2024 daemon.info ipsec: 07[NET] <Firebox-Firebox_c|155> sending packet: from 176.243.49.209[4500] to 194.156.150.39[4500] (428 bytes)
Wed Nov 20 09:02:31 2024 daemon.info ipsec: 15[NET] <Firebox-Firebox_c|155> received packet: from 194.156.150.39[4500] to 176.243.49.209[4500] (76 bytes)
Wed Nov 20 09:02:31 2024 daemon.info ipsec: 15[ENC] <Firebox-Firebox_c|155> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Wed Nov 20 09:02:31 2024 daemon.info ipsec: 15[IKE] <Firebox-Firebox_c|155> received AUTHENTICATION_FAILED notify errorWed Nov 20 09:02:31 2024 daemon.info ipsec: 12[IKE] <Firebox-Firebox_c|155> initiating IKE_SA Firebox-Firebox_c[155] to 194.156.150.39
Wed Nov 20 09:02:31 2024 daemon.info ipsec: 12[ENC] <Firebox-Firebox_c|155> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Wed Nov 20 09:02:31 2024 daemon.info ipsec: 12[NET] <Firebox-Firebox_c|155> sending packet: from 176.243.49.209[500] to 194.156.150.39[500] (968 bytes)
Wed Nov 20 09:02:31 2024 daemon.info ipsec: 07[NET] <Firebox-Firebox_c|155> received packet: from 194.156.150.39[500] to 176.243.49.209[500] (484 bytes)
Wed Nov 20 09:02:31 2024 daemon.info ipsec: 07[ENC] <Firebox-Firebox_c|155> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V ]
Wed Nov 20 09:02:31 2024 daemon.info ipsec: 07[ENC] <Firebox-Firebox_c|155> received unknown vendor ID: bf:c2:2e:98:56:ba:99:36:11:c1:1e:48:a6:d2:08:07:a9:5b:ed:b3:93:02:6a:49:e6:0f:ac:32:7b:b9:60:1b:56:6b:34:39:4d:54:49:75:4e:53:34:78:4d:53:42:43:54:6a:30:32:4e:6a:59:7a:4f:54:49:3d
Wed Nov 20 09:02:31 2024 daemon.info ipsec: 07[CFG] <Firebox-Firebox_c|155> selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Wed Nov 20 09:02:31 2024 daemon.info ipsec: 07[IKE] <Firebox-Firebox_c|155> authentication of ‘0.0.0.0/0,::/0’ (myself) with pre-shared key
Wed Nov 20 09:02:31 2024 daemon.info ipsec: 07[IKE] <Firebox-Firebox_c|155> establishing CHILD_SA Firebox-Firebox_c{150}
Wed Nov 20 09:02:31 2024 daemon.info ipsec: 07[ENC] <Firebox-Firebox_c|155> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Wed Nov 20 09:02:31 2024 daemon.info ipsec: 07[NET] <Firebox-Firebox_c|155> sending packet: from 176.243.49.209[4500] to 194.156.150.39[4500] (428 bytes)
Wed Nov 20 09:02:31 2024 daemon.info ipsec: 15[NET] <Firebox-Firebox_c|155> received packet: from 194.156.150.39[4500] to 176.243.49.209[4500] (76 bytes)
Wed Nov 20 09:02:31 2024 daemon.info ipsec: 15[ENC] <Firebox-Firebox_c|155> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Wed Nov 20 09:02:31 2024 daemon.info ipsec: 15[IKE] <Firebox-Firebox_c|155> received AUTHENTICATION_FAILED notify error
Hello,
Apologies for the delayed response.
From the screenshot, it appears that your device is running on an older firmware version. I recommend upgrading your device to the latest version, 7.11.3. You can download it here: TRB140 Firmware Downloads.
Based on the logs you provided, it seems that there may be an issue with authentication. Please check that the encryption and authentication settings are identical on both devices to ensure compatibility.
Best regards,
Hi…
About
Sometimes… I have an issues with Local ID and Remote Id between IPSec solutions vendors…
To solve this… I use the LAN ip address of each side to solve this.
Sample… (another vendor)
192.168.1.1 (teltonika device)
192.168.7.1 (another vendor device)
and do the opposite configuration at teltonika.
I know… not the best solution… but works.