Closed tomasp-xyz closed 1 year ago
This is a very simple configuration example for LAN-to-LAN IPsec-protected communication. The most notable information about this setup, which is configured accordingly:
root@Teltonika-RUTX12:~# cat /var/ipsec/ipsec.conf
# generated by /etc/init.d/ipsec
version 2
conn TLTside-TLTside_c
    left=%any
    right=10.10.10.2
    leftfirewall=yes
    rightfirewall=no
    ikelifetime=4h
    lifetime=1h
    margintime=9m
    keyingtries=3
    dpdaction=restart
    dpddelay=10s
    dpdtimeout=30s
    inactivity=180
    leftauth=psk
    rightauth=psk
    rightsubnet=10.10.35.0/24
    auto=start
    leftsubnet=192.168.12.0/24
    aggressive=no
    forceencaps=no
    type=tunnel
    keyexchange=ikev2
    esp=aes128gcm16-sha256-ecp256!
    ike=aes256-sha512-ecp521!
[admin@MTrb4011] > system/ssh address=192.168.12.1 src-address=10.10.35.1 user=root
connectHandler: Connection refused
Welcome back!
[admin@MTrb4011] >
To make this work, on the Teltonika device we need to configure an extra traffic rule at Network > Firewall > Traffic rules. Add additional ports as needed, or modify them:
Rule in UCI format:
firewall.26.name='permit-IPsec-INPUT'
firewall.26.target='ACCEPT'
firewall.26.priority='15'
firewall.26.src='wan'
firewall.26.extra='-m policy --dir in --pol ipsec'
firewall.26.utc_time='0'
firewall.26.dest_port='22' '443'
firewall.26.src_ip='10.10.35.0/24'
firewall.26.dest_ip='192.168.12.1'
firewall.26.enabled='1'
Rule in /etc/config/firewall file:
config rule '26'
    option proto 'tcp'
    option name 'permit-IPsec-INPUT'
    option target 'ACCEPT'
    option priority '15'
    option src 'wan'
    option extra '-m policy --dir in --pol ipsec'
    option utc_time '0'
    list dest_port '22'
    list dest_port '443'
    list src_ip '10.10.35.0/24'
    list dest_ip '192.168.12.1'
    option enabled '1'
Test using the SSH client from the Mikrotik after adding the rule:
[admin@MTrb4011] > system/ssh address=192.168.12.1 src-address=10.10.35.1 user=root
password:
BusyBox v1.34.1 (2023-02-07 12:46:36 UTC) built-in shell (ash)
____ _ ___ ____
| _ \ _ _| |_ / _ \/ ___|
| |_) | | | | __| | | \___ \
| _ <| |_| | |_| |_| |___) |
|_| \_\\__,_|\__|\___/|____/
---------------------------------
Teltonika RUTX series 2023
---------------------------------
root@Teltonika-RUTX12:~#
Two ways this can happen:
In such cases, the following may be seen on the Teltonika side:
Relevant logs:
Tue Feb 7 17:06:51 2023 daemon.info ipsec: 07[JOB] deleting CHILD_SA after 180 seconds of inactivity
Tue Feb 7 17:06:51 2023 daemon.info ipsec: 07[IKE] closing CHILD_SA TLTside-TLTside_c{2} with SPIs cc19a101_i (252 bytes) 0eda418c_o (252 bytes) and TS 192.168.12.0/24 === 10.10.35.0/24
Tue Feb 7 17:06:51 2023 daemon.info ipsec: 07[IKE] sending DELETE for ESP CHILD_SA with SPI cc19a101
Tue Feb 7 17:06:51 2023 daemon.info ipsec: 05[IKE] CHILD_SA closed
Tue Feb 7 17:06:52 2023 local0.notice vpn: - 10.10.10.2 10.10.35.0/24 == 10.10.10.2 -- 10.10.10.1 == 192.168.12.0/24
IPsec now has no CHILD_SA for its IKE_SA
root@Teltonika-RUTX12:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.9.2, Linux 5.4.221, armv7l):
uptime: 3 minutes, since Feb 07 17:03:38 2023
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
loaded plugins: charon aes des sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp pem openssl gmp xcbc hmac kernel-netlink socket-default stroke vici updown eap-identity eap-mschapv2 xauth-generic
Listening IP addresses:
10.10.10.1
192.168.12.1
fd18:1b18:76d2::1
Connections:
TLTside-TLTside_c: %any...10.10.10.2 IKEv2, dpddelay=10s
TLTside-TLTside_c: local: uses pre-shared key authentication
TLTside-TLTside_c: remote: [10.10.10.2] uses pre-shared key authentication
TLTside-TLTside_c: child: 192.168.12.0/24 === 10.10.35.0/24 TUNNEL, dpdaction=restart
Routed Connections:
TLTside-TLTside_c{1}: ROUTED, TUNNEL, reqid 1
TLTside-TLTside_c{1}: 192.168.12.0/24 === 10.10.35.0/24
Security Associations (1 up, 0 connecting):
TLTside-TLTside_c[1]: ESTABLISHED 3 minutes ago, 10.10.10.1[10.10.10.1]...10.10.10.2[10.10.10.2]
TLTside-TLTside_c[1]: IKEv2 SPIs: 7e44d7fc58612eff_i* 5eed6d2441b0c348_r, pre-shared key reauthentication in 3 hours
TLTside-TLTside_c[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_521
DPD only checks that the IKE_SA is alive, not the CHILD_SA, so it will not notice a tunnel whose CHILD_SA was closed for inactivity. It is suggested to use "Routed" mode on the Teltonika device in such cases.
When interesting traffic is detected (that is, when we try to reach the 10.10.35.0/24 subnet), charon will temporarily "trap" the packets and attempt to re-establish the IPsec CHILD_SA. This also prevents interesting traffic from leaking while rekeys are happening.
root@Teltonika-RUTX12:~# ping 10.10.35.1
PING 10.10.35.1 (10.10.35.1): 56 data bytes
Tue Feb 7 17:08:50 2023 daemon.info ipsec: 04[KNL] creating acquire job for policy 192.168.12.1/32[icmp/8] === 10.10.35.1/32[icmp/8] with reqid {1}
Tue Feb 7 17:08:50 2023 daemon.info ipsec: 06[IKE] establishing CHILD_SA TLTside-TLTside_c{3} reqid 1
Tue Feb 7 17:08:50 2023 daemon.info ipsec: 06[ENC] generating CREATE_CHILD_SA request 31 [ SA No KE TSi TSr ]
Tue Feb 7 17:08:50 2023 daemon.info ipsec: 06[NET] sending packet: from 10.10.10.1[500] to 10.10.10.2[500] (320 bytes)
Tue Feb 7 17:08:50 2023 daemon.info ipsec: 10[NET] received packet: from 10.10.10.2[500] to 10.10.10.1[500] (400 bytes)
Tue Feb 7 17:08:50 2023 daemon.info ipsec: 10[ENC] parsed CREATE_CHILD_SA response 31 [ No KE TSi TSr SA ]
Tue Feb 7 17:08:50 2023 daemon.info ipsec: 10[CFG] selected proposal: ESP:AES_GCM_16_128/ECP_256/NO_EXT_SEQ
Tue Feb 7 17:08:50 2023 daemon.info ipsec: 10[IKE] CHILD_SA TLTside-TLTside_c{3} established with SPIs c92165f8_i 0752b796_o and TS 192.168.12.0/24 === 10.10.35.0/24
Tue Feb 7 17:08:50 2023 local0.notice vpn: + 10.10.10.2 10.10.35.0/24 == 10.10.10.2 -- 10.10.10.1 == 192.168.12.0/24
64 bytes from 10.10.35.1: seq=1 ttl=64 time=0.981 ms
...ping continues...
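The "IKE_SA up, no CHILD_SA" state described above is easy to miss because DPD reports the tunnel as healthy. The following added example (not part of the original issue or of strongSwan/Teltonika tooling) parses `ipsec statusall` output in the line formats shown above and flags connections whose IKE_SA is ESTABLISHED but which have no INSTALLED CHILD_SA, noting whether a ROUTED trap policy is present to re-trigger it; the sample text is constructed from the output quoted earlier.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample: the relevant lines of the `ipsec statusall` output quoted
# above (an ESTABLISHED IKE_SA with only a ROUTED trap policy, no CHILD_SA).
SAMPLE_STATUS = """\
Routed Connections:
 TLTside-TLTside_c{1}: ROUTED, TUNNEL, reqid 1
 TLTside-TLTside_c{1}: 192.168.12.0/24 === 10.10.35.0/24
Security Associations (1 up, 0 connecting):
 TLTside-TLTside_c[1]: ESTABLISHED 3 minutes ago, 10.10.10.1[10.10.10.1]...10.10.10.2[10.10.10.2]
 TLTside-TLTside_c[1]: IKEv2 SPIs: 7e44d7fc58612eff_i* 5eed6d2441b0c348_r, pre-shared key reauthentication in 3 hours
"""

# "name[n]: ESTABLISHED ..." is an IKE_SA; "name{n}: INSTALLED|ROUTED ..." is a CHILD_SA or trap policy.
IKE_RE = re.compile(r"^(?P<conn>\S+)\[\d+\]: ESTABLISHED")
CHILD_RE = re.compile(r"^(?P<conn>\S+)\{\d+\}:\s+(?P<state>INSTALLED|ROUTED)\b")


class ConnState(NamedTuple):
    ike_established: bool = False
    child_installed: bool = False
    trap_routed: bool = False


def parse_statusall(text: str) -> Dict[str, ConnState]:
    """Summarise, per connection name, what statusall says about its SAs."""
    states: Dict[str, ConnState] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := IKE_RE.match(line):
            states[m["conn"]] = states.get(m["conn"], ConnState())._replace(ike_established=True)
        elif m := CHILD_RE.match(line):
            field = "child_installed" if m["state"] == "INSTALLED" else "trap_routed"
            states[m["conn"]] = states.get(m["conn"], ConnState())._replace(**{field: True})
    return states


def find_idle_tunnels(text: str) -> List[str]:
    """Connections whose IKE_SA is up but which carry no CHILD_SA: DPD alone never flags these."""
    return [n for n, s in parse_statusall(text).items() if s.ike_established and not s.child_installed]


def explain(text: str) -> List[str]:
    """One finding per idle tunnel, noting whether a trap policy will re-trigger it."""
    notes = []
    for name, s in parse_statusall(text).items():
        if not s.ike_established or s.child_installed:
            continue
        how = ("ROUTED trap policy present, interesting traffic will trigger an acquire" if s.trap_routed
               else "no trap policy, nothing re-triggers the CHILD_SA and packets may leave unprotected")
        notes.append(f"{name}: IKE_SA established, no CHILD_SA ({how})")
    return notes
```

On the router this would be fed the live output of `ipsec statusall`; an empty result from `find_idle_tunnels` means every established IKE_SA also has an installed CHILD_SA.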
This writeup is more of a note to myself, in case I forget what goes where but have to come back to it at some point. Additional tests probably will not be performed after each config example is added here, although I may revisit this issue at some point in time to provide more information on specific matters.
To save time and preserve relatively valuable information for future use, a few IPsec configuration examples shall be provided in this issue. As the title of this issue suggests, the issue will contain configuration examples based on Teltonika and Mikrotik devices. Each config example will be added as a separate comment to make things easier and more understandable. I will also try to detail what the running configuration looks like from a CLI perspective.
The list below is for each individual comment, in order: