Difference between revisions of "Template:Default route configuration Teltonika to Teltonika"

Revision as of 16:42, 11 April 2023

The information on this page is updated in accordance with the 00.07.4 firmware version .

Introduction

Normally we configure IPsec for LAN-to-LAN communication which is also known as split-tunnel VPN when only specific hosts should be reachable via VPN tunnel. However, we may also take a different approach and configure VPN tunnel using full-tunnel method. This means that any non-directly connected network (i.e. lan interface) will be reachable only via IPsec tunnel and not via typical default route.

Configuration overview and prerequisites

Before we begin, let's take a look at the configuration that we are attempting to achieve and the prerequisites that make it possible.

Prerequisites:

Two RUT/RUTX series routers with RUTOS firmware;
An end device (PC, Laptop) for configuration;

If you're having trouble finding any page or some of the parameters described here on your device's WebUI, you should turn on "Advanced WebUI" mode. You can do that by clicking the "Basic" button under "Mode," which is located at the top-right corner of the WebUI.

Topology

RUT1 - RUTX12 as a hub. A hub is a server, to which our spoke will be connecting (IPsec responder). It will be our "default gateway" for the spoke device. RUTX12 has a LAN subnet of 192.168.11.0/24 configured on it, which should be reachable by the spoke.

RUT2 - RUT955 as a spoke. A spoke is a client, that will be connected to the spoke (IPsec initiator). It will be connected to a hub for basic internet access. RUT955 has a LAN subnet of 192.168.9.0/24 configured on it.

RUT1 (Hub) configuration

Start by configuring the hub (RUT1) device. Login to the WebUI, navigate to Services → VPN → IPsec and add a new IPsec instance. Configure everything as follows.

Note: Not specified fields can be left as is or changed according to your needs.

Instance configuration


Enable instance; Authentication method - Pre-shared key; Pre-shared key - your desired password;

Connection configuration


Mode - Start; Type - Tunnel; Local subnet - 0.0.0.0/.0; Key exchange - IKEv2;


Enable Local firewall; Remote source IP - 10.20.30.0/24; Remote DNS - 9.9.9.9;

Proposal configuration


Encryption - AES256; Authentication - SHA512; DH group - ECP521; Force crypto proposal - enabled.


Encryption - AES128; Authentication - SHA256; DH group - ECP521; Force crypto proposal - enabled.

Force crypto proposal option as it simplifies which algorithm suite will be used for both phases.

RUT2 (Spoke) configuration

Login to the RUT2 WebUI, navigate to Services → VPN → IPsec and add a new IPsec instance. Configure everything as follows.

Note: Not specified fields can be left as is or changed according to your needs.

Instance configuration


Enable instance; Remote endpoint - RUT1 public IP; Authentication method - Pre-shared key; Pre-shared key - the same password you have set on RUT1 when configuring HUB instance;

Connection configuration


Mode - Start; Type - Tunnel; Enable default route; Key exchange - IKEv2;

Proposal configuration


Encryption - AES256; Authentication - SHA512; DH group - ECP521; Force crypto proposal - enabled.


Encryption - AES128; Authentication - SHA256; DH group - ECP521; Force crypto proposal - enabled.

Force crypto proposal option as it simplifies which algorithm suite will be used for both phases.

Testing the configuration

If you've followed all the steps presented above, your configuration should be finished. But as with any other configuration, it is always wise to test the setup in order to make sure that it works properly.

Using the ipsec status command we can see that IPsec tunnel is successfully established on both routers. The command output on a hub (RUT1) device:

The same command output on spoke (RUT2) device:

Also, as the hub should be reachable by spoke, we can try pinging the hub using ping 192.168.11.1:

External links

OpenWrt IPsec basics

@@ Line 1: / Line 1: @@
-<p style="color:red">The information on this page is updated in accordance with the [https://wiki.teltonika-networks.com/view/FW_%26_SDK_Downloads'''00.07.08'''] firmware version .</p>
+<p style="color:red">The information on this page is updated in accordance with the [https://wiki.teltonika-networks.com/view/FW_%26_SDK_Downloads'''00.07.4'''] firmware version .</p>
 ==Introduction==
 Normally we configure IPsec for LAN-to-LAN communication which is also known as split-tunnel VPN when only specific hosts should be reachable via VPN tunnel. However, we may also take a different approach and configure VPN tunnel using full-tunnel method. This means that any non-directly connected network (i.e. lan interface) will be reachable only via IPsec tunnel and not via typical default route.
@@ Line 31: / Line 31: @@
      <tr>
          <th width=330; style="border-bottom: 1px solid white;></th>
-         <th width=800; style="border-bottom: 1px solid white"; rowspan=2>[[File:RutOS_default_route_teltonika_IPSEC_7.8_instance_hub.png|border|class=tlt-border|755x406px|right]]</th>
+         <th width=800; style="border-bottom: 1px solid white"; rowspan=2>[[File:IPsec HUB.png|border|class=tlt-border|755x406px|right]]</th>
      </tr>
      <tr>
@@ Line 48: / Line 48: @@
      <tr>
          <th width=330; style="border-bottom: 1px solid white;></th>
-         <th width=800; style="border-bottom: 1px solid white;" rowspan=2>[[File:RutOS_default_route_teltonika_IPSEC_7.8_connection_hub.png|border|class=tlt-border|753x368px|right]]</th>
+         <th width=800; style="border-bottom: 1px solid white;" rowspan=2>[[File:IPsec HUB Connection.png|border|class=tlt-border|753x368px|right]]</th>
      </tr>
      <tr>
@@ Line 64: / Line 64: @@
      <tr>
          <th width=330; style="border-bottom: 1px solid white;></th>
-         <th width=800; style="border-bottom: 1px solid white;" rowspan=2>[[File:RutOS_default_route_teltonika_IPSEC_7.8_connection_hub_advanced.png|border|class=tlt-border|752x541px|right]]</th>
+         <th width=800; style="border-bottom: 1px solid white;" rowspan=2>[[File:IPsec HUB Connection Advanced.png|border|class=tlt-border|752x541px|right]]</th>
      </tr>
      <tr>
@@ Line 75: / Line 75: @@
 </table>
-====Proposal configuration====
+===Proposal configuration===
-'''Important:''' Both the RUT1 and RUT2 Encryptions must match in order for this configuration to work.
 ----
-'''Note:''' ''This is only an example of a secure configuration. Other algorithms or even combinations of them could be used. However, we strongly recommend refraining from using older encryption and hashing algorithms unless support for certain legacy systems is required.''
-Make the following changes:
 <table class="nd-othertables_2">
      <tr>
          <th width=330; style="border-bottom: 1px solid white;></th>
-         <th width=800; style="border-bottom: 1px solid white;" rowspan=2>[[File:Networking_webui_manual_IPsec_configuration_proposal_phase1_settings_v1.png|border|class=tlt-border|671x336px|center]]</th>
+         <th width=800; style="border-bottom: 1px solid white;" rowspan=2>[[File:IPsec Phase1.png|border|class=tlt-border|742x254px|right]]</th>
      </tr>
      <tr>
@@ Line 90: / Line 87: @@
 # Encryption - '''''AES256;'''''
 # Authentication - '''''SHA512;'''''
-# DH group - '''''MODP4096;'''''
+# DH group - '''''ECP521;'''''
-# IKE lifetime - '''86400s'''.
+# Force crypto proposal - '''enabled'''.
          </td>
      </tr>
@@ Line 100: / Line 97: @@
      <tr>
          <th width=330; style="border-bottom: 1px solid white;></th>
-         <th width=800; style="border-bottom: 1px solid white;" rowspan=2>[[File:Networking_webui_manual_IPsec_configuration_proposal_phase2_settings_v1.png|border|class=tlt-border|644x331px|center]]</th>
+         <th width=800; style="border-bottom: 1px solid white;" rowspan=2>[[File:IPsec Phase2.png|border|class=tlt-border|748x257px|right]]</th>
      </tr>
      <tr>
          <td style="border-bottom: 4px solid white>
-# Encryption - '''''AES256;'''''
+# Encryption - '''''AES128;'''''
-# Authentication - '''''SHA512;'''''
+# Authentication - '''''SHA256;'''''
-# PFS group - '''''MODP4096;'''''
+# DH group - '''''ECP521;'''''
-# Lifetime – '''''86400s;'''''
+# Force crypto proposal - '''enabled'''.
          </td>
      </tr>
 </table>
+'''Force crypto proposal''' option as it simplifies which algorithm suite will be used for both phases.
 ==RUT2 (Spoke) configuration==
@@ Line 121: / Line 120: @@
      <tr>
          <th width=330; style="border-bottom: 1px solid white;></th>
-         <th width=800; style="border-bottom: 1px solid white;" rowspan=2>[[File:RutOS_default_route_teltonika_IPSEC_7.8_instance_spoke.png|border|class=tlt-border|742x399px|right]]</th>
+         <th width=800; style="border-bottom: 1px solid white;" rowspan=2>[[File:IPsec SPOKE.png|border|class=tlt-border|742x399px|right]]</th>
      </tr>
      <tr>
@@ Line 139: / Line 138: @@
      <tr>
          <th width=330; style="border-bottom: 1px solid white;></th>
-         <th width=800; style="border-bottom: 1px solid white;" rowspan=2>[[File:RutOS_default_route_teltonika_IPSEC_7.8_connection_spoke.png|border|class=tlt-border|761x280px|right]]</th>
+         <th width=800; style="border-bottom: 1px solid white;" rowspan=2>[[File:IPsec SPOKE Connection.png|border|class=tlt-border|761x280px|right]]</th>
      </tr>
      <tr>
@@ Line 151: / Line 150: @@
 </table>
-====Proposal configuration====
+===Proposal configuration===
-'''Important:''' Both the RUT1 and RUT2 Encryptions must match in order for this configuration to work.
 ----
-'''Note:''' ''This is only an example of a secure configuration. Other algorithms or even combinations of them could be used. However, we strongly recommend refraining from using older encryption and hashing algorithms unless support for certain legacy systems is required.''
-Make the following changes:
 <table class="nd-othertables_2">
      <tr>
          <th width=330; style="border-bottom: 1px solid white;></th>
-         <th width=800; style="border-bottom: 1px solid white;" rowspan=2>[[File:Networking_webui_manual_IPsec_configuration_proposal_phase1_settings_v1.png|border|class=tlt-border|671x336px|center]]</th>
+         <th width=800; style="border-bottom: 1px solid white;" rowspan=2>[[File:IPsec Phase1.png|border|class=tlt-border|742x254px|right]]</th>
      </tr>
      <tr>
@@ Line 166: / Line 161: @@
 # Encryption - '''''AES256;'''''
 # Authentication - '''''SHA512;'''''
-# DH group - '''''MODP4096;'''''
+# DH group - '''''ECP521;'''''
-# IKE lifetime - '''86400s'''.
+# Force crypto proposal - '''enabled'''.
          </td>
      </tr>
@@ Line 176: / Line 171: @@
      <tr>
          <th width=330; style="border-bottom: 1px solid white;></th>
-         <th width=800; style="border-bottom: 1px solid white;" rowspan=2>[[File:Networking_webui_manual_IPsec_configuration_proposal_phase2_settings_v1.png|border|class=tlt-border|644x331px|center]]</th>
+         <th width=800; style="border-bottom: 1px solid white;" rowspan=2>[[File:IPsec Phase2.png|border|class=tlt-border|748x257px|right]]</th>
      </tr>
      <tr>
          <td style="border-bottom: 4px solid white>
-# Encryption - '''''AES256;'''''
+# Encryption - '''''AES128;'''''
-# Authentication - '''''SHA512;'''''
+# Authentication - '''''SHA256;'''''
-# PFS group - '''''MODP4096;'''''
+# DH group - '''''ECP521;'''''
-# Lifetime – '''''86400s;'''''
+# Force crypto proposal - '''enabled'''.
          </td>
      </tr>
 </table>
+'''Force crypto proposal''' option as it simplifies which algorithm suite will be used for both phases.
 ==Testing the configuration==

Namespaces

Variants

Views

More

Search

Difference between revisions of "Template:Default route configuration Teltonika to Teltonika"

Revision as of 16:42, 11 April 2023

Contents

Introduction

Configuration overview and prerequisites

Topology

RUT1 (Hub) configuration

Instance configuration

Connection configuration

Proposal configuration

RUT2 (Spoke) configuration

Instance configuration

Connection configuration

Proposal configuration

Testing the configuration

See also

External links

Navigation menu

Personal tools

NAVIGATION

Tools

Categories