Domnev: Difference between revisions

From Teltonika Networks Wiki
VisualWikitext
No edit summary
No edit summary
Line 32: Line 32:
     <tr>
     <tr>
         <td style="border-bottom: 4px solid white>
         <td style="border-bottom: 4px solid white>
# '''''Enable''''' instance
# '''''Enable''''' instance;
# Authentication method - '''''Pre-shared key'''''
# Authentication method - '''''Pre-shared key;'''''
# Pre-shared key - '''''your desired password'''''
# Pre-shared key - '''''your desired password;'''''
         </td>
         </td>
     </tr>
     </tr>
Line 49: Line 49:
     <tr>
     <tr>
         <td style="border-bottom: 4px solid white>
         <td style="border-bottom: 4px solid white>
# Mode - '''Start''';
# Mode - '''''Start;'''''
# Type - '''Tunnel''';
# Type - '''''Tunnel;'''''
# Local subnet - '''0.0.0.0/.0''';
# Local subnet - '''''0.0.0.0/.0;'''''
# Key exchange - '''IKEv2''';
# Key exchange - '''''IKEv2;'''''
         </td>
         </td>
     </tr>
     </tr>
Line 65: Line 65:
     <tr>
     <tr>
         <td style="border-bottom: 4px solid white>
         <td style="border-bottom: 4px solid white>
# '''Enable''' Local firewall;
# '''''Enable''''' '''''Local firewall;'''''
# Remote source IP - '''10.20.30.0/24''';
# Remote source IP - '''''10.20.30.0/24;'''''
# Remote DNS '''9.9.9.9''';
# Remote DNS '''''9.9.9.9;'''''
         </td>
         </td>
     </tr>
     </tr>
Line 82: Line 82:
     <tr>
     <tr>
         <td style="border-bottom: 4px solid white>
         <td style="border-bottom: 4px solid white>
# Encryption - '''AES256''';
# Encryption - '''''AES256;'''''
# Authentication - '''SHA512''';
# Authentication - '''''SHA512;'''''
# DH group - '''ECP521''';
# DH group - '''''ECP521;'''''
         </td>
         </td>
     </tr>
     </tr>
Line 97: Line 97:
     <tr>
     <tr>
         <td style="border-bottom: 4px solid white>
         <td style="border-bottom: 4px solid white>
# Encryption - '''AES128''';
# Encryption - '''''AES128;'''''
# Authentication - '''SHA256''';
# Authentication - '''''SHA256;'''''
# DH group - '''ECP521''';
# DH group - '''''ECP521;'''''
         </td>
         </td>
     </tr>
     </tr>
Line 115: Line 115:
     <tr>
     <tr>
         <td style="border-bottom: 4px solid white>
         <td style="border-bottom: 4px solid white>
# '''Enable''' instance;
# '''''Enable''''' instance;
# Remote endpoint - '''RUT1 public IP''';
# Remote endpoint - '''''RUT1 public IP;'''''
# Authentication method - '''Pre-shared key''';
# Authentication method - '''''Pre-shared key;'''''
# Pre-shared key - the '''same password''' you have '''set on''' '''RUT1''' when configuring '''HUB instance''';
# Pre-shared key - the '''''same password''''' you have '''''set on''''' '''''RUT1''''' when configuring '''''HUB instance;'''''
         </td>
         </td>
     </tr>
     </tr>
Line 133: Line 133:
     <tr>
     <tr>
         <td style="border-bottom: 4px solid white>
         <td style="border-bottom: 4px solid white>
# Mode - '''Start''';
# Mode - '''''Start;'''''
# Type - '''Tunnel''';
# Type - '''''Tunnel;'''''
# '''Enabled''' '''default route''';
# '''''Enable''''' '''''default route;'''''
# Key exchange - '''IKEv2''';
# Key exchange - '''''IKEv2;'''''
         </td>
         </td>
     </tr>
     </tr>
Line 150: Line 150:
     <tr>
     <tr>
         <td style="border-bottom: 4px solid white>
         <td style="border-bottom: 4px solid white>
# Encryption - '''AES256''';
# Encryption - '''''AES256;'''''
# Authentication - '''SHA512''';
# Authentication - '''''SHA512;'''''
# DH group - '''ECP521''';
# DH group - '''''ECP521;'''''
         </td>
         </td>
     </tr>
     </tr>
Line 165: Line 165:
     <tr>
     <tr>
         <td style="border-bottom: 4px solid white>
         <td style="border-bottom: 4px solid white>
# Encryption - '''AES128''';
# Encryption - '''''AES128;'''''
# Authentication - '''SHA256''';
# Authentication - '''''SHA256;'''''
# DH group - '''ECP521''';
# DH group - '''''ECP521;'''''
         </td>
         </td>
     </tr>
     </tr>
</table>
</table>
==Testing configuration==
After we establish the tunnel, we may observe the following information:
===RUT1 (HUB) side===
----
Using the <pre>ipsec statusall</pre> command we can see that the tunnel has been established.
<pre>
root@Teltonika-RUTX12:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.9.2, Linux 5.4.231, armv7l):
  uptime: 74 minutes, since Mar 21 08:52:39 2023
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
  loaded plugins: charon aes des sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp pem openssl gmp xcbc hmac kernel-netlink socket-default stroke vici updown eap-identity eap-mschapv2 xauth-generic
Virtual IP pools (size/online/offline):
  10.20.30.0/24: 254/1/0
Listening IP addresses:
  84.xxx.xxx.xxx
  192.168.11.1
  fd93:51e6:6fe8::1
Connections:
  HUB-HUB_c:  %any...%any  IKEv2
  HUB-HUB_c:  local:  uses pre-shared key authentication
  HUB-HUB_c:  remote: uses pre-shared key authentication
  HUB-HUB_c:  child:  0.0.0.0/0 === dynamic TUNNEL
Security Associations (1 up, 0 connecting):
  HUB-HUB_c[2]: ESTABLISHED 74 minutes ago, 84.xxx.xxx.xxx[84.xxx.xxx.xxx]...88.xxx.xxx.xxx[192.168.86.197]
  HUB-HUB_c[2]: IKEv2 SPIs: ded11f31c20352dc_i 58ebc8d96264c21e_r*, pre-shared key reauthentication in 89 minutes
  HUB-HUB_c[2]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_521
  HUB-HUB_c{3}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c27cb140_i c7382615_o
  HUB-HUB_c{3}:  AES_CBC_128/HMAC_SHA2_256_128/ECP_521, 215536 bytes_i (1981 pkts, 1s ago), 126021 bytes_o (499 pkts, 1s ago), rekeying in 14 minutes
  HUB-HUB_c{3}:  0.0.0.0/0 === 10.20.30.1/32
</pre>


== See also ==
== See also ==


== External links ==
== External links ==

Revision as of 12:28, 21 March 2023

The information in this page is updated in accordance with 00.07.4 firmware version .

Introduction

Configuration overview and prerequisites

Before we begin, let's take a look at the configuration that we are attempting to achieve and the prerequisites that make it possible.

Prerequisites:

  • Two RUT/RUTX series routers with RUTOS firmware;
  • An end device (PC, Laptop) for configuration;

If you're having trouble finding any page or some of the parameters described here on your device's WebUI, you should turn on "Advanced WebUI" mode. You can do that by clicking the "Basic" button under "Mode," which is located at the top-right corner of the WebUI.

Topology

RUT1 - RUTX11 as a hub. It will be our "default gateway" for spoke device. RUTX11 has a LAN subnet of 192.168.11.0/24 configured on it, which should be reachable by the spoke.

RUT2 - RUT955 as a spoke. It will be connecting to a hub for basic internet access. RUT955 has a lan subnet of 192.168.9.0/24 configured on it, which should be reachable by the hub.

RUT1 (Hub) configuration

Start by configuring HUB (RUT1) device. Login to the WebUI, navigate to Services → VPN → IPsec and add a new IPsec instance. Configure everything as follows.

Note: Not specified fields can be left as-is or changed according to your needs.

Instance configuration
  1. Enable instance;
  2. Authentication method - Pre-shared key;
  3. Pre-shared key - your desired password;

Connection configuration
  1. Mode - Start;
  2. Type - Tunnel;
  3. Local subnet - 0.0.0.0/.0;
  4. Key exchange - IKEv2;
  1. Enable Local firewall;
  2. Remote source IP - 10.20.30.0/24;
  3. Remote DNS 9.9.9.9;

Proposal configuration
  1. Encryption - AES256;
  2. Authentication - SHA512;
  3. DH group - ECP521;
  1. Encryption - AES128;
  2. Authentication - SHA256;
  3. DH group - ECP521;

RUT2 (Spoke) configuration

Login to the RUT2 WebUI, navigate to Services → VPN → IPsec and add a new IPsec instance. Configure everything as follows.

Instance configuration
  1. Enable instance;
  2. Remote endpoint - RUT1 public IP;
  3. Authentication method - Pre-shared key;
  4. Pre-shared key - the same password you have set on RUT1 when configuring HUB instance;

Connection configuration
  1. Mode - Start;
  2. Type - Tunnel;
  3. Enable default route;
  4. Key exchange - IKEv2;

Proposalconfiguration
  1. Encryption - AES256;
  2. Authentication - SHA512;
  3. DH group - ECP521;
  1. Encryption - AES128;
  2. Authentication - SHA256;
  3. DH group - ECP521;

Testing configuration

After we establish the tunnel, we may observe the following information:

RUT1 (HUB) side

Using the 

ipsec statusall

command we can see that the tunnel has been established. 

root@Teltonika-RUTX12:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.9.2, Linux 5.4.231, armv7l):
  uptime: 74 minutes, since Mar 21 08:52:39 2023
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
  loaded plugins: charon aes des sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp pem openssl gmp xcbc hmac kernel-netlink socket-default stroke vici updown eap-identity eap-mschapv2 xauth-generic
Virtual IP pools (size/online/offline):
  10.20.30.0/24: 254/1/0
Listening IP addresses:
  84.xxx.xxx.xxx
  192.168.11.1
  fd93:51e6:6fe8::1
Connections:
   HUB-HUB_c:  %any...%any  IKEv2
   HUB-HUB_c:   local:  uses pre-shared key authentication
   HUB-HUB_c:   remote: uses pre-shared key authentication
   HUB-HUB_c:   child:  0.0.0.0/0 === dynamic TUNNEL
Security Associations (1 up, 0 connecting):
   HUB-HUB_c[2]: ESTABLISHED 74 minutes ago, 84.xxx.xxx.xxx[84.xxx.xxx.xxx]...88.xxx.xxx.xxx[192.168.86.197]
   HUB-HUB_c[2]: IKEv2 SPIs: ded11f31c20352dc_i 58ebc8d96264c21e_r*, pre-shared key reauthentication in 89 minutes
   HUB-HUB_c[2]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_521
   HUB-HUB_c{3}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c27cb140_i c7382615_o
   HUB-HUB_c{3}:  AES_CBC_128/HMAC_SHA2_256_128/ECP_521, 215536 bytes_i (1981 pkts, 1s ago), 126021 bytes_o (499 pkts, 1s ago), rekeying in 14 minutes
   HUB-HUB_c{3}:   0.0.0.0/0 === 10.20.30.1/32

See also

External links

Retrieved from "https://wiki.teltonika-networks.com/index.php?title=Domnev&oldid=105788"