<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-7">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-AU" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US">Yeah, that was my understanding of it. The Telstra.extranet APN gives us a proper public IP on the end device but still NATs the traffic.<br>
FortiGate do their own take on DMVPN, but it's proprietary to FortiOS and you require a FortiGate on each end. These RUTX11s run RTSP video and audio streams back to our DC for live monitoring, so the remote networks are small and low power consumption, and the
RUTX11 is an amazing unit.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US">Going to play around with GRE over IPsec, as it is supported on both hardware. If that fails I'll have to build our WAN up to IPv6 and try that.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif"> Beeson, Ayden &lt;abeeson@csu.edu.au&gt;
<br>
<b>Sent:</b> Friday, 7 August 2020 5:30 PM<br>
<b>To:</b> Daniel Carpenter &lt;daniel.carpenter@live.com&gt;<br>
<b>Subject:</b> Re: [AusNOG] IPsec issues over Telstra<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div id="divtagdefaultwrapper">
<p><span style="font-family:"Calibri",sans-serif;color:black">That is correct, you'll be given a dynamic IP that will be getting NAT'ed, which is a big part of why we went DMVPN, as the spokes having dynamic NAT'ed IPs was problematic.<o:p></o:p></span></p>
<p><span style="font-family:"Calibri",sans-serif;color:black"><o:p> </o:p></span></p>
<p><span style="font-family:"Calibri",sans-serif;color:black">There are ways to get a static IP on Telstra mobile services but I believe they are being decommissioned if they haven't already.<o:p></o:p></span></p>
<p><span style="font-family:"Calibri",sans-serif;color:black"><o:p> </o:p></span></p>
<p><span style="font-family:"Calibri",sans-serif;color:black">IPv6 may be your best bet.<o:p></o:p></span></p>
<p><span style="font-family:"Calibri",sans-serif;color:black"><o:p> </o:p></span></p>
<p><span style="font-family:"Calibri",sans-serif;color:black">Cheers,<o:p></o:p></span></p>
<p><span style="font-family:"Calibri",sans-serif;color:black">Ayden<o:p></o:p></span></p>
</div>
<div class="MsoNormal" align="center" style="text-align:center">
<hr size="2" width="98%" align="center">
</div>
<div id="divRplyFwdMsg">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black"> Daniel Carpenter <<a href="mailto:daniel.carpenter@live.com">daniel.carpenter@live.com</a>><br>
<b>Sent:</b> Friday, 7 August 2020 5:18:05 PM<br>
<b>To:</b> Beeson, Ayden<br>
<b>Subject:</b> Re: [AusNOG] IPsec issues over Telstra</span> <o:p></o:p></p>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<div>
<div id="nine_body_n173c7c-3ce9f">
<div>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:#1F497D">Thanks for your responses. <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:#1F497D">Unfortunately GRE and DMVPN are not available on the FortiGate appliances. What appears to be happening is that when the tunnel is formed, the routes being made in the FortiGate to
the end device are to an IPv4 address 1.x.x.x that is not the IP address on the mobile interface of the end device RUTX11. And the pcap shows the packets coming from that same 1.x.x.x address, which to me suggests NAT. I've had two days off so have not had the
chance to do any more troubleshooting from the end device. <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
</div>
<div id="nine-sign-n173c7c-3ce9f">
<div>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:#1F497D">Sent from Nine<o:p></o:p></span></p>
</div>
</div>
</div>
<div>
<div id="quoted_header_n173c7c-3ce9f">
<div class="MsoNormal" align="center" style="text-align:center">
<hr size="1" width="100%" noshade="" style="color:#E1E1E1" align="center">
</div>
<div>
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> "Beeson, Ayden" <<a href="mailto:abeeson@csu.edu.au">abeeson@csu.edu.au</a>><br>
<b>Sent:</b> Friday, August 7, 2020 3:38 PM<br>
<b>To:</b> James Andrewartha; Daniel Carpenter<br>
<b>Cc:</b> <a href="mailto:ausnog@lists.ausnog.net">ausnog@lists.ausnog.net</a><br>
<b>Subject:</b> Re: [AusNOG] IPsec issues over Telstra</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<div>
<div id="x_divtagdefaultwrapper">
<p><span style="font-family:"Calibri",sans-serif;color:black">We've done it a bit (and are currently running some) on Telstra.internet (if I recall correctly) using DMVPN with Cisco gear to do it, so it's not an exact match to your situation.<o:p></o:p></span></p>
<p><span style="font-family:"Calibri",sans-serif;color:black"><o:p> </o:p></span></p>
<p><span style="font-family:"Calibri",sans-serif;color:black">Never noticed any specific IKEv2 issues though.<o:p></o:p></span></p>
<p><span style="font-family:"Calibri",sans-serif;color:black"><o:p> </o:p></span></p>
<p><span style="font-family:"Calibri",sans-serif;color:black">Cheers,<o:p></o:p></span></p>
<p><span style="font-family:"Calibri",sans-serif;color:black">Ayden<o:p></o:p></span></p>
</div>
<div class="MsoNormal" align="center" style="text-align:center">
<hr size="2" width="98%" align="center">
</div>
<div id="x_divRplyFwdMsg">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black"> AusNOG <<a href="mailto:ausnog-bounces@lists.ausnog.net">ausnog-bounces@lists.ausnog.net</a>>
on behalf of James Andrewartha <<a href="mailto:trs80@ucc.gu.uwa.edu.au">trs80@ucc.gu.uwa.edu.au</a>><br>
<b>Sent:</b> Friday, 7 August 2020 1:57:44 AM<br>
<b>To:</b> Daniel Carpenter<br>
<b>Cc:</b> <a href="mailto:ausnog@lists.ausnog.net">ausnog@lists.ausnog.net</a><br>
<b>Subject:</b> Re: [AusNOG] IPsec issues over Telstra</span> <o:p></o:p></p>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt">On Thu, 6 Aug 2020, Daniel Carpenter wrote:<br>
<br>
> Anyone seeing any new issues forming IPsec IKEv2 tunnels over both Telstra.internet and Telstra.extranet lately? I've been<br>
> trying to implement a new hub and spoke for a new environment using an HA pair of FortiGate 300E as the hub and Teltonika RUTX11<br>
> as the end devices. My P1 and P2 come up fine but have little luck sending any traffic. Static routes created with the tunnels<br>
> on both ends appear fine. I've tested the RUTX11 on our external WAN with a public IP out of our APNIC-provided subnet and it<br>
> works flawlessly. Not operational yet, luckily, but if I can't figure it out in a week or two I'll be forced to do it with OpenVPN.<br>
> Or configure it with IPv6.<br>
<br>
I can do it (IKEv1 though) with the embedded LTE modem in a FGT <br>
30E-3G4G-GBL, but if I use a Netgear LB2120 connected to the FGT, the VPN <br>
doesn't come up (I haven't investigated further yet due to lack of time).<br>
<br>
-- <br>
# TRS-80 trs80(a)ucc.gu.uwa.edu.au #/ "Otherwise Bub here will do \<br>
# UCC Wheel Member <a href="http://trs80.ucc.asn.au/">http://trs80.ucc.asn.au/</a> #| what squirrels do best |<br>
[ "There's nobody getting rich writing ]| -- Collect and hide your |<br>
[ software that I know of" -- Bill Gates, 1980 ]\ nuts." -- Acid Reflux #231 /<o:p></o:p></span></p>
</div>
</div>
</div>
</div>
</body>
</html>