[AusNOG] IPsec issues over Telstra

Daniel Carpenter daniel.carpenter at live.com
Fri Aug 7 21:42:03 EST 2020

Yeah that was my understanding of it. The telsta.extranet APN gives us a proper public IP on the end device but still NAT's the traffic.
FortiGate do their own take on DMVPN but its proprietary to FortiOS and you require a FortiGate on each end. These RUTX11's run RTSP video and audio streams back to our DC for live monitoring so the remote networks are small and low power consumption and the RUTX11 is an amazing unit.

Going to play around with GRE over IPSEC as it is supported on both hardware. If that fails ill have to build our WAN up to IPv6 and try that.

From: Beeson, Ayden <abeeson at csu.edu.au>
Sent: Friday, 7 August 2020 5:30 PM
To: Daniel Carpenter <daniel.carpenter at live.com>
Subject: Re: [AusNOG] IPsec issues over Telstra

That is correct, you'll be given a dynamic IP that will be getting NAT'ed, which is a big part of why we went DMVPN as the spokes having dynamic NAT'ed IPs was problematic.

There are ways to get a static IP on Telstra mobile services but I believe they are being decommissioned if they haven't already.

IPv6 may be your best bet.



From: Daniel Carpenter <daniel.carpenter at live.com<mailto:daniel.carpenter at live.com>>
Sent: Friday, 7 August 2020 5:18:05 PM
To: Beeson, Ayden
Subject: Re: [AusNOG] IPsec issues over Telstra

Thanks for your responses.
Unfortunately GRE and DMVPN are not available from the fortigate appliances. What appears to be happening is when the tunnel is formed the routes being made in the fortigate to the end device are to an ipv4 address 1.x.x.x that is not the ip address on the mobile interface of the end device rutx11. And the pcap shows the packets coming from that same 1.x.x.x address. Wich to me suggests NAT I've had two days off so have not had the chance to do any more troubleshooting from the end device.

Sent from Nine<https://nam12.safelinks.protection.outlook.com/?url=http%3A%2F%2Fantispam.csu.edu.au%3A32224%2F%3FdmVyPTEuMDAxJiY4M2I5YjhiNTViOTUyMzIyYT01RjJEMDAzOV8yMDMwMF80OTUyXzEmJjM2NDE3MzNhYmMxNjgxMz0xMzMzJiZ1cmw9aHR0cCUzQSUyRiUyRnd3dyUyRTlmb2xkZXJzJTJFY29tJTJG&data=02%7C01%7C%7Cf3839ad7bd2d40d3868508d83aa3b775%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637323822118007266&sdata=TVq2uvM4b5SDQOE6VkQZDZX%2B6NUAOpSLGR5mVV2XJSo%3D&reserved=0>
From: "Beeson, Ayden" <abeeson at csu.edu.au<mailto:abeeson at csu.edu.au>>
Sent: Friday, August 7, 2020 3:38 PM
To: James Andrewartha; Daniel Carpenter
Cc: ausnog at lists.ausnog.net<mailto:ausnog at lists.ausnog.net>
Subject: Re: [AusNOG] IPsec issues over Telstra

We've done it a bit (and are currently running some) on Telstra.internet (if I recall correctly) using DMVPN with Cisco gear to do it, so its not an exact match to your situation.

Never noticed any specific IKEv2 issues though.



From: AusNOG <ausnog-bounces at lists.ausnog.net<mailto:ausnog-bounces at lists.ausnog.net>> on behalf of James Andrewartha <trs80 at ucc.gu.uwa.edu.au<mailto:trs80 at ucc.gu.uwa.edu.au>>
Sent: Friday, 7 August 2020 1:57:44 AM
To: Daniel Carpenter
Cc: ausnog at lists.ausnog.net<mailto:ausnog at lists.ausnog.net>
Subject: Re: [AusNOG] IPsec issues over Telstra

On Thu, 6 Aug 2020, Daniel Carpenter wrote:

> Anyone seeing any new issues forming IPsec IKEv2 tunnels over both Telstra.internet and Telstra.extranet lately? I’ve been
> trying to implement a new hub and spoke for a new environment using a HA pair of FortiGate 300e as the hub and Teltonika RUTX11
> as the end devices. My P1 and P2 come up fine but have little luck sending any traffic. Static routes created with the tunnels
> on both ends appear fine. I’ve tested the RUTX11 on our external wan with a public IP out of our APNIC provided subnet and it
> works flawlessly. Not operational yet luckily but if I cant figure it out in a week or two ill be forced to do it with OpenVPN.
> Or configure it with IPv6.

I can do it (IKEv1 though) with the embedded LTE modem in a FGT
30E-3G4G-GBL, but if I use a Netgear LB2120 connected to the FGT, the VPN
doesn't come up (I haven't investigated further yet due to lack of time).

# TRS-80              trs80(a)ucc.gu.uwa.edu.au #/ "Otherwise Bub here will do \
# UCC Wheel Member     http://trs80.ucc.asn.au/<https://nam12.safelinks.protection.outlook.com/?url=http%3A%2F%2Fantispam.csu.edu.au%3A32224%2F%3FdmVyPTEuMDAxJiZkYmUzYmZhNDA3ZGY2MDNjYj01RjJEMDAzOV8yMDMwMF80OTUyXzEmJmE3ODRhMjRiZGRjNmIwMz0xMzMzJiZ1cmw9aHR0cHMlM0ElMkYlMkZuYW0xMCUyRXNhZmVsaW5rcyUyRXByb3RlY3Rpb24lMkVvdXRsb29rJTJFY29tJTJGJTNGdXJsJTNEaHR0cCUyNTNBJTI1MkYlMjUyRnRyczgwJTJFdWNjJTJFYXNuJTJFYXUlMjUyRiUyNmFtcCUzQmRhdGElM0QwMiUyNTdDMDElMjU3QyUyNTdDMWRlMDBmZWM3MTAwNDU4YzM1YjEwOGQ4M2E5NDI2MzYlMjU3Qzg0ZGY5ZTdmZTlmNjQwYWZiNDM1YWFhYWFhYWFhYWFhJTI1N0MxJTI1N0MwJTI1N0M2MzczMjM3NTUyNTg3ODk0NjglMjZhbXAlM0JzZGF0YSUzRENhZmVMY092QXFZR29ObE9xeXRPa1ZteTBwaGVyJTI1MkZ6UU00RFdvRFJvYnYwJTI1M0QlMjZhbXAlM0JyZXNlcnZlZCUzRDA%3D&data=02%7C01%7C%7Cf3839ad7bd2d40d3868508d83aa3b775%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637323822118007266&sdata=GywQCflc4A5cOYRMQB8Nn2P3X49SwHri3cY9CcvHS1Q%3D&reserved=0> #|  what squirrels do best     |
[ "There's nobody getting rich writing          ]|  -- Collect and hide your   |
[  software that I know of" -- Bill Gates, 1980 ]\  nuts." -- Acid Reflux #231 /
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20200807/d8ab2422/attachment.html>

More information about the AusNOG mailing list