by
Hi, I am trying to configure a RUT950 with an IPsec VPN to a Zyxel USG firewall.

I can get the IPsec tunnel to connect OK to the Zyxel USG, but no traffic seems to be routing across the VPN.

I am on the latest firmware.

The RUT950 has been factory reset, and then the IPsec credentials programmed. I can see from the USG that the tunnel builds, but I cannot ping across from the LAN of the RUT to the assigned LAN on the other end of the tunnel.

Can someone please help me: once the VPN is built, what are the next steps? IPsec does not seem to have an object defined in the firewall, so I cannot see a way to route the RUT LAN traffic to the USG LAN. I think the routing is the part I am missing. Please could someone explain to me what to do next?

Thanks
by
If the RUT is behind NAT with a dynamic WAN IP address, then it should be in active mode (initiator), with your USG in passive mode (for P1). If you run a ping from a local host to the remote host behind both peers, do you see ESP packets in the PCAP? If yes, are they unidirectional? Just confirm which side actually encrypts data.
by
root@Pavlova-RUT240:~# ipsec status
Shunted Connections:
passthrough0:  192.168.1.0/24 === 192.168.1.0/24 PASS
passthrough1:  192.168.14.0/24 === 192.168.14.0/24 PASS
Security Associations (1 up, 0 connecting):
     EdgeMAX[38]: ESTABLISHED 5 minutes ago, 10.3.171.183[10.48.88.4]...xxxxxxxxxxxxxx
     EdgeMAX{67}:  INSTALLED, TUNNEL, reqid 9, ESP in UDP SPIs: c2b88b6e_i c943a5d2_o
     EdgeMAX{67}:   192.168.14.0/24 === 192.168.1.0/24
root@Pavlova-RUT240:~#

As you can see, you are missing the remote subnet (remote Proxy ID).

The difference between a route-based and a policy-based VPN is described below:

https://blog.webernetz.net/route-vs-policy-based-vpn-tunnels

There is no virtual/tunnel interface created when using a policy-based VPN, hence you cannot use any routing protocols. With a policy-based VPN, traffic is encrypted per policy (ACLs). If the traffic matches the policy (sometimes called "interesting traffic"), it gets encrypted and sent out of the WAN interface to its destination.
by
Hi Dave,

Did you find out the solution? I have the same issue: IPsec is up but no traffic from the RUT240 to the WAN.

Cheers

IT Person

1 Answer

+1 vote
by
As far as I am aware, the RUT builds a policy-based VPN, so no routing is required. Are you sure your local/remote subnet(s) match between the peers (other vendors call it "Proxy-IDs")?

If they mismatch, P1 can be "UP", but P2 will be flapping.
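As an added example (not code from this thread or from Teltonika), a small Python check of the policy-based logic discussed above: it parses the pass-through shunts and the installed CHILD_SA traffic selectors from `ipsec status` output (the RUT950 output posted in the thread is embedded as a constructed sample) and reports whether a given source/destination pair is "interesting traffic" that the policy will encrypt. It also shows why a ping typed on the router itself can fail even when the selectors are right: without a LAN source address (assumed `ping -I br-lan`), the packet is sourced from the WAN address and matches no selector.

```python
import ipaddress
import re

# Constructed sample, copied from the `ipsec status` output posted for the RUT950
# (remote peer address masked as in the thread).
SAMPLE_STATUS = """\
Shunted Connections:
passthrough0: 192.168.20.0/24 === 192.168.20.0/24 PASS
Security Associations (1 up, 0 connecting):
HO_VPN[1]: ESTABLISHED 23 minutes ago, 10.176.106.204[10.176.106.204]...xxx.69.xxx.18[xxx.69.xxx.18]
HO_VPN{1}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: cd6041fe_i 6047679d_o
HO_VPN{1}: 192.168.20.0/24 === 192.168.100.0/24
"""

CIDR = r"(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})"
SHUNT_RE = re.compile(r"^passthrough\d+:\s+" + CIDR + r" === " + CIDR + r" PASS$")
CHILD_RE = re.compile(r"^(\S+)\{\d+\}:\s+" + CIDR + r" === " + CIDR + r"$")


def parse_ipsec_status(text):
    """Return (shunts, tunnels): pass-through pairs and installed CHILD_SA selectors."""
    shunts, tunnels = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = SHUNT_RE.match(line)
        if m:
            shunts.append((ipaddress.ip_network(m[1]), ipaddress.ip_network(m[2])))
            continue
        m = CHILD_RE.match(line)
        if m:
            tunnels.append((m[1], ipaddress.ip_network(m[2]), ipaddress.ip_network(m[3])))
    return shunts, tunnels


def classify_flow(src, dst, shunts, tunnels):
    """Decide what the IPsec policy does with a src -> dst packet."""
    # Simplification (assumption): shunts are checked before tunnel selectors;
    # strongSwan actually ranks policies by selector specificity.
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for local, remote in shunts:
        if s in local and d in remote:
            return ("pass", None)       # bypasses IPsec, e.g. LAN-to-LAN traffic
    for name, local, remote in tunnels:
        if s in local and d in remote:
            return ("tunnel", name)     # "interesting traffic": gets encrypted
    return ("none", None)               # no policy: routed in the clear via the WAN
```

Run `classify_flow("192.168.20.10", "192.168.100.1", *parse_ipsec_status(SAMPLE_STATUS))` for a LAN host and `classify_flow("10.176.106.204", "192.168.100.1", ...)` for the router's own WAN address to see the difference.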
by
Hi, thanks for that. As far as I can see on the USG IPsec monitor, it doesn't flap; the connection stays up, just no routing between the two devices. I've configured a lot of devices over the years, but this one has me stumped.

The only other thing I can see is that my USG IPsec is configured as a site-to-site dynamic peer, as the RUT obviously does not have a fixed WAN IP. Should this be in a Master / Slave configuration instead?

Thanks again
by
There is definitely something not right with the configuration of the RUT950.

I have started again with a different firewall, and again the IPsec tunnel builds, and I can see my firewall is forwarding traffic to the LAN of the RUT950 via the IPsec tunnel. So I know 100% my end is correct. I have always had to set up a routing rule on any firewall that says if you're on LANx and your destination is LANxx, route via the appropriate VPN. This is the bit I am sure is missing in the RUT config. How does it know how to send traffic through the IPsec tunnel once built? It just does not make sense to me!?

Can anyone point me in the right direction?
by
root@Teltonika-RUT950:~# ipsec status
Shunted Connections:
passthrough0: 192.168.20.0/24 === 192.168.20.0/24 PASS
Security Associations (1 up, 0 connecting):
HO_VPN[1]: ESTABLISHED 23 minutes ago, 10.176.106.204[10.176.106.204]...xxx.69.xxx.18[xxx.69.xxx.18]
HO_VPN{1}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: cd6041fe_i 6047679d_o
HO_VPN{1}: 192.168.20.0/24 === 192.168.100.0/24
root@Teltonika-RUT950:~# ping 192.168.100.1
PING 192.168.100.1 (192.168.100.1): 56 data bytes
^C
--- 192.168.100.1 ping statistics ---
11 packets transmitted, 0 packets received, 100% packet loss
root@Teltonika-RUT950:~#

192.168.100.1 is the gateway of my firewall LAN. As you can see, the connection is built, but no routing through the tunnel!!! HELP! ahhh