WIKIABOUT

FOR TIPS, gUIDES & TUTORIALS

subscribe to our Youtube

GO TO YOUTUBE

14455 questions

17168 answers

28195 comments

0 members

Most popular tags

rut955 rut240 rut950 rutx11 rms vpn to openvpn wifi not sms trb140 firmware connection - ipsec on rutx12 rutx09 modbus
We are migrating to our new platform at https://community.teltonika.lt. Moving forward, you can continue discussions on this new platform. This current platform will be temporarily maintained for reference purposes.

IPSEC SA estabished but no traffic nor ping possible

0 votes
1,115 views 3 comments
by anonymous
Hi,

We have a sophos firewall with a lot of IPSec-Tunnels. There some working tunnel with RUT 230. One RUT 230 Tunnel is up, but the Traffic nor a ping does not go through. The configuration is always the same. The only difference ist that the tunnel with the problem has no Windows client in LAN. I also cannot reach the RUT web interface on this router. Do I need to define some routes when I don't use a Windows Client behind the RUT?

Non Windows client <-> RUT 230 <-> IPSEC-Tunnel <-> Sophos <-> Home-Network

Regards

1 Answer

0 votes
by anonymous
Hi,

What exactly no windows client we're talking about?

What I would suggest is looking if your router is on the latest firmware release. After that please check this wiki post to check if everything that you already configured is right.

https://wiki.teltonika-networks.com/view/IPsec_configuration_examples

Also, you could run a ping and traceroute to see where your ping stops and then check that exact stopped address firewall rules.

If the firewall is okay, maybe indeed there's a route missing.

EB.
by anonymous
Hi,

the router has 1.13.3. I will be carefully because of my other problem with 1.14.

The Ping and Traceroute to adresses in the internet ist possible. To the internal adress I got no hops. I think it is because of the tunnel. Also in tunnel who are working I only see one hop to the firewall. Maybe it is a routing problem in the RUT 230? Normally I don´t need to define routes for the IPSec in the RUT 230. What route definitions can I test in the RUT 230?

Regards.
by anonymous
If the hop stops on the firewall, then it must be Sophos that isn't routed well.

You must create a route from Sophos to the other site in this case.

EB.
by anonymous

Thank you for your message. I cannot find the failure. The non windows client is a simple ethernet to serial converter with static IP. But I cannot reach the web UI form the RUT, and I think this must be the first step.

Here the routing information:

The Sophos route:

image image TestTun [1 of 1 IPsec SAs established]
image

SA: 192.168.xxx.0/24=81... image 217...=192.168.xxx.8/29
VPN ID: 81...
IKE: Auth PSK / Enc AES_CBC_256 / Hash HMAC_MD5 / Lifetime 7800s / PFS MODP_1024 / DPD
ESP: Enc AES_CBC_256 / Hash HMAC_MD5 / Lifetime 3600s
image

 Tracerout from sopohos to RUT

traceroute to 192.168.xxx.8 (192.168.xxx.8), 30 hops max, 40 byte packets using UDP

 1  * * *

 2  * * *

 3  * * *

 4  * * *

 5  * * *

 6  * * *

Traceroute from RUT to sophos:


traceroute to 192.168.xxx.253 (192.168.xxx.253), 30 hops max, 38 byte packets 1 * 2 * 3 * 4 * 5 * 6 * 7 * 8 * 9 * 10 * 11 * 12 * 13 * 14 * 15 * 16 * 17 * 18 * 19 * 20 * 21 * 22 * 23 * 24 * 25 * 26 * 27 * 28 * 29 * 30 *



IPSec statusall on RUT:

Status of IKE charon daemon (strongSwan 5.6.2, Linux 3.18.44, mips):

uptime: 5 days, since May 05 12:01:53 2021

malloc: sbrk 139264, mmap 0, used 124032, free 15232

worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 7

loaded plugins: charon aes des sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp pem gmp xcbc hmac kernel-netlink resolve socket-default stroke updown xauth-generic

Listening IP addresses:

172...

192.168.xxx.8

Connections:

EWBHKWTun: %any4...81... IKEv1, dpddelay=30s

EWBHKWTun: local: [any4] uses pre-shared key authentication

EWBHKWTun: remote: [81...] uses pre-shared key authentication

EWBHKWTun: child: 192.168.xxx.8/29 === 192.168.yyy.0/24 TUNNEL, dpdaction=restart

passthrough0: %any...%any IKEv1/2

passthrough0: local: uses public key authentication

passthrough0: remote: uses public key authentication

passthrough0: child: 192.168.190.8/29 === 192.168.190.8/29 PASS

Shunted Connections:

passthrough0: 192.168.190.8/29 === 192.168.190.8/29 PASS

Security Associations (1 up, 0 connecting):

EWBHKWTun[63]: ESTABLISHED 35 minutes ago, 172...[any4]...81...[81..]

Tun[63]: IKEv1 SPIs: 04590ee024f60745_i* 99f112cff56bea7e_r, pre-shared key reauthentication in 77 minutes

Tun[63]: IKE proposal: AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024

Tun{163}: INSTALLED, TUNNEL, reqid 4, ESP SPIs: c58dea30_i 2e4d2a5b_o

Tun{163}: AES_CBC_256/HMAC_MD5_96/MODP_1024, 0 bytes_i, 1140 bytes_o (30 pkts, 319s ago), rekeying in 10 minutes

Tun{163}: 192.168.xxx.8/29 === 192.168.yyy.0/24