
Hi,

I have set up an IPsec tunnel to HQ using a RUT955. Behind the RUT is the 192.168.52.0/24 subnet, which should not be routed through the tunnel. I created a sub-interface on the WAN, 10.43.116.0/24, which is the tunnel's local address. The tunnel is up and running. I have created a destination NAT using iptables -t nat -I PREROUTING -d 10.43.116.1 -j DNAT --to-destination 192.168.52.1 and a source NAT using iptables -t nat -A POSTROUTING -s 10.43.116.21 -j SNAT --to-source 192.168.52.1 in the Firewall -> Custom Rules section.

ISSUE

Traffic from HQ 192.168.100.0/24 subnet can reach 192.168.52.0/24 but 192.168.52.0/24 cannot reach the HQ.

Please tell me what I am missing.

1 Answer


Hi,

If I understand your issue correctly, you'd like to masquerade your RUT955 LAN subnet 192.168.52.1 to WAN IP 10.43.116.1, so devices on the HQ side of the IPsec tunnel would see requests only from the 10.43.116.1 IP and not 192.168.52.X. Is that correct?

Also, in your SNAT iptables rule I've noticed that you're using IP 10.43.116.21. Was it mistyped? If not, could you PM me your network topology and the troubleshoot file from your RUT955 so I could look into your current configuration? I'll also look into the possibility of enabling NAT for IPsec, as by default there's a firewall rule which exempts traffic that matches an IPsec policy from the NAT rule.

The troubleshoot file can be downloaded from WebUI -> System -> Administration -> Troubleshoot.

Regards,

Martynas


Yes, that's correct. Pings from HQ to 10.43.116.1 work, but pings from 192.168.52.1 to HQ servers don't.

Yes, that must be a typo with the 10.43.116.21 address. Please, how do I PM you so I can send you the troubleshoot file and topology? There's no option on my account to do that.

I think the issue is the firewall rule. The NAT address is not using the tunnel. I can reach the internet and not the private subnets. Please see the topology below.

Regards,

Milo
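The two points raised in this thread, the shape of the 1:1 NAT rule pair and the default IPsec-policy exemption in the nat table, can be checked offline. The script below is an added example, not code from the original posts or from Teltonika. Note that the DNAT posted above maps 10.43.116.1 to 192.168.52.1, so the matching outbound SNAT is the mirror image: source 192.168.52.1 rewritten to 10.43.116.1 (the posted SNAT rule has those two addresses the other way round). It also contains a small awk check over iptables-save output that reports whether a policy-match ACCEPT rule (the xt_policy match, -m policy --pol ipsec) sits in front of the SNAT rule in nat POSTROUTING; when such an ACCEPT matches a packet first, that packet leaves the nat chain before the SNAT rule is consulted. The addresses are taken from the thread; the sample iptables-save text is constructed for the demonstration, and the HQ subnet restriction on the SNAT rule (-d 192.168.100.0/24) is an assumption that limits the rewrite to tunnel traffic.

```shell
#!/bin/sh
# Added example: 1:1 NAT of one LAN host onto the IPsec local address, dry-run,
# plus an order check of the nat POSTROUTING chain. Not part of the original thread.
# Addresses below come from the thread; HQ_NET as a SNAT restriction is an assumption.

LAN_HOST="${LAN_HOST:-192.168.52.1}"     # host behind the RUT955
TUNNEL_IP="${TUNNEL_IP:-10.43.116.1}"    # tunnel-side (WAN sub-interface) address
HQ_NET="${HQ_NET:-192.168.100.0/24}"     # remote subnet reached through the tunnel

# Print the rule pair without applying it. Inbound HQ -> TUNNEL_IP becomes LAN_HOST;
# outbound LAN_HOST -> HQ_NET becomes TUNNEL_IP. "-I" places the SNAT rule at the top
# of POSTROUTING so no earlier ACCEPT rule in that chain can shadow it.
nat_rules() {
  printf '%s\n' \
    "iptables -t nat -I PREROUTING -d $TUNNEL_IP -j DNAT --to-destination $LAN_HOST" \
    "iptables -t nat -I POSTROUTING -s $LAN_HOST -d $HQ_NET -j SNAT --to-source $TUNNEL_IP"
}

# Read iptables-save output on stdin and look only at the nat POSTROUTING chain.
# Prints "missing-snat" if no SNAT rule for LAN_HOST exists, "shadowed" if an
# IPsec policy exemption (-m policy ... --pol ipsec) precedes it, otherwise "ok".
check_postrouting_order() {
  awk -v host="$LAN_HOST" '
    /^\*/ { table = $1 }
    table == "*nat" && /^-A POSTROUTING/ {
      n++
      if ($0 ~ /--pol ipsec/ && exempt == 0) exempt = n
      if ($0 ~ ("-s " host "(/32)? ") && $0 ~ /-j SNAT/ && snat == 0) snat = n
    }
    END {
      if (snat == 0) print "missing-snat"
      else if (exempt != 0 && exempt < snat) print "shadowed"
      else print "ok"
    }'
}

# Constructed iptables-save fragment: the exemption rule is in front of the SNAT rule.
sample_save_shadowed() {
  cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 10.43.116.1/32 -j DNAT --to-destination 192.168.52.1
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 192.168.52.1/32 -d 192.168.100.0/24 -j SNAT --to-source 10.43.116.1
COMMIT
EOF
}

# Constructed iptables-save fragment: same rules, SNAT inserted first (as "-I" does).
sample_save_fixed() {
  cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 10.43.116.1/32 -j DNAT --to-destination 192.168.52.1
-A POSTROUTING -s 192.168.52.1/32 -d 192.168.100.0/24 -j SNAT --to-source 10.43.116.1
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
COMMIT
EOF
}

# Usage: ./nat_check.sh            -> print the rules and check the constructed samples
#        ./nat_check.sh live       -> check the running ruleset (needs root and iptables)
#        ./nat_check.sh apply      -> actually install the rule pair (needs root)
case "${1:-}" in
  apply) nat_rules | sh ;;
  live)  iptables-save | check_postrouting_order ;;
  *)
    nat_rules
    printf 'constructed shadowed sample: %s\n' "$(sample_save_shadowed | check_postrouting_order)"
    printf 'constructed fixed sample:    %s\n' "$(sample_save_fixed | check_postrouting_order)"
    ;;
esac
```

On a RUT955 the same check can be run against the live ruleset with the "live" argument; a "shadowed" result means the exemption rule wins and the SNAT rule should be moved above it with -I, which is exactly the ordering the "apply" branch produces.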