+1 vote
313 views 28 comments
by
Hello,

I have a problem with my RUTX11 and a PC that uses GlobalProtect VPN.

My wife is teleworking and her company uses the software "GlobalProtect" to connect via VPN to their server.

It worked very well over Wi-Fi on the router with the firmware "RUTX_R_00.07.01", but since the update to "RUTX_R_00.07.01.2" it no longer works: the software connects fine, but the PC has no internet access.

So I used the connection sharing of his iPhone instead of the wifi of the router and there it works well and when I go back to the wifi of the router it no longer works.

Do you have a lead?

Could the latest update have created this problem?

Best regards

2 Answers

0 votes
by

Hello,

Thanks for contacting TELTONIKA | Crowd-support forum.

Please try to reflash the firmware without keeping settings. Log in to your router's WebUI, go to System > Firmware > Update firmware > Flash new firmware, and then upload the fw RUTX_R_00.07.01.2 without keeping settings.

Here's the link to download the fw version RUTX_R_00.07.01.2.

https://wiki.teltonika-networks.com/view/RUTX11_Firmware_Downloads

In addition, the Wireless section of the Network tab can be used to manage and configure WiFi Access Points. You can delete the old ESSID and add a new ESSID in either the 2.4 GHz band or the 5 GHz band. You can also determine the type of Wi-Fi encryption used.

More information can be found here:

https://wiki.teltonika-networks.com/view/RUTX11_Wireless#Wireless_Security

Should you need any additional information please let us know. 

Best regards,

by
Hi!

Does it work now for your wife? I got asked to downgrade but nah, and that was in another thread, but I sent in a troubleshoot file.
by
Hello,

No I still have the same problem and like you they asked me to downgrade but I don't have time.
by
Is the Network->Firewall->Nat Rules->Exclude-IPsec-from-NAT checkbox set to On on the router?
by

Hi, yesterday I installed 07.01.04 but it still doesn't work with GlobalProtect VPN from Palo Alto.

I got a suggestion to check "Is the Network->Firewall->Nat Rules->Exclude-IPsec-from-NAT checkbox set to On on the router ?"

But there are no checkboxes on that page and I can't find anything similar either.

I would very much like this €500 box to work as expected again!

by
Me neither, no change.

Personally, I will wait for version 7.2.
0 votes
by
Hello,

No I still have the same problem and like you they asked me to downgrade but I don't have time.
by
Hi, I don’t have that checkbox or any at all on that page and can’t find a similar either when I look around. And now I’m going back to Stockholm again. Maybe next time there will be a fix!
by

Then, from an SSH or CLI console, could you execute iptables-save | grep policy | grep ipsec? The result should look like:

-A zone_wan_postrouting -m policy --dir out --pol ipsec -m comment --comment "!fw3: Exclude-IPsec-from-NAT" -j ACCEPT
-A zone_ipsec_forward -m comment --comment "!fw3: Zone ipsec to lan forwarding policy" -j zone_lan_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to ipsec forwarding policy" -j zone_ipsec_dest_ACCEPT
by
There are no entries for ipsec in the iptables.
by

This is the issue, you must add the rules above. Do:

iptables -A zone_wan_postrouting -m policy --dir out --pol ipsec -m comment --comment "!fw3: Exclude-IPsec-from-NAT" -j ACCEPT
iptables -A zone_ipsec_forward -m comment --comment "!fw3: Zone ipsec to lan forwarding policy" -j zone_lan_dest_ACCEPT
iptables -A zone_lan_forward -m comment --comment "!fw3: Zone lan to ipsec forwarding policy" -j zone_ipsec_dest_ACCEPT
by

Hi! Finally I had the chance to test, and I know nothing about iptables... and when I pasted the first line

iptables -A zone_wan_postrouting -m policy --dir out --pol ipsec -m comment --comment "!fw3: Exclude-IPsec-from-NAT" -j ACCEPT
I received
iptables: No chain/target/match by that name.
by

Sorry I forgot the -t nat option for the first command:

iptables -t nat -A zone_wan_postrouting -m policy --dir out --pol ipsec -m comment --comment "!fw3: Exclude-IPsec-from-NAT" -j ACCEPT
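
The same check, done per netfilter table, as an added example that is not part of any post in this thread: the NAT exclusion rule belongs to the nat table, while the two zone forwarding rules belong to the filter table. The function names and the sample dump are constructed for illustration; the chain names and match strings are the ones quoted above.

```shell
#!/bin/sh
# Reads `iptables-save` text on stdin and prints one line per expected rule:
#   <table> <chain> present|missing
# Exit status is 1 if any of the three rules is missing.
check_ipsec_rules() {
    awk '
        BEGIN {
            n = split("zone_wan_postrouting zone_ipsec_forward zone_lan_forward", chain, " ")
            tbl[1] = "nat";    pat[1] = "--pol ipsec"
            tbl[2] = "filter"; pat[2] = "-j zone_lan_dest_ACCEPT"
            tbl[3] = "filter"; pat[3] = "-j zone_ipsec_dest_ACCEPT"
        }
        # iptables-save starts each table section with "*<table>"
        /^\*/ { table = substr($0, 2); next }
        $1 == "-A" {
            for (i = 1; i <= n; i++)
                if ($2 == chain[i] && table == tbl[i] && index($0, pat[i]))
                    seen[i] = 1
        }
        END {
            for (i = 1; i <= n; i++) {
                if (!seen[i]) missing++
                printf "%s %s %s\n", tbl[i], chain[i], (seen[i] ? "present" : "missing")
            }
            exit (missing > 0)
        }
    '
}

# Constructed sample dump: forwarding rules exist, NAT exclusion rule does not.
sample_after_zone_fix() {
    cat <<'EOF'
*nat
:zone_wan_postrouting - [0:0]
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
COMMIT
*filter
-A zone_ipsec_forward -m comment --comment "!fw3: Zone ipsec to lan forwarding policy" -j zone_lan_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to ipsec forwarding policy" -j zone_ipsec_dest_ACCEPT
COMMIT
EOF
}

# On the router itself the input would be:  iptables-save | check_ipsec_rules
sample_after_zone_fix | check_ipsec_rules || echo "=> at least one expected rule is missing"
```

Running it again after /etc/init.d/firewall restart shows whether a rule comes from /etc/config/firewall or was only added by hand with iptables -A.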
by
Hi again and thanks, the first line of commands worked but I got the same with the second

iptables: No chain/target/match by that name.

And inserting -t nat did not work :)
by
It seems that zones are missing. Check the page Network->Firewall->General Settings: in the Zones->Forwardings section, do you have lan=>ipsec and ipsec=>lan present (and both set to Accept/Accept/Accept)?
by

Hi! No I have

LAN -> WAN Accept at all

WAN->REJECT REJ ACP REJ

I have not made any changes at all, and when I bought the router, everything worked out-of-the-box then after update RUTX_R_00.07.01.2 it stopped working, I have restored w/o saving settings, cleared wifi etc, all the tips I've got here.

/Frederic

by

So a zone seems to be missing in your config (why?).

Go to Network->Firewall->General Settings and add one named ipsec in the zones section; set "Allow forward to dest zones" and "Allow forward from source zones" to lan.

by

I think we are getting there (as to why it's missing, no idea - as I wrote, it stopped working after a firmware upgrade). Now I can start Outlook (app in Windows) and I can browse some sites, but not all, and I can't reach corporate/internal stuff. And it's very slow.

Now I have

root@Teltonika-RUTX12:~# iptables-save | grep policy | grep ipsec

-A zone_ipsec_forward -m comment --comment "!fw3: Zone ipsec to lan forwarding policy" -j zone_lan_dest_ACCEPT

-A zone_lan_forward -m comment --comment "!fw3: Zone lan to ipsec forwarding policy" -j zone_ipsec_dest_ACCEPT

root@Teltonika-RUTX12:~#

Above you wrote "Check the page Network->Firewall->General Settings in the Zones->Forwardings section do you have lan=>ipsec and ipsec=>lan present (and both set to Accept/Accept/Accept)" And later to add one zone, which I did.

I also inserted iptables -t nat -A zone_wan_postrouting -m policy --dir out --pol ipsec -m comment --comment "!fw3: Exclude-IPsec-from-NAT" -j ACCEPT

but no difference, and it disappears when I look up the iptables later.

by

At least there is some progress. Go to Network->Firewall->Nat Rules: do you have an "Exclude-IPsec-from-NAT" rule there?

If you don't, add a section in /etc/config/firewall as:

config redirect            
        option proto 'any'             
        option name 'Exclude-IPsec-from-NAT'
        option extra '-m policy --dir out --pol ipsec'
        option vpn_type 'IPsec'
        option target 'ACCEPT' 
        option dest 'wan'

and restart the firewall: /etc/init.d/firewall restart.

Also check the ipsec zone as above, activate the MSS Clamping button.

by

Thanks again but no difference (almost giving up...). Such a hassle!

root@Teltonika-RUTX12:/etc/config# /etc/init.d/firewall restart

Warning: Section @zone[1] (wan) cannot resolve device of network 'mob2s1a1'

Warning: Option @zone[2].conntrack is unknown

Warning: Section @zone[2] (ipsec) has no device, network, subnet or extra options

Warning: Option @redirect[0].vpn_type is unknown

Warning: Option 'pscan'.port_scan is unknown

Warning: Section @zone[2] (ipsec) has no device, network, subnet or extra options

by

I am not sure what is missing now. There is a new version, 07.02.1; you can try to do an upgrade without keeping the settings. If you do that, check that the 'Exclude-IPsec-from-NAT' rule is present, even if not enabled, before reconfiguring the device.

by
I'm already at that version and I have tried that before, and I don't have the time to connect all the IoT stuff again without knowing for sure that it will work.

This has been going on since January (and there is at least one more in this thread with the same problem).

Thank you so much for your support but now I must check with the official.

Have a nice weekend,

Frederic