0 votes
652 views 16 comments
by anonymous

Hello Everyone,

I've set up an IPsec tunnel between my main gateway, a Sonicwall firewall, and an off-site RUT240, following this guide: https://kaunas.teltonika.lt:444/f/6d6b4731ea324fc881b9/?dl=1

Sonicwall LAN --> 192.168.1.0/24
RUT240 LAN --> 192.168.30.0/24

The tunnel is active, as shown in sonicwall webUI and also with an ipsec status on RUT240.
From my host in the Sonicwall LAN I can ping the RUT240 (192.168.30.1), I can connect to it via SSH, and from there I can successfully ping and connect to hosts behind the RUT240 (e.g. 192.168.30.52).

However, I can't directly ping or SSH into those hosts.

I've checked the firewall rules and also tried adding static routes for my Sonicwall LAN on the RUT240, without success. I'm out of ideas; could you please help me sort this out?

Thank you all in advance.

1 Answer

0 votes
by anonymous
Hello,

What are the leftsubnet and rightsubnet values on both sides of the tunnel?

Sonicwall side: leftsubnet: 192.168.1.0/24, rightsubnet: 192.168.30.0/24, at a minimum
RUT side: leftsubnet: 192.168.30.0/24, rightsubnet: 192.168.1.0/24, likewise at a minimum

Regards,
by anonymous

Yes, your schema is correct.

I've now checked that I can reach a host while masquerading is enabled on the LAN. But is this the optimal configuration?
I also forgot to mention that the RUT240 is connected to the Internet via a 4G SIM and does not have a public IP.

by anonymous
Masquerading isn't the optimal configuration; setting the correct left and right subnets is cleaner and makes things easier to control/debug if something doesn't work as expected.
by anonymous

OK, but I don't understand how to achieve this. Could you please point out what I'm getting wrong here?

I'll attach the ipsec.conf from the RUT240:
conn sonicwall
        left=%any4                      # RUT240 side: dynamic 4G address, no public IP
        leftid=*****
        leftsubnet=192.168.30.0/24      # LAN behind the RUT240
        leftauth=psk
        rightauth=psk
        authby=secret
        right=*sonicwall public IP*
        rightid=%any
        keyexchange=ikev1
        leftfirewall=yes                # updown script adds forwarding rules for the tunnel subnets
        rightfirewall=yes
        auto=start
        type=tunnel
        aggressive=yes                  # IKEv1 aggressive mode
        dpdaction=none                  # dead-peer detection is sent but takes no action
        dpddelay=30
        dpdtimeout=150
        forceencaps=no
        keyingtries=%forever
        ike=3des-sha1-modp1536          # IKE (phase 1) proposal
        ikelifetime=28800s
        esp=3des-sha1                   # ESP (phase 2) proposal
        keylife=28800s
        rightsubnet=192.168.1.0/24      # LAN behind the Sonicwall

And the Sonicwall VPN > Network tab has been configured as:

Local Network: 192.168.1.0/24
Remote Network: 192.168.30.0/24

Thank you in advance for your help.
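The conn block above, run through a small audit script. This is an added example, not part of the thread and not Teltonika, strongSwan or Sonicwall code: it reads a strongSwan-style ipsec.conf and flags the legacy settings in the posted configuration (keyexchange=ikev1 with aggressive=yes, 3des-sha1 for both IKE and ESP, DH group modp1536). The replacement values named in the messages (IKEv2, aes256-sha256 with modp2048, or the AEAD aes256gcm16) are general recommendations; both peers must agree on a proposal, so check what the Sonicwall end supports before changing them. The sample file is the posted conn written to a temporary file, with the masked values left as posted.

```sh
#!/bin/sh
# Added example, not from the thread: flag legacy IKE/ESP settings in a
# strongSwan-style ipsec.conf. Usage: audit_ipsec_conf /etc/ipsec.conf
# Prints FINDING/INFO lines; exit status 1 when any FINDING was printed.
audit_ipsec_conf() {
    awk '
    function flag(msg) { print "FINDING: " msg; n++ }
    function check_algs(key, val) {
        # key is "ike" or "esp"; val is the proposal string, lower-cased
        if (index(val, "3des")) flag(key "=" val ": 3DES has a 64-bit block (Sweet32); use AES, e.g. aes256-sha256 or aes256gcm16")
        if (index(val, "md5") || index(val, "sha1")) flag(key "=" val ": MD5/SHA-1 integrity; use sha256 or an AEAD such as aes256gcm16")
        if (val ~ /modp(768|1024|1536)/) flag(key "=" val ": DH group under 2048 bits; use modp2048 or ecp256")
    }
    /^[[:space:]]*#/ { next }            # comment lines
    /^[[:space:]]*$/ { next }            # blank lines
    {
        line = $0
        sub(/^[[:space:]]+/, "", line); sub(/[[:space:]]+$/, "", line)
        eq = index(line, "=")
        if (eq == 0) next                # "conn name", "config setup"
        key = tolower(substr(line, 1, eq - 1)); sub(/[[:space:]]+$/, "", key)
        val = tolower(substr(line, eq + 1)); sub(/^[[:space:]]+/, "", val)
        if (key == "keyexchange" && val == "ikev1")
            flag("keyexchange=ikev1: IKEv1 is deprecated; use keyexchange=ikev2 if the peer supports it")
        else if (key == "aggressive" && val == "yes")
            flag("aggressive=yes: IKEv1 aggressive mode with PSK sends a hash derived from the PSK in the clear, allowing offline guessing; use main mode or IKEv2")
        else if (key == "ike" || key == "esp")
            check_algs(key, val)
        else if (key == "dpdaction" && val == "none")
            print "INFO: dpdaction=none: dead-peer detection runs but never restarts the tunnel; consider dpdaction=restart on a 4G link"
    }
    END { exit (n > 0) }
    ' "$1"
}

# Writes the conn block as posted in the thread (masked values kept) to $1.
write_sample_conf() {
    cat > "$1" <<'EOF'
conn sonicwall
       left=%any4
       leftid=*****
       leftsubnet=192.168.30.0/24
       leftauth=psk
       rightauth=psk
       authby=secret
       right=*sonicwall public IP*
       rightid=%any
       keyexchange=ikev1
       leftfirewall=yes
       rightfirewall=yes
       auto=start
       type=tunnel
       aggressive=yes
       dpdaction=none
       dpddelay=30
       dpdtimeout=150
       forceencaps=no
       keyingtries=%forever
       ike=3des-sha1-modp1536
       ikelifetime=28800s
       esp=3des-sha1
       keylife=28800s
       rightsubnet=192.168.1.0/24
EOF
}

# Stand-alone demo against the posted configuration
conf=$(mktemp)
write_sample_conf "$conf"
audit_ipsec_conf "$conf" || echo "-> legacy settings found; see the FINDING lines above"
rm -f "$conf"
```

The aggressive-mode finding is the one that matters most for a PSK tunnel: in IKEv1 aggressive mode the responder's authentication hash, which depends on the PSK, is sent before any encryption is in place, so anyone who can observe the exchange or initiate to the Sonicwall public IP with the right identity can attack the PSK offline. Main mode or IKEv2 does not expose it that way.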



 

by anonymous
To diagnose the issue:

1) from a device on the Sonicwall side, ping an ip in 192.168.30.0/24
2) on the RUT: tcpdump -i any -n -v 'icmp and host the_ip_above'

What do you see?
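The two steps above, with an added helper for reading the capture. This is example code added here, not from the thread and not a Teltonika tool: it tallies ICMP echo requests and replies per direction in tcpdump -n [-v] icmp output so a one-way flow (requests arriving, nothing leaving) is obvious at a glance. The sample capture lines are constructed in the shape of the output posted later in this thread; the addresses 192.168.1.5 and 192.168.30.52 are illustrative.

```sh
#!/bin/sh
# Added example, not from the thread: tally ICMP echo requests and replies
# per direction in "tcpdump -n [-v] icmp" output so that a one-way flow
# (requests arriving, no reply leaving) stands out.
#
# Usage on the RUT:
#   tcpdump -i any -n -v 'icmp and host 192.168.30.52' | icmp_flow_summary
# or feed saved capture text on stdin. Exit status: 0 if every request
# direction has replies, 1 if some direction is one-way, 2 if no ICMP seen.
icmp_flow_summary() {
    awk '
    # tcpdump prints "src > dst: ICMP echo request|reply, id N, seq M, ..."
    # on its own indented line with -v, or after "HH:MM:SS.us IP" without -v.
    # The "eth0 In"/"eth0 Out" prefix that newer tcpdump adds with -i any is
    # skipped by the address match below.
    /ICMP echo (request|reply)/ {
        if (!match($0, /[0-9.]+ > [0-9.]+:/)) next
        pair = substr($0, RSTART, RLENGTH - 1)        # "src > dst"
        split(pair, ep, " > ")
        src = ep[1]; dst = ep[2]
        if ($0 ~ /echo request/) { req[src "," dst]++; nreq++ }
        else                     { rep[src "," dst]++; nrep++ }
    }
    END {
        if (nreq + nrep == 0) { print "NO-ICMP: no echo request/reply lines in input"; exit 2 }
        for (k in req) {
            split(k, ep, ","); s = ep[1]; d = ep[2]
            back = d "," s                             # the reply direction
            if (back in rep)
                printf "OK %s <-> %s: requests=%d replies=%d\n", s, d, req[k], rep[back]
            else {
                printf "ONE-WAY %s -> %s: requests=%d replies=0\n", s, d, req[k]
                oneway++
            }
        }
        exit (oneway > 0)
    }'
}

# Constructed sample in the shape of the "tcpdump -i any -n -v" output posted
# in this thread: three requests reach the RUT, nothing comes back.
sample_capture_oneway() {
    cat <<'EOF'
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
16:32:52.132075 IP (tos 0x0, ttl 64, id 21873, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.1.5 > 192.168.30.52: ICMP echo request, id 68, seq 1, length 64
16:32:53.133642 IP (tos 0x0, ttl 64, id 21930, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.1.5 > 192.168.30.52: ICMP echo request, id 68, seq 2, length 64
16:32:54.135010 IP (tos 0x0, ttl 64, id 22004, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.1.5 > 192.168.30.52: ICMP echo request, id 68, seq 3, length 64
EOF
}

# Constructed healthy capture (without -v) for comparison: request and reply.
sample_capture_ok() {
    cat <<'EOF'
16:40:01.000123 IP 192.168.1.5 > 192.168.30.52: ICMP echo request, id 70, seq 1, length 64
16:40:01.000789 IP 192.168.30.52 > 192.168.1.5: ICMP echo reply, id 70, seq 1, length 64
EOF
}

# Stand-alone demo
echo "healthy capture:"
sample_capture_ok | icmp_flow_summary
echo "capture as in the thread:"
sample_capture_oneway | icmp_flow_summary || echo "-> verdict: the host's reply never reached the RUT on this path"
```

A ONE-WAY verdict on the RUT says the requests are being decrypted and delivered, so the next capture belongs on the 192.168.30.X host itself: if it answers, follow the reply to the RUT's LAN interface and check that it is forwarded into the tunnel rather than dropped or NATed on the way out. Note that -i any shows a forwarded packet once per interface it crosses, so counts can be doubled; the verdict does not change.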
by anonymous

The RUT240 apparently sees the ping requests:

user@RUT240:# tcpdump -i any -n -v 'icmp and host 192.168.1.X'
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
16:32:52.132075 IP (tos 0x0, ttl 64, id 21873, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.1.X > 192.168.30.X: ICMP echo request, id 68, seq 1, length 64

On the 192.168.1.X side the ping just hangs without a response.

by anonymous
And what is the default route on your 192.168.30.X device? It doesn't seem to know how to reply.
by anonymous

ip route doesn't show any entry for 192.168.1.0; the only possibly relevant entry I can see is the following:

default via *RUT240_ip* dev eth proto dhcp src 192.168.30.X metric 100


Should I add a static route to 192.168.1.0/24? On the host or on the router?
I've already tried to do so, but I think I messed up the gateway to use, as I was getting a network error that prevented me from adding it.

by anonymous
Is this *RUT240_ip* 192.168.30.1? Is the lan->ipsec forwarding rule set to Accept on the RUT?
by anonymous

The answer to your first question is yes.
Regarding the latter, I can't seem to find the IPsec option in the Zone Forwarding section.
According to https://community.teltonika-networks.com/27587/missing-ipsec-zone there's no real one, as IPsec doesn't generate its own virtual interface. It suggests enabling passthrough in the IPsec configuration, which I did, without success.

I had already tried to set up the following forward rule, which was also not working.

What am I missing here?

by anonymous
Does this 192.168.30.X from above exist? Is it pingable directly from the RUT?
by anonymous
Of course; with my initial setup I could also SSH into it while connected to the RUT240's CLI.
As I mentioned shortly after my original post, I can also communicate with it with masquerading activated, but I'm convinced this is a non-optimal configuration, as you have confirmed.
As of now I can't quite understand why the configuration doesn't work properly when masquerading is off.
by anonymous
Strange. Can you run the tcpdump as above but on the 192.168.30.X device, and ping it from the Sonicwall side?
by anonymous
Currently we're using it under the workaround configuration; I will get back to you as soon as I manage to restore the original one and perform the test. Thank you very much.
by anonymous
Do you have a firewall active on your 192.168.30.X device? I find it strange that there is no reply to the ICMP echo request, nor any ICMP unreachable or other error coming back.

Sorry, there was a typo in the target of the ping; it was of course ping 192.168.30.X, and likewise for the tcpdump: tcpdump -i any -n -v 'icmp and host 192.168.30.X'
by anonymous

Good morning,
there's no firewall on 192.168.30.X; I've verified the firewall was inactive and also tried disabling it manually.

I've tried the tcpdump as you mentioned, but I see the same behaviour:

myuser@RUT240:~# tcpdump -i any -n -v 'icmp and host 192.168.30.X'
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
14:29:49.434970 IP (tos 0x0, ttl 64, id 32131, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.1.X > 192.168.30.X: ICMP echo request, id 7, seq 60, length 64

On 192.168.1.X the ping hangs indefinitely:

myuser@mymachine:~$ ping 192.168.30.X
PING 192.168.30.X (192.168.30.X) 56(84) bytes of data.
^C

--- 192.168.30.X ping statistics ---
200 packets transmitted, 0 received, 100% packet loss, time 203765ms



 

by anonymous
And what is the output of tcpdump -n -v icmp on the 192.168.30.X device?