0 votes
1,495 views 9 comments
by anonymous
Hello,

I have configured an IPsec VPN between a Fortigate and a RUT240 device. The tunnel is UP and I can ping hosts behind the RUT240 from the Fortigate side.

But I have a problem in the reverse direction: when a host behind the Teltonika tries to ping a host behind the Fortigate firewall, the traffic does not go through the VPN tunnel, it goes directly to the internet.

I think I need to exclude this traffic from NAT, but I don't know where.

Can you assist me?

regards
by anonymous
Hello everyone,

I have done multiple troubleshooting steps. It appears that from the Teltonika side the traffic goes via NAT. I am pinging with a source address, but the traffic is definitely NAT-ed somewhere in the Teltonika.

How to exclude that traffic from NAT?
by anonymous

Hello everyone,

Still struggling with the firewall config. How to exclude the VPN destination subnet from NAT?

topology

I need to have an internet connection for the 192.168.1.0/24 subnet and access to the 192.168.10.0/24 subnet via VPN simultaneously.

The firewall setup is the following:

Firewall rules

In the current setup, when masquerading is enabled I have internet for the 192.168.1.0/24 subnet, but no access to 192.168.10.0/24 through the VPN.

If I disable masquerading I don't have internet, but I have access to 192.168.10.0/24 via the VPN tunnel.

I just need to exclude that specific destination 192.168.10.0/24 from masquerading. How to do that?

Thanks

1 Answer

0 votes
by anonymous

Hello,

Please check the instruction guides for IPsec configuration between a Teltonika device and a Fortigate firewall in the following links:

Best regards,

Žygimantas

by anonymous

Thanks for the response.

I followed those guides, and the tunnel is in the UP state. Here is the IPsec status:

From 172.21.22.1 I can ping 192.168.1.1, but not in the reverse direction.

A traceroute from the Teltonika shows that the traffic is not inserted into the IPsec tunnel:

traceroute to 172.21.22.1 (172.21.22.1) from 192.168.1.1, 30 hops max, 38 byte packets
 1  *  *  *
 2  10.231.219.33 (10.231.219.33)  43.163 ms  27.694 ms  21.395 ms
 3  10.231.224.21 (10.231.224.21)  28.539 ms  23.795 ms  21.349 ms
 4  host-213-157-192-222.customer.magticom.ge (213.157.192.222)  26.357 ms  29.601 ms  23.324 ms
 5  host-213-157-192-213.customer.magticom.ge (213.157.192.213)  41.232 ms  26.412 ms  24.328 ms
 6  host-213-157-192-49.customer.magticom.ge (213.157.192.49)  21.295 ms  34.187 ms  24.681 ms
 7  84.44.20.157 (84.44.20.157)  45.259 ms  53.680 ms  49.217 ms
 8  10.135.54.117 (10.135.54.117)  56.351 ms  55.825 ms  51.350 ms

by anonymous
From the ipsec status above you have 192.168.1.0/24 === 172.21.22.0/24; only 192.168.10.0/24 is missing on the right side. Add it to rightsubnet / remote subnet and restart the tunnel.
by anonymous
Hi,

Ignore that screenshot about the ipsec status. At this moment it is working as you described; in the case of ipsec everything is OK.

I just need to fix the firewall rule which is NAT-ing everything: I need to exclude 192.168.10.0/24 as a destination.
by anonymous

The firewall image in the previous section is much too small, I can't read it.

What is the output of iptables -t nat -n -L | grep policy on the router?

by anonymous

Hi,

Here is the screen from: iptables -t nat -n -L | grep policy

Here is the screen from the General firewall configuration:

From the above screenshot you see that Masquerading is enabled. As soon as I disable it, the other side of the VPN tunnel is accessible, but there is no internet access. If I disable it, the VPN peer LAN (192.168.10.0/24) is accessible, but there is no internet access.

by anonymous

The rule to exclude ipsec from NAT is in Network->Firewall->Nat Rules; it should be set to on by default. You can also add it manually: iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT

by anonymous

Thank you :) it works.

I just pasted that line into the custom rules: iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT
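As an added illustration (not code from the thread, from Teltonika firmware, or from any of the posters), the following Python models the nat POSTROUTING chain on the RUT240 and shows why the masquerade rule alone breaks the reverse direction while the policy-match exception fixes it. It reproduces the three situations reported above: masquerade only, masquerade disabled, and masquerade with the `-m policy --pol ipsec --dir out -j ACCEPT` rule inserted in front of it. The subnets are the ones from the thread; the WAN address, the LAN host and the internet destination are constructed placeholders from the documentation ranges. The Linux behaviour modelled is that the xfrm output policy lookup runs after nat POSTROUTING, so a packet whose source has already been rewritten to the WAN address no longer matches the tunnel's traffic selectors and leaves in cleartext.

```python
"""Model of nat POSTROUTING + IPsec policy lookup for the setup in this thread."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Callable

# Subnets from the thread; WAN address is a constructed placeholder (RFC 5737).
LAN = ip_network("192.168.1.0/24")      # behind the Teltonika
REMOTE = ip_network("192.168.10.0/24")  # behind the Fortigate
WAN_IP = ip_address("203.0.113.10")     # placeholder WAN address of the RUT240

# IPsec traffic selectors as configured on the tunnel (leftsubnet === rightsubnet).
XFRM_POLICIES = [(LAN, REMOTE)]


def matches_ipsec_policy(src: IPv4Address, dst: IPv4Address) -> bool:
    """xfrm 'dir out' lookup: is there a selector covering src -> dst?
    This is also exactly what `-m policy --pol ipsec --dir out` tests."""
    return any(src in left and dst in right for left, right in XFRM_POLICIES)


@dataclass
class Rule:
    name: str
    match: Callable[[IPv4Address, IPv4Address], bool]
    target: str  # "ACCEPT" or "MASQUERADE"


def postrouting(rules: list, src: IPv4Address, dst: IPv4Address) -> str:
    """Walk the nat POSTROUTING chain in order; the first match decides."""
    for rule in rules:
        if rule.match(src, dst):
            return rule.target
    return "ACCEPT"  # default chain policy


def send(rules: list, src: IPv4Address, dst: IPv4Address):
    """Return (source after NAT, 'ipsec' or 'cleartext') for one packet."""
    target = postrouting(rules, src, dst)
    new_src = WAN_IP if target == "MASQUERADE" else src
    # The xfrm lookup sees the header *after* NAT, so a masqueraded packet
    # no longer matches a selector written for the LAN subnet.
    path = "ipsec" if matches_ipsec_policy(new_src, dst) else "cleartext"
    return new_src, path


# Rule present on the router before the fix: masquerade everything leaving WAN.
MASQ = Rule("MASQUERADE", lambda s, d: True, "MASQUERADE")
# Equivalent of: iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT
IPSEC_EXEMPT = Rule("policy-ipsec-accept", matches_ipsec_policy, "ACCEPT")

MASQ_ONLY = [MASQ]                  # masquerading enabled, no exception
NO_MASQ = []                        # masquerading disabled
FIXED = [IPSEC_EXEMPT, MASQ]        # -I puts the exception first, so it wins
WRONG_ORDER = [MASQ, IPSEC_EXEMPT]  # -A would append it below MASQUERADE: no effect


def evaluate(rules: list) -> dict:
    """Reproduce the two tests from the thread for one LAN host (constructed):
    reaching the internet and reaching the remote subnet behind the Fortigate."""
    host = ip_address("192.168.1.50")
    src, path = send(rules, host, ip_address("198.51.100.1"))  # placeholder internet host
    internet_ok = src == WAN_IP and path == "cleartext"  # needs a public source address
    src, path = send(rules, host, ip_address("192.168.10.20"))
    vpn_ok = path == "ipsec"  # LAN source preserved, so the packet is encapsulated
    return {"internet": internet_ok, "vpn": vpn_ok}


if __name__ == "__main__":
    for label, rules in [("masquerade only", MASQ_ONLY), ("no masquerade", NO_MASQ),
                         ("fixed", FIXED), ("wrong order", WRONG_ORDER)]:
        print(f"{label:16s} {evaluate(rules)}")
```

The WRONG_ORDER case is why the rule in the thread uses `-I` (insert at the top of POSTROUTING) rather than `-A`; after adding it on the router, `iptables -t nat -S POSTROUTING` confirms that the policy-match ACCEPT is listed before the MASQUERADE rule.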