I have managed to successfully establish an IPSec IKEv2 connection from my RUT240 (to an Azure VPN Gateway).

However, I am then not able to ping or connect RUT-->Azure.
Surprisingly, I am able to ping Azure-->RUT, after which the connection seems to "open" and I am able to connect RUT-->Azure.

This doesn't seem to last though. Over night the problem returned and I had to repeat the trick of first pinging Azure-->RUT.

What configuration settings could be missing?
The tutorials suggest that it should just "work" after setting up the IPSec connection.

Firmware: RUT2_R_00.07.02.7


1 Answer

Have you tried with Mode set to Route in Connection Settings->General Settings?


I tried your suggestion, but unfortunately it didn't help. I think that option only specifies what should happen when the device starts (connect immediately or only once there is traffic).

I am now in a situation where I can ping RUT-->Azure from the RUT240 device itself (via CLI), but not from the LAN attached to the RUT.

How can I set up a route (?) to tell the RUT to send requests from LAN through the tunnel, if they are targeting the remote subnet?

On the RUT side, you need to set "Local Subnet" to your local LAN subnet + local IPsec endpoint and "Remote subnet" to the remote LAN subnet + remote IPsec endpoint.

On the Azure side, set leftsubnet to the Azure subnet + local IPsec endpoint, and rightsubnet to the LAN subnet of the RUT + the remote IPsec endpoint.

The default routes should take care of the rest.

I have all of these settings - the tunnel itself seems to work fine.

The issue is just that the RUT240 does not seem to be sending appropriate traffic through the tunnel. The other direction works fine.
I think it might be missing a route or firewall setting, but I can't find any information as to how to set this up, since the tutorials on the wiki imply that it should just work.

If it helps I believe this is a "route-based" VPN and not a "policy-based" VPN.

Can you check that the "Exclude IPsec from NAT" rule is enabled:

iptables -t nat -n -L | grep ipsec | grep policy

If the output is empty, go to Network->Firewall->NAT rules and enable it, or add the following command to Network->Firewall->Custom rules:

iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT


Thanks for the tip, that option was not enabled.

About a minute after enabling the option it started working!
I hope this solves the issue for good, otherwise I will write back to you.

Thank you for your help.

Shut down the tunnel and restart it. Is the rule still present?

If not, activate it via the Custom Rules menu instead; there is a bug lurking in this version.

I tried restarting the tunnel - the firewall rule got disabled with the tunnel, then got enabled again together with the tunnel.

However, it stopped working again a while later - the rule had disappeared from iptables even though it still showed as enabled in the UI.

I then set your custom rule, which seems to have stuck until now. :)

It would definitely be great to look into the weirdness there.

Thanks again for your help!

I have already reported this bug.
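The thread above hinges on two things: the POSTROUTING rule that keeps IPsec-bound traffic out of MASQUERADE, and the observation that on this firmware the rule can silently drop out of iptables while the UI still shows it enabled. The script below is an added example, not code from the thread or from Teltonika: it parses `iptables -t nat -S POSTROUTING` output, reports whether the exclude rule is missing, present, or present but shadowed by an earlier NAT/jump rule (what you get if it was appended with -A instead of inserted with -I), and re-inserts it at the top when needed. The function names, the `run`/`demo` arguments, the cron line and the sample chain listings (modelled on the fw3 zone-chain layout) are all my own constructions.

```shell
#!/bin/sh
# Added example (not from the original thread or from Teltonika): a small
# watchdog for the "exclude IPsec from NAT" rule. It checks that the nat
# POSTROUTING chain carries an ACCEPT rule with the ipsec policy match AHEAD
# of any rule that would NAT the packet, and re-inserts it at position 1
# when it is missing or shadowed.
# Assumptions (mine): an OpenWrt-style fw3 chain layout, the variable and
# function names, the "run"/"demo" arguments and the cron usage.

IPT="${IPT:-iptables}"

# The rule recommended in the thread. Packets that will be IPsec-encapsulated
# on the way out match "--pol ipsec", are accepted here, and never reach the
# MASQUERADE rule in the WAN zone chain, so the LAN source address survives.
EXCLUDE_RULE='-m policy --dir out --pol ipsec -j ACCEPT'

# ipsec_exclude_status: reads "iptables -t nat -S POSTROUTING" output on stdin
# and prints one word:
#   missing - no ACCEPT rule with the ipsec policy match in the chain
#   late    - the rule exists, but a NAT rule or a jump to another chain
#             comes before it, so MASQUERADE can still win
#   ok      - the rule is present before any NAT-ing or jump rule
ipsec_exclude_status() {
    awk '
        /^-A POSTROUTING / {
            n++
            if ($0 ~ /-m policy/ && $0 ~ /--dir out/ && $0 ~ /--pol ipsec/ && $0 ~ /-j ACCEPT/) {
                if (!ex) ex = n
            } else if ($0 ~ /-j / && $0 !~ /-j (ACCEPT|DROP|RETURN)/) {
                if (!nat) nat = n
            }
        }
        END {
            if (!ex) print "missing"
            else if (nat && nat < ex) print "late"
            else print "ok"
        }'
}

# ensure_ipsec_exclude: run the live check and repair the chain.
# Returns 0 if the rule was already in place, 1 if it had to be (re)inserted,
# 2 if iptables is not available on this host.
ensure_ipsec_exclude() {
    command -v "$IPT" >/dev/null 2>&1 || return 2
    status=$("$IPT" -t nat -S POSTROUTING | ipsec_exclude_status)
    [ "$status" = "ok" ] && return 0
    # Drop a shadowed copy first so duplicates do not pile up, then insert at
    # position 1, ahead of the fw3 zone jumps (the -I form from the thread).
    # shellcheck disable=SC2086
    "$IPT" -t nat -D POSTROUTING $EXCLUDE_RULE 2>/dev/null || true
    # shellcheck disable=SC2086
    "$IPT" -t nat -I POSTROUTING 1 $EXCLUDE_RULE
    logger -t ipsec-nat "exclude rule was $status; re-inserted at top of POSTROUTING"
    return 1
}

# Constructed sample chains, modelled on the fw3 layout, for offline checks.
SAMPLE_GOOD='-P POSTROUTING ACCEPT
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting'

SAMPLE_MISSING='-P POSTROUTING ACCEPT
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting'

# What you get when the rule is added with -A instead of -I: present, but
# every packet has already been handed to the zone chains before it is seen.
SAMPLE_LATE="$SAMPLE_MISSING
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT"

case "${1:-}" in
    run)  ensure_ipsec_exclude ;;   # e.g. cron: */5 * * * * /root/ipsec-nat-check.sh run
    demo) for s in "$SAMPLE_GOOD" "$SAMPLE_MISSING" "$SAMPLE_LATE"; do
              printf '%s\n' "$s" | ipsec_exclude_status
          done ;;
esac
```

Run it with `demo` to see the three verdicts on the constructed chains, and with `run` from cron on the router to catch the rule vanishing, which is the symptom reported above. The "late" case matters in practice: a rule that merely exists is not enough, because fw3's jump into zone_wan_postrouting (where MASQUERADE lives) sits in POSTROUTING too, and whichever comes first decides the packet.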