We are migrating to our new platform at https://community.teltonika.lt. Moving forward, you can continue discussions on this new platform. This current platform will be temporarily maintained for reference purposes.
0 votes
1,026 views 14 comments
by anonymous

Hi I am trying to establish IPSEC VPN from RUT950 to Azure VPN GW. Firmware version is RUT9XX_R_00.06.09.2.
IPSEC tunnel is up (see ipsec statusall output below) but traffic is not flowing from LAN to remote network.

I can ping Router LAN IP and even WAN IP from local machines but I can't reach remote (right) location.
Any ideas, please?

root@Teltonika-RUT950:~# ipsec statusall
Status of IKE charon daemon (weakSwan 5.8.4, Linux 3.18.44, mips):
  uptime: 17 hours, since Mar 02 21:30:19 2023
  malloc: sbrk 167936, mmap 0, used 143504, free 24432
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 6
  loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey sshkey pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default stroke updown vici xauth-generic
Listening IP addresses:
  103.xxx.xxx.xxx
  192.168.71.1
Connections:
     Client2:  %any...20.xxx.xxx.xxx  IKEv2
     Client2:   local:  uses pre-shared key authentication
     Client2:   remote: [20.xxx.xxx.xxx] uses pre-shared key authentication
     Client2:   child:  192.168.71.0/29 === 10.xxx.xxx.109/32 10.xxx.xxx.235/32 10.xxx.xxx.135/32 10.xxx.xxx.237/32 10.xxx.xxx.116/32 TUNNEL
Security Associations (1 up, 0 connecting):
     Client2[525]: ESTABLISHED 17 minutes ago, 103.xxx.xxx.xxx[103.xxx.xxx.xxx]...20.xxx.xxx.xxx[20.xxx.xxx.xxx]
     Client2[525]: IKEv2 SPIs: 1d447cf4216d280e_i 39a35dc0360fd8c0_r*, pre-shared key reauthentication in 7 hours
     Client2[525]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
     Client2{7}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cc9b0d36_i 0abfeb76_o
     Client2{7}:  AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 7 hours
     Client2{7}:   192.168.71.0/29 === 10.xxx.xxx.109/32 10.xxx.xxx.116/32 10.xxx.xxx.135/32 10.xxx.xxx.235/32 10.xxx.xxx.237/32

by anonymous
1) Does your local PC have the right IP/mask? [192.168.71.2 ... 192.168.71.6] /29

2) Is the local PC's gateway 192.168.71.1?

3) Does your router have a NAT rule that excludes IPsec traffic from the generic LAN masquerade via the WAN interface?

4) Is any firewall on the remote Azure side set to allow traffic from your local subnet?

5) Only 5 remote hosts are defined via the IPsec tunnel. Are their local firewalls set up correctly (e.g. to respond to ping from non-local subnets)?
by anonymous
Thanks Voljka.
1) and 2) are correct; 4) and 5) are also correct.

Can you please tell me how to configure 3) properly?
by anonymous

This is from firewall/NAT Rules:

by anonymous

Hi, thanks. I have got newer GUI on my RUT950. Can you look into this and check if this is proper?

I would like to allow IPSEC traffic from one host only first, for test purposes; that's why there is only one source address.
I would also like to have the possibility to allow this host to communicate with the Internet using the standard WAN interface. How can I achieve that, please?


by anonymous
This rule looks ok. I think 71.2 will have full Internet access. Only traffic to Azure hosts will be intercepted by ipsec, based on the source/destination IP policy.

Any data sent to non-matched destinations will pass freely to the Internet.

P.S. I really hope that you have local access to the router from the LAN. Because I can be wrong :)
by anonymous
Hi thanks a lot! I ensured local access, that's why I am testing on a single host :) thank you for your support, unfortunately it still doesn't work. Traffic is out to the gateway but not transmitted through IPSEC. I need to contact the Azure side admin to check.

Thanks a lot!
by anonymous

Traffic is out to the gateway but not transmitted through IPSEC

So, your counters are zero all the time? Even if you ping remote host, input counter does not grow?

Client2{7}:  AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 7 hours 


by anonymous

Even if there is no reply coming from the Azure side outgoing packets should be visible in the counters, as Volijka mentioned above.

What is the output of:

iptables -t nat -n -L | grep policy | grep ipsec

If it is empty execute manually:

iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
and retest the tunnel.
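As an added example (not code from this thread, from Teltonika or from strongSwan), the following POSIX shell helpers turn the two checks raised above, Voljka's item 3) about the NAT exemption and the zero-counter question, into something that can be run against saved command output. One function classifies the bytes_i/bytes_o counters of a CHILD_SA status line; the other verifies that the `-m policy --dir out --pol ipsec -j ACCEPT` rule is present in nat/POSTROUTING and ordered before MASQUERADE. The sample inputs are constructed to mimic `ipsec statusall` and `iptables -t nat -n -L POSTROUTING` output (the counters are the ones the asker reports later in the thread); on a live router you would feed in the real output instead.

```shell
#!/bin/sh
# Added example, not code from the thread. Offline helpers that classify the two
# things the replies ask about. All inputs below are CONSTRUCTED samples that
# mimic `ipsec statusall` and `iptables -t nat -n -L POSTROUTING` output.

# Constructed CHILD_SA line, counters as the asker reported later in the thread.
SAMPLE_STATUS='    Client2{7}:  AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 388233 bytes_o, rekeying in 7 hours'

# Constructed nat/POSTROUTING listings: policy-match exemption before MASQUERADE (good),
# after it (ineffective: the source was already rewritten), and absent.
SAMPLE_NAT_OK='Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            policy match dir out pol ipsec
MASQUERADE all  --  0.0.0.0/0            0.0.0.0/0'
SAMPLE_NAT_LATE='Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            policy match dir out pol ipsec'
SAMPLE_NAT_MISSING='Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE all  --  0.0.0.0/0            0.0.0.0/0'

# counter_state LINE: read bytes_i / bytes_o from a CHILD_SA status line and
# print one of no_traffic, outbound_only, inbound_only, bidirectional.
counter_state() {
  in=$(printf '%s\n' "$1" | sed -n 's/.* \([0-9][0-9]*\) bytes_i.*/\1/p')
  out=$(printf '%s\n' "$1" | sed -n 's/.* \([0-9][0-9]*\) bytes_o.*/\1/p')
  case "${in:-0}:${out:-0}" in
    0:0) echo no_traffic ;;     # nothing enters the tunnel: check local routing / NAT exemption
    0:*) echo outbound_only ;;  # encrypted packets leave, nothing returns: check the remote side
    *:0) echo inbound_only ;;
    *)   echo bidirectional ;;
  esac
}

# policy_rule_state LISTING: check that the `-m policy --dir out --pol ipsec -j ACCEPT`
# exemption exists in nat/POSTROUTING and sits above the MASQUERADE rule.
# Prints ok, after_masquerade or missing.
policy_rule_state() {
  pol=$(printf '%s\n' "$1" | grep -n 'policy match dir out pol ipsec' | head -n 1 | cut -d: -f1)
  masq=$(printf '%s\n' "$1" | grep -n '^MASQUERADE' | head -n 1 | cut -d: -f1)
  if [ -z "$pol" ]; then
    echo missing
  elif [ -n "$masq" ] && [ "$pol" -gt "$masq" ]; then
    echo after_masquerade
  else
    echo ok
  fi
}

# Stand-alone run over the constructed samples.
echo "CHILD_SA counters : $(counter_state "$SAMPLE_STATUS")"
echo "nat rule (good)   : $(policy_rule_state "$SAMPLE_NAT_OK")"
echo "nat rule (late)   : $(policy_rule_state "$SAMPLE_NAT_LATE")"
echo "nat rule (missing): $(policy_rule_state "$SAMPLE_NAT_MISSING")"
```

The ordering check matters because iptables evaluates nat/POSTROUTING top to bottom: an exemption appended below MASQUERADE never sees the packet with its original LAN source, which is why the command quoted above uses `-I` (insert at the top) rather than `-A`. The counter classification mirrors the thread's own reasoning: `0 bytes_i` with a growing `bytes_o` means the router is encrypting and sending, so the local NAT exemption is doing its job and attention shifts to the remote gateway.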
by anonymous
There are some bytes out, and increasing, when pinging from the local machine.

0 bytes_i, 388233 bytes_0

No traffic in. So, apologies, and thank you for your support, but it seems that there is an issue on the Azure GW side. Please correct me if I am mistaken.
by anonymous
So the output policy rule is present and must be correct. The issue is probably at the other end.

1 Answer

0 votes
by anonymous

Hello,

Is there any particular reason why you use legacy firmware? Do you have a legacy hardware design device?

Other than that, I would like you to attach a troubleshoot file to your question. Please replicate the issue, then access the router's WebUI, go to System -> Administration -> Troubleshoot section and download the troubleshoot file from there. The logs in the file might provide more insight into the issue.

Attached files are private and visible only to Teltonika Moderators.

Best regards,

by anonymous

Hi, yes, I have got legacy HW which supports only up to ver. R_00.06.09.2

I have configured the IPSEC NAT rule as described above by Voljka, but traffic is still not going into the tunnel.

Attaching troubleshoot file. I appreciate your help.

by anonymous
Sorry, I forgot to attach file. But I can't see such option in comments. How can I attach it?
by anonymous
Please edit your original question or send it in a private message.
by anonymous
Knowing some server configuration details (identifiers, phase proposals) would be helpful as well.