FOR TIPS, gUIDES & TUTORIALS

subscribe to our Youtube

GO TO YOUTUBE

14455 questions

17168 answers

28195 comments

0 members

We are migrating to our new platform at https://community.teltonika.lt. Moving forward, you can continue discussions on this new platform. This current platform will be temporarily maintained for reference purposes.
+1 vote
161 views 3 comments
by anonymous
Hello,

I have a problem with RUTX50 & RUTX_R_00.07.04.1 and IPSec tunnel. Local subnet is 192.168.140.0/24 and remote subnet is 0.0.0.0/0 (ANY). Remote firewall is XG Sophos.

After creating an IPSEC tunnel dies LAN interface. Ethernet link is up but I can't ping or WebGUI access LAN interface. But from remote side of IPSec tunnel (XG Sophos) ping and WebGUI working fine.

I found a solution. In IPSEC TUNNEL CONFIGURATION > Advanced settings I set "Passthrough interfaces: lan" and LAN interface came alive again. Is this the correct setting? I do not think that it should behave like this.

1 Answer

0 votes
by anonymous

Hello,

Your solution is correct.

What likely happens, when remote subnet is set to 0.0.0.0/0, is that any packet entering RUT's LAN is immediately encapsulated with IPsec headers and attempted to forward through the IPsec tunnel.

This is resolved, when LAN is set as a passthrough interface.

Alternatively, in RUT IPsec configuration you could simply enable Default route option. This should also equivalent to 0.0.0.0/0 as a remote subnet and LAN set as passthrough interface.

Best regards,

Best answer
by anonymous
Hello,

Thank you for answer. But it is very special behavior to influence anything in L2 (/24 LAN) that uses only ARP without any routing via L3 interface because the locally connected network is more priority than 0.0.0.0/0 and no routing occurs. So there should be no encapsulation to IPSec.
by anonymous
That would be an intuitive way to think.

Unfortunately, I cannot comment on the exact mechanism of the behavior caused by settings 0.0.0.0/0 as a remote network. It is just an assumption. I just wanted to inform that your solution is right and approved by the developers. Passthrough interface option was included due to other clients encountering your issue a few years ago.

Best regards,
by anonymous
OK I understand.

Best regards