We are migrating to our new platform at https://community.teltonika.lt. Moving forward, you can continue discussions on this new platform. This current platform will be temporarily maintained for reference purposes.
0 votes
3,698 views 14 comments
by
I'm having trouble with traffic through IPSec between RUT240 and Fortigate. The tunnel is up, both p1 and p2 are correctly configured on both sides, policies and routing on the Fortigate are properly set, but I don't see a proper route on the RUT240. Cannot ping, ssh or http over the tunnel. Any suggestions?

2 Answers

0 votes
by anonymous

Hi,

Cannot ping, ssh or http over the tunnel.

From which side? From RUT240 to Fortigate or vice versa?

by
Couldn't do anything in both directions. I did a factory reset, re-entered the IPSec tunnel configuration (I believe in the same way as before) and suddenly communication started to work.

I've checked the selectors as they seemed to be mis-entered previously (before the factory reset), and on purpose I entered a different mask on both ends in ph2. That broke the communication; next I entered the same mask on both ends and as a result communication was restored. Thus I believe I mis-entered the selectors during the initial configuration.

On the other thing, I don't get the idea of the routing. Traffic that goes to the tunnel is routed to the WAN interface rather than to the ipsec interface. I'm not a Linux guru, but IPSec should be a kind of subinterface of a WAN interface. Never mind. All is up and running now.

Do you have any knowledge on VxLan over IPSec using RUT routers? Is there a chance to get one that supports it?
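The phase 2 mismatch described in the comment above (a different mask on one end, or a selector present on only one side) can be checked before touching either box. The following is an added example, not code from the original post or from Teltonika or Fortinet; the "local <cidr> remote <cidr>" text format and the subnets in it are constructed for the example.

```python
"""Check that the IPsec phase 2 selectors on two peers mirror each other.

Added example with a constructed, hypothetical selector format:
one 'local <cidr> remote <cidr>' line per phase 2 selector, written from
that peer's point of view. Subnets below are made up for the example.
"""
from ipaddress import ip_network

# Constructed sample: what the FortiGate side lists for this peer (two selectors)
FG_SELECTORS = """
local 10.10.0.0/24 remote 192.168.1.0/24
local 10.20.0.0/24 remote 192.168.1.0/24
"""
# Constructed sample: a RUT240 side that mirrors the FortiGate exactly
RUT_OK = """
local 192.168.1.0/24 remote 10.10.0.0/24
local 192.168.1.0/24 remote 10.20.0.0/24
"""
# Constructed sample: wrong mask (/25 instead of /24) and the second selector missing
RUT_BAD = """
local 192.168.1.0/25 remote 10.10.0.0/24
"""

def parse_selectors(text):
    """Return a set of (local, remote) IPv4/IPv6 networks from the hypothetical format."""
    pairs = set()
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] != "local" or parts[2] != "remote":
            raise ValueError(f"unrecognised selector line: {line!r}")
        # strict=True rejects host bits set in the prefix, e.g. 192.168.1.1/24
        pairs.add((ip_network(parts[1], strict=True), ip_network(parts[3], strict=True)))
    return pairs

def selector_mismatches(side_a, side_b):
    """Return (only_on_a, only_on_b): selectors the other peer does not mirror.

    A selector (L, R) on one side must appear as (R, L) on the other. Networks
    are compared exactly, so 192.168.1.0/25 does not match 192.168.1.0/24 even
    though they overlap: that is precisely the mask mismatch that breaks traffic.
    """
    mirrored_b = {(remote, local) for local, remote in side_b}
    mirrored_a = {(remote, local) for local, remote in side_a}
    fmt = lambda pairs: sorted(f"{l} -> {r}" for l, r in pairs)
    return fmt(side_a - mirrored_b), fmt(side_b - mirrored_a)

def audit(fg_text, rut_text):
    """Convenience wrapper: parse both sides and report what does not mirror."""
    return selector_mismatches(parse_selectors(fg_text), parse_selectors(rut_text))

if __name__ == "__main__":
    print("good config:", audit(FG_SELECTORS, RUT_OK))
    print("bad config: ", audit(FG_SELECTORS, RUT_BAD))
```

An empty pair of lists means every selector is mirrored; anything listed is where one peer will send traffic the other never agreed to protect.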
by anonymous

Do you have any knowledge on VxLan over IPSec using RUT routers? Is there a chance to get one that supports it?

Unfortunately our routers do not have such feature.

by anonymous
I have the same problem, tried a factory reset but nothing was resolved. I can see the tunnel UP but no traffic between the 2 devices, cannot even PING the LAN from the 2 devices.
0 votes
by
Have you checked routing table? Have you correctly set subnets on both sides?

Do you have single phase2 or multiple phases2?
by anonymous
Hi Krystian, I have a single Phase 2, the subnets on both sides are correct. On the routing table I don't know what to look for; I tried to set the route "to reach remote LAN use RUT240 as gateway" but it did not work. Another thing I might add is that on my Forti the tunnel is set as Custom, waiting for dial-up users, since on the RUT240 we are using a mobile connection.
by
Here's what I did on FG:

- I set up an ipsec tunnel between FG and RUT240 - the tunnel was up

- I created two policies for the traffic from LAN (all) to the IPSec (all) interface and from IPSec (all) to LAN (all)

- I added a static route to the remote subnet on the IPSec interface I had created for that connection with the RUT240.

I don't think I did anything special on the RUT240 - I don't have access to this device at the moment so I'm unable to verify the settings.
by anonymous
On our FG we have set up a tunnel where I have 26 Phase 2 selectors (is that what you were asking before about multiple phase 2?), 1 for each dial-up from the other remote Cisco RV042/RV082. I've just created the Phase 2 selector for the new connection with the RUT240 inside this tunnel. On the RUT240 I've set up Phase 1 and 2 mirroring the FG. When I go to the FG IPsec Monitor I can see the new selector is UP but the Incoming/Outgoing data stays at 0. On the RUT240 I tried the Ping function to check communication: pinging the remote GW public IP = OK, remote GW LAN IP = no response. The RUT240 LAN is managed as an object inside the FG, so it goes inside the rules created to manage the other 26 connections that are working fine.
by
Please clarify one thing. You are not trying to configure site-to-site IPSec, are you? I wrote about the site-to-site IPSec steps I have done. I'm not sure if you can use the RUT240 as a dial-up router to connect over IPSec.
by anonymous
Actually I'm configuring that. Some months ago we were using a Palo Alto PA220 where we had each IPsec site-to-site configured with those Cisco RV042/RV082. A month ago we switched to a FortiGate; to manage all those ipsec tunnels we just created a single one on the FG, but as a "call receiver" for all our tunnels. It's working fine, and this way we had no need to re-configure all the RV042/RV082.

So basically I was trying to set up the RUT240 with a normal site-to-site IPSec tunnel, as the other 26 devices are configured. Since the tunnel goes up I think it is ok; what I cannot understand is why the tunnel is UP but no data is passing through.
by
So basically you have IPSec dial-up configured for 26 routers and you want to add ipsec site-to-site to that config? Do I get it right?
by anonymous

No, I will try to explain our actual situation better:

  • 26 RV042/RV082 with a gateway-to-gateway ipsec tunnel configured, pointing to our FortiGate 201E
  • FortiGate configured with a single IPSec tunnel, Custom type, setting up the remote user as "Dial Up User"

I was trying to set up the RUT240 like our RV042/RV082, with a site-to-site IPSec tunnel pointing to our FortiGate.
by
I think you can't do it that way. These are different types of tunnels. Create a new ipsec site-to-site for the RUT240 with the steps like I wrote above, unless the RUT240 has the ability to establish an ipsec dial-up connection.
by anonymous
A RUT240 with a mobile connection has no public static IP; it is virtually impossible to establish a site-to-site tunnel with a mobile connection.
by
To create site-to-site ipsec between a Fortigate and a RUT240 with a mobile connection, you can use the dynamic DNS client in the RUT and register it in DNS. Then use that name in the Fortigate instead of an IP address. It will take longer to establish the connection (up to a few minutes, depending on when DDNS publishes it), but then it works as a normal ipsec tunnel with a static IP. Still, there are some scenarios where even this will not work, but I think in a big part of mobile networks it will work.