IPSec Issues RUTX50

Hi there,
I am in the process of setting up an IPSec Tunnel from a RUTX50 to our PA-820.
The tunnel connection itself works well, but for some reason the RUTX50 has issues with routing the traffic correctly.

Scenario:
Internal IP-Range: 10.0.0.0/8
Local IP Range for the LAN behind the RUTX50: 10.1.237.240/28
I created an additional LAN (lanipsec), which is connected to eth0, for that local LAN. The Wi-Fi clients should still be routed directly out the WAN port without going into the tunnel, so I left the default LAN as is and left the Wi-Fi SSIDs mapped to the default LAN.
Now here comes the issue:
When I enable the IPSec Tunnel and then after that enable lanipsec, everything works and a client connected to a LAN port can communicate over the IPSec tunnel.
As soon as I restart the IPSec-Tunnel or reboot the router, I get no response.
Even if I backup the configuration while the IPSec-Tunnel is working and later on restore that same config, it does not work.

I already found a difference in routing:
While the tunnel works, there are only these routes:
default via 192.168.99.254 dev eth1 proto static src 192.168.99.64 metric 1
10.1.237.240/28 dev eth0 proto kernel scope link src 10.1.237.253
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
192.168.99.0/24 dev eth1 proto static scope link metric 1

When it no longer works the following route gets added to table 220:
10.0.0.0/8 via 192.168.99.254 dev eth1 proto static src 10.1.237.253

I have read that force encapsulation could resolve some problems, enabling it does not help.

When I only add the 10.1.5.0/24 Subnet as Remote Subnet in IPSec-Config, I can reach a device in that subnet, even though the following route gets added to table 220:
10.1.5.0/24 via 192.168.99.254 dev eth1 proto static src 10.1.237.253

It seems that the router does not prioritize the directly connected, more specific /28 route over the /8-Route. How would I go about fixing this?

Best regards,

Kevin

I am currently having a very similar problem. When the IPSec tunnel is UP, local routing stops working. From the IPSec peer side I can connect to the local LAN interface address, but not directly from the local LAN…

Hi, make sure to exclude your local LAN from local IPsec traffic selectors, otherwise IPsec service will “think” that the subnet you’re trying to reach is on the other (remote) side and you won’t be able to connect to the router via its LAN IP while IPsec tunnel is up.

This feature is called “passthrough” - you can specify passthrough per interface or subnet.


In simple terms, this feature tells the router to stop trying to reach your router LAN subnet via IPsec tunnel. Regarding why it works this way - this is the intended behavior. Routing rules and routing tables are two different entities in Linux-based OS. Routing rules will always be looked up first and only then a packet routing decision shall be made according to best match in the routing table.

StrongSwan is the daemon that makes IPsec work on RutOS routers and routing table 220 is a special table, dedicated specifically for IPsec traffic routing. More info about that here:
https://docs.strongswan.org/docs/5.9/howtos/introduction.html#_routing

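To make the rules-before-tables point concrete, here is an added example (not code from the thread, from Teltonika or from strongSwan) that models Linux policy routing with the routes Kevin posted. It assumes the rule layout strongSwan normally installs (a rule for table 220 at priority 220, ahead of the main table at 32766) and models the "passthrough" exclusion as a throw route for the local subnet in table 220, which is how a table lookup can fall through to the next rule; whether RutOS implements passthrough exactly that way is an assumption.

```python
import ipaddress

# Constructed routing tables, copied from the routes posted in the thread.
# Each entry is (prefix, action); action is ("via", gateway, dev),
# ("link", dev) for a directly connected subnet, or ("throw",).
MAIN = [
    ("0.0.0.0/0",       ("via", "192.168.99.254", "eth1")),
    ("10.1.237.240/28", ("link", "eth0")),
    ("192.168.1.0/24",  ("link", "br-lan")),
    ("192.168.99.0/24", ("link", "eth1")),
]
# The route strongSwan adds to table 220 once the tunnel for 10.0.0.0/8 is up.
IPSEC_220 = [("10.0.0.0/8", ("via", "192.168.99.254", "eth1"))]

# Policy rules as `ip rule show` lists them: lowest priority number is consulted first.
# Assumed layout: strongSwan's rule for table 220 sits ahead of the main table.
RULES = [(220, "220"), (32766, "main")]


def longest_match(table, dst):
    """Longest-prefix match inside ONE table (this is where /28 beats /8)."""
    best = None
    for prefix, action in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, action)
    return best


def route_lookup(dst, tables, rules=RULES):
    """Walk the rules in priority order; the first table with a usable match wins.

    Returns (table_name, matched_prefix, action) or None.  Note that a more
    specific route in a LATER table is never considered once an earlier table
    matched: prefix length only competes within a single table.
    """
    dst = ipaddress.ip_address(dst)
    for _prio, name in sorted(rules):
        hit = longest_match(tables[name], dst)
        if hit is None:
            continue                      # no match here, try the next rule
        net, action = hit
        if action[0] == "throw":
            continue                      # throw: abandon this table, next rule
        return (name, str(net), action)
    return None


def with_passthrough(table220, local_subnet):
    """Model of the passthrough exclusion: a throw route for the local LAN in
    table 220 so lookups for that subnet fall through to the main table."""
    return table220 + [(local_subnet, ("throw",))]


if __name__ == "__main__":
    broken = {"220": IPSEC_220, "main": MAIN}
    fixed = {"220": with_passthrough(IPSEC_220, "10.1.237.240/28"), "main": MAIN}
    for host in ("10.1.237.241", "10.1.5.10", "8.8.8.8"):
        print(host, "without passthrough:", route_lookup(host, broken))
        print(host, "with passthrough:   ", route_lookup(host, fixed))
```

On a real router the two inputs to this model are `ip rule show` and `ip route show table 220` (plus `ip route show` for main); comparing those three outputs before and after enabling passthrough shows the same effect the model reproduces: a host in 10.1.237.240/28 is pushed towards the tunnel by the /8 in table 220 until table 220 no longer claims that subnet, while 10.1.5.0/24 and Internet traffic are unaffected.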

Thanks, IPSec Passthrough made it work.
Another Issue I now have is that when adding multiple remote subnets to the tunnel, only the first one gets added to table 220, even though I am using IKEv2.
Since we are using multiple private subnets, I would like to add them separately as routes while still being able to reach the internet directly via WAN.
A 0.0.0.0/0 default route would work for the remote internal subnets, but the internet traffic would then be fully routed through the ipsec tunnel.

How would I get around that?

Try to enable “Compatibility mode” option for IPsec instance configuration, in advanced settings subsection. This should force both ends to create separate security associations for each subnet.

I am unable to get a tunnel connection with compatibility mode enabled.
With it enabled I get these log entries:
Tue Apr 23 08:57:53 2024 daemon.info ipsec: 10[CHD] <IPsec_PA-IPsec_PA_c|1> updown: uci: Entry not found
Tue Apr 23 08:57:53 2024 daemon.info ipsec: 10[CHD] <IPsec_PA-IPsec_PA_c|1> updown: sh: out of range
With a CHILD_SA closed shortly after.

Without compatibility mode I don't get these errors, but I get updown: iptables v1.8.7 (legacy): Bad IP address “”. The tunnel works though.

Strange, I believe these logs don’t indicate an IPsec configuration problem, but rather an issue with an internal configuration file not being loaded properly. It seems that the strongSwan daemon throws some errors when compatibility mode is enabled. Unfortunately, I don’t have a Teltonika device to test, but I wonder if things would work with a different firmware version.

Perhaps you could post some extra information here please:

  • IPsec config file details (at /etc/config/ipsec), make sure to remove PSK, public IPs and any other sensitive data
  • output of ipsec statusall command when tunnel is up without compatibility mode enabled
  • output of /tmp/ipsec/ipsec.conf (not sure if directory of this file is still the same, but it should contain majority of IPsec configuration options which are read by strongSwan daemon upon service initialization)
  • which firmware version is your RUTX50 running right now?
