IPsec NAT to allow LAN to LAN connections

Hi,

I have a Sophos XGS and an RUT950 running RUT9_R_00.07.02.1

I need to initialise an IPSEC tunnel between the devices so that users on the Sophos can access devices on the RUT LAN.

Sophos LAN: 10.254.254.0/24
RUT LAN: 192.168.8.0/24

So far I can bring up the IPsec just fine. I can ping the RUT from the Sophos and SSH into the RUT from the Sophos over the VPN. The problem is accessing anything on the LAN side of the RUT from the Sophos, and I am sure my issue is NAT; I just don’t know how to solve it. Here are some tcpdumps. I have a LAN host 192.168.8.155 which I am using for testing. I can ping this device from the RUT:

root@ssgb20:~# ping 192.168.8.155
PING 192.168.8.155 (192.168.8.155): 56 data bytes
64 bytes from 192.168.8.155: seq=0 ttl=64 time=2.034 ms
64 bytes from 192.168.8.155: seq=1 ttl=64 time=1.897 ms
64 bytes from 192.168.8.155: seq=2 ttl=64 time=1.898 ms

When I do this I can see the packets on a tcpdump on the br-lan interface:

root@ssgb20:~# tcpdump -i br-lan host 192.168.8.155 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br-lan, link-type EN10MB (Ethernet), capture size 262144 bytes
16:31:33.629633 IP 192.168.8.1 > 192.168.8.155: ICMP echo request, id 15771, seq 0, length 64
16:31:33.629959 IP 192.168.8.155 > 192.168.8.1: ICMP echo reply, id 15771, seq 0, length 64
16:31:34.631799 IP 192.168.8.1 > 192.168.8.155: ICMP echo request, id 15771, seq 1, length 64
16:31:34.632040 IP 192.168.8.155 > 192.168.8.1: ICMP echo reply, id 15771, seq 1, length 64
16:31:35.632239 IP 192.168.8.1 > 192.168.8.155: ICMP echo request, id 15771, seq 2, length 64
16:31:35.632502 IP 192.168.8.155 > 192.168.8.1: ICMP echo reply, id 15771, seq 2, length 64

When I ping from the Sophos, here is what I see in the tcpdump on the wwan and then on the br-lan. This one shows the ICMP coming in from the Sophos; it then seems to get NAT’d to the WAN IP, which seems like the problem:

root@ssgb20:~# tcpdump -iwwan0 host 192.168.8.155 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wwan0, link-type RAW (Raw IP), capture size 262144 bytes
16:33:26.091726 IP 10.254.254.1 > 192.168.8.155: ICMP echo request, id 51254, seq 1550, length 64
16:33:26.092221 IP 59.XXX.XXX.XXX > 192.168.8.155: ICMP echo request, id 51254, seq 1550, length 64
16:33:27.051466 IP 10.254.254.1 > 192.168.8.155: ICMP echo request, id 51254, seq 1551, length 64
16:33:27.051933 IP 59.XXX.XXX.203 > 192.168.8.155: ICMP echo request, id 51254, seq 1551, length 64
16:33:28.091591 IP 10.254.254.1 > 192.168.8.155: ICMP echo request, id 51254, seq 1552, length 64
16:33:28.092068 IP 59.XXX.XXX.203 > 192.168.8.155: ICMP echo request, id 51254, seq 1552, length 64

And just for fun this is what I then see on the LAN side:

root@ssgb20:~# tcpdump -i br-lan host 192.168.8.155 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br-lan, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel

So it seems like the incoming traffic over the IPsec gets NAT’d as it comes into the RUT, but then the RUT doesn’t allow that traffic into the LAN because it looks like it’s coming from the WAN interface of the RUT, not from the Sophos/IPsec.

Finally here is what it looks like on the Sophos side:

XGS3100_RL01_SFOS 19.5.3 MR-3-Build652 HA-Primary# ping 192.168.8.155
PING 192.168.8.155 (192.168.8.155): 56 data bytes
^C
--- 192.168.8.155 ping statistics ---
1741 packets transmitted, 0 packets received, 100% packet loss

XGS3100_RL01_SFOS 19.5.3 MR-3-Build652 HA-Primary# ping 192.168.8.1
PING 192.168.8.1 (192.168.8.1): 56 data bytes
64 bytes from 192.168.8.1: seq=0 ttl=64 time=187.121 ms
64 bytes from 192.168.8.1: seq=1 ttl=64 time=147.173 ms
^C
--- 192.168.8.1 ping statistics ---
3 packets transmitted, 2 packets received, 33% packet loss
round-trip min/avg/max = 147.173/167.147/187.121 ms
XGS3100_RL01_SFOS 19.5.3 MR-3-Build652 HA-Primary#

I’m new to Teltonika and I am sure there is a simple solution but I have been banging my head against this all day and would love some input if anyone knows how to fix it.
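A check for the symptom described above, added here as an example and not part of the original post or of Teltonika's firmware: it parses `tcpdump -n` ICMP lines and reports echo requests whose source address was rewritten from the remote (Sophos) subnet to an address outside both the remote and the local LAN subnet, which is the signature of an outbound masquerade rule being applied to traffic that arrived over the tunnel. The sample lines are constructed from the wwan0 capture in the post; 59.0.0.203 is a placeholder standing in for the redacted WAN address, and the function and variable names are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample, modelled on the wwan0 capture in the post. The address
# 59.0.0.203 is a placeholder for the redacted WAN IP, not a real value.
SAMPLE_WWAN0 = """\
16:33:26.091726 IP 10.254.254.1 > 192.168.8.155: ICMP echo request, id 51254, seq 1550, length 64
16:33:26.092221 IP 59.0.0.203 > 192.168.8.155: ICMP echo request, id 51254, seq 1550, length 64
16:33:27.051466 IP 10.254.254.1 > 192.168.8.155: ICMP echo request, id 51254, seq 1551, length 64
16:33:27.051933 IP 59.0.0.203 > 192.168.8.155: ICMP echo request, id 51254, seq 1551, length 64
16:33:28.091591 IP 10.254.254.1 > 192.168.8.155: ICMP echo request, id 51254, seq 1552, length 64
"""

# Matches the tcpdump -n line format for ICMP echo requests, the only traffic
# captured in the post. Other line types are simply ignored.
ECHO_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+): "
    r"ICMP echo request, id (?P<id>\d+), seq (?P<seq>\d+)"
)


def parse_echo_requests(text):
    """Return one dict per ICMP echo request line, with parsed IP addresses."""
    packets = []
    for line in text.splitlines():
        m = ECHO_RE.match(line)
        if not m:
            continue
        pkt = m.groupdict()
        pkt["src"] = ipaddress.ip_address(pkt["src"])
        pkt["dst"] = ipaddress.ip_address(pkt["dst"])
        packets.append(pkt)
    return packets


def find_snat_rewrites(text, remote_net, lan_net):
    """Pair echo requests that share (id, seq, destination) on the same capture.

    If the first copy comes from remote_net and a later copy of the same packet
    comes from an address in neither remote_net nor lan_net, the router rewrote
    the source (SNAT/masquerade) between the two copies. Returns a list of
    (seq, original_src, rewritten_src) tuples.
    """
    remote = ipaddress.ip_network(remote_net)
    lan = ipaddress.ip_network(lan_net)
    first_seen = {}
    rewrites = []
    for pkt in parse_echo_requests(text):
        key = (pkt["id"], pkt["seq"], pkt["dst"])
        if key not in first_seen:
            first_seen[key] = pkt
            continue
        orig = first_seen[key]
        if (orig["src"] in remote and pkt["src"] not in remote
                and pkt["src"] not in lan and pkt["dst"] in lan):
            rewrites.append((pkt["seq"], str(orig["src"]), str(pkt["src"])))
    return rewrites


if __name__ == "__main__":
    hits = find_snat_rewrites(SAMPLE_WWAN0, "10.254.254.0/24", "192.168.8.0/24")
    for seq, before, after in hits:
        print(f"seq {seq}: source {before} rewritten to {after} before reaching the LAN")
    if not hits:
        print("no source rewrites of tunnel traffic found")
```

To use it on a real capture, replace `SAMPLE_WWAN0` with the saved text of `tcpdump -i wwan0 -n host <lan-host>`; a non-empty result means the tunnel traffic is being masqueraded before it is routed toward the LAN, which is the condition the firewall and NAT rules on the router need to exclude for the IPsec subnet.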

Hello,

I can see that you were running firmware RUT9_R_00.07.02.1. I would recommend upgrading it to the latest version (RUT9_R_00.07.05.4) without keeping settings, to make sure that no previous bugs will occur.

To do this, go to the RUT950 wiki page: https://wiki.teltonika-networks.com/view/RUT950_Firmware_Downloadsm
Then download the latest firmware version.

In the RUT950, navigate to System → Firmware → Upgrade Firmware. Then disable the keep settings option and proceed to upload the downloaded firmware.

After the update process is done, kindly configure the IPsec again based on your Sophos configuration.

I did a brief test on my side using the latest firmware; after establishing the IPsec tunnel, there is no need to touch anything on the firewall or NAT rules side, since the entire LAN subnet has been configured already.

Note that on the Sophos XGS side, make sure that the remote subnet is configured for the entire LAN network of the RUT950 (192.168.8.0/24).

Hope this helps.

Best regards,
Robert
