We have a RUT955 which we use as a VPN concentrator. The LAN of the Teltonika is 192.168.250.0/24 and we have a connected OpenVPN client connected to our office network. In the 192.168.250.0/24, everything is accessible from our office network.
We also have 5 IPSEC towards the RUT955. Each IPSEC is a /28 network in the 192.168.251.0 range (192.168.251.0, 192.168.251.8, …).
The RUT955 can access the individual 192.168.251.0 networks fine, but we’re having trouble setting up a static route or the correct settings to make the 192.168.251.0 range accessible from the office network.
We created a static route saying 192.168.251.0 is reachable through the LAN IP address of the RUT955. We also played around with NAT, but to no avail.
A tcpdump is showing the ping requests are reaching the RUT955 with an unknown source IP for the 192.168.251.0 network. We have Masquerading checked for the OpenVPN firewall zone.
Anyone have any recommendations or similar experience? The RUT955 is running FW6.9.5.
While I have not tested this, could you check the following:
Enable forwarding in Network → Firewall settings from OpenVPN zone to WAN zone (IPSec uses WAN zone).
In IPSec settings, try adding the OpenVPN subnet as an additional local subnet, so that you have the LAN subnet and the OpenVPN subnet as local subnets. Ensure that the IPSec configuration on the other end of the IPSec channel reflects these changes.
I edited the Firewall settings, but no change.
I am not able to add the OpenVPN subnet to the IPSEC yet, as that range is unavailable for me still… I will need to wait for someone onsite to give me remote access.
Ensure that you include those networks in IPSec, especially the one you’re NATing from your OpenVPN subnet. If you are not sure about the IP address to which OpenVPN is NATed, install and run tcpdump on the RUT using the commands: opkg install tcpdump and tcpdump -i wwan0 icmp (eth1 if using wired WAN). Then ping from the OpenVPN client.
Given that RUT955 acts as the OpenVPN server, ensure you ‘push’ the IPSec networks to your OpenVPN clients (for example, push "route 192.168.251.0 255.255.255.240"). This lets them know they can access that network via OpenVPN.
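The traffic-selector logic behind this advice, as an added Python model that is not part of the thread or of RUT955 firmware: a packet only enters a phase-2 IPsec tunnel if its (post-NAT) source lies in a negotiated local subnet, and the far end only tunnels the reply if that address lies in its remote subnets. The LAN /24 and the 192.168.251.0/28 site come from the thread; the OpenVPN client subnet 10.8.0.0/24 and the router LAN address 192.168.250.1 are assumptions.

```python
"""Model of IPsec phase-2 traffic selectors for the OpenVPN-to-IPsec
hub in this thread. Added illustration, not RUT955 firmware code."""
from ipaddress import ip_address, ip_network

# Values from the thread: LAN /24 and the first /28 site. The OpenVPN
# client subnet and the hub's LAN address are assumptions (constructed).
LAN = ip_network("192.168.250.0/24")
OPENVPN = ip_network("10.8.0.0/24")
SITE = ip_network("192.168.251.0/28")
RUT_LAN_IP = "192.168.250.1"

def in_any(addr, subnets):
    a = ip_address(addr)
    return any(a in n for n in subnets)

def outbound(local_subnets, src, dst, nat_src=None):
    """Hub side: a packet enters the IPsec tunnel only if, after any NAT,
    its source is in a local subnet and its destination in a remote one."""
    src = nat_src or src
    ok = in_any(src, local_subnets) and in_any(dst, [SITE])
    return "tunnel" if ok else "plain"

def reply(peer_remote_subnets, dst):
    """Spoke side: the reply is tunnelled only if its destination (our
    original, possibly NATed, source) is in the peer's remote subnets."""
    return "tunnel" if in_any(dst, peer_remote_subnets) else "plain"

def ping_path(local_subnets, peer_remote_subnets, src, dst, nat_src=None):
    """Both legs of an echo request/reply from an OpenVPN client."""
    out = outbound(local_subnets, src, dst, nat_src)
    back = reply(peer_remote_subnets, nat_src or src) if out == "tunnel" else "n/a"
    return out, back

if __name__ == "__main__":
    # Before the fix: only the LAN is negotiated on both ends.
    print(ping_path([LAN], [LAN], "10.8.0.5", "192.168.251.2"))  # ('plain', 'n/a')
    # The thread's fix: OpenVPN subnet added as local subnet on the hub
    # and as remote subnet on the spoke.
    print(ping_path([LAN, OPENVPN], [LAN, OPENVPN], "10.8.0.5", "192.168.251.2"))  # ('tunnel', 'tunnel')
    # Hub updated but spoke not: request is tunnelled, reply goes plain.
    print(ping_path([LAN, OPENVPN], [LAN], "10.8.0.5", "192.168.251.2"))  # ('tunnel', 'plain')
    # Alternative: NAT the client to the hub's LAN IP, which both ends include.
    print(ping_path([LAN], [LAN], "10.8.0.5", "192.168.251.2", nat_src=RUT_LAN_IP))  # ('tunnel', 'tunnel')
```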
Hi AndzejJ, we edited the IPSEC tunnel on the RUT955 to include the subnet of the OpenVPN tunnel and this did the trick. The RUT955 is acting as an OpenVPN client, not the server in our setup.