IPSEC VPN instances

Hello,

[screenshot attachment: Capture]

I have difficulty distinguishing between the two VPN tunnels on the Teltonika side: in the CLI I can't view the virtual interface for each tunnel.

When pinging from the Teltonika LAN side to the FortiGate, I observe that the ping request travels through the first VPN tunnel, but the reply comes back through the second tunnel,
leading to the Teltonika device discarding the ICMP reply.

Any advice?
I suspect asymmetric routing.

Hello,

Yes, you are correct, that is because of asymmetric routing!
To avoid the FortiGate pushing the reply into a different tunnel, please check the cost/priority (which one applies depends on the type of routing you use for the tunnel interface): the tunnel the ping comes from should have the lower cost/priority.

Here is additional information about asymmetric routing:
How to Find & Fix Asymmetric Routing Issues | Auvik
Symmetric and Asymmetric Routing — With Example | by Muhammad Haris Maqsood | Medium

Best Regards

Hello ,
Thank you for your time,
I have one question: why, on the Teltonika CLI, can't I see a virtual interface for each IPsec VPN?

Best Regards

Hello,

My apologies, I missed that one question.
If I understood you correctly, you mean an interface like the other interfaces, such as WAN, LAN, GRE or VPN interfaces. The "ifconfig" command lists almost all VPN interfaces except IPsec, because IPsec does not create a virtual interface by default; technically it is not a VPN, it just encrypts the data and sends it normally. As far as I know, the IPsec daemon has no default implementation that lists ephemeral IPsec tunnels as interfaces, so from the CLI you can check the status with "ipsec status" and continuously debug from the logs with "logread -f | grep ipsec".

Best Regards,
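As an added example (not part of the original thread, and not Teltonika's own tooling): a small Python script that parses `ipsec status` output into per-tunnel records. It shows why the two tunnels cannot be told apart by destination (both traffic selectors cover the same flow) and maps an ESP SPI seen on the WAN with tcpdump to the tunnel and direction it belongs to, which is the practical way to see which tunnel the reply actually used. The sample output, tunnel names, addresses and SPIs are constructed; the line format is modelled on strongSwan's `ipsec status` output and may need adjusting to what a given RutOS version prints.

```python
import re
import sys
from ipaddress import ip_address, ip_network

# Constructed sample, modelled on the `ipsec status` output of strongSwan (which
# RutOS uses); tunnel names, addresses and SPIs are made up for this example.
SAMPLE_STATUS = """\
Security Associations (2 up, 0 connecting):
  fg_tunnel1[1]: ESTABLISHED 12 minutes ago, 198.51.100.10[198.51.100.10]...203.0.113.5[203.0.113.5]
  fg_tunnel1{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c1a2b3c4_i d4e5f6a7_o
  fg_tunnel1{1}:   192.168.1.0/24 === 10.10.0.0/16
  fg_tunnel2[2]: ESTABLISHED 11 minutes ago, 198.51.100.10[198.51.100.10]...203.0.113.6[203.0.113.6]
  fg_tunnel2{2}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: a1b2c3d4_i b4c5d6e7_o
  fg_tunnel2{2}:   192.168.1.0/24 === 10.10.0.0/16
"""

# IKE SA line: "<name>[<id>]: <STATE> ..., <local>[<id>]...<remote>[<id>]"
IKE_RE = re.compile(
    r"^\s*(?P<name>[^\s\[]+)\[(?P<id>\d+)\]:\s+(?P<state>\w+).*?"
    r"(?P<local>[\d.]+)\[[^\]]*\]\.\.\.(?P<remote>[\d.]+)\["
)
# CHILD SA line: "<name>{<id>}:  INSTALLED, TUNNEL, reqid N, ESP SPIs: <in>_i <out>_o"
CHILD_RE = re.compile(
    r"^\s*(?P<name>[^\s{]+)\{(?P<id>\d+)\}:\s+INSTALLED.*?reqid (?P<reqid>\d+), "
    r"ESP(?: in UDP)? SPIs: (?P<spi_in>[0-9a-f]+)_i (?P<spi_out>[0-9a-f]+)_o"
)
# Traffic selector line: "<name>{<id>}:   <local_ts> === <remote_ts>"
TS_RE = re.compile(
    r"^\s*(?P<name>[^\s{]+)\{(?P<id>\d+)\}:\s+(?P<local_ts>[\d./]+) === (?P<remote_ts>[\d./]+)"
)


def parse_ipsec_status(text):
    """Return {tunnel_name: {state, local, remote, reqid, spi_in, spi_out, selectors}}."""
    tunnels = {}
    for line in text.splitlines():
        m = IKE_RE.match(line)
        if m:
            tunnels.setdefault(m["name"], {"selectors": []}).update(
                state=m["state"], local=m["local"], remote=m["remote"])
            continue
        m = CHILD_RE.match(line)
        if m:
            tunnels.setdefault(m["name"], {"selectors": []}).update(
                reqid=int(m["reqid"]), spi_in=m["spi_in"], spi_out=m["spi_out"])
            continue
        m = TS_RE.match(line)
        if m:
            tunnels.setdefault(m["name"], {"selectors": []})["selectors"].append(
                (ip_network(m["local_ts"]), ip_network(m["remote_ts"])))
    return tunnels


def tunnels_for(tunnels, src, dst):
    """Names of the tunnels whose selectors cover a src->dst flow, in CLI order.
    With identical encryption domains every tunnel matches, which is exactly why
    the routing table alone cannot tell you which one will carry a packet."""
    s, d = ip_address(src), ip_address(dst)
    return [name for name, t in tunnels.items()
            if any(s in local and d in remote for local, remote in t["selectors"])]


def tunnel_by_spi(tunnels, spi):
    """Map an ESP SPI seen on the wire (tcpdump prints it as spi=0x...) to
    (tunnel_name, 'in'|'out'); returns None if no installed SA uses it."""
    want = int(spi, 16)  # int() accepts an optional 0x prefix with base 16
    for name, t in tunnels.items():
        if "spi_in" not in t:
            continue  # IKE SA up but no CHILD SA installed
        if int(t["spi_in"], 16) == want:
            return (name, "in")
        if int(t["spi_out"], 16) == want:
            return (name, "out")
    return None


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STATUS
    tunnels = parse_ipsec_status(text)
    for name, t in tunnels.items():
        print(f"{name}: peer {t.get('remote')} reqid {t.get('reqid')} "
              f"SPI in {t.get('spi_in')} out {t.get('spi_out')} selectors {t['selectors']}")
    print("tunnels covering 192.168.1.20 -> 10.10.5.1:", tunnels_for(tunnels, "192.168.1.20", "10.10.5.1"))
```

Run it against a live device with `ipsec status | python3 ipsec_tunnels.py`, then capture the reply on the WAN with `tcpdump -ni <wan> esp` and look the printed `spi=0x...` value up with `tunnel_by_spi`: an inbound SPI belonging to the second tunnel confirms the reply came back through it.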

Thank you for your clarification,

For the asymmetric routing, is there any solution to be done on the Teltonika side?
I tried to implement static routing to prioritise one tunnel over the other, but I cannot specify the exit tunnel interface.

The two tunnels have the same encryption domains on both sides.

Thank you

Hello,

It can't be changed on the Teltonika router, because there is no option to disable asymmetric routing.
You can try sending routes with a less specific subnet mask and check whether anything changes. If nothing changes, the next thing you can do is disable asymmetric routing on the FortiGate device; additionally, the cost should be the same on both sides for a given tunnel.
For example:
FG-tunnel1 ↔ RUT-tunnel1: interfaces with cost 1
FG-tunnel2 ↔ RUT-tunnel2: interfaces with cost 30
That aligns the tunnel distance between the devices and sends the packet into the appropriate tunnel!

Best Regards
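To make the last reply's reasoning concrete, here is an added Python model (not from the thread and not from either vendor) of how each side picks the tunnel for its direction of the flow: most specific prefix first, then lowest cost/distance, with exact ties going to the route installed first. That tie rule is a simplification; real devices may hash equal-cost routes per flow, which is another way equal costs produce the asymmetry seen here. The topology and the three scenarios are constructed: equal costs on both sides, the aligned 1/30 costs suggested above, and the less-specific subnet mask suggestion, which works because longest-prefix match is decided before cost is even looked at.

```python
from ipaddress import ip_address, ip_network

# Constructed topology for the example: the Teltonika (RUT) LAN and the FortiGate
# (FG) LAN, joined by two IPsec tunnels with identical encryption domains.
RUT_LAN = ip_network("192.168.1.0/24")
FG_LAN = ip_network("10.10.0.0/16")
RUT_HOST, FG_HOST = "192.168.1.20", "10.10.5.1"


def select_route(routes, dst):
    """Pick the exit tunnel for dst from a list of (prefix, tunnel, cost) routes.

    Selection order models what both Linux and FortiOS do: the most specific
    prefix wins, then the lowest cost (metric/distance/priority). Among exact
    ties the route installed first is kept (the sort is stable), a simplification
    of real ECMP behaviour, where the choice may be hashed per flow.
    """
    dst = ip_address(dst)
    candidates = [r for r in routes if dst in r[0]]
    if not candidates:
        return None
    candidates.sort(key=lambda r: (-r[0].prefixlen, r[2]))
    return candidates[0][1]


def check_symmetry(rut_routes, fg_routes, rut_host=RUT_HOST, fg_host=FG_HOST):
    """Return (forward_tunnel, return_tunnel, symmetric) for a ping from rut_host
    to fg_host; the RUT drops the reply when the two tunnels differ."""
    forward = select_route(rut_routes, fg_host)
    back = select_route(fg_routes, rut_host)
    return forward, back, forward == back


def scenario_equal_cost():
    """The thread's situation: same cost for both tunnels on both sides, and the
    FortiGate happened to install the tunnel2 route first."""
    rut = [(FG_LAN, "tunnel1", 10), (FG_LAN, "tunnel2", 10)]
    fg = [(RUT_LAN, "tunnel2", 10), (RUT_LAN, "tunnel1", 10)]
    return check_symmetry(rut, fg)


def scenario_aligned_cost():
    """The reply's suggestion: tunnel1 cost 1 and tunnel2 cost 30 on both devices,
    so both directions prefer tunnel1 regardless of install order."""
    rut = [(FG_LAN, "tunnel1", 1), (FG_LAN, "tunnel2", 30)]
    fg = [(RUT_LAN, "tunnel2", 30), (RUT_LAN, "tunnel1", 1)]
    return check_symmetry(rut, fg)


def scenario_less_specific_mask():
    """The reply's other suggestion: keep the exact prefixes on tunnel1 and
    advertise only a less specific prefix over tunnel2, costs left equal."""
    rut = [(FG_LAN, "tunnel1", 10), (ip_network("10.0.0.0/8"), "tunnel2", 10)]
    fg = [(ip_network("192.168.0.0/16"), "tunnel2", 10), (RUT_LAN, "tunnel1", 10)]
    return check_symmetry(rut, fg)


if __name__ == "__main__":
    for scenario in (scenario_equal_cost, scenario_aligned_cost, scenario_less_specific_mask):
        fwd, back, ok = scenario()
        verdict = "OK" if ok else "ASYMMETRIC, reply dropped"
        print(f"{scenario.__name__:28s} out via {fwd}, reply via {back} -> {verdict}")
```

The model treats a tunnel as a route with a cost, which is how a route-based (interface) IPsec tunnel on the FortiGate behaves; on the policy-based Teltonika side the same effect comes from which selector the kernel matches, so the fix has to be applied where a cost can actually be set, as the reply says.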
