No route from LAN to IPsec VPN, but yes from remote host

Hi, I set up an IPsec VPN between a Teltonika RUT206 and a Watchguard.
The VPN tunnel is established, and I can ping from the PC behind my firewall to the PC connected to the router, but not the reverse.
This is my network diagram:

And the Teltonika configuration



If I do a tracert from PC EXT to PC PLATE, it stops on the router:

I’ve been here for many days and I can’t find the problem. Thank you!

Hello,

Retry after removing 10.1.0.0/24 from the Passthrough subnet list and restarting the tunnel.
If it still fails, execute:

iptables -n -L | grep -i ipsec

and post the output.

Regards,

Thanks for the reply!

Removing the passthrough doesn’t work; this is the iptables result:

root@RUT206:~# iptables -n -L | grep -i ipsec
zone_wan_dest_ACCEPT  all  --  10.1.0.0/24          172.16.50.6          policy match dir out pol ipsec proto 50 /* !fw3: Forward-olot-out */
zone_lan_dest_ACCEPT  esp  --  0.0.0.0/0            0.0.0.0/0            /* !fw3: Allow-IPSec-ESP */
zone_lan_dest_ACCEPT  all  --  172.16.50.6          10.1.0.0/24          policy match dir in pol ipsec proto 50 /* !fw3: Forward-olot-in */
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            policy match dir in pol ipsec /* !fw3: Allow-IPsec-Forward */
ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0            /* !fw3: Allow-IPsec-ESP */
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:4500 /* !fw3: Allow-IPsec-NAT-T */
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:500 /* !fw3: Allow-IPsec-IKE */
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            policy match dir in pol ipsec /* !fw3: Allow-IPsec-Input */
zone_wan_dest_ACCEPT  all  --  0.0.0.0/0            0.0.0.0/0            policy match dir out pol ipsec /* !fw3: Allow-IPsec-Output */

The iptables contents look correct.
Could you do the following test:
From 172.16.50.6, start a ping to 10.1.0.15 and let it run.
From 10.1.0.15, ping 172.16.50.6.
Does that work?
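
A small checker for the kind of `iptables -n -L | grep -i ipsec` output posted above, added here as an example that is not part of the thread: it re-joins the lines the terminal wrapped and reports which of the two per-tunnel policy-match ACCEPT rules (dir out for LAN to tunnel, dir in for tunnel to LAN) is missing, which is the check the reply above does by eye. The sample lines are constructed after the posted output and the function names are my own.

```python
import ipaddress
import re

# Constructed sample in the shape fw3 on an OpenWrt-based router prints, with rule
# lines wrapped at terminal width as pasted (leading/trailing spaces belong to the wrap).
SAMPLE_LINES = [
    "zone_wan_dest_ACCEPT  all  --  10.1.0.0/24          172.16.50.6          policy match dir out pol ipsec",
    " proto 50 /* !fw3: Forward-olot-out */",
    "zone_lan_dest_ACCEPT  esp  --  0.0.0.0/0            0.0.0.0/0            /* !fw3: Allow-IPSec-ESP */",
    "zone_lan_dest_ACCEPT  all  --  172.16.50.6          10.1.0.0/24          policy match dir in pol ipsec ",
    "proto 50 /* !fw3: Forward-olot-in */",
    "ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:4500 /* !fw3: Allow-IPsec-NAT-T *",
    "/",
]

# A rule line starts with "TARGET proto -- src dst"; a wrapped continuation does not.
RULE_RE = re.compile(r"^(?P<target>\S+)\s+(?P<proto>\S+)\s+--\s+(?P<src>\S+)\s+(?P<dst>\S+)\s*(?P<opts>.*)$")

def join_wrapped(lines):
    """Re-join rules the terminal wrapped: plain concatenation, since the wrap cut at the column limit."""
    rules = []
    for line in lines:
        if RULE_RE.match(line) or not rules:
            rules.append(line)
        else:
            rules[-1] += line
    return rules

def parse_rules(lines):
    """One dict per rule: target, proto, src, dst, opts, IPsec policy direction and fw3 comment."""
    parsed = []
    for rule in join_wrapped(lines):
        m = RULE_RE.match(rule)
        if not m:
            continue
        pol = re.search(r"policy match dir (in|out) pol ipsec", m.group("opts"))
        note = re.search(r"/\*\s*(.*?)\s*\*/", m.group("opts"))
        parsed.append({**m.groupdict(), "dir": pol and pol.group(1), "comment": note.group(1) if note else ""})
    return parsed

def _covers(rule_addr, addr):
    # 0.0.0.0/0 or any enclosing prefix covers the address; a bare host parses as /32.
    return ipaddress.ip_network(rule_addr).supernet_of(ipaddress.ip_network(addr))

def missing_ipsec_directions(lines, local_net, remote):
    """Which of the policy-match ACCEPT rules (LAN->tunnel 'out', tunnel->LAN 'in') is absent."""
    found = set()
    for r in parse_rules(lines):
        if not r["target"].endswith("ACCEPT") or r["dir"] is None:
            continue
        if r["dir"] == "out" and _covers(r["src"], local_net) and _covers(r["dst"], remote):
            found.add("out")
        if r["dir"] == "in" and _covers(r["src"], remote) and _covers(r["dst"], local_net):
            found.add("in")
    return sorted({"in", "out"} - found)

if __name__ == "__main__":
    print(missing_ipsec_directions(SAMPLE_LINES, "10.1.0.0/24", "172.16.50.6"))  # []
```

An empty list means both forward directions are accepted on the router, so a one-way ping points at the far end (here the Watchguard policy), not at the RUT206 firewall.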

Hello @WillITAdmin,

Could you please confirm if your issue has been resolved or if you still require assistance?

Best regards,

I left the ping from 172.16.50.6 to 10.1.0.15 running (it works) and simultaneously pinged from 10.1.0.15 to 172.16.50.6, and it didn’t work.

The solution was this:
I solved it by modifying a rule on our inbound firewall. I had only allowed inbound traffic. In the same rule, I also allowed outbound traffic from that server, and it worked.
Thank you very much.

Good to hear that you’ve resolved the issue!

Please feel free to reach out on the forum if you need any assistance with anything else.

Best regards,
