The following scenario:
I want to connect 2 RUTX12 using IPsec VPN and be able to ping end devices that are running behind the VPN on both sides of the tunnel. It is important that the same subnet is running on both sides. I have already set up the IPsec tunnel and can also ping the virtual IP of the other side. What is not possible is pinging devices in the subnet behind it.
I’ve tried a lot now, but I can’t reach the other devices in the same subnet. I hope someone can help me here. I think it must be on the firewall somewhere.
But I need all devices that have a 192.168.42.0/24 IP to talk to each other.
Is this possible, without typing 192.168.200.118/192.168.100.85?
The devices behind them are microphone stations for television productions and these have a fixed IP over which their network is set up. I can’t switch them like that.
No. You can have the same IP address on both sides, but how do you distinguish the two? One is local, the other remote; the system will not have any way to know how to route the packets.
If you can, subdivide your 192.168.42.0/24 network into 192.168.42.0/25 and 192.168.42.128/25. You may have to reassign IP addresses, but then you can get rid of the 192.168.100.0/24 and 192.168.200.0/24 networks and all the NETMAP logic.
I have now divided the nets on both sides into /25 and deleted the custom rules.
Server:
192.168.42.0/25
Client:
192.168.42.128/25
The VPN is working and the routers can ping each other. What still doesn’t work is pinging the end devices.
The strange thing is that I can’t ping the newly assigned IP .130 on the client side. Does a Teltonika router not recognize a /25 net with .128-.256 IPs?
Which firewall rules do I need so that the end devices can talk to each other? I think I only need 2 traffic rules (VPN-WAN/WAN-VPN), or?
Hmm. What are those rules? You shouldn’t have to do that.
On the router on one side do a tcpdump -i any -n -v icmp and from the other side a ping of a remote device. What is the output of tcpdump?
I am confused. What are the LAN addresses of the routers?
What is the default route on the LAN devices on both sides?
Could you disable the NAT rules and retry the ping / tcpdump?
What is the 192.168.42.128 device? Shouldn’t that be 192.168.42.129 or some other value between 129 and 254?
In the IPsec config, have you set “Route based IPsec”?
If not set, what are the values of “Local subnet” and “Remote subnet” for both sides?
If set, what is the value of “IP address”, idem both sides?
For testing, be sure to disable “Local firewall” and “Remote firewall”.
IPsec configuration has several subtleties; it is easy to mess things up. Maybe you could consider using WireGuard instead: the configuration is straightforward and performance is much better.
LAN Addresses: Server: 192.168.42.1/25 === Client: 192.168.42.128/25 (VLAN 3600)
Default Routes: there are no rules in routing
The output above is without active NAT rule
.128 is the client router IP and devices behind it have .129-.254
Route based IPsec is not active
Server: local subnet/remote subnet: 192.168.42.0/25 / 192.168.42.128/25
Client: local subnet/remote subnet: 192.168.42.128/25 / 192.168.42.0/25
Disabling the firewall has no effect; I can’t ping devices behind routers.
This is the address of the subnetwork (/25), you should avoid it. Use .129 instead for the router itself.
This is the default route on the lan devices themselves. 192.168.42.1 on the server side and 192.168.42.129 on the client side.
Retry the ping / tcpdump.
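To make the two points in the reply above concrete (a /25 starts at its network address, so .128 cannot be the router's own IP, and the local/remote selectors on each side must mirror each other without overlapping), here is an added sanity check written for this thread; it is not Teltonika code and the values in SIDES are copied from the posts above.

```python
import ipaddress

# Constructed from the thread: one /24 split into two /25 halves, one per router.
# The client router address is the .128 that the reply questions.
SIDES = {
    "server": {"lan": "192.168.42.0/25", "router": "192.168.42.1",
               "remote": "192.168.42.128/25"},
    "client": {"lan": "192.168.42.128/25", "router": "192.168.42.128",
               "remote": "192.168.42.0/25"},
}


def check_side(name, cfg):
    """Return problems found in one router's LAN address and IPsec traffic selectors."""
    problems = []
    lan = ipaddress.ip_network(cfg["lan"])
    remote = ipaddress.ip_network(cfg["remote"])
    router = ipaddress.ip_address(cfg["router"])
    # The first address of a prefix is the network address and the last is
    # broadcast; neither is usable as the router's own LAN IP.
    if router in (lan.network_address, lan.broadcast_address):
        first = lan.network_address + 1
        problems.append(f"{name}: {router} is not a host address in {lan}, use {first}")
    elif router not in lan:
        problems.append(f"{name}: router IP {router} lies outside its LAN {lan}")
    # Overlapping selectors mean a destination matches both local and remote,
    # which is why one /24 on both sides cannot be routed.
    if lan.overlaps(remote):
        problems.append(f"{name}: local {lan} overlaps remote {remote}")
    return problems


def check_pair(sides):
    """Check both routers and confirm each remote subnet mirrors the peer's local subnet."""
    problems = []
    for name, cfg in sides.items():
        problems.extend(check_side(name, cfg))
    a, b = sides
    for me, peer in ((a, b), (b, a)):
        mine = ipaddress.ip_network(sides[me]["remote"])
        theirs = ipaddress.ip_network(sides[peer]["lan"])
        if mine != theirs:
            problems.append(f"{me}: remote {mine} != {peer} local {theirs}")
    return problems


def which_side(host, sides):
    """Names of every side whose LAN contains host; two names means the host is ambiguous."""
    addr = ipaddress.ip_address(host)
    return [n for n, c in sides.items() if addr in ipaddress.ip_network(c["lan"])]
```

Run `check_pair(SIDES)` to see the .128 complaint, and `which_side("192.168.42.140", SIDES)` to confirm the laptop falls on exactly one side once the /24 is split.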
I don’t know where the .128 is coming from. LAN IP is .129.
In IPsec setup and NAT I used the complete subnets (192.168.42.128/25). That’s the only place where it’s coming from.
The laptop address is 192.168.42.140/25 and it’s plugged into the client side router (192.168.42.128/25).
With “the other side” i mean pinging devices on the server side with that laptop.