RMS VPN with 2 sites doesn't work

Hi.

We have 2 sites with RUT950 and RUT241. Let us name them Site M1 and M2.
Both sites are connected via WAN to RMS, and the connection to RMS works fine.

We created a VPN Hub and the correct routing entries:
Network Site M1: 192.168.250.0 /24
Network Site M2: 192.168.251.0 /24

Testing from client vpn to reach (ping) one device on network M1 - success!
Testing from client vpn to reach (ping) one device on network M2 - success!

But now the issue: if we try to reach one device FROM network M1 → Network M2, there is no answer. The same if we try to reach one device FROM Network M2 → Network M1: no answer!

We are following exactly the steps:
https://wiki.teltonika-networks.com/view/RMS_VPN_Hubs

And:

  • upgraded to the latest FW of both device types (mass production)
  • deleted the VPN settings in both devices
  • rebooted both devices
  • “upgrade configuration and device settings” in both devices
  • created manual routing entries to reach each other
  • In VPN Hub, set the RUT from Site M1 and M2 to a static IP, because the IP of device M1 in VPN Hub is, for example, 192.168.255.10, but the routing entry in the routing table of RUT M1 is 192.168.255.9 (so in every case it is the IP +1); on the other site it is the same.

Nothing helps to get the routing from Site M1 to M2 working.

Who could help??

Thank you!

1 Like

Hello,

I assume LAN forwarding is enabled for both devices in RMS VPN Hub → routes page? Also, the routes are added:

  • 192.168.250.0 255.255.255.0 via M1_router
  • 192.168.251.0 255.255.255.0 via M2_router

If these are added, try navigating to the clients tab and pressing the button to update configurations and certificates:


Kind Regards,

Hi,

Both checked.

Routes are visible in the Status page.
“Update configuration” in RMS VPN Hub pressed.

Any further ideas?

Hello,

Please connect to one of the devices via CLI/SSH with username ‘root’, execute the following commands to check routes, and share those here.

route -n
ip r show

Kind Regards,

M1: RUT:
___:~# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.178.1 0.0.0.0 UG 1 0 0 eth1
192.168.178.0 0.0.0.0 255.255.255.0 U 1 0 0 eth1
192.168.250.0 0.0.0.0 255.255.255.0 U 5 0 0 br-lan
192.168.251.0 192.168.255.5 255.255.255.0 UG 0 0 0 tun_c_rms_ganw2
192.168.255.0 192.168.255.5 255.255.255.0 UG 0 0 0 tun_c_rms_ganw2
192.168.255.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun_c_rms_ganw2

M2: RUT:
___:~# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.178.1 0.0.0.0 UG 1 0 0 eth0.2
192.168.178.0 0.0.0.0 255.255.255.0 U 1 0 0 eth0.2
192.168.250.0 192.168.255.13 255.255.255.0 UG 0 0 0 tun_c_rms_ganw2
192.168.251.0 0.0.0.0 255.255.255.0 U 4 0 0 br-lan
192.168.255.0 192.168.255.13 255.255.255.0 UG 0 0 0 tun_c_rms_ganw2
192.168.255.13 0.0.0.0 255.255.255.255 UH 0 0 0 tun_c_rms_ganw2

M1: RUT:
___:~# ip r show
default via 192.168.178.1 dev eth1 proto static src 192.168.178.180 metric 1
192.168.178.0/24 dev eth1 proto static scope link metric 1
192.168.250.0/24 dev br-lan proto static scope link metric 5
192.168.251.0/24 via 192.168.255.5 dev tun_c_rms_ganw2
192.168.255.0/24 via 192.168.255.5 dev tun_c_rms_ganw2
192.168.255.5 dev tun_c_rms_ganw2 proto kernel scope link src 192.168.255.6

M2: RUT:
___:~# ip r show
default via 192.168.178.1 dev eth0.2 proto static src 192.168.178.30 metric 1
192.168.178.0/24 dev eth0.2 proto static scope link metric 1
192.168.250.0/24 via 192.168.255.13 dev tun_c_rms_ganw2
192.168.251.0/24 dev br-lan proto static scope link metric 4
192.168.255.0/24 via 192.168.255.13 dev tun_c_rms_ganw2
192.168.255.13 dev tun_c_rms_ganw2 proto kernel scope link src 192.168.255.14

Hello,

The routes are there, so the router should know where to route the packets.

Could you check if the routers themselves can ping each other via their LAN IP? You can ping from WebUI by navigating to System → Administration → Troubleshoot.

Also, you can try enabling masquerading on LAN => WAN zone in Network → Firewall. This way, the packets will appear on the end devices as if they are coming from the their router in LAN.

Let me know how it goes.

Kind Regards,

Hi Andzej,

nice results?!
Ping From M1 to device behind M2:
PING 192.168.251.13 (192.168.251.13): 56 data bytes
64 bytes from 192.168.251.13: seq=0 ttl=63 time=12.972 ms
64 bytes from 192.168.251.13: seq=1 ttl=63 time=16.180 ms
64 bytes from 192.168.251.13: seq=2 ttl=63 time=20.187 ms
64 bytes from 192.168.251.13: seq=3 ttl=63 time=14.337 ms

--- 192.168.251.13 ping statistics ---
5 packets transmitted, 4 packets received, 20% packet loss
round-trip min/avg/max = 12.972/15.919/20.187 ms

next try:
PING 192.168.251.13 (192.168.251.13): 56 data bytes
64 bytes from 192.168.251.13: seq=0 ttl=63 time=14.335 ms
64 bytes from 192.168.251.13: seq=1 ttl=63 time=17.001 ms
64 bytes from 192.168.251.13: seq=2 ttl=63 time=20.959 ms
64 bytes from 192.168.251.13: seq=3 ttl=63 time=15.084 ms
64 bytes from 192.168.251.13: seq=4 ttl=63 time=18.949 ms

--- 192.168.251.13 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 14.335/17.265/20.959 ms

from the other side: M2 to one device behind M1:
PING 192.168.250.120 (192.168.250.120): 56 data bytes
64 bytes from 192.168.250.120: seq=0 ttl=127 time=25.015 ms
64 bytes from 192.168.250.120: seq=1 ttl=127 time=18.715 ms
64 bytes from 192.168.250.120: seq=2 ttl=127 time=22.645 ms
64 bytes from 192.168.250.120: seq=3 ttl=127 time=26.660 ms
64 bytes from 192.168.250.120: seq=4 ttl=127 time=21.156 ms

--- 192.168.250.120 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 18.715/22.838/26.660 ms


Masquerading doesn’t change anything…

But ping from the Site M1 router to one device behind M2 works,
and ping from the M2 router to one device behind M1 works fine as well.

What could be the reason that routing from one device on Site M1 to the RUT M2 doesn’t work?
We’ve checked the gateway settings in the client computer, OK.
Maybe the gateway metric value “4”? Is the priority too low??

Hi Andzej,

Did you have any further ideas?
Let us compare:

Ping from M1-router to device behind M2 works fine.
Ping from M2-router to device behind M1 works also.

But Ping from devices behind M1 to device behind M2 does not work.

Hello,

It seems that the end devices do not know where to route packets destined for the other network (or route them to a wrong gateway that does not know how to reach that network). It might be a priority issue, as you mentioned. On the end device, either set the interface metric towards the RUT as the lowest one, or try adding a route on the end device. For example, if the device is in the 192.168.250.0/24 network (M1), add a route to 192.168.251.0 (M2) via the LAN IP of the RUT.

Kind Regards,

Both entries in M1 and M2 changed to metric “1”;
nothing changed.

Routing table of M1:

Network Target IPV4-Gateway Metric Table
wan 0.0.0.0/0 192.168.178.1 1 main
wan 192.168.178.0/24 * 1 main
lan 192.168.250.0/24 * 1 main
(tun_c_rms_MtbTX) 192.168.251.0/24 192.168.255.5 0 main
(tun_c_rms_MtbTX) 192.168.255.0/24 192.168.255.5 0 main
(tun_c_rms_MtbTX) 192.168.255.5 * 0 main

Routing table of M2:

IPV4-ROUTES

Network Target IPV4-Gateway Metric Table
wan 0.0.0.0/0 192.168.178.1 1 main
wan 192.168.178.0/24 * 1 main
(tun_c_rms_MtbTX) 192.168.250.0/24 192.168.255.9 0 main
lan 192.168.251.0/24 * 1 main
(tun_c_rms_MtbTX) 192.168.255.0/24 192.168.255.9 0 main
(tun_c_rms_MtbTX) 192.168.255.9 * 0 main

Hello,

I meant the end devices that are behind the routers, not the routers themselves, because it seems that the issue is when you are trying to reach the other network from a device in the LAN.

You can do the following on M1-Router:

# install TCPdump
opkg update
opkg install tcpdump
# run tcpdump to monitor pings on LAN:
tcpdump -i br-lan icmp

Now, while tcpdump is running, try pinging the M2 network from the device behind this M1 router. Do you see pings arriving on the LAN interface of the M1 router? What does tcpdump show?

Kind Regards,

root@Teltonika-RUT950:~# tcpdump -i br-lan icmp
listening on br-lan, link-type EN10MB (Ethernet), capture size 262144 bytes
13:49:23.890168 IP 192.168.250.120 > 192.168.251.13: ICMP echo request, id 1, seq 14258, length 72
13:49:23.890396 IP Teltonika-RUT950com > 192.168.250.120: ICMP time exceeded in-transit, length 100
13:49:23.891465 IP 192.168.250.120 > 192.168.251.13: ICMP echo request, id 1, seq 14259, length 72
13:49:23.891674 IP Teltonika-RUT950com > 192.168.250.120: ICMP time exceeded in-transit, length 100
13:49:23.892302 IP 192.168.250.120 > 192.168.251.13: ICMP echo request, id 1, seq 14260, length 72
13:49:23.892525 IP Teltonika-RUT950com > 192.168.250.120: ICMP time exceeded in-transit, length 100
13:49:23.898582 IP Teltonika-RUT950com > 192.168.250.120: ICMP Teltonika-RUT950com udp port 137 unreachable, length 86
13:49:25.417821 IP Teltonika-RUT950com > 192.168.250.120: ICMP Teltonika-RUT950com udp port 137 unreachable, length 86
13:49:26.924040 IP Teltonika-RUT950com > 192.168.250.120: ICMP Teltonika-RUT950com udp port 137 unreachable, length 86
13:49:29.439569 IP 192.168.250.120 > 192.168.251.13: ICMP echo request, id 1, seq 14261, length 72
13:49:29.439860 IP Teltonika-RUT950com > 192.168.250.120: ICMP 192.168.251.13 protocol 1 port 49225 unreachable, length 100
13:49:29.451322 IP Teltonika-RUT950com > 192.168.250.120: ICMP Teltonika-RUT950com udp port 137 unreachable, length 86
13:49:30.951120 IP Teltonika-RUT950com > 192.168.250.120: ICMP Teltonika-RUT950com udp port 137 unreachable, length 86
13:49:32.486229 IP Teltonika-RUT950com > 192.168.250.120: ICMP Teltonika-RUT950com udp port 137 unreachable, length 86

192.168.250.120: ICMP Teltonika-RUT950com udp port 137 unreachable

The router (on side M1) does not forward the packets through the RMS VPN Hub?!?

Hello,

It seems that there is something with the network (loop?) or the firewall as it shows exceeded TTL and unreachable ports (udp port 137? What devices are you using in LAN?).

Is it similar when you try to ping from the device in the other network?

Please, share the firewall settings on both RUT950s. Also, could you please draw a simple topology with IP addresses of how everything is connected?

Kind Regards,

1 Like
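As an added example (not code from the thread or from Teltonika), a small Python parser for the `tcpdump -i br-lan icmp` lines posted above. It separates ICMP errors the router sends about the pinged host from unrelated noise such as the udp port 137 (NetBIOS) rejections, and flags ICMP time exceeded from the router as the routing-loop symptom suggested in the reply. The sample lines are constructed after the posted capture.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the 'tcpdump -i br-lan icmp' capture posted in the thread.
SAMPLE = """\
13:49:23.890168 IP 192.168.250.120 > 192.168.251.13: ICMP echo request, id 1, seq 14258, length 72
13:49:23.890396 IP Teltonika-RUT950com > 192.168.250.120: ICMP time exceeded in-transit, length 100
13:49:23.898582 IP Teltonika-RUT950com > 192.168.250.120: ICMP Teltonika-RUT950com udp port 137 unreachable, length 86
13:49:29.439569 IP 192.168.250.120 > 192.168.251.13: ICMP echo request, id 1, seq 14261, length 72
13:49:29.439860 IP Teltonika-RUT950com > 192.168.250.120: ICMP 192.168.251.13 protocol 1 port 49225 unreachable, length 100
"""

# timestamp, source, destination, and the ICMP description up to ', length N'
LINE = re.compile(r"^(\S+) IP (\S+) > (\S+): ICMP (.*), length \d+$")

def parse(text):
    # Turn tcpdump ICMP lines into dicts; lines that do not match are skipped.
    pkts = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, src, dst, body = m.groups()
        if body.startswith("echo request"):
            kind, about = "echo-request", dst
        elif body.startswith("echo reply"):
            kind, about = "echo-reply", src
        elif body.startswith("time exceeded"):
            kind, about = "time-exceeded", None
        elif body.endswith("unreachable"):
            kind, about = "unreachable", body.split()[0]  # host the error is about
        else:
            kind, about = "other", None
        pkts.append({"ts": ts, "src": src, "dst": dst, "kind": kind, "about": about})
    return pkts

def diagnose(pkts, target):
    # Summarise what a LAN-side capture says about pings from a LAN host to target.
    c = Counter()
    for p in pkts:
        if p["kind"] == "unreachable":
            # errors naming the router itself (e.g. NetBIOS udp/137 probes) are unrelated noise
            c["unreachable-target" if p["about"] == target else "unreachable-noise"] += 1
        else:
            c[p["kind"]] += 1
    verdicts = []
    if c["time-exceeded"]:
        verdicts.append("router answered echo requests with ICMP time exceeded: TTL ran out in transit (routing loop)")
    if c["unreachable-target"]:
        verdicts.append("router reported %s unreachable: forwarding failed (route or firewall)" % target)
    if c["echo-request"] and not c["echo-reply"]:
        verdicts.append("no echo replies returned to the LAN host")
    return dict(c), verdicts
```

Run `diagnose(parse(SAMPLE), "192.168.251.13")` on a real capture pasted into SAMPLE; a healthy path shows echo requests and echo replies only, with no errors from the router.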

Hi!
I have the exact same problem in this case:

Hello,

Are the routes in RMS VPN Hub configured appropriately? Is the route to LAN1 actually via RUT1, and LAN2 via RUT2?

Also, could you please try editing the RMS zone (rms_xxxx) and checking if it is configured to allow forward to / from LAN?

Kind Regards,
