Hi,
I have a RUT 240 connected via IPsec to a third-party router. I can connect to the remote RUT 240 via SSH,
but every other kind of traffic is not possible. Also, I can’t connect to the WebUI of the RUT 240.
How can I set this up so I can connect to devices behind the RUT240?
Hello,
Are you specifying the whole LAN subnet of RUT241 in the IPSec configurations (local subnet)?
The firewall rules should be automatically generated to reach the LAN network. However, you may want to add another firewall rule to allow IPSec access to the device itself. For this, navigate to Network → Firewall → Traffic Rules and create a new rule at the bottom. To match IPSec traffic to the device, select WAN as the source zone, ‘Device (input)’ as the destination, and add the following to the ‘extra arguments’ field:
- `-m policy --dir in --pol ipsec`
Here’s a screenshot for reference:
Kind Regards,
Hello,
Yes, in the VPN settings I defined the whole subnet. This is a screenshot:
I added the firewall traffic rule, but it is still not working.
Thank you
Hi,
Could you please share the output of the ‘ipsec statusall’ command? But please, blur sensitive information, such as public IP addresses, for security purposes.
Kind Regards,
root@Baustelle5:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.9.2, Linux 5.4.229, mips):
uptime: 27 minutes, since Jul 11 13:03:22 2023
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
loaded plugins: charon aes des sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp pem openssl gmp xcbc hmac kernel-netlink socket-default stroke vici updown eap-identity eap-mschapv2 xauth-generic
Listening IP addresses:
XXX.XXX.XXX.181
10.14.0.1
Connections:
RG_Zentr-RG_Zentr_c: %any...remote.domainname.eu IKEv1 Aggressive, dpddelay=30s
RG_Zentr-RG_Zentr_c: local: [10.14.0.1] uses pre-shared key authentication
RG_Zentr-RG_Zentr_c: remote: [198.198.198.1] uses pre-shared key authentication
RG_Zentr-RG_Zentr_c: child: 10.14.0.0/24 === 198.198.196.0/22 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
RG_Zentr-RG_Zentr_c[1]: ESTABLISHED 27 minutes ago, 100.105.40.181[10.14.0.1]...XX.XXX.XXX.XXX[XXX.XXX.XXX.1]
RG_Zentr-RG_Zentr_c[1]: IKEv1 SPIs: XXXXXXXX352ec7ab_i* XXXXXXXX406f44_r, pre-shared key reauthentication in 7 hours
RG_Zentr-RG_Zentr_c[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
RG_Zentr-RG_Zentr_c{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: cfe50280_i3b5060ec_o
RG_Zentr-RG_Zentr_c{1}: AES_CBC_256/HMAC_SHA1_96/MODP_1024, 352389 bytes_i (4248 pkts, 0s ago), 657103 bytes_o (4382 pkts, 1s ago), rekeying in 7 hours
RG_Zentr-RG_Zentr_c{1}: 10.14.0.0/24 === 198.198.196.0/22
Hi,
So you are only able to SSH into the device via its private IP address, but you are unable to reach any other devices, nor the WebUI of RUT. Is that correct?
Are you able to reach the other network from the LAN of RUT240?
Do you have any other routers in the LAN or RUT240? What is the topology?
Could you please check if you have Allow-IPsec-Forward rule enabled in Network → Firewall → Traffic rules? You may want to drag this rule to the top of the list and save the settings (together with the previously mentioned rule to allow IPSec into the device).
Kind Regards,
So you are only able to SSH into the device via its private IP address, but you are unable to reach any other devices, nor the WebUI of RUT. Is that correct?
Yes that’s correct.
Are you able to reach the other network from the LAN of RUT240?
Yes, I can fully access the other LAN from the RUT 240.
Do you have any other routers in the LAN or RUT240? What is the topology?
No, I don’t have any other routers. The topology is that the RUT is connected via mobile to the Internet and then connects via IPsec to the main router (third party) in the office.
Could you please check if you have Allow-IPsec-Forward rule enabled in Network → Firewall → Traffic rules? You may want to drag this rule to the top of the list and save the settings (together with the previously mentioned rule to allow IPSec into the device).
I did it just now, but it is still not working. And yes, that rule is enabled.
Hello,
Apologies for the delayed response.
What device is on the other end?
When attempting to reach devices in the LAN, please check if the firewall rules are being matched. You can verify this by checking if the number of packets is increasing.
- `iptables -nvL | grep -iE 'ipsec|esp|ah'`
I also suggest trying to use IKEv2, as it has proven to be more stable when working with third-party routers.
Could you provide information about the firmware version you are using? Additionally, if you updated the firmware with ‘keep settings’ enabled, it might be worth trying to restore the device to factory defaults. Enabling this option during a firmware update can lead to migration issues, especially if there are significant differences between the versions of the firmware.
Kind Regards,
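The counter check suggested above (take `iptables -nvL` twice while generating traffic and see which IPsec-related rules' packet counts move) is easy to do by eye for two or three rules but tedious on a full fw3 ruleset. Below is an added helper, not code from the thread or from Teltonika, that parses two `iptables -nvL` snapshots and reports the IPsec/ESP/AH rules whose packet counters increased between them. The two snapshots embedded here are constructed samples in the OpenWrt/fw3 rendering style; the chain names and rule comments (`Allow-IPsec-Forward`, `Allow-IPSec-ESP`, `Allow-IPsec-Input`) are illustrative and may differ on a real RUT240.

```python
"""Diff two `iptables -nvL` snapshots and list IPsec-related rules that saw traffic."""
import re
from typing import Dict, Tuple

# Constructed sample snapshots (not real RUT240 output). Counters are shown the
# way `iptables -nvL` prints them without -x, i.e. with K/M/G suffixes.
BEFORE = """\
Chain zone_wan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
   10  1200 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            policy match dir in pol ipsec /* !fw3: Allow-IPsec-Forward */
   3K  210K zone_wan_dest_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: zone_wan forward */

Chain zone_wan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination
  812   61K ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Allow-IPSec-ESP */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            policy match dir in pol ipsec /* !fw3: Allow-IPsec-Input */
"""

AFTER = """\
Chain zone_wan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
   25  3100 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            policy match dir in pol ipsec /* !fw3: Allow-IPsec-Forward */
   3K  212K zone_wan_dest_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: zone_wan forward */

Chain zone_wan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination
  850   64K ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Allow-IPSec-ESP */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            policy match dir in pol ipsec /* !fw3: Allow-IPsec-Input */
"""

_SUFFIX = {"": 1, "K": 1000, "M": 1000_000, "G": 1000_000_000}
_COUNT = re.compile(r"^(\d+)([KMG]?)$")
# Same selection as the grep in the thread: ipsec anywhere, esp/ah as whole words.
IPSEC_RE = re.compile(r"ipsec|\besp\b|\bah\b", re.IGNORECASE)

Key = Tuple[str, str]          # (chain name, rule text without the two counters)
Counters = Dict[Key, Tuple[int, int]]


def to_int(token: str) -> int:
    """Turn an iptables counter token such as '3K' into an integer."""
    m = _COUNT.match(token)
    if not m:
        raise ValueError(f"not a counter: {token!r}")
    return int(m.group(1)) * _SUFFIX[m.group(2)]


def parse_counters(text: str) -> Counters:
    """Map (chain, rule) -> (pkts, bytes) for every rule line in an -nvL dump.
    Two byte-identical rules in one chain would share a key; that is rare in
    fw3-generated rulesets and acceptable for this check."""
    chain = None
    out: Counters = {}
    for line in text.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        parts = line.split()
        # Skip blank lines and the 'pkts bytes target ...' header row.
        if len(parts) < 3 or not (_COUNT.match(parts[0]) and _COUNT.match(parts[1])):
            continue
        out[(chain, " ".join(parts[2:]))] = (to_int(parts[0]), to_int(parts[1]))
    return out


def ipsec_rules(counters: Counters) -> Counters:
    """Keep only rules whose text mentions ipsec, esp or ah."""
    return {k: v for k, v in counters.items() if IPSEC_RE.search(k[1])}


def rules_with_traffic(before_text: str, after_text: str) -> Dict[Key, int]:
    """Return the IPsec-related rules whose packet counter grew, with the delta."""
    before = ipsec_rules(parse_counters(before_text))
    after = ipsec_rules(parse_counters(after_text))
    hits: Dict[Key, int] = {}
    for key, (pkts_after, _) in after.items():
        pkts_before = before.get(key, (0, 0))[0]
        if pkts_after > pkts_before:
            hits[key] = pkts_after - pkts_before
    return hits


if __name__ == "__main__":
    for (chain, rule), delta in rules_with_traffic(BEFORE, AFTER).items():
        print(f"{chain}: +{delta} pkts  {rule}")
    quiet = set(ipsec_rules(parse_counters(AFTER))) - set(rules_with_traffic(BEFORE, AFTER))
    for chain, rule in sorted(quiet):
        print(f"{chain}: no traffic  {rule}")
```

In the constructed data the forward rule and the ESP rule both move while the input rule stays at zero, which is exactly the symptom in this thread: encrypted packets arrive and forwarding to the LAN is accepted, but nothing is matching the rule that admits decrypted traffic to the router itself. On a live unit, save the two snapshots to files with `iptables -nvL > before.txt`, reproduce the failing connection, dump again, and feed both files to `rules_with_traffic`.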