Hello, we have a problem with our configuration.
We have a RUTX11 remote router connected via IPsec VPN to a FW.
The WAN connection is made from a Starlink antenna.
So far everything is going well.
We want our network to only pass through the VPN (all traffic).
The machines are configured with a proxy and the internet goes through our main network (behind the FW); on this side it is OK.
The FW filtering rules are made so that the traffic we need is open, without it being impossible to transmit SMTP.
PCs and photocopiers behind the RUTX cannot communicate via SMTP…
If anyone has a configuration idea so that SMTP traffic passes through the RUTX IPsec, we are interested.
THANKS
Hello,
Is the issue with SMTP only?
Maybe the issue is with DNS? Are you able to resolve hostnames? You can use the 'nslookup' command.
When it comes to IPSec, SMTP should be allowed by default. Thus, double-check your IPSec configurations, specifically, port selectors (IPSec settings → Connection settings → Advanced settings → Locally and Remotely allowed protocols). The matched protocols are matched by IPSec and are allowed. Ensure that these fields are either empty or you can try specifying smtp explicitly.
If you run TCP dump on the other end of IPSec channel, are there any SMTP packets?
Kind Regards,
Hello AndzejJ,
Thank you for your reply.
Our configuration allows us to resolve names with nslookup.
The only thing that doesn't work is SMTP.
Here is our advanced IPsec configuration.
We tried to add the SMTP protocol to the advanced configuration, but this resulted in blocking our access to the router (100 km away from us).
Hello,
First, you mentioned that you route all traffic via VPN (default route). However, it seems that you have 3 IPSec instances. The first thing I would suggest is to disable other IPSec instances and leave only the one needed for SMTP for testing. Next, I would suggest checking the routing via CLI. CLI instructions are available here. Make sure you enter ‘root’ as the username for CLI/SSH. The following commands can be useful in your case:
# check routes
route -n
ip r show
# ipsec uses a different routing table. When the connection is up, check the IPSec routing table:
ip r show table 220
# check logs (ipsec logs)
logread | grep ipsec
# check IPSec status
ipsec statusall
Also, the firewall settings (zones/SNAT/DNAT) all seem to be modified. There should be no need to modify NAT and port forwards. You also have masquerading enabled on LAN, but not on WAN. Is Starlink performing NAT in your case? Also, NAT on LAN is usually enabled only in specific cases. Maybe you could provide more information on why it is enabled in your case?
Since there is no way to share files privately, I have no information about all of your other settings. I would suggest restoring the device to factory defaults and configuring everything again without firewall changes (or minimal ones).
Kind Regards,
root@RUTX11:~# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 217.65.X.X 0.0.0.0 UG 2 0 0 eth1
0.0.0.0 192.168.101.65 0.0.0.0 UG 3 0 0 eth0.101
192.168.17.0 0.0.0.0 255.255.255.0 U 1 0 0 eth0
192.168.101.64 0.0.0.0 255.255.255.192 U 3 0 0 eth0.101
192.168.110.112 0.0.0.0 255.255.255.248 U 4 0 0 eth0.110
217.65.X.X 0.0.0.0 255.255.255.0 U 2 0 0 eth1
root@RUTX11:~# ip r show table 220
192.168.185.0/24 via 217.65.X.X dev eth1 proto static src 192.168.17.1
192.168.190.0/24 via 217.65.X.X dev eth1 proto static src 192.168.110.113
root@RUTX11:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.9.2, Linux 5.4.229, armv7l):
uptime: 45 hours, since Sep 20 11:50:49 2023
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
loaded plugins: charon aes des sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp pem openssl gmp xcbc hmac kernel-netlink socket-default stroke vici updown eap-identity eap-mschapv2 xauth-generic
Listening IP addresses:
192.168.17.1
y.y.y.y
192.168.110.113
192.168.101.65
Connections:
Pizzorno-Pizzorno_c: %any…x.x.x.x IKEv2
Pizzorno-Pizzorno_c: local: uses pre-shared key authentication
Pizzorno-Pizzorno_c: remote: [x.x.x.x] uses pre-shared key authentication
Pizzorno-Pizzorno_c: child: 192.168.17.0/24 === 192.168.190.0/24 192.168.185.0/24 TUNNEL
video-video_c: child: 192.168.101.64/26 === 192.168.190.0/24 TUNNEL
forma-forma_c: child: 192.168.110.112/29 === 192.168.190.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
Pizzorno-Pizzorno_c[72]: ESTABLISHED 113 minutes ago, y.y.y.y[y.y.y.y]…x.x.x.x[x.x.x.x]
Pizzorno-Pizzorno_c[72]: , pre-shared key reauthentication in 53 minutes
Pizzorno-Pizzorno_c[72]: IKE proposal: A
Pizzorno-Pizzorno_c{353}: INSTALLED, TUNNEL, reqid 4, ESP SPIs:
Pizzorno-Pizzorno_c{353}: rekeying in 8 minutes
Pizzorno-Pizzorno_c{353}: 192.168.17.0/24 === 192.168.185.0/24
forma-forma_c{354}: INSTALLED, TUNNEL, reqid 3, ESP SPIs:
forma-forma_c{354}: rekeying in 6 minutes
forma-forma_c{354}: 192.168.110.112/29 === 192.168.190.0/24
video-video_c{355}: INSTALLED, TUNNEL, reqid 2, ESP SPIs:
video-video_c{355}: ) rekeying in 14 minutes
video-video_c{355}: 192.168.101.64/26 === 192.168.190.0/24
Pizzorno-Pizzorno_c{356}: INSTALLED, TUNNEL, reqid 1, ESP SPIs:
Pizzorno-Pizzorno_c{356}: , rekeying in 21 minutes
Pizzorno-Pizzorno_c{356}: 192.168.17.0/24 === 192.168.190.0/24
Hello,
It seems that the tunnels are established and the routes are there.
From what network are you trying to reach the SMTP server?
The first thing I would suggest is to check with TCPdump if the device on the other end of the IPSec tunnel receives SMTP traffic. This way, you will know if RUTX11 sends packets correctly, or if there is an issue on RUTX11.
If no packets are received on the other device, the issue may be related to firewall settings on RUTX11. As mentioned, there are quite a few firewall changes according to your screenshots. Hence, I would suggest restoring the device to factory defaults.
Kind Regards,
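A check I would run on the posted `ipsec statusall` output, as an added example that is not part of the thread: it parses the CHILD_SA traffic selectors and reports which INSTALLED tunnel covers a given SMTP client and server address, which is a quick way to answer the "from what network" question above. The sample text is constructed from the thread's redacted output; the function and variable names are my own.

```python
import ipaddress
import re

# Constructed sample modelled on the thread's redacted output; only CHILD_SA state and selector lines matter.
SAMPLE_STATUSALL = """\
Pizzorno-Pizzorno_c[72]: ESTABLISHED 113 minutes ago, y.y.y.y[y.y.y.y]...x.x.x.x[x.x.x.x]
Pizzorno-Pizzorno_c{353}: INSTALLED, TUNNEL, reqid 4, ESP SPIs:
Pizzorno-Pizzorno_c{353}: rekeying in 8 minutes
Pizzorno-Pizzorno_c{353}: 192.168.17.0/24 === 192.168.185.0/24
forma-forma_c{354}: INSTALLED, TUNNEL, reqid 3, ESP SPIs:
forma-forma_c{354}: 192.168.110.112/29 === 192.168.190.0/24
video-video_c{355}: INSTALLED, TUNNEL, reqid 2, ESP SPIs:
video-video_c{355}: 192.168.101.64/26 === 192.168.190.0/24
Pizzorno-Pizzorno_c{356}: INSTALLED, TUNNEL, reqid 1, ESP SPIs:
Pizzorno-Pizzorno_c{356}: 192.168.17.0/24 === 192.168.190.0/24
"""

# CHILD_SA lines look like "<conn>{<id>}: <rest>"; IKE_SA lines use [] and are skipped.
SA_RE = re.compile(r"^(?P<name>\S+)\{(?P<id>\d+)\}:\s*(?P<rest>.*)$")
# Traffic selectors: "<local nets> === <remote nets>", several nets separated by spaces.
TS_RE = re.compile(r"^(?P<local>[\d./ ]+?)\s+===\s+(?P<remote>[\d./ ]+)$")

def parse_child_sas(text):
    """Map (conn, id) -> {'state', 'local', 'remote'} for every CHILD_SA in the output."""
    sas = {}
    for line in text.splitlines():
        m = SA_RE.match(line.strip())
        if not m:
            continue
        sa = sas.setdefault((m["name"], int(m["id"])),
                            {"state": None, "local": [], "remote": []})
        ts = TS_RE.match(m["rest"])
        if ts:
            sa["local"] = [ipaddress.ip_network(n, strict=False) for n in ts["local"].split()]
            sa["remote"] = [ipaddress.ip_network(n, strict=False) for n in ts["remote"].split()]
        elif sa["state"] is None:
            # First non-selector line carries the state; later "rekeying in N minutes" lines must not overwrite it.
            sa["state"] = m["rest"].split(",")[0].strip()
    return sas

def matching_tunnels(text, src, dst):
    """Names of INSTALLED CHILD_SAs whose selectors cover traffic from src to dst."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = []
    for (name, sa_id), sa in parse_child_sas(text).items():
        if sa["state"] != "INSTALLED":
            continue
        if any(src in n for n in sa["local"]) and any(dst in n for n in sa["remote"]):
            hits.append(f"{name}{{{sa_id}}}")
    return hits
```

If the client/server pair returns an empty list, no tunnel selector covers it and the packets will never be encrypted, so the firewall and tcpdump checks above would only confirm that nothing is sent.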