RUTX12 VPN Traffic inbound but not outbound

Dan_Quin · August 28, 2023, 6:53pm

Hello,

I have a RUTX12 that connects to a Cisco Firewall IPSEC VPN. This VPN connects normally and traffic can flow from the Cisco into the RUT and is responded.

However any traffic starting inside the RUT going towards the Cisco fails.

The Cisco doesn’t receive any traffic from the RUT in this case. I have looked at the Firewall which has the extra NAT rules and have looked at adding explict routes which I am not sure are actually working. I also have the most recent firmware.

The VPN traffic goes over a 4G connection (and has to only use that) also there is a Starlink on the WAN but the issue occurs whether the wan interface is up or down.

Any help would be appreciated.

flebourse · August 28, 2023, 7:12pm

Hello,
Could you display the output of:

iptables -t nat -n -L | grep policy | grep ipsec

Regards,

Dan_Quin · August 28, 2023, 11:17pm

ACCEPT all – 0.0.0.0/0 192.168.21.1 policy match dir out pol ipsec /* !fw3: Exclude-IPsec-from-NAT */

192.168.21.1 is the inside IP of the RUT and gateway of the PCs using it.

flebourse · August 28, 2023, 11:28pm

So you can ping the RUT from the Cisco but not the reverse. Is this correct ?

Dan_Quin · August 28, 2023, 11:46pm

Devices behind the Cisco can successfully ping devices behind the RUT. But the reverse doesn’t happen, despite ping confirming two way traffic.

flebourse · August 29, 2023, 12:35am

What is the output of:

ipsec statusall

on the RUT ?

Dan_Quin · August 29, 2023, 1:07am

Status of IKE charon daemon (strongSwan 5.9.2, Linux 5.4.229, armv7l):
uptime: 101 minutes, since Aug 29 09:16:20 2023
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
loaded plugins: charon aes des sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp pem openssl gmp xcbc hmac kernel-netlink socket-default stroke vici updown eap-identity eap-mschapv2 xauth-generic
Listening IP addresses:
< Starlink External Address >
< 4G External Address >
192.168.21.1
< IPv6 Address for br-lan >
Connections:
Place-Place_c: %any…< External Cisco > IKEv1
Place-Place_c: local: uses pre-shared key authentication
Place-Place_c: remote: [< External Cisco >] uses pre-shared key authentication
Place-Place_c: child: 192.168.21.0/24 === 192.168.1.0/24 192.168.11.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
Place-Place_c[1]: ESTABLISHED 101 minutes ago, < 4G External Address >[< 4G External Address >]…< External Cisco >[< External Cisco >]
Place-Place_c[1]: IKEv1 SPIs: f0b1cf4a1ab11c6b_i* 9e58438fd992454e_r, pre-shared key reauthentication in 6 hours
Place-Place_c[1]: IKE proposal: AES_CBC_192/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
Place-Place_c{1}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c88cff2f_i da97f503_o
Place-Place_c{1}: AES_CBC_192/HMAC_SHA1_96/MODP_1536, 420544 bytes_i (3302 pkts, 15s ago), 429415 bytes_o (3302 pkts, 4s ago), rekeying in 6 hours
Place-Place_c{1}: 192.168.21.0/24 === 192.168.1.0/24

AndzejJ · August 29, 2023, 7:43am

Hello,

Seems like there is some traffic out.

Can you try enabling compatibility mode in IPSec settings (IPSEC → Connection settings → Advanced settings)? This should allow the device to create multiple SAs.

Kind Regards,

Dan_Quin · August 29, 2023, 11:06am

The traffic is the keep alives and also as mentioned the pings from the Cisco side can travel from a device behind the Cisco through to behind the RUT, just not the reverse.

I have tried with that setting both on and off without change.

flebourse · August 29, 2023, 11:17am

Can you dump the traffic on the Cisco when you ping from the RUT side a device on the Cisco side ? Do you see something ?

system · September 12, 2023, 6:53pm

This topic was automatically closed after 15 days. New replies are no longer allowed.