RUTX12 VPN Traffic inbound but not outbound


I have a RUTX12 that connects to a Cisco Firewall IPSEC VPN. This VPN connects normally and traffic can flow from the Cisco into the RUT and is responded.

However any traffic starting inside the RUT going towards the Cisco fails.

The Cisco doesn’t receive any traffic from the RUT in this case. I have looked at the Firewall which has the extra NAT rules and have looked at adding explict routes which I am not sure are actually working. I also have the most recent firmware.

The VPN traffic goes over a 4G connection (and has to only use that) also there is a Starlink on the WAN but the issue occurs whether the wan interface is up or down.

Any help would be appreciated.

Could you display the output of:

iptables -t nat -n -L | grep policy | grep ipsec


ACCEPT all – policy match dir out pol ipsec /* !fw3: Exclude-IPsec-from-NAT */ is the inside IP of the RUT and gateway of the PCs using it.

So you can ping the RUT from the Cisco but not the reverse. Is this correct ?

Devices behind the Cisco can successfully ping devices behind the RUT. But the reverse doesn’t happen, despite ping confirming two way traffic.

What is the output of:

ipsec statusall

on the RUT ?

Status of IKE charon daemon (strongSwan 5.9.2, Linux 5.4.229, armv7l):
uptime: 101 minutes, since Aug 29 09:16:20 2023
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
loaded plugins: charon aes des sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp pem openssl gmp xcbc hmac kernel-netlink socket-default stroke vici updown eap-identity eap-mschapv2 xauth-generic
Listening IP addresses:
< Starlink External Address >
< 4G External Address >
< IPv6 Address for br-lan >
Place-Place_c: %any…< External Cisco > IKEv1
Place-Place_c: local: uses pre-shared key authentication
Place-Place_c: remote: [< External Cisco >] uses pre-shared key authentication
Place-Place_c: child: === TUNNEL
Security Associations (1 up, 0 connecting):
Place-Place_c[1]: ESTABLISHED 101 minutes ago, < 4G External Address >[< 4G External Address >]…< External Cisco >[< External Cisco >]
Place-Place_c[1]: IKEv1 SPIs: f0b1cf4a1ab11c6b_i* 9e58438fd992454e_r, pre-shared key reauthentication in 6 hours
Place-Place_c[1]: IKE proposal: AES_CBC_192/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
Place-Place_c{1}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c88cff2f_i da97f503_o
Place-Place_c{1}: AES_CBC_192/HMAC_SHA1_96/MODP_1536, 420544 bytes_i (3302 pkts, 15s ago), 429415 bytes_o (3302 pkts, 4s ago), rekeying in 6 hours
Place-Place_c{1}: ===


Seems like there is some traffic out.

Can you try enabling compatibility mode in IPSec settings (IPSEC → Connection settings → Advanced settings)? This should allow the device to create multiple SAs.

Kind Regards,

The traffic is the keep alives and also as mentioned the pings from the Cisco side can travel from a device behind the Cisco through to behind the RUT, just not the reverse.

I have tried with that setting both on and off without change.

Can you dump the traffic on the Cisco when you ping from the RUT side a device on the Cisco side ? Do you see something ?

This topic was automatically closed after 15 days. New replies are no longer allowed.