Teltonika RUTX08 with 2 different local subnets and 2 different remote subnets IPSEC Tunnel VPN configuration

We bought an RUTX08 and I've configured it, and everything seems to work fine on firmware RUTX_R_00.07.05.4, except that I can't find a way to create a new DMZ network range in the LAN network section.

I've followed this post here to configure 2 different LAN networks: 2 seperate interfaces to wan - Crowd Support Forum | Teltonika Networks (teltonika-networks.com)

I have configured my default LAN network, which is 172.16.95.0/24,
and added a new LAN, which is 172.16.96.0/24.

It's working fine, and neither network can reach the other.

Now I've configured an IPSEC VPN (IKEv2) with a remote peer (Checkpoint firewall).

On local subnet I've added both networks:
172.16.95.0/24
172.16.96.0/24

Remote Subnet:
192.168.xx.0/24
192.168.yy.0/24

From my PC behind the Teltonika firewall I can ping 192.168.xx.1, but I cannot ping 192.168.yy.1 or any other device in network 192.168.yy.0/24.

Here is some info:

BusyBox v1.34.1 (2023-11-07 13:33:48 UTC) built-in shell (ash)


 Teltonika RUTX series 2023

Device: RUTX08
Kernel: 5.10.188
Firmware: RUTX_R_00.07.05.4
Build: d48a3687a6
Build date: 2023-11-07 14:54:54

root@RUTX08:~# ipsec status
Security Associations (1 up, 0 connecting):
BLV-BLV_c[2]: ESTABLISHED 5 minutes ago, TELTONIKA_WAN_IP_ADDRESS[TELTONIKA_WAN_IP_ADDRESS]…CHECKPOINT_WAN_IP_ADDRESS[CHECKPOINT_WAN_IP_ADDRESS]
BLV-BLV_c{2}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: ce4b8db2_i 9d25a536_o
BLV-BLV_c{2}: 172.16.96.0/24 === 192.168.xx.0/24
BLV-BLV_c{3}: INSTALLED, TUNNEL, reqid 2, ESP SPIs: c58715d5_i 1efb6bbb_o
BLV-BLV_c{3}: 172.16.95.0/24 === 192.168.xx.0/24

#Try to ping 192.168.yy.1 from 172.16.95.187 and it doesn't work
root@RUTX08:~# tcpdump host 192.168.yy.1 and icmp -i any -n
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]… for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
15:29:31.556163 eth0 In IP 172.16.95.187 > 192.168.yy.1: ICMP echo request, id 1, seq 720, length 72
15:29:31.556163 br-lan In IP 172.16.95.187 > 192.168.yy.1: ICMP echo request, id 1, seq 720, length 72
15:29:31.557258 eth0 In IP 172.16.95.187 > 192.168.yy.1: ICMP echo request, id 1, seq 721, length 72
15:29:31.557258 br-lan In IP 172.16.95.187 > 192.168.yy.1: ICMP echo request, id 1, seq 721, length 72
15:29:31.558306 eth0 In IP 172.16.95.187 > 192.168.yy.1: ICMP echo request, id 1, seq 722, length 72
15:29:31.558306 br-lan In IP 172.16.95.187 > 192.168.yy.1: ICMP echo request, id 1, seq 722, length 72
15:29:32.572405 eth0 In IP 172.16.95.187 > 192.168.yy.1: ICMP echo request, id 1, seq 723, length 72
15:29:32.572405 br-lan In IP 172.16.95.187 > 192.168.yy.1: ICMP echo request, id 1, seq 723, length 72
15:29:32.572680 eth1 Out IP TELTONIKA_WAN_IP_ADDRESS > 192.168.yy.1: ICMP echo request, id 1, seq 723, length 72
15:29:36.699393 eth0 In IP 172.16.95.187 > 192.168.yy.1: ICMP echo request, id 1, seq 724, length 40
15:29:36.699393 br-lan In IP 172.16.95.187 > 192.168.yy.1: ICMP echo request, id 1, seq 724, length 40
15:29:36.699599 eth1 Out IP TELTONIKA_WAN_IP_ADDRESS > 192.168.yy.1: ICMP echo request, id 1, seq 724, length 40
15:29:41.611442 eth0 In IP 172.16.95.187 > 192.168.yy.1: ICMP echo request, id 1, seq 725, length 40
15:29:41.611442 br-lan In IP 172.16.95.187 > 192.168.yy.1: ICMP echo request, id 1, seq 725, length 40
15:29:41.611603 eth1 Out IP TELTONIKA_WAN_IP_ADDRESS > 192.168.yy.1: ICMP echo request, id 1, seq 725, length 40
15:29:42.618968 eth0 In IP 172.16.95.187 > 192.168.yy.1: ICMP echo request, id 1, seq 726, length 40
15:29:42.618968 br-lan In IP 172.16.95.187 > 192.168.yy.1: ICMP echo request, id 1, seq 726, length 40
15:29:42.619160 eth1 Out IP TELTONIKA_WAN_IP_ADDRESS > 192.168.yy.1: ICMP echo request, id 1, seq 726, length 40
15:29:47.614094 eth0 In IP 172.16.95.187 > 192.168.yy.1: ICMP echo request, id 1, seq 727, length 40
15:29:47.614094 br-lan In IP 172.16.95.187 > 192.168.yy.1: ICMP echo request, id 1, seq 727, length 40
15:29:47.614319 eth1 Out IP TELTONIKA_WAN_IP_ADDRESS > 192.168.yy.1: ICMP echo request, id 1, seq 727, length 40
^C
21 packets captured
22 packets received by filter
0 packets dropped by kernel

#Try to ping 192.168.xx.1 from 172.16.95.187 and it works
root@RUTX08:~# tcpdump host 192.168.xx.1 and icmp -i any -n
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]… for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
15:30:01.822094 eth0 In IP 172.16.95.187 > 192.168.xx.1: ICMP echo request, id 1, seq 728, length 40
15:30:01.822094 br-lan In IP 172.16.95.187 > 192.168.xx.1: ICMP echo request, id 1, seq 728, length 40
15:30:01.824104 eth1 In IP 192.168.xx.1 > 172.16.95.187: ICMP echo reply, id 1, seq 728, length 40
15:30:01.824419 br-lan Out IP 192.168.xx.1 > 172.16.95.187: ICMP echo reply, id 1, seq 728, length 40
15:30:01.824447 eth0 Out IP 192.168.xx.1 > 172.16.95.187: ICMP echo reply, id 1, seq 728, length 40
15:30:02.825517 eth0 In IP 172.16.95.187 > 192.168.xx.1: ICMP echo request, id 1, seq 729, length 40
15:30:02.825517 br-lan In IP 172.16.95.187 > 192.168.xx.1: ICMP echo request, id 1, seq 729, length 40
15:30:02.827383 eth1 In IP 192.168.xx.1 > 172.16.95.187: ICMP echo reply, id 1, seq 729, length 40
15:30:02.827668 br-lan Out IP 192.168.xx.1 > 172.16.95.187: ICMP echo reply, id 1, seq 729, length 40
15:30:02.827696 eth0 Out IP 192.168.xx.1 > 172.16.95.187: ICMP echo reply, id 1, seq 729, length 40
15:30:03.833178 eth0 In IP 172.16.95.187 > 192.168.xx.1: ICMP echo request, id 1, seq 730, length 40
15:30:03.833178 br-lan In IP 172.16.95.187 > 192.168.xx.1: ICMP echo request, id 1, seq 730, length 40
15:30:03.835248 eth1 In IP 192.168.xx.1 > 172.16.95.187: ICMP echo reply, id 1, seq 730, length 40
15:30:03.835511 br-lan Out IP 192.168.xx.1 > 172.16.95.187: ICMP echo reply, id 1, seq 730, length 40
15:30:03.835536 eth0 Out IP 192.168.xx.1 > 172.16.95.187: ICMP echo reply, id 1, seq 730, length 40
15:30:04.839741 eth0 In IP 172.16.95.187 > 192.168.xx.1: ICMP echo request, id 1, seq 731, length 40
15:30:04.839741 br-lan In IP 172.16.95.187 > 192.168.xx.1: ICMP echo request, id 1, seq 731, length 40
15:30:04.841547 eth1 In IP 192.168.xx.1 > 172.16.95.187: ICMP echo reply, id 1, seq 731, length 40
15:30:04.841827 br-lan Out IP 192.168.xx.1 > 172.16.95.187: ICMP echo reply, id 1, seq 731, length 40
15:30:04.841854 eth0 Out IP 192.168.xx.1 > 172.16.95.187: ICMP echo reply, id 1, seq 731, length 40
^C
20 packets captured
20 packets received by filter
0 packets dropped by kernel
root@RUTX08:~#

In the output of the command "ipsec status" we don't see anything related to network 192.168.yy.0/24.

Also, for your information, in the IPSEC tunnel I have this configured:

Local Subnet: 172.16.95.0/24 and 172.16.96.0/24
Remote Subnet: 192.168.xx.0/24 and 192.168.yy.0/24

If I set the remote subnet 192.168.yy.0/24 as the first one, I can then ping any device in this subnet, and the other subnet 192.168.xx.0/24 is not reachable anymore.

Is this a bug?

Thanks !
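The two symptoms in the post are worth checking mechanically, because the second one is a security issue: the tcpdump shows echo requests for 192.168.yy.0/24 leaving eth1 source-NATed to the WAN address in the clear, not inside the tunnel. The POSIX sh checker below is an added example, not from the post or from Teltonika; it uses constructed "ipsec status" and tcpdump excerpts, with 192.168.10.0/24 and 192.168.20.0/24 standing in for the post's xx/yy subnets and 203.0.113.5 / 198.51.100.9 as stand-in WAN and peer addresses, and it assumes /24 remote subnets.

```shell
#!/bin/sh
# Constructed "ipsec status" excerpt (added example): only the first remote
# subnet, 192.168.10.0/24, got CHILD_SAs; 192.168.20.0/24 is absent.
SAMPLE_STATUS='BLV-BLV_c{2}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: ce4b8db2_i 9d25a536_o
BLV-BLV_c{2}: 172.16.96.0/24 === 192.168.10.0/24
BLV-BLV_c{3}: INSTALLED, TUNNEL, reqid 2, ESP SPIs: c58715d5_i 1efb6bbb_o
BLV-BLV_c{3}: 172.16.95.0/24 === 192.168.10.0/24'

# Constructed "tcpdump -i any -n" excerpt: the request for the uncovered subnet
# leaves eth1 in the clear, NATed to the WAN address (203.0.113.5, a
# documentation address); covered traffic leaves eth1 as ESP to the peer.
SAMPLE_CAPTURE='15:29:32.572405 eth0 In IP 172.16.95.187 > 192.168.20.1: ICMP echo request, id 1, seq 723, length 72
15:29:32.572680 eth1 Out IP 203.0.113.5 > 192.168.20.1: ICMP echo request, id 1, seq 723, length 72
15:30:01.822094 eth0 In IP 172.16.95.187 > 192.168.10.1: ICMP echo request, id 1, seq 728, length 40
15:30:01.822300 eth1 Out IP 203.0.113.5 > 198.51.100.9: ESP(spi=0x9d25a536,seq=0x1c), length 120
15:30:01.824104 eth1 In IP 192.168.10.1 > 172.16.95.187: ICMP echo reply, id 1, seq 728, length 40'

# missing_pairs STATUS "local subnets" "remote subnets"
# Prints every local/remote pair with no "LOCAL === REMOTE" policy line,
# i.e. no installed CHILD_SA will carry that traffic.
missing_pairs() {
    status="$1"; locals="$2"; remotes="$3"
    for l in $locals; do
        for r in $remotes; do
            printf '%s\n' "$status" | grep -qF -- "$l === $r" || echo "$l === $r"
        done
    done
    return 0
}

# leaked_packets CAPTURE WAN_IF "remote subnets"
# Prints capture lines where a packet addressed to a remote-subnet host leaves
# WAN_IF without ESP encapsulation. Assumes /24 remote subnets, as in the post.
leaked_packets() {
    cap="$1"; wanif="$2"; remotes="$3"
    for r in $remotes; do
        prefix="${r%.0/24}."
        printf '%s\n' "$cap" | grep -- " $wanif Out IP " | grep -vF -- ': ESP(' | grep -F -- " > $prefix" || true
    done
    return 0
}

LOCALS="172.16.95.0/24 172.16.96.0/24"
REMOTES="192.168.10.0/24 192.168.20.0/24"
echo "Subnet pairs without an installed CHILD_SA:"
missing_pairs "$SAMPLE_STATUS" "$LOCALS" "$REMOTES"
echo "Packets to remote subnets leaving eth1 in the clear:"
leaked_packets "$SAMPLE_CAPTURE" eth1 "$REMOTES"
```

On the router itself, feed it real data with `missing_pairs "$(ipsec status)" ...` and a saved `tcpdump -i any -n` capture; any line printed by the second function is traffic that left the box unencrypted.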

Well, I found the problem. I had to do this:

Log in to the router's WebUI, navigate to Services → VPN → IPsec, edit the instance settings, switch to Advanced settings and enable Compatibility mode.

After I've enabled this, everything is working fine!
