VPN over IPsec, no ping possible

Good afternoon,

I have bought two Teltonika RUT200 routers to make a VPN between them. I have followed the link in the manual about the VPN configuration between two Teltonika routers (IPsec RUTOS configuration example - Teltonika Networks Wiki). My Teltonika routers have the following information:

RUT1:
Public IP: 88.XX.XXX.XXX
LAN IP: 192.168.3.1
RUT2:
Public IP: 88.XX.XXX.XXX
LAN IP: 192.168.14.1

I have configured the VPN as described in the article mentioned above. Once configured, it establishes connection, in fact, from RUT1 I am able to reach the LAN IP of RUT2, but I cannot reach a device connected to LAN RUT2.
This is an urgent issue, which I need to resolve as soon as possible.

Please, I need an answer as soon as possible.

Best regards.

Hello,

In the IPsec configuration of the RUT1, set “Local subnet” to 192.168.3.0/24 and “Remote subnet” to 192.168.14.0/24.

Idem in the IPsec configuration of the RUT2: set “Local subnet” to 192.168.14.0/24 and “Remote subnet” to 192.168.3.0/24.

Check with ipsec statusall that you have established SAs with 182.168.3.0/24 === 192.168.14.0/24 correspondences.

Regards,

RUT1:


RUT2:

As you can see in the attached image, the ping from RUT2 to the LAN of RUT1 works and the other way round as well.


I don’t know what the solution is. As you can see, I have followed the whole manual and I can’t reach the device connected on the opposite LAN. @flebourse help me please

What are the outputs of ipsec statusall on both RUTs?
What is the returned error message when you ping a device in the LAN of RUT1?
Can you execute a tcpdump -i any -n -v icmp on RUT2 when you do the ping? And the same tcpdump on RUT1?

IPSEC STATUS ALL RUT1:


IPSEC STATUS ALL RUT2:

ERROR MESSAGE WHEN I DO A PING:

I can’t execute a tcpdump. How do I do it? I can’t with CLI and I can’t with CMD either.

So your tunnel seems to be working, the bytes_i and bytes_o counters show that data has gone through. Why they are very different is another question (bytes_i at one end != bytes_o at the other end).
tcpdump should be present on the RUT; if it isn’t, do:

opkg update
opkg install tcpdump

Another way to debug the issue is to do the ipsec statusall, then the ping, and then the ipsec statusall again. The bytes_o pkt counter should have increased by 4 at least on one side and the bytes_i by 4 also on the other side. Then look at the return path: have the counters changed?
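Added example, not part of the original thread: the before/after counter comparison described above, as a small script. It assumes the strongSwan counter line format (`N bytes_i (N pkts, Ns ago), N bytes_o ...`); the function names, the connection name `tun1` and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: diff the CHILD_SA packet counters of two `ipsec statusall` snapshots.
# Sample lines are constructed; the connection name "tun1" is a placeholder.

BEFORE='tun1{1}:  AES_CBC_128/HMAC_SHA1_96, 336 bytes_i (4 pkts, 95s ago), 336 bytes_o (4 pkts, 95s ago), rekeying in 40 minutes'
AFTER='tun1{1}:  AES_CBC_128/HMAC_SHA1_96, 336 bytes_i (4 pkts, 99s ago), 672 bytes_o (8 pkts, 1s ago), rekeying in 40 minutes'
IDLE='tun1{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 44 minutes'

# Print "pkts_in pkts_out" for the first CHILD_SA counter line read from stdin.
# The "(N pkts, Ns ago)" part is absent for a direction that has carried nothing,
# so a missing parenthesis is treated as 0 packets.
sa_pkts() {
    awk '/bytes_i/ && /bytes_o/ {
        for (i = 1; i < NF; i++) {
            if ($i ~ /^bytes_i/ && $(i+1) ~ /^\(/) pin  = substr($(i+1), 2)
            if ($i ~ /^bytes_o/ && $(i+1) ~ /^\(/) pout = substr($(i+1), 2)
        }
        exit
    }
    END { print pin + 0, pout + 0 }'
}

# Print "delta_in delta_out" between two snapshots passed as text.
sa_delta() {
    set -- $(printf '%s\n' "$1" | sa_pkts) $(printf '%s\n' "$2" | sa_pkts)
    echo "$(( $3 - $1 )) $(( $4 - $2 ))"
}

# Interpret the deltas on the router the ping was sent from.
verdict() {
    if   [ "$2" -lt 1 ]; then echo "request never entered the tunnel"
    elif [ "$1" -lt 1 ]; then echo "request sent, no reply came back through the tunnel"
    else echo "packets moved in both directions"
    fi
}

# On the router:  b=$(ipsec statusall); ping -c 4 <remote LAN host>; a=$(ipsec statusall)
#                 verdict $(sa_delta "$b" "$a")
# Other traffic crossing the tunnel also moves the counters, so test while it is quiet.
verdict $(sa_delta "$BEFORE" "$AFTER")
```

Only the first child SA is read, so with several tunnels filter the snapshot to the connection of interest first.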

Hi @flebourse,
The data obtained by doing tcpdump, is as follows:

RUT1 → RUT2:
root@RUT200:~# tcpdump -i any -n -v icmp
tcpdump: data link type LINUX_SLL2
tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
10:20:05.467916 usb0 In IP (tos 0x0, ttl 64, id 64917, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.14.1 > 192.168.3.1: ICMP echo request, id 8858, seq 1, length 64
10:20:05.887105 usb0 Out IP (tos 0xc0, ttl 64, id 51758, offset 0, flags [none], proto ICMP (1), length 68)
88.28.182.224 > 91.228.165.148: ICMP host 88.28.182.224 unreachable, length 48
IP (tos 0x0, ttl 47, id 18682, offset 0, flags [DF], proto TCP (6), length 40)
91.228.165.148.8883 > 88.28.182.224.5016: Flags [F.], cksum 0xb2c6 (correct), seq 434732515, ack 1350749675, win 18, length 0
10:20:05.887310 usb0 Out IP (tos 0xc0, ttl 64, id 51759, offset 0, flags [none], proto ICMP (1), length 68)
88.28.182.224 > 91.228.165.148: ICMP host 88.28.182.224 unreachable, length 48
IP (tos 0x0, ttl 47, id 18683, offset 0, flags [DF], proto TCP (6), length 40)
91.228.165.148.8883 > 88.28.182.224.5016: Flags [F.], cksum 0xb2c6 (correct), seq 0, ack 1, win 18, length 0
10:20:06.504919 usb0 In IP (tos 0x0, ttl 64, id 64995, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.14.1 > 192.168.3.1: ICMP echo request, id 8858, seq 2, length 64
10:20:06.984907 usb0 In IP (tos 0xc0, ttl 64, id 65044, offset 0, flags [none], proto ICMP (1), length 116)
192.168.14.1 > 192.168.3.1: ICMP host 192.168.14.196 unreachable, length 96
IP (tos 0x0, ttl 63, id 21185, offset 0, flags [DF], proto TCP (6), length 88)
192.168.3.1.4218 > 192.168.14.196.42149: Flags [.], cksum 0x4700 (correct), seq 2705280711:2705280759, ack 986542620, win 4005, length 48
10:20:06.986166 usb0 In IP (tos 0xc0, ttl 64, id 65045, offset 0, flags [none], proto ICMP (1), length 116)
192.168.14.1 > 192.168.3.1: ICMP host 192.168.14.196 unreachable, length 96
IP (tos 0x0, ttl 63, id 21186, offset 0, flags [DF], proto TCP (6), length 88)
192.168.3.1.4218 > 192.168.14.196.42149: Flags [.], cksum 0x4700 (correct), seq 0:48, ack 1, win 4005, length 48
10:20:06.986785 usb0 In IP (tos 0xc0, ttl 64, id 65046, offset 0, flags [none], proto ICMP (1), length 116)
192.168.14.1 > 192.168.3.1: ICMP host 192.168.14.196 unreachable, length 96
IP (tos 0x0, ttl 63, id 21187, offset 0, flags [DF], proto TCP (6), length 88)
192.168.3.1.4218 > 192.168.14.196.42149: Flags [.], cksum 0x4700 (correct), seq 0:48, ack 1, win 4005, length 48
10:20:07.467789 usb0 In IP (tos 0x0, ttl 64, id 65054, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.14.1 > 192.168.3.1: ICMP echo request, id 8858, seq 3, length 64
10:20:08.475891 usb0 In IP (tos 0x0, ttl 64, id 65102, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.14.1 > 192.168.3.1: ICMP echo request, id 8858, seq 4, length 64
10:20:09.087089 usb0 Out IP (tos 0xc0, ttl 64, id 51964, offset 0, flags [none], proto ICMP (1), length 68)
88.28.182.224 > 91.228.165.148: ICMP host 88.28.182.224 unreachable, length 48
IP (tos 0x0, ttl 47, id 18684, offset 0, flags [DF], proto TCP (6), length 40)
91.228.165.148.8883 > 88.28.182.224.5016: Flags [F.], cksum 0xb2c6 (correct), seq 0, ack 1, win 18, length 0
10:20:09.087373 usb0 Out IP (tos 0xc0, ttl 64, id 51965, offset 0, flags [none], proto ICMP (1), length 68)
88.28.182.224 > 91.228.165.148: ICMP host 88.28.182.224 unreachable, length 48
IP (tos 0x0, ttl 47, id 18685, offset 0, flags [DF], proto TCP (6), length 40)
91.228.165.148.8883 > 88.28.182.224.5016: Flags [F.], cksum 0xb2c6 (correct), seq 0, ack 1, win 18, length 0
10:20:09.467921 usb0 In IP (tos 0x0, ttl 64, id 65156, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.14.1 > 192.168.3.1: ICMP echo request, id 8858, seq 5, length 64
10:20:10.114049 usb0 In IP (tos 0xc0, ttl 64, id 65213, offset 0, flags [none], proto ICMP (1), length 116)
192.168.14.1 > 192.168.3.1: ICMP host 192.168.14.196 unreachable, length 96
IP (tos 0x0, ttl 63, id 21188, offset 0, flags [DF], proto TCP (6), length 88)
192.168.3.1.4218 > 192.168.14.196.42149: Flags [.], cksum 0x4700 (correct), seq 0:48, ack 1, win 4005, length 48
10:20:10.114052 usb0 In IP (tos 0xc0, ttl 64, id 65214, offset 0, flags [none], proto ICMP (1), length 116)
192.168.14.1 > 192.168.3.1: ICMP host 192.168.14.196 unreachable, length 96
IP (tos 0x0, ttl 63, id 21189, offset 0, flags [DF], proto TCP (6), length 88)
192.168.3.1.4218 > 192.168.14.196.42149: Flags [.], cksum 0x4700 (correct), seq 0:48, ack 1, win 4005, length 48
10:20:10.115740 usb0 In IP (tos 0xc0, ttl 64, id 65215, offset 0, flags [none], proto ICMP (1), length 116)
192.168.14.1 > 192.168.3.1: ICMP host 192.168.14.196 unreachable, length 96
192.168.3.1.4218 > 192.168.14.196.42149: Flags [.], cksum 0x4700 (correct), seq 0:48, ack 1, win 4005, length 48
10:20:10.467770 usb0 In IP (tos 0x0, ttl 64, id 65220, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.14.1 > 192.168.3.1: ICMP echo request, id 8858, seq 6, length 64
10:20:11.467920 usb0 In IP (tos 0x0, ttl 64, id 65257, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.14.1 > 192.168.3.1: ICMP echo request, id 8858, seq 7, length 64
10:20:12.287049 usb0 Out IP (tos 0xc0, ttl 64, id 52162, offset 0, flags [none], proto ICMP (1), length 68)
88.28.182.224 > 91.228.165.148: ICMP host 88.28.182.224 unreachable, length 48
IP (tos 0x0, ttl 47, id 18686, offset 0, flags [DF], proto TCP (6), length 40)
91.228.165.148.8883 > 88.28.182.224.5016: Flags [F.], cksum 0xb2c6 (correct), seq 0, ack 1, win 18, length 0
10:20:12.287300 usb0 Out IP (tos 0xc0, ttl 64, id 52163, offset 0, flags [none], proto ICMP (1), length 68)
88.28.182.224 > 91.228.165.148: ICMP host 88.28.182.224 unreachable, length 48
IP (tos 0x0, ttl 47, id 18687, offset 0, flags [DF], proto TCP (6), length 40)
91.228.165.148.8883 > 88.28.182.224.5016: Flags [F.], cksum 0xb2c6 (correct), seq 0, ack 1, win 18, length 0
10:20:12.504919 usb0 In IP (tos 0x0, ttl 64, id 65278, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.14.1 > 192.168.3.1: ICMP echo request, id 8858, seq 8, length 64
10:20:13.224927 usb0 In IP (tos 0xc0, ttl 64, id 65304, offset 0, flags [none], proto ICMP (1), length 116)
192.168.14.1 > 192.168.3.1: ICMP host 192.168.14.196 unreachable, length 96
IP (tos 0x0, ttl 63, id 21191, offset 0, flags [DF], proto TCP (6), length 88)
192.168.3.1.4218 > 192.168.14.196.42149: Flags [.], cksum 0x4700 (correct), seq 0:48, ack 1, win 4005, length 48
10:20:13.226214 usb0 In IP (tos 0xc0, ttl 64, id 65305, offset 0, flags [none], proto ICMP (1), length 116)
192.168.14.1 > 192.168.3.1: ICMP host 192.168.14.196 unreachable, length 96
IP (tos 0x0, ttl 63, id 21192, offset 0, flags [DF], proto TCP (6), length 88)
192.168.3.1.4218 > 192.168.14.196.42149: Flags [.], cksum 0x4700 (correct), seq 0:48, ack 1, win 4005, length 48
10:20:13.226217 usb0 In IP (tos 0xc0, ttl 64, id 65306, offset 0, flags [none], proto ICMP (1), length 116)
192.168.14.1 > 192.168.3.1: ICMP host 192.168.14.196 unreachable, length 96
IP (tos 0x0, ttl 63, id 21193, offset 0, flags [DF], proto TCP (6), length 88)
192.168.3.1.4218 > 192.168.14.196.42149: Flags [.], cksum 0x4700 (correct), seq 0:48, ack 1, win 4005, length 48
10:20:13.467756 usb0 In IP (tos 0x0, ttl 64, id 65319, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.14.1 > 192.168.3.1: ICMP echo request, id 8858, seq 9, length 64
10:20:14.477760 usb0 In IP (tos 0x0, ttl 64, id 65338, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.14.1 > 192.168.3.1: ICMP echo request, id 8858, seq 10, length 64
10:20:15.478000 usb0 In IP (tos 0x0, ttl 64, id 65408, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.14.1 > 192.168.3.1: ICMP echo request, id 8858, seq 11, length 64
10:20:15.487076 usb0 Out IP (tos 0xc0, ttl 64, id 52464, offset 0, flags [none], proto ICMP (1), length 68)
88.28.182.224 > 91.228.165.148: ICMP host 88.28.182.224 unreachable, length 48
IP (tos 0x0, ttl 47, id 18688, offset 0, flags [DF], proto TCP (6), length 40)
91.228.165.148.8883 > 88.28.182.224.5016: Flags [F.], cksum 0xb2c6 (correct), seq 0, ack 1, win 18, length 0
10:20:15.487299 usb0 Out IP (tos 0xc0, ttl 64, id 52465, offset 0, flags [none], proto ICMP (1), length 68)
88.28.182.224 > 91.228.165.148: ICMP host 88.28.182.224 unreachable, length 48
IP (tos 0x0, ttl 47, id 18689, offset 0, flags [DF], proto TCP (6), length 40)
91.228.165.148.8883 > 88.28.182.224.5016: Flags [F.], cksum 0xb2c6 (correct), seq 0, ack 1, win 18, length 0
10:20:16.352911 usb0 In IP (tos 0xc0, ttl 64, id 65490, offset 0, flags [none], proto ICMP (1), length 116)
192.168.14.1 > 192.168.3.1: ICMP host 192.168.14.196 unreachable, length 96
IP (tos 0x0, ttl 63, id 21194, offset 0, flags [DF], proto TCP (6), length 88)
192.168.3.1.4218 > 192.168.14.196.42149: Flags [.], cksum 0x4700 (correct), seq 0:48, ack 1, win 4005, length 48
10:20:16.352914 usb0 In IP (tos 0xc0, ttl 64, id 65491, offset 0, flags [none], proto ICMP (1), length 116)
192.168.14.1 > 192.168.3.1: ICMP host 192.168.14.196 unreachable, length 96
IP (tos 0x0, ttl 63, id 21195, offset 0, flags [DF], proto TCP (6), length 88)
192.168.3.1.4218 > 192.168.14.196.42149: Flags [.], cksum 0x4700 (correct), seq 0:48, ack 1, win 4005, length 48
10:20:16.354616 usb0 In IP (tos 0xc0, ttl 64, id 65492, offset 0, flags [none], proto ICMP (1), length 116)
192.168.14.1 > 192.168.3.1: ICMP host 192.168.14.196 unreachable, length 96
IP (tos 0x0, ttl 63, id 21196, offset 0, flags [DF], proto TCP (6), length 88)
192.168.3.1.4218 > 192.168.14.196.42149: Flags [.], cksum 0x4700 (correct), seq 0:48, ack 1, win 4005, length 48
^C
31 packets captured
34 packets received by filter
0 packets dropped by kernel
RUT2 → RUT1:
root@RUT200:~# tcpdump -i any -n -v icmp
tcpdump: data link type LINUX_SLL2
tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
10:10:54.189294 usb0 In IP (tos 0x0, ttl 64, id 52308, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.3.1 > 192.168.14.1: ICMP echo request, id 9457, seq 2, length 64
10:10:55.189428 usb0 In IP (tos 0x0, ttl 64, id 52386, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.3.1 > 192.168.14.1: ICMP echo request, id 9457, seq 3, length 64
10:10:56.190411 usb0 In IP (tos 0x0, ttl 64, id 52481, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.3.1 > 192.168.14.1: ICMP echo request, id 9457, seq 4, length 64
10:10:57.189426 usb0 In IP (tos 0x0, ttl 64, id 52560, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.3.1 > 192.168.14.1: ICMP echo request, id 9457, seq 5, length 64
10:10:58.165127 usb0 In IP (tos 0x0, ttl 64, id 52572, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.3.1 > 192.168.14.1: ICMP echo request, id 9457, seq 6, length 64
10:10:59.189301 usb0 In IP (tos 0x0, ttl 64, id 52593, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.3.1 > 192.168.14.1: ICMP echo request, id 9457, seq 7, length 64
10:11:00.230419 usb0 In IP (tos 0x0, ttl 64, id 52642, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.3.1 > 192.168.14.1: ICMP echo request, id 9457, seq 8, length 64
10:11:01.189424 usb0 In IP (tos 0x0, ttl 64, id 52653, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.3.1 > 192.168.14.1: ICMP echo request, id 9457, seq 9, length 64
10:11:02.184422 usb0 In IP (tos 0x0, ttl 64, id 52709, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.3.1 > 192.168.14.1: ICMP echo request, id 9457, seq 10, length 64
10:11:03.184290 usb0 In IP (tos 0x0, ttl 64, id 52768, offset 0, flags [DF], proto ICMP (1), length 84)
10:11:04.189188 usb0 In IP (tos 0x0, ttl 64, id 52784, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.3.1 > 192.168.14.1: ICMP echo request, id 9457, seq 12, length 64
10:11:05.189317 usb0 In IP (tos 0x0, ttl 64, id 52880, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.3.1 > 192.168.14.1: ICMP echo request, id 9457, seq 13, length 64
10:11:06.229414 usb0 In IP (tos 0x0, ttl 64, id 52909, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.3.1 > 192.168.14.1: ICMP echo request, id 9457, seq 14, length 64
10:11:07.189414 usb0 In IP (tos 0x0, ttl 64, id 52998, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.3.1 > 192.168.14.1: ICMP echo request, id 9457, seq 15, length 64
10:11:08.229422 usb0 In IP (tos 0x0, ttl 64, id 53023, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.3.1 > 192.168.14.1: ICMP echo request, id 9457, seq 16, length 64
10:11:09.205285 usb0 In IP (tos 0x0, ttl 64, id 53043, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.3.1 > 192.168.14.1: ICMP echo request, id 9457, seq 17, length 64
10:11:10.229308 usb0 In IP (tos 0x0, ttl 64, id 53103, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.3.1 > 192.168.14.1: ICMP echo request, id 9457, seq 18, length 64
10:11:11.189438 usb0 In IP (tos 0x0, ttl 64, id 53160, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.3.1 > 192.168.14.1: ICMP echo request, id 9457, seq 19, length 64
^C
18 packets captured
21 packets received by filter
0 packets dropped by kernel

I have done the VPN between the two and I get the same error again. I can’t reach the connected device on the opposite LAN.
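Added example, not part of the original thread: a small awk tally for captures like the two above, listing which echo requests were seen and which router reported which host unreachable. The function name `icmp_summary` is made up for illustration; the sample lines are taken from the RUT1 capture in this thread.

```shell
#!/bin/sh
# Added example: tally ICMP records in `tcpdump -n -v icmp` text output.
# SAMPLE holds lines copied from the RUT1 capture posted in this thread.

SAMPLE='10:20:05.467916 usb0 In IP (tos 0x0, ttl 64, id 64917, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.14.1 > 192.168.3.1: ICMP echo request, id 8858, seq 1, length 64
10:20:06.504919 usb0 In IP (tos 0x0, ttl 64, id 64995, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.14.1 > 192.168.3.1: ICMP echo request, id 8858, seq 2, length 64
10:20:06.984907 usb0 In IP (tos 0xc0, ttl 64, id 65044, offset 0, flags [none], proto ICMP (1), length 116)
    192.168.14.1 > 192.168.3.1: ICMP host 192.168.14.196 unreachable, length 96
    IP (tos 0x0, ttl 63, id 21185, offset 0, flags [DF], proto TCP (6), length 88)
    192.168.3.1.4218 > 192.168.14.196.42149: Flags [.], cksum 0x4700 (correct), seq 2705280711:2705280759, ack 986542620, win 4005, length 48'

# Reads tcpdump text on stdin and prints one sorted line per finding:
#   echo <src> > <dst> requests=<n> replies=<n>
#   unreachable <host> reported_by=<router> count=<n>
# Header lines and the quoted inner packet of an ICMP error match no rule.
# Caveat: on a policy-based IPsec endpoint, packets sent into the tunnel are
# typically captured only after encryption (as ESP), so replies=0 does not by
# itself show that no reply was sent.
icmp_summary() {
    awk '
    / ICMP echo request/ { sub(/:$/, "", $3); req[$1 " > " $3]++ }
    / ICMP echo reply/   { sub(/:$/, "", $3); rep[$3 " > " $1]++ }  # keyed by request direction
    / ICMP host .* unreachable/ {
        for (i = 1; i <= NF; i++)
            if ($i == "host") { unr[$(i+1) " reported_by=" $1]++; break }
    }
    END {
        for (k in req) printf "echo %s requests=%d replies=%d\n", k, req[k], rep[k]
        for (k in unr) printf "unreachable %s count=%d\n", k, unr[k]
    }' | sort
}

printf '%s\n' "$SAMPLE" | icmp_summary
```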

Do you have the tcpdump of the other RUT?
Instead of the ping, can you do a traceroute 192.168.14.1?

When setting up the VPN, is it necessary to modify firewall rules or create static routes? I have seen that when you create the VPN, the necessary firewall rules are already created.

In the above message, I have both tcpdumps.
Here is the traceroute to 192.168.14.1:

No, this should be done automatically.
Try the traceroute.

The traceroute is correct.

Yes, sorry, I missed the second one.

Try a traceroute to a device in 192.168.14.0/24. What do you see?

Redo the traceroute 192.168.14.161 and the following tcpdump on the RUT2:

tcpdump -i any -n -v 'host 192.168.14.161 or icmp'

What is the output of tcpdump?

The result is:
2304 packets captured
2649 packets received by filter
332 packets dropped by kernel

I can’t post it all because it is too long.

Try with:

tcpdump -i any -n -v -s 128 -w dump.pcap 'icmp or (ip proto \udp and host 192.168.14.161)'

and post the dump.pcap file somewhere.

root@RUT200:~# tcpdump -i any -s 128 -w dump.pca -‘icmp or (ip proto \udp and host 192.168.14.196)’
tcpdump: cmp or (ip proto \udp and host 192.168.14.196): No such device exists
(No such device exists)