Home/Support/Support Forum/IPSec VPN tunnel can't ping remote network from router
Welcome to Digi Forum, where you can ask questions and receive answers from other members of the community.

IPSec VPN tunnel can't ping remote network from router

0 votes
Hi there,

I have an issue with traffic not being routed down an IPSec tunnel I have up and running on a WR11 Digi modem (firmware version 8.4.0.3)

The tunnel is up and working.

My local subnet (corporate headquarters) is 10.1.0.0/16 my remote subnet (Digi modem) is 10.90.3.0/24. The routing table looks right:

10.1.0.0/16 184.151.233.150 1 IPsec - PPP 1 UP
10.90.3.0/24 10.90.3.1 1 Local - ETH 0 UP
184.151.233.148/30 184.151.233.150 1 Local - PPP 1 UP

However when I run traceroute it shows something very odd:

Tracing route to 10.1.5.218, max 30 hops

1 * * * Unknown
2 50 ms 50 ms 70 ms 10.4.215.197
3 50 ms 60 ms 40 ms 10.8.1.33
4 40 ms 40 ms 50 ms 10.55.129.155
5 100 ms 70 ms 80 ms 10.55.129.154
6 90 ms 80 ms 80 ms 64.230.76.208
7 100 ms 70 ms 80 ms 64.230.78.234
8 80 ms 80 ms 80 ms 64.230.158.57
9 80 ms 80 ms 90 ms 64.230.160.187
10 110 ms 80 ms 90 ms 172.25.122.21
11 70 ms 80 ms 80 ms 172.25.122.22
12 80 ms 80 ms 80 ms 172.25.123.17
13 90 ms 70 ms 80 ms 172.25.50.98

Despite the routing table (and the fact a 10.x.x.x address should never be routed to the internet) it appears to be routing traffic out the internet interface.

The really interesting thing is that I can ping the Digi from my corporate network side of the tunnel.

And I can also ping from the Digi side of things if I connect a device to the digi modem. So for example if I connect a laptop I can ping to the corporate LAN.

So it seems when the traffic originates from this end of the tunnel the digi knows to route it back down the IPSEC tunnel. But when the traffic originates from the Digi modem itself it routes it out to the internet.

Can anyone assist me with fixing this please?

Regards, John.
asked Sep 24, 2021 in Digi Connect Cellular by johnnyboy1981 New to the Community (2 points)

Please log in or register to answer this question.

2 Answers

0 votes
 
Best answer
The WR11 is using the source IP to route the packet. By default it will use the ppp 1 source ip.

To ping 10.1.5.218 you are probably using "ping 10.1.5.218".

Try "ping 10.1.5.218 -e0"

This will tell ping to use the source IP of Eth 0 which should then match your subnet policies and route down the tunnel.

You can turn a feature for all router generated traffic to use Eth 0 address as a source IP but it ruins NTP and other services if you are not pushing everything down the tunnel.


Nicholas Wilson
Your IoT
https://www.YourIoT.com.au
answered Sep 28, 2021 by NicholasYourIoT Veteran of the Digi Community (271 points)
selected Sep 29, 2021 by johnnyboy1981
Thanks so much that's exactly right.

I still don't understand exactly why the router doesn't adhere to it's own routing table though?

Any ideas why this might be?

It seems strange that a router wouldn't honour its own routing table!

Thanks for all the help though man I truly appreciate it.
commented Sep 30, 2021 by johnnyboy1981 New to the Community (2 points)
0 votes
Hello? Can anyone help me with this?
answered Sep 28, 2021 by johnnyboy1981 New to the Community (2 points)
...