
IPSec VPN tunnel can't ping remote network from router

0 votes
Hi there,

I have an issue with traffic not being routed down an IPSec tunnel I have up and running on a WR11 Digi modem (firmware version

The tunnel is up and working.

My local subnet (corporate headquarters) is my remote subnet (Digi modem) is

The routing table looks right:

1 IPsec - PPP 1 UP
1 Local - ETH 0 UP
1 Local - PPP 1 UP

However when I run traceroute it shows something very odd:

Tracing route to, max 30 hops

1 * * * Unknown
2 50 ms 50 ms 70 ms
3 50 ms 60 ms 40 ms
4 40 ms 40 ms 50 ms
5 100 ms 70 ms 80 ms
6 90 ms 80 ms 80 ms
7 100 ms 70 ms 80 ms
8 80 ms 80 ms 80 ms
9 80 ms 80 ms 90 ms
10 110 ms 80 ms 90 ms
11 70 ms 80 ms 80 ms
12 80 ms 80 ms 80 ms
13 90 ms 70 ms 80 ms

Despite the routing table (and the fact a 10.x.x.x address should never be routed to the internet) it appears to be routing traffic out the internet interface.

The really interesting thing is that I can ping the Digi from my corporate network side of the tunnel.

And I can also ping from the Digi side of things if I connect a device to the Digi modem. So for example if I connect a laptop I can ping to the corporate LAN.

So it seems when the traffic originates from this end of the tunnel the Digi knows to route it back down the IPSec tunnel. But when the traffic originates from the Digi modem itself it routes it out to the internet.

Can anyone assist me with fixing this please?

Regards, John.
asked Sep 24 in Digi Connect Cellular by johnnyboy1981 New to the Community (2 points)


2 Answers

0 votes
Best answer
The WR11 is using the source IP to route the packet. By default it will use the PPP 1 source IP.

To ping you are probably using "ping".

Try "ping -e0"

This will tell ping to use the source IP of Eth 0 which should then match your subnet policies and route down the tunnel.

You can turn on a feature for all router-generated traffic to use the Eth 0 address as a source IP, but it ruins NTP and other services if you are not pushing everything down the tunnel.

Nicholas Wilson
Your IoT
answered Sep 28 by NicholasYourIoT Seasoned Professional (194 points)
selected Sep 29 by johnnyboy1981
Thanks so much that's exactly right.

I still don't understand exactly why the router doesn't adhere to its own routing table though?

Any ideas why this might be?

It seems strange that a router wouldn't honour its own routing table!

Thanks for all the help though man I truly appreciate it.
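
A simplified model of the behaviour the accepted answer describes, added here as an illustration (it is not Digi's code and not part of the original posts): the tunnel policy matches on both source and destination subnet, so a router-originated packet sourced from PPP 1 misses it while one sourced from Eth 0 matches. All addresses and function names are constructed assumptions; `find_leaks` applies the same check to flow records to spot tunnel-bound traffic that would leave unencrypted.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Selector:
    """Policy for one tunnel: protect traffic from `local` to `remote`."""
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network

# Constructed addressing; the thread's real subnets are not shown on the page.
TUNNEL = Selector(ipaddress.ip_network("192.168.1.0/24"),   # Digi LAN (assumed)
                  ipaddress.ip_network("10.1.0.0/16"))      # HQ LAN (assumed)
SOURCE_IP = {
    "eth0": "192.168.1.1",    # router LAN address, inside the local selector
    "ppp1": "203.0.113.45",   # cellular WAN address, outside the local selector
}

def egress(src, dst, selectors=(TUNNEL,)):
    """Return 'ipsec' only when BOTH addresses match a selector, else 'wan'."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for sel in selectors:
        if src in sel.local and dst in sel.remote:
            return "ipsec"
    return "wan"

def router_ping(dst, source_if="ppp1"):
    """Router-originated packet; its source address follows the chosen interface."""
    return egress(SOURCE_IP[source_if], dst)

def find_leaks(flows, selectors=(TUNNEL,)):
    """Flows aimed at a protected remote subnet whose source misses the policy."""
    leaks = []
    for src, dst in flows:
        to_protected = any(ipaddress.ip_address(dst) in s.remote for s in selectors)
        if to_protected and egress(src, dst, selectors) != "ipsec":
            leaks.append((src, dst))
    return leaks

if __name__ == "__main__":
    print(router_ping("10.1.0.10"))             # default source (PPP 1)
    print(router_ping("10.1.0.10", "eth0"))     # source chosen by "ping -e0"
    print(egress("192.168.1.50", "10.1.0.10"))  # laptop behind the Digi
    print(find_leaks([("203.0.113.45", "10.1.0.10"),      # constructed flows
                      ("192.168.1.50", "10.1.0.10"),
                      ("203.0.113.45", "198.51.100.9")]))
```
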
0 votes
Hello? Can anyone help me with this?
answered Sep 28 by johnnyboy1981 New to the Community (2 points)