Thursday, August 6, 2020

Issue with IPSEC tunnels over Telstra LTE

Hey everyone, I've been bashing my head against a wall with this one.

I have an HA pair of FortiGate 300Es trying to connect a few Teltonika RUTX11s via IPSEC dial-in over Telstra LTE.

I have no dramas getting both the P1 and P2 up but cannot pass any traffic. Sometimes I can pass traffic one way, but that is random.

Now I've tested this by taking the LTE out of the picture and putting the remote dial-in device (RUTX11) on a public IP in our WAN, and the traffic works perfectly.

I'll admit I have not touched IPSEC in over 10 years and have previously used OpenVPN, but I wanted to use IPSEC in this new environment. I wanted to iron this out perfectly as 90% of our traffic is hub and spoke from these remote RUTX11s.

I'm currently at home so will have to include some pcaps and diag logs tomorrow, but I just wanted to see if anyone else was having similar issues.

From my troubleshooting so far, Telstra is running CG-NAT and using private IPs. I've changed the APN on the RUTX11 to telstra.extranet, which gives me a public IP and has no CG-NAT, and I was hoping this would be the fix, but it's still acting strangely. I've googled for hours and found a few blogs on Telstra running policy-based routing, but was hoping someone else has an idea of the issue and some steps to take to get to the bottom of this.

If I can't sort this out in the next week or so I'll have to fall back to OpenVPN.
