WR11: How to get packets targeting remote VPN network over established IPSec SA to be routed through tunnel

I am trying to set up an IPSec VPN tunnel initiated by a WR11 over an LTE connection to a Netgear SRX5308 router.

I have been able to get the IPSec SA established, as indicated by both the Netgear router and the WR11. If I ping from a computer on the Netgear LAN to a computer on the WR11 LAN, I can see that the packet goes through the IPSec tunnel toward the WR11, and arrives at the computer on the WR11 LAN as expected. The computer on the WR11 LAN responds, sending the response packet, which I can see arriving at the eth0 interface of the WR11, but then if I am reading the trace correctly, the packet is sent out of the PPP1 interface, but still has the destination IP Address of the remote computer, not the remote IPSec endpoint.

WR11 LAN: 192.168.0.0/24
WR11 PPP1: 10.128.34.179
Netgear LAN: 192.168.4.0/24

Additionally, executing the PING command ping 192.168.4.203 -e0 from the WR11 does not get a response.

Executing a PING from 192.168.0.11 to 192.168.4.203 also results in a packet (captured by the WR11 analyzer) that is sent out the PPP1 interface targeting the remote LAN IP Address (not the Netgear public IP address):

----- 24-3-2017 10:09:34.500 ------
02 50 F3 00 00 00 00 00 00 00 00 00 08 00 45 00 .P…E.
00 3C 5B 7E 00 00 7F 01 ED 9C 0A 80 22 B3 C0 A8 .<[~…"…
04 CB …

NDIS From LOC TO REM IFACE: PPP 1
02 50 F3 00 00 00 Dst. MAC
00 00 00 00 00 00 Src. MAC
08 00 Type: IP
IP:
45 IP Ver: 4
Hdr Len: 20
00 TOS: Routine
Delay: Normal
Throughput: Normal
Reliability: Normal
00 3C Length: 60
5B 7E ID: 23422
00 00 Frag Offset: 0
Congestion: Normal
May Fragment
Last Fragment
7F TTL: 127
01 Proto: ICMP
ED 9C Checksum: 60828
0A 80 22 B3 Src IP: 10.128.34.179
C0 A8 04 CB Dst IP: 192.168.4.203

The IP capture shows packets with the source IP of 10.128.34.179 and a destination IP of 192.168.4.203.

Viewed from the WR11:
IKE SA connection: Shows connection with proper PPP1 IP Address and Netgear public IP Address

IPsec Peers: Shows Netgear public IP Address as Peer IP Addr. and NATT Local Port=4500 and NATT Remote Port=4500

IPsec Tunnel Outbound V1 SA: Peer IP Addr=Netgear Public IP, Local Network=192.168.0.0/24, Remote Network=192.168.4.0/24, Port=1701, KBytes Delivered=0, KBytes Left=0, Interface=PPP1

IPsec Tunnel Inbound V1 SA: Peer IP Addr=Netgear Public IP, Local Network=192.168.0.0/24, Remote Network=192.168.4.0/24, Port=1701, KBytes Delivered=26, KBytes Left=0, Interface=PPP1

Is there a configuration I am missing that routes the packets for the remote network through the IPsec Tunnel?
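As an added illustration (not part of the original post or of Digi's software), this Python decodes the analyzer dump quoted in the question and checks the decoded addresses against the traffic selectors listed for the outbound SA; the frame bytes and the two selector networks come from the post, the function names and structure are assumed. It shows that the captured packet's source is the PPP1 address 10.128.34.179, which lies outside the SA's local selector 192.168.0.0/24, so an SA with those selectors would not protect it.

```python
import ipaddress
import struct

# Constructed input: the first 34 bytes of the frame quoted from the WR11
# analyzer (14-byte Ethernet header + complete 20-byte IPv4 header). The ICMP
# payload was cut off in the post, so it is not reproduced here.
FRAME_HEX = (
    "02 50 F3 00 00 00 00 00 00 00 00 00 08 00 45 00 "
    "00 3C 5B 7E 00 00 7F 01 ED 9C 0A 80 22 B3 C0 A8 "
    "04 CB"
)

# Traffic selectors as shown on the WR11 "IPsec Tunnel Outbound V1 SA" page.
SA_LOCAL_NET = ipaddress.ip_network("192.168.0.0/24")
SA_REMOTE_NET = ipaddress.ip_network("192.168.4.0/24")


def ipv4_header_checksum(header: bytes) -> int:
    """RFC 791 checksum: one's-complement of the one's-complement sum of the
    header's 16-bit words, computed over a header whose checksum field is zero."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_frame(frame_hex: str) -> dict:
    """Decode the Ethernet and IPv4 headers the way the WR11 analyzer prints them."""
    frame = bytes.fromhex(frame_hex)
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame: ethertype 0x%04x" % ethertype)
    ip = frame[14:]
    if ip[0] >> 4 != 4:
        raise ValueError("not IPv4")
    hdr = ip[:(ip[0] & 0x0F) * 4]  # IHL is in 32-bit words
    (_, _tos, length, ident, _frag, ttl, proto, csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", hdr[:20])
    zeroed = hdr[:10] + b"\x00\x00" + hdr[12:]
    return {
        "total_length": length, "id": ident, "ttl": ttl, "proto": proto,
        "checksum_ok": ipv4_header_checksum(zeroed) == csum,
        "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
    }


def matches_outbound_sa(src, dst, local_net=SA_LOCAL_NET, remote_net=SA_REMOTE_NET) -> bool:
    """A packet is covered by the outbound SA only if its source is inside the
    local selector AND its destination is inside the remote selector."""
    return ipaddress.ip_address(src) in local_net and ipaddress.ip_address(dst) in remote_net


if __name__ == "__main__":
    pkt = parse_frame(FRAME_HEX)
    print(pkt)
    print("covered by outbound SA:", matches_outbound_sa(pkt["src"], pkt["dst"]))
```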

Hi Tom,

If you have the IPsec SAs and the IKE SA up then you are 99% there.

The trace does not show much. It is normal to see the packet go “out” on the PPP interface but then it gets encrypted and sent on.

To trace this correctly you want to turn off the PPP Interfaces - PPP 1 trace and trace the IP Sources - PPP 1 instead. Tick the box that says “Trace discarded packets” and put in an “IP addresses” filter in both the “IP Packet Filters” and “Discarded IP Packet Filters”. Put in “~192.168.4.203,x.x.x.x” where x.x.x.x is the public IP of the Netgear.

You should see the packet leave on PPP and then see the encrypted packet leave. You should also see the same in reverse for the ping coming in.

Post that trace and let’s see.