Unreachable host through IPSec tunnel

Hello,

I have an issue with accessing a specific host through an IPSec tunnel.

I have two LANs (a remote LAN and an office LAN) connected through an IPSec tunnel over the Internet. The tunnel works fine and I can access some resources of the remote LAN from the office LAN (web page, remote desktop, ping…).

However, I have an issue with one of them that works fine when connected locally but doesn’t work through the tunnel. The host is an IEC 61850 server that provides a data stream (real-time production data from wind turbines). I can access it with my client if connected locally, but it won’t work with the very same client through the IPSec tunnel.

Unfortunately I have no access to the IEC server and its configuration.

In the remote LAN router I can see that the client tries to establish a TCP connection, because in "/ip firewall connections" a line pops up with the "syn sent" TCP status. But the request doesn’t get answered and the connection request times out.

I thought it could be a gateway problem (the gateway of the server is wrongly configured), but I added a source NAT rule on the traffic coming from the tunnel to the remote LAN.
Can you think of any direction I should look in to find a solution? I read some things about MTU and ICMP black holes. Could that be the problem?

Thanks for your help

Francois

Try with small things:

  • does the ping work locally and remotely?
  • are there any connection logs on that server?
  • is there any firewall on that server? Is it filtering local traffic only?
  • not set / wrong default gateway at the server?

Hey,

Thanks for your answer.

* does the ping work locally and remotely?

Ping works locally and remotely

* are there any connection logs on that server?

Unfortunately, I have access to the server using the client but nothing else.

* is there any firewall on that server? Is it filtering local traffic only?

There may be a firewall, but I cannot check :(

Since I have a source NAT configured on the traffic coming from the tunnel to the remote LAN, the source address the server will see when receiving a request from the tunnel is the local address of my router, which looks like any other local address. So in my understanding the server shouldn’t even be able to detect that it is a remote access.

Could the server detect that the request is not a local request using any other information than the source address?

* not set / wrong default gateway at the server?

The server has the wrong gateway, but I cannot change it. The source NAT on the traffic from the tunnel to the LAN should solve this problem, and I understand it does since the pings are coming back.

Francois

Don’t know what protocol is being used. It may be on top of TCP, but still have some application-specific parameters transmitted within the TCP payload. These will not be corrected by src-nat-ing…

Do you know how the client is connecting to the server? Record with Wireshark maybe… so that you can determine if any other protocols are at play. Or maybe documentation of the protocol?
It’s hard to fix without knowing the cause…
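To make the suggested capture easier to read, here is a small triage script (an added example, not from this thread or from any MikroTik tool) that separates the two failure modes discussed above: a SYN that never gets a SYN-ACK (return route, gateway or firewall problem) versus a handshake that completes but whose first full-size segment is retransmitted and never acknowledged (path-MTU black hole). The packet tuples, addresses and sequence numbers are constructed placeholders standing in for what a Wireshark "tcp" filter would show.

```python
# Classify TCP flows from a constructed packet summary.
# Each packet: (src, dst, tcp_flags, seq, payload_len). Constructed sample data.
SAMPLE = [
    # flow A: client sends SYN twice, the server never answers (like the "syn sent" state)
    ("10.0.1.20", "192.168.5.10", "S", 100, 0),
    ("10.0.1.20", "192.168.5.10", "S", 100, 0),
    # flow B: handshake OK, first full-size server segment is retransmitted, never ACKed
    ("10.0.1.21", "192.168.5.11", "S", 200, 0),
    ("192.168.5.11", "10.0.1.21", "SA", 900, 0),
    ("10.0.1.21", "192.168.5.11", "A", 201, 0),
    ("192.168.5.11", "10.0.1.21", "PA", 901, 1400),
    ("192.168.5.11", "10.0.1.21", "PA", 901, 1400),
    # flow C: handshake OK, small data segment exchanged and acknowledged
    ("10.0.1.22", "192.168.5.12", "S", 300, 0),
    ("192.168.5.12", "10.0.1.22", "SA", 700, 0),
    ("10.0.1.22", "192.168.5.12", "A", 301, 0),
    ("192.168.5.12", "10.0.1.22", "PA", 701, 200),
    ("10.0.1.22", "192.168.5.12", "A", 301, 0),
]

def classify_flows(packets, big=1200):
    """Return {(client, server): verdict}; 'big' is the payload size above which
    a segment is treated as full-size (assumed threshold for the heuristic)."""
    flows = {}
    for src, dst, flags, seq, plen in packets:
        if flags == "S":  # pure SYN defines the flow and its client side
            flows.setdefault((src, dst), {"synack": False, "seen": set(),
                                          "big_retx": False, "pending_big": False,
                                          "acked_after_big": False})
            continue
        key = (dst, src) if (dst, src) in flows else (src, dst)
        if key not in flows:
            continue  # mid-stream packet with no visible SYN: ignore
        f = flows[key]
        if "S" in flags and "A" in flags:
            f["synack"] = True
        elif plen >= big:
            f["pending_big"] = True
            if (src, seq, plen) in f["seen"]:  # same segment again = retransmission
                f["big_retx"] = True
            f["seen"].add((src, seq, plen))
        elif "A" in flags and f["pending_big"]:
            f["acked_after_big"] = True  # peer acknowledged after a full-size segment
    verdicts = {}
    for key, f in flows.items():
        if not f["synack"]:
            verdicts[key] = "no-synack"            # check return route / gateway / firewall
        elif f["big_retx"] and not f["acked_after_big"]:
            verdicts[key] = "pmtu-blackhole-suspect"  # large segments lost, small ones pass
        else:
            verdicts[key] = "ok"
    return verdicts

if __name__ == "__main__":
    for flow, verdict in classify_flows(SAMPLE).items():
        print(flow, verdict)
```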

Thanks for your answer.

Indeed, the problem could be on higher layers than TCP. I will try to do some wiresharking to see if I can find something.

Thanks for your help