plucchetti
newbie
Topic Author
Posts: 33
Joined: Sat Jun 18, 2005 6:57 pm

Help with IPSEC

Wed May 07, 2008 2:50 pm

Hi,


I have an IPSEC concentrator working with remote LANs. All works fine, but when I try to reach another LAN outside the IPSEC scheme (just a routed LAN) from a remote connection, I can't get a ping response. All networks are in mangle rules before masquerade, because all routers are working with NAT.
The remote LAN can only be reached from the IPSEC concentrator, not from the remote connections.

Any help please?


Thanks in advance,
Pablo
 
andrewluck
Forum Veteran
Posts: 700
Joined: Fri May 28, 2004 9:05 pm
Location: Norfolk, UK

Re: Help with IPSEC

Wed May 07, 2008 4:50 pm

Are you excluding the IPSEC Lan to Lan traffic from NAT?

Are the routing tables correct?

Regards

Andrew
 
plucchetti
newbie
Topic Author
Posts: 33
Joined: Sat Jun 18, 2005 6:57 pm

Re: Help with IPSEC

Wed May 07, 2008 6:16 pm

Are you excluding the IPSEC Lan to Lan traffic from NAT?
I have all networks in the firewall, for example:
chain=srcnat action=accept src-address=192.168.20.0/24



Are the routing tables correct?
I think it's ok because I can reach the remote routed LAN from the IPSEC concentrator. Do I need to add something on the remote IPSEC clients?

Regards

Andrew
 
andrewluck
Forum Veteran
Posts: 700
Joined: Fri May 28, 2004 9:05 pm
Location: Norfolk, UK

Re: Help with IPSEC

Thu May 08, 2008 4:26 pm

I have all networks in the firewall, for example:
chain=srcnat action=accept src-address=192.168.20.0/24
This is probably incorrect. You will probably have a source NAT rule that masquerades for the outside world. You require some additional rules before this one that exclude traffic bound for your IPSEC-reachable LANs. These will have action=accept and you will need to specify the destination address.

e.g.
chain=srcnat action=accept src-address=192.168.1.0/24 dst-address=192.168.111.0/24
chain=srcnat action=src-nat to-addresses=xxx.xxx.xxx.205 to-ports=0-65535 src-address=192.168.1.0/24 out-interface=Internet
In this example, the first rule excludes traffic bound for the remote LAN (192.168.111.0/24) and the second rule NATs everything else for the Internet; xxx.xxx.xxx.205 is one of my public IPs.

You need to think about routing end-to-end in both directions. Pick a remote destination address and for each client or router in the path, look at the routing table and ask yourself, 'where will this packet be sent next'. Once you get to the remote client successfully, repeat the process in the opposite direction.

Regards

Andrew
 
plucchetti
newbie
Topic Author
Posts: 33
Joined: Sat Jun 18, 2005 6:57 pm

Re: Help with IPSEC

Thu May 08, 2008 5:16 pm

Andrew,

I have these rules in firewall/nat:

add action=accept chain=srcnat comment="" disabled=no dst-address=192.168.10.0/24 src-address=192.168.40.0/24
add action=accept chain=srcnat comment="" disabled=no dst-address=192.168.30.0/24 src-address=192.168.40.0/24
add action=masquerade chain=srcnat comment="" disabled=no out-interface=pppoe-out1 src-address=192.168.40.0/24
Did you mean I must use src-nat instead of masquerade?

The IPSEC concentrator has the LAN IP 192.168.10.4, but the 192.168.30.0/24 network is unreachable from the 192.168.40.0/24 network.


Regards,
Pablo
 
andrewluck
Forum Veteran
Posts: 700
Joined: Fri May 28, 2004 9:05 pm
Location: Norfolk, UK

Re: Help with IPSEC

Thu May 08, 2008 8:11 pm

That looks OK to me. Don't forget that you need equivalent rules on the other ends of the link. After that, check that the traffic is hitting the relevant IPSEC policy.

Masquerade should work. I tend to avoid using it though and prefer to manually specify source nat rules.

Regards

Andrew
 
plucchetti
newbie
Topic Author
Posts: 33
Joined: Sat Jun 18, 2005 6:57 pm

Re: Help with IPSEC

Fri May 09, 2008 4:01 pm

No way, Andrew...
I can't ping between the networks 192.168.30.xxx, 192.168.40.xxx, 192.168.20.xxx or 192.168.21.xxx when the tunnel is up.
Here is the network schema.
Any other idea?


Thanks for your help.
Pablo
 
plucchetti
newbie
Topic Author
Posts: 33
Joined: Sat Jun 18, 2005 6:57 pm

Re: Help with IPSEC - SOLVED

Sat May 10, 2008 1:03 am

Missing policy to encrypt traffic through the IPSEC concentrator from the 192.168.40.0/24 network to the 192.168.30.0/24 network.

Thanks
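For readers landing here with the same symptom, the following is an added example (written for this page; it is not configuration from either poster or from MikroTik) that puts Andrew's NAT-exclusion advice and Pablo's missing policy together in one hub-and-spoke layout. It assumes the topology described in the thread (concentrator LAN 192.168.10.0/24, spokes 192.168.40.0/24 and 192.168.30.0/24, one tunnel from each spoke to the concentrator, outbound interface pppoe-out1 as in Pablo's rules). HUB_PUBLIC, SPOKE_A_PUBLIC and SPOKE_B_PUBLIC are placeholders for the real public addresses; peers and proposals are assumed to exist already, since the tunnels were up.

```routeros
# Added example, not from the thread. Hub-and-spoke IPsec where spoke-to-spoke
# traffic is relayed through the concentrator. Public addresses are placeholders.
# Assumed layout: hub LAN 192.168.10.0/24, spoke A LAN 192.168.40.0/24,
# spoke B LAN 192.168.30.0/24; each spoke has one tunnel to the hub.
# /ip ipsec peer and /ip ipsec proposal entries are assumed to exist.

# ---- On spoke A (LAN 192.168.40.0/24) ----
/ip firewall nat
# The bypass rules must sit ABOVE the masquerade rule: srcnat runs before the
# packet is compared with the IPsec policies, so a masqueraded packet no longer
# has a source in 192.168.40.0/24 and never matches the policy.
add chain=srcnat action=accept src-address=192.168.40.0/24 dst-address=192.168.10.0/24 comment="no NAT: to hub LAN"
add chain=srcnat action=accept src-address=192.168.40.0/24 dst-address=192.168.30.0/24 comment="no NAT: to spoke B via hub"
add chain=srcnat action=masquerade src-address=192.168.40.0/24 out-interface=pppoe-out1
/ip ipsec policy
# One policy per remote LAN; both point at the hub because the hub relays.
add src-address=192.168.40.0/24 dst-address=192.168.10.0/24 sa-src-address=SPOKE_A_PUBLIC sa-dst-address=HUB_PUBLIC tunnel=yes action=encrypt proposal=default
add src-address=192.168.40.0/24 dst-address=192.168.30.0/24 sa-src-address=SPOKE_A_PUBLIC sa-dst-address=HUB_PUBLIC tunnel=yes action=encrypt proposal=default

# ---- On spoke B (LAN 192.168.30.0/24), the mirror image ----
/ip firewall nat
add chain=srcnat action=accept src-address=192.168.30.0/24 dst-address=192.168.10.0/24 comment="no NAT: to hub LAN"
add chain=srcnat action=accept src-address=192.168.30.0/24 dst-address=192.168.40.0/24 comment="no NAT: to spoke A via hub"
add chain=srcnat action=masquerade src-address=192.168.30.0/24 out-interface=pppoe-out1
/ip ipsec policy
add src-address=192.168.30.0/24 dst-address=192.168.10.0/24 sa-src-address=SPOKE_B_PUBLIC sa-dst-address=HUB_PUBLIC tunnel=yes action=encrypt proposal=default
add src-address=192.168.30.0/24 dst-address=192.168.40.0/24 sa-src-address=SPOKE_B_PUBLIC sa-dst-address=HUB_PUBLIC tunnel=yes action=encrypt proposal=default

# ---- On the concentrator (LAN 192.168.10.0/24) ----
/ip firewall nat
add chain=srcnat action=accept src-address=192.168.10.0/24 dst-address=192.168.40.0/24 comment="no NAT: hub LAN to spoke A"
add chain=srcnat action=accept src-address=192.168.10.0/24 dst-address=192.168.30.0/24 comment="no NAT: hub LAN to spoke B"
# The masquerade below is limited to the hub LAN, so relayed spoke-to-spoke
# packets already escape it; explicit accepts make that intent visible and keep
# working if the masquerade rule is ever broadened.
add chain=srcnat action=accept src-address=192.168.40.0/24 dst-address=192.168.30.0/24 comment="no NAT: relayed A to B"
add chain=srcnat action=accept src-address=192.168.30.0/24 dst-address=192.168.40.0/24 comment="no NAT: relayed B to A"
add chain=srcnat action=masquerade src-address=192.168.10.0/24 out-interface=pppoe-out1
/ip ipsec policy
# Hub LAN to each spoke: the policies the thread already had in place.
add src-address=192.168.10.0/24 dst-address=192.168.40.0/24 sa-src-address=HUB_PUBLIC sa-dst-address=SPOKE_A_PUBLIC tunnel=yes action=encrypt proposal=default
add src-address=192.168.10.0/24 dst-address=192.168.30.0/24 sa-src-address=HUB_PUBLIC sa-dst-address=SPOKE_B_PUBLIC tunnel=yes action=encrypt proposal=default
# The missing pieces. A RouterOS policy also matches the reverse selector on
# decrypt, so the 40->30 policy towards spoke B encrypts relayed A-to-B traffic
# and accepts B-to-A traffic arriving from B; the 30->40 policy towards spoke A
# does the same for the other tunnel. Without them the hub routes the relayed
# packets in clear text and they never come back.
add src-address=192.168.40.0/24 dst-address=192.168.30.0/24 sa-src-address=HUB_PUBLIC sa-dst-address=SPOKE_B_PUBLIC tunnel=yes action=encrypt proposal=default
add src-address=192.168.30.0/24 dst-address=192.168.40.0/24 sa-src-address=HUB_PUBLIC sa-dst-address=SPOKE_A_PUBLIC tunnel=yes action=encrypt proposal=default

# ---- Checks, on whichever router the ping is failing ----
# While pinging across the tunnel the accept-rule counters should climb; a
# climbing masquerade counter instead means the bypass is missing or sits
# below the masquerade rule.
/ip firewall nat print stats
# Every policy that carries live traffic should have a phase-2 SA installed;
# a policy with no SA is the "traffic not hitting the policy" case Andrew
# describes.
/ip ipsec installed-sa print
```

The point the thread arrives at is that NAT exclusion and policy coverage have to agree, and on every router in the path: each LAN pair that is supposed to go through the tunnel needs an accept rule above the masquerade and a policy whose selector matches that pair, and on a relaying hub that means policies for the spoke-to-spoke pairs as well as for its own LAN.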
 
andrewluck
Forum Veteran
Posts: 700
Joined: Fri May 28, 2004 9:05 pm
Location: Norfolk, UK

Re: Help with IPSEC

Sat May 10, 2008 10:56 am

Pablo

Glad to help.

Kind regards

Andrew
