
Help with IPSEC

Posted: Wed May 07, 2008 2:50 pm
by plucchetti
Hi,


I have an IPSEC concentrator working with remote LANs. All works fine, but when I try to reach another LAN outside the IPSEC scheme (just a routed LAN) from a remote connection, I can't obtain a ping response. All networks are in mangle rules before masquerade, because all routers are working with NAT.
The remote LAN can only be reached from the IPSEC concentrator, not from the remote connections.

Any help please?


Thanks in advance,
Pablo

Re: Help with IPSEC

Posted: Wed May 07, 2008 4:50 pm
by andrewluck
Are you excluding the IPSEC Lan to Lan traffic from NAT?

Are the routing tables correct?

Regards

Andrew

Re: Help with IPSEC

Posted: Wed May 07, 2008 6:16 pm
by plucchetti
Are you excluding the IPSEC Lan to Lan traffic from NAT?
I have all networks in the firewall, for example:
chain=srcnat action=accept src-address=192.168.20.0/24



Are the routing tables correct?
I think it's OK, because I can reach the remote routed LAN from the IPSEC concentrator. Do I need to add something on the remote IPSEC clients?


Re: Help with IPSEC

Posted: Thu May 08, 2008 4:26 pm
by andrewluck
I have all networks in firewall, for example:
chain=srcnat action=accept src-address=192.168.20.0/24
This is probably incorrect. You will probably have a source NAT rule that masquerades for the outside world. You require some additional rules before this one that exclude traffic bound for your IPSEC-reachable LANs. These will have action=accept, and you will need to specify the destination address.

e.g.
chain=srcnat action=accept src-address=192.168.1.0/24 dst-address=192.168.111.0/24
chain=srcnat action=src-nat to-addresses=xxx.xxx.xxx.205 to-ports=0-65535 src-address=192.168.1.0/24 out-interface=Internet
In this example, the first rule excludes traffic bound for the remote LAN (192.168.111.0/24), and the second rule NATs everything else for the Internet; xxx.xxx.xxx.205 is one of my public IPs.

You need to think about routing end-to-end in both directions. Pick a remote destination address and for each client or router in the path, look at the routing table and ask yourself, 'where will this packet be sent next'. Once you get to the remote client successfully, repeat the process in the opposite direction.

Regards

Andrew

Re: Help with IPSEC

Posted: Thu May 08, 2008 5:16 pm
by plucchetti
Andrew,

I have these rules on firewall/nat

add action=accept chain=srcnat comment="" disabled=no dst-address=192.168.10.0/24 src-address=192.168.40.0/24
add action=accept chain=srcnat comment="" disabled=no dst-address=192.168.30.0/24 src-address=192.168.40.0/24
add action=masquerade chain=srcnat comment="" disabled=no out-interface=pppoe-out1 src-address=192.168.40.0/24
Did you mean I must use src-nat instead of masquerade?

The IPSEC concentrator has the LAN IP 192.168.10.4, but the 192.168.30.0/24 network is unreachable from the 192.168.40.0/24 network.


Regards,
Pablo

Re: Help with IPSEC

Posted: Thu May 08, 2008 8:11 pm
by andrewluck
That looks OK to me. Don't forget that you need equivalent rules on the other ends of the link. After that, check that the traffic is hitting the relevant IPSEC policy.

Masquerade should work. I tend to avoid using it though and prefer to manually specify source nat rules.

Regards

Andrew

Re: Help with IPSEC

Posted: Fri May 09, 2008 4:01 pm
by plucchetti
No way, Andrew...
I can't ping between the networks 192.168.30.xxx, 192.168.40.xxx, 192.168.20.xxx and 192.168.21.xxx when the tunnel is up.
Here is the network schema.
Any other idea?


Thanks for your help.
Pablo

Re: Help with IPSEC - SOLVED

Posted: Sat May 10, 2008 1:03 am
by plucchetti
A policy was missing on the IPSEC concentrator to encrypt traffic from the 192.168.40.0/24 network to the 192.168.30.0/24 network.

Thanks
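The two points this thread turns on, Andrew's warning that the accept rules must sit before masquerade and Pablo's finding that the hub needs a policy for the spoke-to-spoke pair, can be checked with a small model of what RouterOS does to a packet on the way out: the srcnat chain is evaluated first (first match wins), then the IPsec policy table is consulted on the possibly-rewritten packet. The following Python is an added example, not code from the thread or from RouterOS. The LAN prefixes are the ones in the thread; the public addresses 203.0.113.x and the host addresses used in the walk-through are assumed for the example.

```python
"""Model of a RouterOS egress decision: /ip firewall nat chain=srcnat is applied
before the /ip ipsec policy lookup, so NAT exclusions and policy selectors have
to agree. Used to replay the two failure modes from the thread: an accept rule
placed after masquerade, and a hub that has hub<->spoke policies but none for
the spoke<->spoke pair it forwards.

Added example, not part of the original thread or of RouterOS. LAN prefixes are
the ones in the thread; public IPs 203.0.113.x are assumed (documentation range).
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

HUB_PUB, SPOKE30_PUB, SPOKE40_PUB = "203.0.113.10", "203.0.113.30", "203.0.113.40"


def in_net(addr: str, cidr: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)


@dataclass
class NatRule:
    action: str              # "accept" or "masquerade"
    src: str                 # src-address=
    dst: str = "0.0.0.0/0"   # dst-address= ; omitted in RouterOS means any


@dataclass
class Policy:
    src: str                 # src-address=
    dst: str                 # dst-address=
    sa_dst: str              # sa-dst-address= (the peer's public IP)


@dataclass
class Router:
    name: str
    public: str              # address masquerade rewrites the source to
    nat: List[NatRule] = field(default_factory=list)
    policies: List[Policy] = field(default_factory=list)


def srcnat(r: Router, src: str, dst: str) -> str:
    """chain=srcnat: the first matching rule decides; no match means no NAT."""
    for rule in r.nat:
        if in_net(src, rule.src) and in_net(dst, rule.dst):
            return rule.action
    return "none"


def policy(r: Router, src: str, dst: str) -> Optional[Policy]:
    """/ip ipsec policy: first matching policy; None means the packet leaves in the clear."""
    for p in r.policies:
        if in_net(src, p.src) and in_net(dst, p.dst):
            return p
    return None


def egress(r: Router, src: str, dst: str) -> Tuple[str, Optional[str]]:
    """Return (nat action, IPsec peer or None) for a packet leaving r.
    NAT runs before policy matching, so a masqueraded packet no longer carries
    the LAN source address the policy selectors expect."""
    action = srcnat(r, src, dst)
    if action == "masquerade":
        src = r.public
    p = policy(r, src, dst)
    return action, (p.sa_dst if p else None)


# --- constructed configurations (assumed, modelled on the thread) -------------
LAN10, LAN30, LAN40 = "192.168.10.0/24", "192.168.30.0/24", "192.168.40.0/24"

# Spoke 40: accept rules for every tunnelled destination precede masquerade,
# and it has a policy for the other spoke's LAN pointing at the hub.
spoke40 = Router("spoke40", SPOKE40_PUB,
    nat=[NatRule("accept", LAN40, LAN10), NatRule("accept", LAN40, LAN30),
         NatRule("masquerade", LAN40)],
    policies=[Policy(LAN40, LAN10, HUB_PUB), Policy(LAN40, LAN30, HUB_PUB)])

# Hub as in the thread before the fix: hub<->spoke policies only.
hub_missing = Router("hub", HUB_PUB,
    nat=[NatRule("accept", LAN10, LAN30), NatRule("accept", LAN10, LAN40),
         NatRule("masquerade", LAN10)],
    policies=[Policy(LAN10, LAN30, SPOKE30_PUB), Policy(LAN10, LAN40, SPOKE40_PUB)])

# Hub after the fix: a policy for each direction of the spoke<->spoke pair. The
# accept rules for the transit pair matter when masquerade is not limited by
# src-address, since a bare masquerade rule rewrites forwarded spoke traffic too.
hub_fixed = Router("hub", HUB_PUB,
    nat=[NatRule("accept", LAN10, LAN30), NatRule("accept", LAN10, LAN40),
         NatRule("accept", LAN40, LAN30), NatRule("accept", LAN30, LAN40),
         NatRule("masquerade", "0.0.0.0/0")],
    policies=hub_missing.policies + [Policy(LAN40, LAN30, SPOKE30_PUB),
                                     Policy(LAN30, LAN40, SPOKE40_PUB)])

# Hub with the ordering mistake Andrew warns about: masquerade before accept.
hub_bad_order = Router("hub", HUB_PUB,
    nat=[NatRule("masquerade", LAN10), NatRule("accept", LAN10, LAN30)],
    policies=hub_missing.policies)


def spoke_to_spoke(hub: Router, src="192.168.40.5", dst="192.168.30.5"):
    """Per-hop (nat, peer) results for a 40->30 packet: spoke40 encrypts it to
    the hub, then the hub must re-encrypt it toward spoke30."""
    return [egress(spoke40, src, dst), egress(hub, src, dst)]


if __name__ == "__main__":
    for label, hub in (("missing policy", hub_missing), ("fixed", hub_fixed)):
        print(label, spoke_to_spoke(hub))
    print("bad order", egress(hub_bad_order, "192.168.10.4", "192.168.30.5"))
```

Running it shows the 40->30 packet leaving the hub with no peer when the spoke pair has no policy (it would go out the default route in the clear and be dropped upstream), and masqueraded with no peer when the hub's own LAN traffic hits masquerade before the accept rule. The model deliberately omits routing, so Andrew's hop-by-hop routing-table check still applies alongside it.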

Re: Help with IPSEC

Posted: Sat May 10, 2008 10:56 am
by andrewluck
Pablo

Glad to help.

Kind regards

Andrew