D-Link Forums
The Graveyard - Products No Longer Supported => D-Link NetDefend Firewalls => Topic started by: chechito on December 02, 2010, 11:05:31 AM
-
I have a DFL-800 with the latest firmware.
IPsec VPN works fine on the wan 1 interface.
Published services work fine on the wan 1 and wan 2 interfaces.
The firewall is manageable via wan 1 and wan 2 OK.
Outbound traffic is split nicely between the wan 1 and wan 2 interfaces according to the policies established in PBR.
My problem is that IPsec does not work on the wan 2 interface and I don't have any logs on the firewall.
How do I make IPsec VPN work on multiple interfaces?
-
I have almost the same issue, but with a small difference in the config.
I have 2 internet accesses and use dynamic outbound load balancing on both, using the destination algorithm.
The main default route is pppoe1 with the lower metric, with monitoring on both interfaces (pppoe1 and pppoe2).
My issue is that roaming users with the IPsec client cannot access the network via the wan1 interface, only via wan2.
My routing tables are as follows:
main : lan lannet, dmz dmznet wan wannet all with metric 100
pppoe1 all-nets metric 95 pppoe all-nets metric 96 both monitored.
pbr : lan lannet, dmz dmznet wan wannet all with metric 100
pppoe2 all-nets 95
routing rule: forward chain main, return chain pbr, all-services, any all-nets core pppoe2ip
With this configuration I cannot force IPsec roaming users to connect to lannet via pppoe1.
Any idea will be appreciated.
-
Hi,
I know this topic is quite old, but does anybody know the solution for this?
I found a post about this issue on the Clavister forum (Clavister and D-Link have the same/very similar firmware?):
https://forums.clavister.com/viewtopic.php?f=8&t=3934
Has anybody got it working with a DFL?
-
Same issue here with DFL-800, 210 and 260.
I have to use wan 1 for IPsec and wan 2 for PPTP, but cannot do IPsec on wan 1 and wan 2 at the same time.
The only way to change this was to change the main routing table and reboot the device; then I could change IPsec to wan 2, but it was unusable on wan 1.
-
It's really very simple:
First, make static routes for each IPsec remote endpoint through the corresponding WAN interface.
Keep the default route for one of the WANs in the "main" routing table.
Then make a routing table "alt_wan1" with type "only".
Add into it the route all-nets wan1 wan1_gw 100 (gw - if necessary).
Make the PBR rule wan1/all-nets any/all-nets, forward main, return alt_wan1.
Do the same for wan2.
This way, the DFL will process incoming connections from each WAN interface without a default route in the main table.
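As an added illustration (not part of the thread), a small Python model of why the per-WAN return table matters: the reply to a packet that arrived on wan2 is routed by the return table, so with only the main table's default route via wan1 the reply leaves on the wrong interface, and a routing rule pointing wan2 traffic at an "only" table with a wan2 default fixes it. The addresses, table contents and lookup semantics are constructed, simplified assumptions, not the DFL's actual implementation.

```python
import ipaddress

# Constructed, simplified model of the firewall's forward/return routing:
# a table is a list of (network, interface, gateway, metric) and a lookup
# is longest-prefix match, lowest metric on ties. NetDefendOS table
# ordering ("First"/"Only"/"Default") is deliberately not modelled.
def lookup(table, dst):
    dst = ipaddress.ip_address(dst)
    best = None
    for net, iface, gw, metric in table:
        net = ipaddress.ip_network(net)
        if dst in net:
            key = (net.prefixlen, -metric)
            if best is None or key > best[0]:
                best = (key, iface, gw)
    return None if best is None else (best[1], best[2])

def pick_return_table(rules, src_iface):
    """Routing rules: (source interface, return table); first match wins,
    and a connection matching no rule uses 'main' in both directions."""
    for rule_iface, table in rules:
        if rule_iface == src_iface:
            return table
    return "main"

def reply_interface(tables, rules, src_iface, peer_ip):
    """Interface the firewall uses to answer a packet that arrived on
    src_iface from peer_ip (e.g. IKE from a remote IPsec endpoint)."""
    hit = lookup(tables[pick_return_table(rules, src_iface)], peer_ip)
    return None if hit is None else hit[0]

# Sample tables following the thread's layout (constructed addresses).
TABLES = {
    "main": [
        ("10.24.76.0/22", "lan", None, 100),
        ("0.0.0.0/0", "wan1", "203.0.113.1", 80),   # default via wan1
        ("0.0.0.0/0", "wan2", "198.51.100.1", 90),  # loses on metric
    ],
    "alt_wan1": [("0.0.0.0/0", "wan1", "203.0.113.1", 100)],  # type "only"
    "alt_wan2": [("0.0.0.0/0", "wan2", "198.51.100.1", 100)],
}
NO_RULES = []
PBR_RULES = [("wan1", "alt_wan1"), ("wan2", "alt_wan2")]

if __name__ == "__main__":
    peer = "192.0.2.50"  # constructed remote IPsec peer address
    # Without rules the answer to IKE received on wan2 leaves via wan1.
    print(reply_interface(TABLES, NO_RULES, "wan2", peer))   # wan1
    print(reply_interface(TABLES, PBR_RULES, "wan2", peer))  # wan2
```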
-
danilovav: Could you write a little bit more?
Have you tested this?
BTW, is it possible to have multiple L2TP servers?
First server listening on wan1_ip1 and wan2_ip1,
second listening on wan1_ip2 and wan2_ip2.
I'm asking because I want to have 2 different VPN user groups with different LAN access.
Example: VPNUsers have access to the LAN FTP and WWW servers, VPNUsers2 access to the mail server.
I tried to set up:
Interfaces->ipsec->ipsec1:
Local net=wan1_ip1
Interfaces->ipsec->ipsec2:
Local net=wan1_ip2
Interfaces->pptp/l2tp servers->server1:
outer server ip=wan1_ip1
Interfaces->pptp/l2tp servers->server2:
outer server ip=wan1_ip2
But I can connect only to server1 :( (ikesnoop -on -verbose). I can ping both wan1_ip1 and wan1_ip2 from outside.
My wan1 interface is:
interfaces->ethernet->wan1->ip address = wan1_ip1
Navi
-
>Could you write a little bit more?
What do you want to know more? In fact it's a solution for processing incoming packets from each WAN interface separately.
>Have you tested this?
Yes, I use this logic in almost all multi-WAN cases.
>Is it possible to have multiple L2TP servers?
Yes, you can specify the listen address on the PPP server and the terminator IP under the user auth rule.
>I'm asking because I want to have 2 different VPN user groups with different LAN access
Your way is possible.
But you can assign an address for each user statically and make IP rules on the basis of user groups (source address).
>But I can connect only to server1
Show Status > Routes
-
>Show Status > Routes
Main table:
D XXX.XXX.199.137 wan1 80
D XXX.XXX.199.141 dmz 80
YYY.YYY.165.26 core (Iface IP) 0
YYY.YYY.165.27 core (Iface IP) 0
YYY.YYY.165.28 VLANDMZWAN2 0
YYY.YYY.165.29 core (Iface IP) 0
XXX.XXX.199.138 core (Iface IP) 0
XXX.XXX.199.139 core (Iface IP) 0
XXX.XXX.199.142 core (Iface IP) 0
192.168.100.10 core (Iface IP) 0
10.24.76.10 core (Iface IP) 0
127.0.0.1 core (Iface IP) 0
XXX.XXX.199.140 dmz 60
XXX.XXX.199.136/29 switched 80
192.168.100.0/24 VLanWiFi 100
10.24.76.0/22 lan 100
224.0.0.0/4 core (Iface IP) 0
M 0.0.0.0/0 wan1 XXX.XXX.199.137 80
0.0.0.0/0 wan2 YYY.YYY.165.25 90
Wan2ReturnTraffic table(ordering First):
0.0.0.0/0 wan2 YYY.YYY.165.25 60
I have this routing rule:
ReturnRouteWan2 wan2/all-nets any/all-nets all_services
>I'm asking because I want to have 2 different VPN user groups with different LAN access
>Your way is possible.
>But you can assign an address for each user statically and make IP rules on the basis of user groups (source address).
But I want to have one static user DB and a second RADIUS one. So I have to use two separate servers.
>Could you write a little bit more?
>What do you want to know more? In fact it's a solution for processing incoming packets from each WAN interface separately.
So in my case there would be 3 routing tables? main + ReturnWan2 (only) + ReturnWan1 (only)?
-
>Show Status > Routes
Between what interfaces do you use transparent mode?
>Wan2ReturnTraffic table(ordering First):
Change it to "only".
>I have this routing rule:
Forward routing table - main, return - alt?
>But I want to have one static user DB and a second RADIUS one. So I have to use two separate servers.
Yes, in this case you need to configure additional servers.
As a result, 4 - 2 for each interface.
>So in my case there would be 3 routing tables? main + ReturnWan2 (only) + ReturnWan1 (only)?
That's the ideal case. But your configuration is also possible.
-
>Show Status > Routes
>Between what interfaces do you use transparent mode?
Wan1 and DMZ. I will try later to do the same with wan2 and dmzvlan to provide
full link backup to the servers in the DMZ.
>Forward routing table - main, return - alt?
Yes - forward main, return Wan2ReturnTraffic.
>Yes, in this case you need to configure additional servers.
>As a result, 4 - 2 for each interface.
Reasonable.
I will try configuring 3 routing tables and post the results.
-
danilovav: are you using a DFL-800 with the latest firmware 2.27.03.25-14780?
Setting up 2 L2TP servers is impossible.
First: the DFL-800 is not listening on the second wan1 public IP address (ARP published, core route) when it's set up as the listen address on the L2TP server.
I'm mapping one port using the second wan1 public IP (SAT+NAT rule), so the DFL is reachable on the second IP from the internet for sure.
Second: when 2 Interfaces->ipsec tunnels are set up (for different L2TP servers) with different PSKs,
the L2TP server always expects the PSK from the first one in the configured IPsec tunnels list, even if the outer interface of the L2TP server is set to the second one in the configured IPsec tunnels list.
-
>are you using a DFL-800 with the latest firmware 2.27.03.25-14780?
Yes.
>Setting up 2 L2TP servers is impossible.
L2TP is possible, but L2TP over IPsec is not possible, because IPsec can't be processed through an additional IP.
For that case, use PPTP.