D-Link Forums
The Graveyard - Products No Longer Supported => D-Link NetDefend Firewalls => Topic started by: tecno13 on January 11, 2012, 03:16:27 AM
-
Please excuse my scholastic English.
I have a routing problem between two VPNs. Let me explain better: my DFL-800, with the internal LAN 192.168.0.0, is configured for two external IPsec VPNs to two other sites, which work correctly. From the internal net I see the single remote PCs and vice versa; everything is OK. Now the problem is this: is it possible, from the vpn1 net, to see the PCs of vpn2 by having the DFL-800 do the routing? How should I proceed?
Data:
lan 1 dfl800 192.168.0.0/24 255.255.255.0
vpn1 lan ip 192.168.17.0/24 255.255.255.0
vpn2 lan ip 192.168.1.0/24 255.255.255.0
Thanks
(http://www.nsgroup.it/uploadfiles/rete1.jpg)
-
You need to set up hub-and-spoke.
Which device do you use at the remote networks?
-
In the remote nets we use the AVM Fritz 7270 with the configuration below:
vpncfg {
        connections {
                enabled = yes;
                conn_type = conntype_lan;
                name = "VPN1";
                always_renew = no;
                reject_not_encrypted = no;
                dont_filter_netbios = yes;
                localip = 0.0.0.0;
                local_virtualip = 0.0.0.0;
                remoteip = XX.XXX.XXX.XX;
                remote_virtualip = 0.0.0.0;
                localid {
                        ipaddr = XX.XX.XX.XX;
                }
                remoteid {
                        ipaddr = XX.XXX.XXX.XX;
                }
                mode = phase1_mode_aggressive;
                phase1ss = "all/all/all";
                keytype = connkeytype_pre_shared;
                key = "343434434344";
                cert_do_server_auth = no;
                use_nat_t = yes;
                use_xauth = no;
                use_cfgmode = no;
                phase2localid {
                        ipnet {
                                ipaddr = 192.168.17.0;
                                mask = 255.255.255.0;
                        }
                }
                phase2remoteid {
                        ipnet {
                                ipaddr = 192.168.0.0;
                                mask = 255.255.255.0;
                        }
                }
                phase2ss = "esp-all-all/ah-none/comp-all/pfs";
                accesslist = "permit ip any 192.168.0.0 255.255.255.0";
        }
        ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                            "udp 0.0.0.0:4500 0.0.0.0:4500";
}
(For the accesslist I have also tried with "any any".)
Obviously this is only one side, but they are identical; only the IPs change.
From the DFL-800 I can easily see both nets, but from the individual sites I can see only the DFL's net and not the other net. I thought that the routing between the nets could be done with the DFL, but I don't understand how.
-
Use local/remote nets as 192.168.0.0/16 (that's the maximum; you can make it less) and make an Allow rule between the IPsecs on the DFL.
-
I don't understand you: is the use of 192.168.0.0/16 wrong or correct?
-
IPsec has an ACL concept: at the moment of establishment, both network devices "decide" which networks can pass through the tunnel. In the base scenario (which you've followed) it's the LAN nets from both sides, but no branch knows about the remote branch's networks.
-
Then, if I have understood well, I could obviously assign the same class 192.168.0.0 to all the nets with different IPs, but for the internal gateways, like vpn1 and vpn2, what do I put?
Because now I have it this way:
lan 1 dfl800 192.168.0.0/24 255.255.255.0 gateway 192.168.0.1
vpn1 lan ip 192.168.17.0/24 255.255.255.0 gateway 192.168.17.1
vpn2 lan ip 192.168.1.0/24 255.255.255.0 gateway 192.168.1.1
Would you give me an example?
-
For example, IPsec1 (with 192.168.17.0/24):
Main (192.168.0.1):
    Local network = 192.168.0.0/16
    Remote network = 192.168.17.0/24
Remote (192.168.17.1):
    Local network = 192.168.17.0/24
    Remote network = 192.168.0.0/16
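As an added illustration of the traffic-selector point made in this thread (this is example code, not from the thread, D-Link or AVM): a small Python model of which packets each tunnel will carry, using the thread's networks. It shows why spoke-to-spoke traffic is dropped with the original /24 selectors and passes once the hub side is widened to 192.168.0.0/16 and an Allow rule between the two IPsec interfaces exists on the DFL. Tunnel names and the sample packet addresses are constructed.

```python
import ipaddress

def _nets(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]

def _in_any(addr, nets):
    return any(addr in n for n in nets)

class Tunnel:
    """One hub-to-spoke IPsec tunnel, described from the hub (DFL) side:
    hub_side = hub's "Local network", spoke_side = hub's "Remote network"."""
    def __init__(self, name, hub_side, spoke_side):
        self.name = name
        self.hub_side = _nets(hub_side)
        self.spoke_side = _nets(spoke_side)
    def to_hub(self, src, dst):
        # spoke -> hub: src must match the spoke selector, dst the hub selector
        return _in_any(src, self.spoke_side) and _in_any(dst, self.hub_side)
    def to_spoke(self, src, dst):
        # hub -> spoke: the mirror image of to_hub
        return _in_any(src, self.hub_side) and _in_any(dst, self.spoke_side)

def spoke_to_spoke(tunnels, src, dst, hub_allows_ipsec_to_ipsec):
    """Return (delivered, reason) for a packet src -> dst between two spokes."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    inbound = [t for t in tunnels if t.to_hub(src, dst)]
    if not inbound:
        return False, "no tunnel selector lets the packet enter the hub"
    outbound = [t for t in tunnels if t is not inbound[0] and t.to_spoke(src, dst)]
    if not outbound:
        return False, "no second tunnel selector lets the packet leave the hub"
    if not hub_allows_ipsec_to_ipsec:
        return False, f"hub has no Allow rule {inbound[0].name} -> {outbound[0].name}"
    return True, f"{inbound[0].name} -> hub -> {outbound[0].name}"

# Constructed from the thread: hub LAN 192.168.0.0/24, spokes 192.168.17.0/24 and 192.168.1.0/24
BASE = [Tunnel("vpn1", ["192.168.0.0/24"], ["192.168.17.0/24"]),
        Tunnel("vpn2", ["192.168.0.0/24"], ["192.168.1.0/24"])]
# Suggested fix: the hub side of each tunnel widened to 192.168.0.0/16
HUB_AND_SPOKE = [Tunnel("vpn1", ["192.168.0.0/16"], ["192.168.17.0/24"]),
                 Tunnel("vpn2", ["192.168.0.0/16"], ["192.168.1.0/24"])]

if __name__ == "__main__":
    for label, tuns, allow in (("base", BASE, True),
                               ("/16, no rule", HUB_AND_SPOKE, False),
                               ("/16 + Allow", HUB_AND_SPOKE, True)):
        print(label, spoke_to_spoke(tuns, "192.168.17.10", "192.168.1.20", allow))
```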