Topic: IPSec VLAN LAN-LAN Tunnel isues (DFL1600--DFL210) (Read 14573 times)

bandit69 · « **on:** September 06, 2012, 06:31:00 AM »

Hi Guys,
Help is urgently needed again. I am trying to setup a LAN to LAN IPSEC Tunnel between a DFL-1600 based LAN and a DFL-210 LAN. Here is the setup:
DFL-1600: LAN NET: 172.16.0.0/23; WAN IP:196.37.79.228
DFL-210: LAN NET: 172.16.3.0/24; WAN IP: 196.37.79.236
I have created all the required interfaces, authentication objects, and rules at both ends but I keep seeing this error in the logs:
Severity: Warning
Category/ID: RULE
6000051
Rule : Default_Access_Rule
Proto: UDP
Src/DstIf: VPN
Src/DstIP: 196.37.79.228
196.37.79.236
Src/DstPort: 500
500
Event/Action: ruleset_drop_packet
drop

Thanks

chechito · « **Reply #1 on:** September 07, 2012, 08:41:01 AM »

in logs looks like remote firewall ip address its already on some local interface of the local firewall, default access rule refers to that

danilovav · « **Reply #2 on:** September 08, 2012, 11:15:31 AM »

Check about setting Interfaces > IPsec > Advanced settings > IPsec before rules - it should be enabled

Also, try to ping between DFL's - is it working or not?

bandit69 · « **Reply #3 on:** September 10, 2012, 10:41:31 AM »

Hi Chechito,
I never thought of that. Would check and let others know.

Hi Alex,
Funny now that you have mentioned it, I can ping the DFL-1600 (196.37.79.23x) from the DFL-210 (196.37.79.22x) and not the other way around i.e. the DFL-1600 cannot ping the DFL-210. In fact I cannot reach any device on the DFL-210 subnet. This is baffling because everything is allowed to go to that subnet. What do you think could be the culprit? Also the IPSec before Rules is enabled. Thanks

danilovav · « **Reply #4 on:** September 10, 2012, 02:20:26 PM »

Do you have multi-WAN configuration on DFL-1660?
Plz show Status > Routes > main

bandit69 · « **Reply #5 on:** September 24, 2012, 11:07:42 AM »

Hi Guys,
Sorry for the late response. I had a very hectic week before now dealing with all sorts of issues. I finally resolved the issue of not being able to ping 1600 from the 200. it was because I did not define my route properly. I was meant to use core as the interface and not WAN1 on the DFL because I was going out on a VLAN and not the WAN.
Also the Default_Access_Rule 6000051 was because I defined two subnet address for my HQ LAN on the DFL 210 at the branch and was not using the first one created when defining my routes on the Main Routing table.
Thanks so much for all the help. My question now is WHY DO I NEED TO KEEP MOVING MY SAT and NAT rules to the top of my Rules Table for them to work especially after re-starting the servers am publishing?

?

This is a big HEADACHE!!!!!!

chechito · « **Reply #6 on:** September 24, 2012, 02:30:19 PM »

ordering issues in ip rule set are likely caused by indiscriminate

use of interface any and/or all-nets objects.

Remember, ip rule set its evaluated from top to bottom until a match its found.

bandit69 · « **Reply #7 on:** September 26, 2012, 03:43:03 AM »

Hi Chechito,
I think you are right. I would look into this. Thanks

D-Link Forums

News:

Author Topic: IPSec VLAN LAN-LAN Tunnel isues (DFL1600--DFL210) (Read 14573 times)

bandit69

IPSec VLAN LAN-LAN Tunnel isues (DFL1600--DFL210)

chechito

Re: IPSec VLAN LAN-LAN Tunnel isues (DFL1600--DFL210)

danilovav

Re: IPSec VLAN LAN-LAN Tunnel isues (DFL1600--DFL210)

bandit69

Re: IPSec VLAN LAN-LAN Tunnel isues (DFL1600--DFL210)

danilovav

Re: IPSec VLAN LAN-LAN Tunnel isues (DFL1600--DFL210)

bandit69

Re: IPSec VLAN LAN-LAN Tunnel isues (DFL1600--DFL210)

chechito

Re: IPSec VLAN LAN-LAN Tunnel isues (DFL1600--DFL210)

bandit69

Re: IPSec VLAN LAN-LAN Tunnel isues (DFL1600--DFL210)