
Topic: IPSEC VPN between DFL-210 and DFL-800 with multiple VLAN

obbelix

IPSEC VPN between DFL-210 and DFL-800 with multiple VLAN
« on: January 22, 2010, 04:18:30 AM »

Hi,

I'm trying to set up an IPSEC VPN between two locations where the "head office" has multiple VLANs, but I cannot get it to work.
The tunnel is up but I can only get traffic one way.
This is the setup:

Location 1, Head office, DFL-800, static external IP:
LAN ip: 192.168.10.1 (DFL IP)
LAN net: 192.168.10.0/24
VLAN 1 net: 192.168.11.0/24
Made an IP4 group containing the LAN and VLAN nets called LAN_VLAN_net
LAN is on the LAN interface, VLAN 1 is on the DMZ interface

Location 2, DFL-210, dynamic external IP:
LAN ip: 192.168.20.1 (DFL IP)
LAN net: 192.168.20.0/24
Made an IP4 group containing the location 1 LAN and VLAN nets called remote_net

IPSec settings Location 1:
Local network: LAN_VLAN_net
Remote network: 192.168.20.0/24
Remote endpoint: all-nets
Encapsulation mode: Tunnel
IKE & IPSec Algorithms: High
Authentication: Pre-Shared Key
IKE settings: main, DH group 2
PFS: PFS, DH group 2

IPSec settings Location 2:
Local network: 192.168.20.0/24
Remote network: remote_net
Remote endpoint: location 1 external ip
Encapsulation mode: Tunnel
IKE & IPSec Algorithms: High
Authentication: Pre-Shared Key
IKE settings: main, DH group 2
PFS: PFS, DH group 2

Rules location 1:
to_loaction2:
Action: Allow
Source IF: group of LAN and VLAN 1
Source net: LAN_VLAN_net
Dest. IF: location2
Dest net: 192.168.20.0/24

from_loaction2:
Action: Allow
Source IF: location2
Source net: 192.168.20.0/24
Dest. IF: group of LAN and VLAN 1
Dest net: LAN_VLAN_net

Rules location 2:
to_loaction1:
Action: Allow
Source IF: LAN
Source net: LAN net
Dest. IF: location1 (IPSec)
Dest net: remote_net

from_loaction1:
Action: Allow
Source IF: location1
Source net: remote_net
Dest. IF: LAN
Dest net: LAN net

Under IPSec status on both DFLs I can see two active tunnels, one per net (192.168.10.0/24, 192.168.11.0/24).
I can ping the 210 from the 800, but I cannot access anything from the 210 that is behind the 800.

What am I doing wrong?

chechito

Re: IPSEC VPN between DFL-210 and DFL-800 with multiple VLAN
« Reply #1 on: January 22, 2010, 06:29:58 AM »

About the rules, I think this will be the way?


RULES LOCATION 1

to_loaction2:
Action: Allow
Source IF: group of LAN and VLAN 1
Source net: LAN_VLAN_net
Dest. IF: NAME OF IPSEC TUNNEL INTERFACE ON DFL 800
Dest net: 192.168.20.0/24

from_loaction2:
Action: Allow
Source IF: NAME OF IPSEC TUNNEL INTERFACE ON DFL 800
Source net: 192.168.20.0/24
Dest. IF: group of LAN and VLAN 1
Dest net: LAN_VLAN_net

RULES LOCATION 2

to_loaction1:
Action: Allow
Source IF: LAN
Source net: LAN net
Dest. IF: NAME OF IPSEC TUNNEL INTERFACE ON DFL 210
Dest net: remote_net

from_loaction1:
Action: Allow
Source IF: NAME OF IPSEC TUNNEL INTERFACE ON DFL 800
Source net: remote_net
Dest. IF: LAN
Dest net: LAN net

OK

In the active routes, do you see the route to the remote network using the IPsec tunnel interface on both locations?

If not, you will use the automatic route creation in the IPsec tunnel interface setting, or set a route manually on both routers.
« Last Edit: January 22, 2010, 06:35:33 AM by chechito »

obbelix

Re: IPSEC VPN between DFL-210 and DFL-800 with multiple VLAN
« Reply #2 on: January 22, 2010, 06:56:11 AM »

The rules already have the "name of the IPSec tunnel", a bit of a bad explanation from my side...

Regarding the routes, they are automatic and I can see them in the routing list with metric 90.

I cannot see in the log that something is blocked.

chechito

Re: IPSEC VPN between DFL-210 and DFL-800 with multiple VLAN
« Reply #3 on: January 22, 2010, 07:02:09 AM »

Does the setup work with only LAN in the schema, leaving out the VLAN interface?

Maybe a good start to diagnose the problem is to see a setup working, test it, and then go adding things and see when it starts to fail.

obbelix

Re: IPSEC VPN between DFL-210 and DFL-800 with multiple VLAN
« Reply #4 on: January 22, 2010, 07:56:53 AM »

I have found the error...
It was in an existing rule in the 800 where the "lan net" was assigned as 192.168.0.0/16. It should have been 192.168.10.0/23.

I also changed the IPSec setting, so instead of having a group of two nets I just created one "address" with 192.168.10.0/23, which is the same as 192.168.10.0->192.168.11.254.

danilovav

Re: IPSEC VPN between DFL-210 and DFL-800 with multiple VLAN
« Reply #5 on: January 23, 2010, 04:47:32 AM »

You can use an IP address group (lan_net + vlan_net) in the IPsec params. It's simpler to understand. But don't forget to make the changes on both sides and add additional routing if you don't use auto routing.
BR, Alexandr Danilov
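The root cause found in Reply #4 (a "lan net" object typed as 192.168.0.0/16, which also contains the branch's 192.168.20.0/24) and the two ways of describing the head-office networks discussed in Replies #4 and #5 (a group of two /24s versus the single /23) both come down to prefix arithmetic that is easy to check before the address objects go into IPsec settings and rules. The following is an added example, not code from the thread or from D-Link: it uses Python's standard `ipaddress` module, takes the thread's networks as constructed input, collapses the two head-office nets to their covering prefix, and flags any "local" object that overlaps the remote site's network, since such an object makes local rules and routes match tunnel traffic as well.

```python
"""Added example (not from the forum thread): sanity-check firewall address
objects before using them as IPsec local/remote networks or in rules.

Constructed from the thread's numbers:
  head office LAN    192.168.10.0/24
  head office VLAN 1 192.168.11.0/24
  branch LAN         192.168.20.0/24
  mistyped object    192.168.0.0/16
"""
from ipaddress import IPv4Network, collapse_addresses

LOCAL_NETS = [IPv4Network("192.168.10.0/24"), IPv4Network("192.168.11.0/24")]
REMOTE_NET = IPv4Network("192.168.20.0/24")
MISTYPED_LAN_NET = IPv4Network("192.168.0.0/16")  # the object found in Reply #4


def supernet_for(nets):
    """Return the single prefix that exactly covers `nets` (the Reply #4
    /23 trick), or None when the networks do not collapse into one block,
    so a group object (Reply #5) is the only exact representation."""
    collapsed = list(collapse_addresses(nets))
    return collapsed[0] if len(collapsed) == 1 else None


def covered_range(net):
    """First and last address a prefix covers, as strings."""
    return str(net.network_address), str(net.broadcast_address)


def overlapping_objects(local_objs, remote_net):
    """Return the local address objects that also contain remote-site
    addresses. Any rule or route built on such an object will match
    traffic for the other end of the tunnel, which is the failure mode
    behind the thread's one-way connectivity."""
    return [str(n) for n in local_objs if n.overlaps(remote_net)]


if __name__ == "__main__":
    print("covering prefix:", supernet_for(LOCAL_NETS))
    print("range:", covered_range(supernet_for(LOCAL_NETS)))
    print("objects overlapping the remote net:",
          overlapping_objects([MISTYPED_LAN_NET] + LOCAL_NETS, REMOTE_NET))
```

Run stand-alone, the script reports 192.168.10.0/23 as the covering prefix for the two head-office nets and lists 192.168.0.0/16 as the only object that overlaps the branch network; the two correct /24s do not. Running the same check against both firewalls' address books, on both sides as Reply #5 recommends, catches this class of mistake before the tunnel is brought up.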