Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[timberline1]

Hello,

this has been driving me up the wall and hopefully someone can help me.

my network:
xxx.xxx.30.0/24 - lan_net
xxx.xxx.30.1 - lan_ip

location a
location b
location c

so, what i want is for my network to ipsec vpn to location a,b,& c over the dmz port and all regular net work traffic to pass over the lan port and all regular internet traffic to be directed to the wan port.


why? you ask.

because i have 3 modems. 2 of which are for our internet use and are passed thru a wan aggregator. the 3rd modem is supposed to be strictly for VPN traffic only.

you can see a drawing of what i mean here:
http://www.flickr.com/photos/37679421@N08/3836582949/

i tried to post the picture but for somereason it wouldnt work.

if anyone can help me that would be awesome.

[Fatman]

The easy anwser is to add a route like the below, the key is that it should have a lower metric than your other routes which could apply for the VPN_GW.

Interface     Network     Gateway     Metric
DMZ           VPN_GW     DMZ_GW     90

I like this answer because then you can also have your VPN fail over in case of ISP failure on the DMZ, that is assuming you turn on route monitoring.

[timberline1]

The easy anwser is to add a route like the below, the key is that it should have a lower metric than your other routes which could apply for the VPN_GW.

Interface     Network     Gateway     Metric
DMZ           VPN_GW     DMZ_GW     90

I like this answer because then you can also have your VPN fail over in case of ISP failure on the DMZ, that is assuming you turn on route monitoring.

im sorry i dont know if i am just being thick, but apparently i dont understand because that is not working for me.
does there also have to be particular rules set up for this route?and if so how do i set them up.
lets  assume i am starting from a fresh install.


xxx.xxx.30.0/24 - lan_net
xxx.xxx.30.1 - lan_ip

xxx.xxx.190.226 - dmz_ip (public ip)
xxx.xxx.190.225 – dmz_gw (modem for vpn traffic to pass over, directly plugged into dmz)

(all public ips at other locations)
location a gw – xxx.xxx.172.34
location b gw – xxx.xxx.196.56
location c gw – xxx.xxx.12.87

so you are saying create a static route (not switch route) that looks like this

interface   network      gateway   metric
dmz      location a gw      dmz_gw   90

with no rules?

This setup didn’t work for me which is why I am sure I am misunderstanding you.

[Fatman]

That is the route I was referring to, though my first suspicion would be that you have some more varied metrics on your routing table than I knew about and that may be your issue.

What does your full routing table look like?

The method I prescribed avoided writing routing rules by making the one table sufficient, there is another method using a second routing table and routing rules, but for this scenario I don't think it is necessary.

Did you drop any existing SAs?

[timberline1]

That is the route I was referring to, though my first suspicion would be that you have some more varied metrics on your routing table than I knew about and that may be your issue.

What does your full routing table look like?

The method I prescribed avoided writing routing rules by making the one table sufficient, there is another method using a second routing table and routing rules, but for this scenario I don't think it is necessary.

Did you drop any existing SAs?

Type        Interface     Network  Gateway    Metric 

  Route     wan        wannet           100   
  Route     wan        all-nets  wan_gw    100   
  Route     lan        lannet           100   
  Route     CCTT        cctt_net        90   
  Route     CORP        Corp_net        90   
  Route     ANNEX        Annex_net dmz-GW    80      
  Route     CORP        Corp_net  dmz_ip    0   
  Route     dmz        Annex_ip  dmz-GW    80      
  Switch    Route  dmz     Annex_net        0       

SA? not sure what you mean   

[Fatman]

This is the routing table you have.

Number   Type         Interface   Network      Gateway   Metric
1      Route         wan      wannet            100
2      Route         wan      all-nets      wan_gw   100
3      Route         lan      lannet            100
4      Route         CCTT      cctt_net            90
5      Route         CORP      Corp_net            90
6      Route         ANNEX   Annex_net      dmz-GW   80
7      Route         CORP      Corp_net      dmz_ip   0
8      Route         dmz      Annex_ip      dmz-GW   80
9      Switch Route   dmz      Annex_net            0

I am assuming that CCTT, CORP, and ANNEX are all VPNs.

Furthermore I am assuming that Annex_ip is the public IP that you are dialing the ANNEX VPN to, and that there will be similarly nammed cctt_ip and corp_ip objects.

This is the routing table you want.

Number   Type      Interface   Network      Gateway   Metric
1      Route      wan      wannet            100
2      Route      wan      all-nets      wan_gw   100
3      Route      lan      lannet            100
4      Route      dmz      dmznet            100
5      Route      CCTT      cctt_net            90
6      Route      CORP      Corp_net            90
7      Route      ANNEX   Annex_net            90
8      Route      dmz      cctt_ip      dmz-GW   80
9      Route      dmz      corp_ip      dmz-GW   80
10      Route      dmz      Annex_ip      dmz-GW   80

As for dropping SAs, you do that by visiting Status->IPsec->List all IPsec SAs and clicking the red X next to the SA.

In the future give me your routing table from Status->Routes, it will be in the order I need to see and contain numbers instead of names.

What was the goal of the switch route?

[timberline1]

ok.. as i will not be able to try this out till early tomorrow morning i want to make sure i have all the steps correct.

dfl-210
lan port to lan
wan port to wan aggregator (contains 2 modems for internet traffic only)
dmz port to modem (for vpn traffic only)

add routes
Route      dmz      cctt_ip       dmz-GW   80
Route      dmz      corp_ip       dmz-GW   80
Route      dmz      Annex_ip     dmz-GW   80

clear all SA's

save and activate.

i shouldnt need to add anymore rules or arps or anything, correct?

as for the switch route, i was trying something someone else suggested.

[Fatman]

Also ensure you have a route for the DMZ interface.

Clear the SAs after you save and activate.

[timberline1]

so i made all the changes and it gets up and running but after about 5-10mins it drops all of the ipsecs with this error in the log:

       
Severity      Category/ID      Rule                          Src/DstIf            Src/DstIP Src/DstPort             
Warning      ARP/300049      Default_Access_Rule     dmz                   xxx.xxx.xxx.225/xxx.xxx.xxx.226 

Event/Action
invalid_arp_sender_ip_address drop

xxx.xxx.xxx.225 = DMZ_GW (modem public IP)
xxx.xxx.xxx.226 = DMZ_IP (router public IP)

[timberline1]

yeah this is driving me crazy. i cant keep the ipsecs connected for longer than 10mins. any ideas what invalid_arp_sender_ip_address means? it shows the correct addresses....

[Fatman]

Either show us all or just me via PM the values you have set for DMZ_IP DMZ_Net and DMZ_GW.  That log entry means that the IP specified should not exist on that interface.  The most usual cause of this is WAN connections where the GW is technically on a different network (due to typo or other problems) but the WAN network is able to compensate.

[timberline1]

sending PM now...

[timberline1]

yupp that did it. i set up an access rule for the dmz-gw on the dmz and BAMF! it is has been running strong for about 40mins now. i will continue to keep an eye on it for the next few days.

thank you very much.

[Fatman]

Very Cool!