
Author Topic: [SOLVED] NO TRAFFIC IN THE TUNNEL VPN IPSec  (Read 10267 times)

asalsido

  • Level 1 Member
  • *
  • Posts: 12
[SOLVED] NO TRAFFIC IN THE TUNNEL VPN IPSec
« on: July 28, 2010, 05:46:49 AM »

[in spanish]
ENGLISH HERE: http://babelfish.yahoo.com/translate_url?doit=done&tt=url&intl=1&fr=bf-home&trurl=http%3A%2F%2Fforums.dlink.com%2Findex.php%3Ftopic%3D14259.0&lp=es_en&btnTrUrl=Translate

I have an IPsec configuration for software clients (TheGreenBow) on the DFL-860 firewall and it works fine. The tunnel comes up and there is communication in both directions. All OK!

But I have configured an IPsec VPN between two offices: the tunnel comes up, but there is no communication between them.

The configuration is as follows:

  • Office A: LAN -->  DFL-860 (in transparent mode) --> ISP ROUTER
  • Office B: LAN -->  DI-804HV  --> ISP ROUTER (in Bridged mode)

I followed this guide (in Russian, but with screenshots in English) for the IPsec VPN configuration -->  http://dlink.ru/ru/faq/92/520.html

These are the rules I created for the traffic:


On the DI-804HV router I have doubts about these fields:
- IPSec NAT Traversal  (Yes or No?)
- Remote ID  ?
- Local ID   ?


On the DFL-860 I have doubts about:
- Allow DHCP over IPsec from single-host clients  (Yes or No?)
- Dynamically add route to the remote network when a tunnel is established (Yes or No?)

- (Advanced tab)  Add route for remote network  (Yes or No?)


The tunnel is apparently created.


If I send a ping from Office A to Office B I get no reply.


In Status/Connections I get:
State  - Proto    -     Source          -       Destination          -     Timeout

PING     ICMP     core:192.168.0.1:58289    EJIDO_TUNEL:192.168.1.1:58289     3


A scan with Nmap to discover hosts on the network (ping) gives no result either. It only finds one client connected through the TheGreenBow software client.


Does anyone know what might be going on?

Thanks a lot for your time.
Víctor.
« Last Edit: July 30, 2010, 03:24:55 AM by asalsido »
Logged

Fatman

  • Level 9 Member
  • ****
  • Posts: 1675
Re: NO TRAFFIC IN THE TUNNEL VPN IPSec
« Reply #1 on: July 28, 2010, 08:51:38 AM »

To answer your questions first.

Generally the settings in question in the DFL-800 are correct, and I don't know of any reason they wouldn't work.

As for your DI-804HV, leave your IDs at auto, and the NAT-T setting needs to match your DFL.

Do you get logs of failed traffic on either side?

Can either of your firewalls ping across the tunnel themselves?
Logged
non progredi est regredi

asalsido

  • Level 1 Member
  • *
  • Posts: 12
Re: NO TRAFFIC IN THE TUNNEL VPN IPSec
« Reply #2 on: July 29, 2010, 02:18:34 AM »

Thanks for your reply!

NAT-T on the DFL800 is set to "On if supported and NATed", and on the DI804HV it is now "IPSec NAT Traversal: ENABLED".

The routers can ping each other using their public IPs, but not with the LAN IPs.


I sent some pings from 192.168.0.11 to 192.168.1.1 and got the following log:

VPN broken? And then it restarts...

More pings and more attempts to log in via VNC


These are the routing tables:


Connection logs while trying to ping and to log in using VNC


Any ideas?
Thanks so much!
Víctor.
« Last Edit: July 29, 2010, 03:53:59 AM by asalsido »
Logged

Fatman

  • Level 9 Member
  • ****
  • Posts: 1675
Re: NO TRAFFIC IN THE TUNNEL VPN IPSec
« Reply #3 on: July 29, 2010, 08:16:51 AM »

Why do you have a switch route for your WAN_Net route?

NAT-T does not appear to be doing you any favours given the amount of UDP/4500 in your logs.  Run a test without it; it may be a red herring (and it may even be necessary if you have GreenBow clients), but I would like to know where we stand without it.
Logged
non progredi est regredi
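An added troubleshooting helper (not from this thread, and not D-Link's code) that encodes the checks Fatman is walking through: the two peers' local/remote networks must mirror each other, the NAT-T setting must be compatible on both sides and is only useful when a peer is actually behind NAT, and the route for the remote LAN must point into the tunnel interface rather than at the WAN. The peer configs, routing table and the interface name EJIDO_TUNEL are constructed from values quoted in the thread; the nat_t and behind_nat fields are assumptions, not the poster's real settings.

```python
"""Pre-flight checks for a site-to-site IPsec tunnel that comes up but carries no traffic."""
import ipaddress

# Constructed sample configs modelled on the thread (values are assumptions).
# nat_t is one of "off", "on", "on_if_needed" (the DFL's "On if supported and NATed").
OFFICE_A = {"name": "DFL-860", "local_net": "192.168.0.0/24", "remote_net": "192.168.1.0/24",
            "nat_t": "on_if_needed", "behind_nat": False}
OFFICE_B = {"name": "DI-804HV", "local_net": "192.168.1.0/24", "remote_net": "192.168.0.0/24",
            "nat_t": "off", "behind_nat": False}

# Constructed routing table for Office A as (destination, interface) pairs.
ROUTES_A = [("0.0.0.0/0", "wan"), ("192.168.0.0/24", "lan"), ("192.168.1.0/24", "EJIDO_TUNEL")]


def lookup_route(routes, dst_ip):
    """Longest-prefix match: return the interface that would carry traffic to dst_ip."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for net, iface in routes:
        n = ipaddress.ip_network(net)
        if dst in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, iface)
    return best[1] if best else None


def check_tunnel(a, b, routes_a, tunnel_if):
    """Return the mismatches that would leave an established tunnel without traffic."""
    issues = []
    # The local network of one peer must be the remote network of the other.
    if a["remote_net"] != b["local_net"] or b["remote_net"] != a["local_net"]:
        issues.append("local/remote networks are not mirrored between the peers")
    if ipaddress.ip_network(a["local_net"]).overlaps(ipaddress.ip_network(b["local_net"])):
        issues.append("both LANs use overlapping address space")
    # NAT-T forced on one side and disabled on the other cannot agree; and when
    # neither peer is NATed, forcing it only adds UDP/4500 noise (Fatman's point).
    a_nat, b_nat = a["nat_t"], b["nat_t"]
    if "off" in (a_nat, b_nat) and "on" in (a_nat, b_nat):
        issues.append("NAT-T is forced on one side and disabled on the other")
    if not (a["behind_nat"] or b["behind_nat"]) and "on" in (a_nat, b_nat):
        issues.append("NAT-T forced although neither peer is behind NAT; test without it")
    # Probe the first host of the remote LAN: its route must lead into the tunnel.
    probe = str(ipaddress.ip_network(a["remote_net"])[1])
    iface = lookup_route(routes_a, probe)
    if iface != tunnel_if:
        issues.append(f"traffic to {probe} would leave via {iface!r}, not tunnel {tunnel_if!r}")
    return issues


if __name__ == "__main__":
    print(check_tunnel(OFFICE_A, OFFICE_B, ROUTES_A, "EJIDO_TUNEL") or "no mismatches found")
```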

asalsido

  • Level 1 Member
  • *
  • Posts: 12
Re: NO TRAFFIC IN THE TUNNEL VPN IPSec
« Reply #4 on: July 30, 2010, 03:24:10 AM »

Now it works!


I updated the firmware of the DI-804HV to the latest version and enabled "IPSec NAT Traversal".


The problem was that the DI-804HV router did not work with DFL firewalls. After upgrading the router, the VPN works!

Look at this: ftp://www.dlinkla.com/pub/drivers/DI-804HV/FIRMWARE_DI-804HV_V1.51.bin.txt

Quote
1. Removes "BigPond" of WAN connection type.
2. Changed "Dynamic IP" default value from "Disable" to "Auto-reconnect" mode.
3. Fixed MPPE Encryption mode of PPTP/L2TP issue.
4. Fixed the DHCP function cannot get IP by DHCP Relay.
5. Improved PPTP/L2TP features.
6. Changed NAT block log into Dropped Packets categorization.
7. Fixed Dynamic Routing issue.
8. Fixed send big file by web-mail when URL filter function enable.
9. Improved Time zone options.
10. Enhanced Remote Manage feature.
11. Fixed IPSec NAT-Traversal keep-alive issue.
12. Fixed IPSec PFS to cause VPN tunnel cannot set up with DFL device.
13. Removes the "Interface" option from the static routing feature.
14. Fixed Device Info of Status show wrong information.
15. Added URL Blocking characters number from 30 to 50.
16. Added Domain Blocking characters number from 30 to 45.
17. Device request NTP server every 10 seconds.
18. Enhanced IGMP function through Dual Access PPTP/PPPoE connection.
19. Support PPTP/L2TP MPPE 128bit.
20. Fixed ISDN Backup line issue.
21. Enhanced X-Authentication of IPSec feature.
22. Support 10 user profiles for PPTP, L2TP and L2TP over IPSec.
23. Support 30 profiles for IPSec tunnel.
24. Support Static DHCP feature and 25 profiles.
25. Support 25 profiles for Virtual Server.

Thanks so much for the support!
Víctor.
Logged