
Topic: [SOLVED] IPSec lan to lan

juanjo

  • Level 2 Member
  • **
  • Posts: 52
[SOLVED] IPSec lan to lan
« on: September 05, 2010, 03:04:17 AM »

Hi:

Can anybody help me?

I have created one IPSec lan-to-lan VPN between two DFL-210 using the D-Link configuration example "Virtual private network using an IPsec lan-to-lan tunnel". The tunnel is established right (apparently). I can see it in the Status->IPSec option of the DFL web interface.

But it's strange that I cannot ping any of the hosts. The remote network is unreachable.
The configuration schema for both ends is the same:

1. ADSL router which is NAT-ing traffic from the internet to the local network. UDP port 500 forwarded to the WAN interface of the DFL-210
2. Firewall working in "Transparent Mode"
3. Local network

The IPSec interface is configured as in the configuration example, but I have set the option "NAT Traversal" to OFF in the IKE settings, because sometimes the tunnel is not created because of the port 4500 forwarding.

It's also very strange that sometimes the "NAT Traversal" option of the IKE settings configured to "On if supported and NATed" works  ???  ???, and, for example, at this moment it does not work  >:(. All of this without touching anything  :'(. I don't understand.

What is wrong?
Thanks in advance
Juanjo

I have made new configurations, with better response; I have opened the NAT-T port (4500) on each router and set the NAT Traversal option of the IKE settings to "ON if supported", and now the connections seem right and stable.

The only problem now is that node A can ping node B, but node B can't ping node A.


Any help?
« Last Edit: September 06, 2010, 10:48:14 AM by juanjo »
Logged

danilovav

  • Level 4 Member
  • ****
  • Posts: 424
  • Alexandr Danilov
Re: IPSec lan to lan (new test)
« Reply #1 on: September 05, 2010, 07:29:13 PM »

What is gateway for your network - ADSL modem or DFL?

IMHO, change your modem to bridge and assign public IP to DFL - it will free you from NAT-related problems.
Also, DFL should be default gw for network.
Logged
BR, Alexandr Danilov

juanjo

  • Level 2 Member
  • **
  • Posts: 52
Re: IPSec lan to lan (new test)
« Reply #2 on: September 06, 2010, 01:23:46 AM »

What is gateway for your network - ADSL modem or DFL?

IMHO, change your modem to bridge and assign public IP to DFL - it will free you from NAT-related problems.
Also, DFL should be default gw for network.

Hi, thanks for response.

In fact danilovav, you're right. At this moment the "ADSL Router" is running as "modem-router" rather than "modem-bridge". I can configure the router as "modem-bridge" and leave all the work to the DFL-210, avoiding NAT problems.

But it's strange that with the actual configuration I have ping problems (all the problems) with only one end; the other end works fine. Now the routers are running as "modem-router" and they have ports UDP 500 and UDP 4500 opened and forwarded to the DFL WAN IP. Same configuration for both; the VPN tunnel works fine, fine, fine, but I can only work from one end.

This is for now the only problem, because the VPN tunnel is running with a preshared key, and I have problems with certificates also.

Logged

juanjo

  • Level 2 Member
  • **
  • Posts: 52
Re: IPSec lan to lan (new test)
« Reply #3 on: September 06, 2010, 06:33:21 AM »

Following on my problem, I can't see why it is impossible to ping from the remote end point to the local end point.

Any ideas?

Another question

I have 3 end points A, B and C

IPsec "lan to lan" A to C

If I create another IPsec lan to lan to connect B to C:

Can computers A and B ping each other?
Logged

juanjo

  • Level 2 Member
  • **
  • Posts: 52
Re: IPSec lan to lan (SOLVED)
« Reply #4 on: September 06, 2010, 10:47:40 AM »

Hi:

Ok, for the moment I found the problem.

As you have read in older posts, my LAN schema is built on one ADSL modem-router and one firewall, for each office.

I have not seen any documents related to this configuration in the "how to's". There are many people using this technology, many using a cable-modem-router, and others using a modem connected to a router. Well, no matter.

The main problem is that one workstation is using Windows 7, and the Windows 7 firewall detects inbound pings from outside the local network. For this reason I can't ping the workstation, and I can't ping or do many other things. If I disable the Windows 7 firewall all works fine, fine.

So in a few words: if anybody wants to build IPSec lan to lan between two offices and the schema is a modem-router connected to a DFL-210 firewall working in transparent mode, they must open UDP ports 500 and 4500 forwarded to the firewall WAN interface, and set the "NAT Traversal" option of the IKE settings to "On if supported and NATed".

The next job is to implement certificates to secure the communications more strongly. I have tested the HowTo document from D-Link, but it does not work because of a gateway certificate error.

I don't know which ports must be opened in the Windows 7 firewall to allow pings from the VPN network created by the DFL; perhaps somebody can explain to me how to do it instead of disabling the Windows 7 firewall.

Thank you very much, best regards
Juanjo
Logged
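The last post asks what to open in the Windows 7 firewall so that hosts on the other side of the tunnel can ping the workstation without disabling the firewall altogether. The reason the default rules do not help is that the predefined "File and Printer Sharing (Echo Request - ICMPv4-In)" rule on the Private profile is scoped to the local subnet, and the remote office's LAN is a different subnet arriving through the tunnel. The script below is an added example, not something posted in the thread or shipped by D-Link: it uses netsh advfirewall (present on Windows 7, where the newer NetSecurity cmdlets are not available) to add an inbound rule that allows ICMPv4 echo requests only from the remote office LAN. The subnet 192.168.2.0/24 and the rule name are constructed placeholders; substitute the real remote LAN.

```powershell
# Added example, not from the forum thread or from D-Link.
# Allow ICMPv4 echo requests (ping) from the remote office LAN only,
# instead of turning the Windows 7 firewall off.
# Requires an elevated (Administrator) PowerShell prompt.

# Constructed placeholder: replace with the LAN behind the other DFL-210.
$RemoteLan = "192.168.2.0/24"
$RuleName  = "Allow ICMPv4 echo from IPsec remote LAN"

# Delete any earlier copy of the rule so the script can be re-run safely.
# netsh reports "No rules match" on the first run; that is harmless here.
netsh advfirewall firewall delete rule name="$RuleName" | Out-Null

# protocol=icmpv4:8,any  -> ICMP type 8 (echo request), any code
# remoteip=...           -> only packets sourced from the remote LAN match
# profile=any            -> applies whichever profile the LAN adapter is in
netsh advfirewall firewall add rule name="$RuleName" dir=in action=allow protocol=icmpv4:8,any remoteip=$RemoteLan profile=any

# Show the rule back so the scope can be checked before testing with ping.
netsh advfirewall firewall show rule name="$RuleName"
```

Keeping the rule scoped with remoteip means the workstation still ignores echo requests from any other non-local source, which is the property the author loses when disabling the firewall. The same idea applies to any other service that must be reachable across the tunnel: add a rule for that port scoped to the remote LAN rather than opening it to everyone.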