
Author Topic: DFL-800 Routing  (Read 6665 times)

tecno13

  • Level 2 Member
  • Posts: 43
  • www.nsgroup.it
DFL-800 Routing
« on: January 11, 2012, 03:16:27 AM »

Please excuse my scholastic English.
I have a routing problem between two VPNs. Let me explain better: my DFL-800, with the inside LAN 192.168.0.0, is configured with two external IPsec VPNs to two other sites, and they work correctly. From the inside net I see the individual remote PCs, and vice versa; everything is OK. Now the problem is this: is it possible, from the VPN1 net, to see the PCs of VPN2 by having the DFL-800 do the routing, and how do I proceed?
 
data 
lan 1 dfl800 192.168.0.0/24 255.255.255.0 
vpn1 lan ip 192.168.17.0/24 255.255.255.0 
vpn2 lan ip 192.168.1.0/24 255.255.255.0
thanks
Fotovoltaico a Grosseto

danilovav

  • Level 4 Member
  • Posts: 424
  • Alexandr Danilov
Re: DFL-800 Routing
« Reply #1 on: January 12, 2012, 07:11:48 PM »

You need to set up hub-and-spoke.
Which device do you use at remote networks?
BR, Alexandr Danilov

tecno13

  • Level 2 Member
  • Posts: 43
  • www.nsgroup.it
Re: DFL-800 Routing
« Reply #2 on: January 12, 2012, 11:45:47 PM »

In the remote nets we use the AVM Fritz 7270 with the configuration below:
vpncfg {
        connections {
                enabled = yes;
                conn_type = conntype_lan;
                name = "VPN1";
                always_renew = no;
                reject_not_encrypted = no;
                dont_filter_netbios = yes;
                localip = 0.0.0.0;
                local_virtualip = 0.0.0.0;
                remoteip = XX.XXX.XXX.XX;
                remote_virtualip = 0.0.0.0;
                localid {
                        ipaddr = XX.XX.XX.XX;
                }
                remoteid {
                        ipaddr = XX.XXX.XXX.XX;
                }
                mode = phase1_mode_aggressive;
                phase1ss = "all/all/all";
                keytype = connkeytype_pre_shared;
                key = "343434434344";
                cert_do_server_auth = no;
                use_nat_t = yes;
                use_xauth = no;
                use_cfgmode = no;
                phase2localid {
                        ipnet {
                                ipaddr = 192.168.17.0;
                                mask = 255.255.255.0;
                        }
                }
                phase2remoteid {
                        ipnet {
                                ipaddr = 192.168.0.0;
                                mask = 255.255.255.0;
                        }
                }
                phase2ss = "esp-all-all/ah-none/comp-all/pfs";
                accesslist = "permit ip any 192.168.0.0 255.255.255.0";  (I have also tried with any any)
        }
        ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                            "udp 0.0.0.0:4500 0.0.0.0:4500";

Obviously this is only one side, but they are identical; only the IPs change.

From the DFL-800 I can see both nets without trouble, but from the individual sites I can see only the DFL's net and not the other net. I thought that with the DFL the routing could be done between the nets, but I don't understand how.
« Last Edit: January 12, 2012, 11:47:20 PM by tecno13 »
Fotovoltaico a Grosseto

danilovav

  • Level 4 Member
  • Posts: 424
  • Alexandr Danilov
Re: DFL-800 Routing
« Reply #3 on: January 15, 2012, 05:13:46 AM »

Use local/remote nets as 192.168.0.0/16 (it's the maximum; you can make it less) and make an Allow rule between the IPsecs on the DFL.
BR, Alexandr Danilov

tecno13

  • Level 2 Member
  • Posts: 43
  • www.nsgroup.it
Re: DFL-800 Routing
« Reply #4 on: January 16, 2012, 12:10:51 AM »

I don't understand you: is the use of 192.168.0.0/16 wrong, or is it done correctly?
Fotovoltaico a Grosseto

danilovav

  • Level 4 Member
  • Posts: 424
  • Alexandr Danilov
Re: DFL-800 Routing
« Reply #5 on: January 19, 2012, 05:34:14 PM »

IPsec has an ACL concept: at the moment of establishment, both network devices "decide" which networks can pass through the tunnel. In the base scenario (which you've followed) it's the lannets from both sides, but neither branch knows about the other branch's networks.
BR, Alexandr Danilov

tecno13

  • Level 2 Member
  • Posts: 43
  • www.nsgroup.it
Re: DFL-800 Routing
« Reply #6 on: January 19, 2012, 11:21:45 PM »

Then, if I have understood well, I could obviously put the same class 192.168.0.0 on all the nets with different IPs, but for the gateways inside VPN1 and VPN2, what do I put?

because now I have it this way:
lan 1 dfl800 192.168.0.0/24 255.255.255.0 gateway 192.168.0.1
vpn1 lan ip 192.168.17.0/24 255.255.255.0 gateway 192.168.17.1 
vpn2 lan ip 192.168.1.0/24 255.255.255.0 gateway 192.168.1.1

would you make me an example?
« Last Edit: January 19, 2012, 11:24:17 PM by tecno13 »
Fotovoltaico a Grosseto

danilovav

  • Level 4 Member
  • Posts: 424
  • Alexandr Danilov
Re: DFL-800 Routing
« Reply #7 on: January 21, 2012, 12:00:29 PM »

On example of IPsec1 (with 192.168.17.0/24)

Main (192.168.0.1)

Local network = 192.168.0.0/16
Remote network = 192.168.17.0/24

Remote (192.168.17.1)

Local network = 192.168.17.0/24
Remote network = 192.168.0.0/16
BR, Alexandr Danilov
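The two points made in the thread (reply #5: the phase-2 selectors act as an ACL that both peers agree on at tunnel setup; reply #7: widening the hub side to 192.168.0.0/16 so one spoke's traffic to the other spoke fits the selectors) can be checked with a small model. The example below is added here and is not code from the thread, from D-Link or from AVM; it assumes a simplified selector model with exactly one local and one remote network per tunnel, uses the addresses posted in the thread as a constructed topology, and models the DFL's "Allow rule between IPsecs" from reply #3 as a single boolean.

```python
from ipaddress import ip_address, ip_network


class Tunnel:
    """One IPsec tunnel as seen from one device: its phase-2 local/remote
    selectors (the "ACL" reply #5 describes). Simplified model: one local
    and one remote network per tunnel (assumption, real devices allow lists)."""

    def __init__(self, name, local, remote):
        self.name = name
        self.local = ip_network(local)
        self.remote = ip_network(remote)

    def accepts_outbound(self, src, dst):
        # A cleartext packet may enter the tunnel only if src is inside our
        # local selector and dst is inside the remote selector.
        return ip_address(src) in self.local and ip_address(dst) in self.remote

    def accepts_inbound(self, src, dst):
        # A decapsulated packet is accepted only if it mirrors the selectors;
        # anything else fails the SA's selector check and is discarded.
        return ip_address(src) in self.remote and ip_address(dst) in self.local

    def selectors_overlap(self):
        # True when the remote selector also covers our own LAN, which is the
        # side effect of the wide 192.168.0.0/16 selector from reply #7.
        return self.local.overlaps(self.remote)


def first_match(tunnels, src, dst, direction):
    """First tunnel whose selectors accept the packet in the given direction."""
    for t in tunnels:
        ok = t.accepts_outbound(src, dst) if direction == "out" else t.accepts_inbound(src, dst)
        if ok:
            return t
    return None


def trace_spoke_to_spoke(src_spoke, hub_tunnels, dst_spoke, allow_between_ipsec, src, dst):
    """Follow one packet spoke -> hub -> other spoke.

    Returns ("delivered", [tunnel names]) or ("dropped", reason)."""
    t1 = first_match([src_spoke], src, dst, "out")
    if t1 is None:
        return ("dropped", "source spoke: no selector covers the destination")
    t_in = first_match(hub_tunnels, src, dst, "in")
    if t_in is None:
        return ("dropped", "hub: inbound packet outside negotiated selectors")
    others = [t for t in hub_tunnels if t is not t_in]
    t_out = first_match(others, src, dst, "out")
    if t_out is None:
        return ("dropped", "hub: no second tunnel covers the destination")
    if not allow_between_ipsec:
        # DFL firewall policy: traffic between two IPsec interfaces needs its
        # own Allow rule (reply #3); matching selectors alone do not forward it.
        return ("dropped", "hub: no Allow rule between IPsec interfaces")
    if first_match([dst_spoke], src, dst, "in") is None:
        return ("dropped", "destination spoke: inbound packet outside negotiated selectors")
    return ("delivered", [t1.name, t_out.name])


# Constructed topology using the addresses posted in the thread.
def baseline():
    """Each tunnel carries only hub LAN <-> one spoke LAN (/24 on both sides)."""
    spoke1 = Tunnel("vpn1@spoke1", "192.168.17.0/24", "192.168.0.0/24")
    hub = [Tunnel("vpn1@hub", "192.168.0.0/24", "192.168.17.0/24"),
           Tunnel("vpn2@hub", "192.168.0.0/24", "192.168.1.0/24")]
    spoke2 = Tunnel("vpn2@spoke2", "192.168.1.0/24", "192.168.0.0/24")
    return spoke1, hub, spoke2


def hub_and_spoke():
    """Reply #7: hub local = 192.168.0.0/16, spoke remote = 192.168.0.0/16."""
    spoke1 = Tunnel("vpn1@spoke1", "192.168.17.0/24", "192.168.0.0/16")
    hub = [Tunnel("vpn1@hub", "192.168.0.0/16", "192.168.17.0/24"),
           Tunnel("vpn2@hub", "192.168.0.0/16", "192.168.1.0/24")]
    spoke2 = Tunnel("vpn2@spoke2", "192.168.1.0/24", "192.168.0.0/16")
    return spoke1, hub, spoke2


if __name__ == "__main__":
    src, dst = "192.168.17.10", "192.168.1.10"   # spoke1 host -> spoke2 host
    for label, scenario in (("baseline", baseline), ("hub-and-spoke", hub_and_spoke)):
        s1, hub, s2 = scenario()
        for allow in (False, True):
            print(label, "allow=%s" % allow, trace_spoke_to_spoke(s1, hub, s2, allow, src, dst))
        print(label, "spoke1 remote selector overlaps own LAN:", s1.selectors_overlap())
```

Running it shows the two failure modes separately: with the baseline /24 selectors the packet never enters the tunnel at the source spoke (exactly the symptom in the first post), and with the /16 selectors but no Allow rule it reaches the DFL and is dropped there by policy. The `selectors_overlap` check is the caveat behind "you can make it less" in reply #3: with 192.168.0.0/16 as the remote selector, each spoke's own 192.168.17.0/24 or 192.168.1.0/24 is also covered by it, so whether local traffic stays local depends on the device preferring its connected route; listing only the hub LAN and the other spoke's /24 as remote selectors avoids that overlap (this model keeps one network per tunnel and does not show the list form).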