Hi,
I have an IPSEC concentrator working with remote LANs. All works fine, but when I try to reach another LAN outside the IPSEC scheme (just a routed LAN) from a remote connection, I can't obtain a ping response. All networks are in mangle rules before masquerade, because all routers are working with NAT.
The remote LAN can only be reached from the IPSEC concentrator, not from the remote connections.
Any help please?
Thanks in advance,
Pablo
Are you excluding the IPSEC Lan to Lan traffic from NAT?
Are the routing tables correct?
Regards
Andrew
I have all networks in firewall, for example:
chain=srcnat action=accept src-address=192.168.20.0/24
This is probably incorrect. You will probably have a source nat rule that masquerades for the outside world. You require some additional rules before this one that exclude traffic bound for your IPSEC reachable LANs. These will have action=accept and you will need to specify the destination address.
e.g.
chain=srcnat action=accept src-address=192.168.1.0/24 dst-address=192.168.111.0/24
chain=srcnat action=src-nat to-addresses=xxx.xxx.xxx.205 to-ports=0-65535 src-address=192.168.1.0/24 out-interface=Internet
In this example, the first rule excludes traffic bound for the remote LAN (192.168.111.0/24) and the second rule nats everything else for the Internet; xxx.xxx.xxx.205 is one of my public IPs.
You need to think about routing end-to-end in both directions. Pick a remote destination address and for each client or router in the path, look at the routing table and ask yourself, ‘where will this packet be sent next’. Once you get to the remote client successfully, repeat the process in the opposite direction.
Regards
Andrew
Andrew,
I have these rules on firewall/nat
add action=accept chain=srcnat comment="" disabled=no dst-address=192.168.10.0/24 src-address=192.168.40.0/24
add action=accept chain=srcnat comment="" disabled=no dst-address=192.168.30.0/24 src-address=192.168.40.0/24
add action=masquerade chain=srcnat comment="" disabled=no out-interface=pppoe-out1 src-address=192.168.40.0/24
Did you mean I must use src-nat instead of masquerade?
The IPSEC concentrator has LAN IP 192.168.10.4, but the 192.168.30.0/24 network is unreachable from the 192.168.40.0/24 network.
Regards,
Pablo
That looks OK to me. Don’t forget that you need equivalent rules on the other ends of the link. After that, check that the traffic is hitting the relevant IPSEC policy.
Masquerade should work. I tend to avoid using it though and prefer to manually specify source nat rules.
Regards
Andrew
No way Andrew…
Can't ping between networks 192.168.30.xxx, 192.168.40.xxx, 192.168.20.xxx or 192.168.21.xxx when the tunnel is up.
Here is the network schema.
Another idea?
Thanks for your help.
Pablo

Missing policy to encrypt traffic through the IPSEC concentrator from 192.168.40.0/24 to the 192.168.30.0/24 network.
Thanks
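The check Andrew describes above (trace the packet through the srcnat chain before it reaches the tunnel) and the cause found in the last post (a missing IPsec policy) can be modelled together. This is an added example, not code from the thread: a first-match evaluator over a RouterOS-style srcnat chain plus an IPsec policy lookup, using Pablo's posted NAT rules and a constructed policy table; it assumes RouterOS applies srcnat before the IPsec policy lookup, which is why the accept rules must sit before the masquerade rule.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class SrcNatRule:
    """One rule of /ip firewall nat chain=srcnat; None means 'any'."""
    action: str                         # "accept", "masquerade" or "src-nat"
    src: Optional[str] = None
    dst: Optional[str] = None
    out_interface: Optional[str] = None

@dataclass
class IpsecPolicy:
    """One entry of /ip ipsec policy (src-address / dst-address)."""
    src: str
    dst: str

def _in(net: Optional[str], addr: str) -> bool:
    return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def srcnat_verdict(rules, src_ip, dst_ip, out_iface):
    """First matching rule wins, as in the RouterOS firewall chain."""
    for r in rules:
        if _in(r.src, src_ip) and _in(r.dst, dst_ip) and r.out_interface in (None, out_iface):
            return r.action
    return "accept"                     # no match: packet leaves untranslated

def ipsec_policy_for(policies, src_ip, dst_ip):
    for p in policies:
        if _in(p.src, src_ip) and _in(p.dst, dst_ip):
            return p
    return None

def diagnose(rules, policies, src_ip, dst_ip, out_iface="pppoe-out1"):
    # Assumption: srcnat runs before the IPsec policy lookup, so a translated
    # source address never matches a policy written for the LAN subnet.
    if srcnat_verdict(rules, src_ip, dst_ip, out_iface) != "accept":
        return "NAT_BEFORE_IPSEC"
    if ipsec_policy_for(policies, src_ip, dst_ip) is None:
        return "NO_IPSEC_POLICY"
    return "OK"

# Pablo's srcnat chain as posted (order matters: accepts before masquerade).
PABLO_RULES = [
    SrcNatRule("accept", src="192.168.40.0/24", dst="192.168.10.0/24"),
    SrcNatRule("accept", src="192.168.40.0/24", dst="192.168.30.0/24"),
    SrcNatRule("masquerade", src="192.168.40.0/24", out_interface="pppoe-out1"),
]
# Constructed policy table: only the tunnel to the concentrator LAN exists,
# which is the situation the last post describes.
PABLO_POLICIES = [IpsecPolicy("192.168.40.0/24", "192.168.10.0/24")]
```

Adding `IpsecPolicy("192.168.40.0/24", "192.168.30.0/24")` turns the 40-to-30 verdict from `NO_IPSEC_POLICY` into `OK`, while dropping the second accept rule turns it into `NAT_BEFORE_IPSEC`.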