I’m using two mk, one for the office and one for home.
On the office side we have
10.0.0.0/24 with gw 10.0.0.1 (mk1)
and at home
192.168.1.0/24 gw 192.168.1.0 (mk2)
mk1 and mk2 are connected with pppoe interfaces to ADSL.
So we have for the mk1 WAN address 1.1.1.1 and for the mk2 2.2.2.2.
I have successfully set up an IPSec tunnel between the two mk routers,
but the problem is this:
at the office we have services such as web. Our web server is on 10.0.0.5.
From my home computer 192.168.1.10 I can access the web server, but the server does not recognize me as 192.168.1.10 but as 10.0.0.1.
This happens exactly the same from the other side:
10.0.0.20 (office PC) → 192.168.1.10 (home web server): 192.168.1.1 is arriving at the server and not 10.0.0.20.
This is also happening on other services we use (VoIP).
Where is the missing part of the implementation? I want my local (home) IP to be recognized by the local (office) servers, and not the mk’s.
I had added, by mistake, a masquerade action on my local interface.
Everything is working perfectly now!
The next step is this:
I have 5 remote clients (satellites) and I have every one of them to bind (tunnel) with the main PBX.
For the moment I’ve made a tunnel on every satellite for every other satellite, plus one for the main PBX, in order for every satellite to reach the others.
How can I do that with only one tunnel from the client to the office in order to minimize the configuration?
From what you describe it seems you are doing IPSec in tunnel mode with policies for whole subnets.
For the topology you are describing, use a GRE tunnel, IPSec in transport mode and a routing protocol like OSPF to distribute the routes to clients. Like that, you will just need one tunnel from the remote client to the concentrator, and the concentrator will route all the traffic between the remote subnets.
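The hub-and-spoke layout described in the reply above, sketched as an added example that is not part of the original posts. It assumes RouterOS v6 command syntax; the tunnel subnet 172.16.0.0/30, the interface names and the pre-shared key are placeholders chosen here, while the WAN and LAN addresses are the ones from the thread.

```routeros
# Added example (RouterOS v6 syntax assumed). 172.16.0.0/30, gre-* names,
# pppoe-out1 and the key are placeholders, not values from the thread.
# Remove the old subnet-to-subnet tunnel-mode IPsec policies first, otherwise
# they keep matching LAN-to-LAN traffic ahead of the routed GRE path.

# --- Office concentrator: mk1, WAN 1.1.1.1, LAN 10.0.0.0/24 ---
# One GRE interface per satellite. ipsec-secret lets RouterOS create the IPsec
# peer and policy for the GRE packets itself; fast path must be disabled.
/interface gre add name=gre-home local-address=1.1.1.1 remote-address=2.2.2.2 \
    ipsec-secret=REPLACE-WITH-LONG-RANDOM-KEY allow-fast-path=no
/ip address add address=172.16.0.1/30 interface=gre-home
# Advertise the office LAN and the tunnel link into OSPF.
/routing ospf network add network=10.0.0.0/24 area=backbone
/routing ospf network add network=172.16.0.0/30 area=backbone

# --- Home satellite: mk2, WAN 2.2.2.2, LAN 192.168.1.0/24 ---
# A single tunnel, pointing only at the concentrator.
/interface gre add name=gre-office local-address=2.2.2.2 remote-address=1.1.1.1 \
    ipsec-secret=REPLACE-WITH-LONG-RANDOM-KEY allow-fast-path=no
/ip address add address=172.16.0.2/30 interface=gre-office
/routing ospf network add network=192.168.1.0/24 area=backbone
/routing ospf network add network=172.16.0.0/30 area=backbone

# --- Both routers ---
# Limit masquerade to the Internet-facing interface so traffic routed through
# the tunnel keeps its real LAN source address (the problem solved earlier in
# the thread). pppoe-out1 is an assumed interface name.
/ip firewall nat add chain=srcnat out-interface=pppoe-out1 action=masquerade

# --- Checks ---
# SAs should exist between the two WAN addresses, the OSPF neighbor should be
# in Full state, and the remote LAN should appear as a dynamic route.
/ip ipsec installed-sa print
/routing ospf neighbor print
/ip route print
```

Each further satellite gets its own GRE interface and /30 on the concentrator only; the satellites carry no configuration for one another and learn the other subnets through OSPF.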
The second picture (ipsec tunnel) is what I’ve made, using tunnels from each point to the others.
The first is what I need in order to avoid large scripting … (all my WAN addresses are dynamic IPs, so I have to manage them via no-ip services and update the policies dynamically on every change)
Can you help me with GRE-IPSEC and OSPF?