Krusty
Frequent Visitor
Topic Author
Posts: 71
Joined: Fri May 02, 2008 11:14 pm

Strange IPSec, please little help

Fri Jan 11, 2013 11:20 am

Hello,

I'm using IPSec for a few locations. Today I want to add a new location and I'm not able to find what is wrong; maybe somebody can help me with this.

SITUATION:
IPSec between two locations
IPSec seems to be established, I see installed SAs on both sites
I'm able to connect to the internal network from site A to site B, even to the router on site B
Everything from site A to site B seems to be OK
but
From site B I'm able to use the DNS server on site A (DNS names of servers on site A are resolved to internal addresses)
I'm not able to ping from B to A
I'm not able to reach network A from site B

site A: 192.168.1.0/24
one single MT port
site B: 192.168.5.0/24
bridged ports


here are the configurations
NAT
site A
chain=srcnat action=accept src-address=192.168.1.0/24 dst-address=192.168.5.0/24 
site B
chain=srcnat action=accept src-address=192.168.5.0/24 dst-address=192.168.1.0/24
FW rules (I even tried to disable the FW)
site A
chain=forward action=accept src-address=192.168.1.0/24 dst-address=192.168.5.0/24 
chain=forward action=accept src-address=192.168.5.0/24 dst-address=192.168.1.0/24 
chain=input action=accept protocol=ipsec-esp src-address=89.233.144.232 in-interface=eth01.WAN 
chain=input action=accept protocol=udp src-address=89.233.144.232 in-interface=eth01.WAN dst-port=500 
chain=output action=accept protocol=ipsec-esp dst-address=89.233.144.232 out-interface=eth01.WAN 
chain=output action=accept protocol=udp dst-address=89.233.144.232 out-interface=eth01.WAN dst-port=500 
site B
chain=forward action=accept src-address=192.168.5.0/24 dst-address=192.168.1.0/24 
chain=forward action=accept src-address=192.168.1.0/24 dst-address=192.168.5.0/24 
chain=input action=accept protocol=ipsec-esp src-address=109.107.208.42 in-interface=eth01.WAN 
chain=input action=accept protocol=udp src-address=109.107.208.42 in-interface=eth01.WAN dst-port=500 
chain=output action=accept protocol=ipsec-esp dst-address=109.107.208.42 out-interface=eth01.WAN 
chain=output action=accept protocol=udp dst-address=109.107.208.42 out-interface=eth01.WAN dst-port=500 
IPSec policy
site A
src-address=192.168.1.0/24 src-port=any dst-address=192.168.5.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=109.107.208.42 sa-dst-address=89.233.144.232 proposal=SSI - Flora Personalka priority=10
site B
src-address=192.168.5.0/24 src-port=any dst-address=192.168.1.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=89.233.144.232 sa-dst-address=109.107.208.42 proposal=SSI centrala priority=10
IPSec peer
site A
address=89.233.144.232/32 port=500 auth-method=pre-shared-key secret="" generate-policy=no exchange-mode=main send-initial-contact=yes nat-traversal=no my-id-user-fqdn="" proposal-check=exact hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=2m dpd-maximum-failures=5 
site B
address=109.107.208.42/32 port=500 auth-method=pre-shared-key secret="" generate-policy=no exchange-mode=main send-initial-contact=yes nat-traversal=no my-id-user-fqdn="" proposal-check=exact hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=2m dpd-maximum-failures=5 
IPSec proposal
site A
name="SSI - Flora Personalka" auth-algorithms=sha1 enc-algorithms=aes-128 lifetime=30m pfs-group=modp1024
site B
name="centrala" auth-algorithms=sha1 enc-algorithms=aes-128 lifetime=30m pfs-group=modp1024
routes
site A
A S  192.168.5.0/24                     eth02.SSI.LAN             1
site B
A S  192.168.1.0/24                     bg1.LAN                   1

thank you
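Since the two sites look mirrored on paper, a quick way to rule out a config asymmetry is to lint the two pasted configs against each other. The Python below is an added example for this thread (not code from the post or from MikroTik): it parses RouterOS `print`-style `key=value` lines as pasted, including the unquoted proposal names with spaces, and checks that the policies, peers, proposals, NAT-bypass rules and input rules of the two sites mirror each other. The site data is copied from the post; the peer lines are abridged to the phase-1 fields the check compares. `srcnat_order_ok` goes beyond the post: it is an assumed check for the rest of the srcnat chain, which the post does not show, since RouterOS evaluates srcnat top-down and an accept for tunnel traffic only takes effect if it sits above any masquerade rule that would otherwise rewrite the source address. Run on the configs as pasted, the only thing it flags is that the site B policy names the proposal `SSI centrala` while the pasted site B proposal is named `centrala`; that may just be a copy artifact, given that SAs are reported installed, but it is exactly the kind of drift such a check exists to surface.

```python
"""Symmetry check for a pair of RouterOS IPsec site configurations.

Added example for this thread, not MikroTik code: parses the key=value lines
as pasted and lists where the two sites fail to mirror each other. SITE_A and
SITE_B are copied from the post (peer lines abridged to the phase-1 fields
compared); srcnat_order_ok is an assumption about the unposted srcnat order.
"""
import re

# key=value pairs: a quoted value, or an unquoted one running to the next key=
_KV = re.compile(r'([\w-]+)=("[^"]*"|.*?)(?=\s+[\w-]+=|\s*$)')


def parse_ros(line: str) -> dict:
    """Parse one RouterOS print-style line, incl. unquoted names with spaces."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def site(name, lan, nat, policy, peer, proposal, inputs):
    """Bundle one site's pasted lines into parsed form."""
    prop = parse_ros(proposal)
    return {"name": name, "lan": lan, "nat": parse_ros(nat), "policy": parse_ros(policy),
            "peer": parse_ros(peer), "proposals": {prop["name"]: prop},
            "input": [parse_ros(r) for r in inputs]}


SITE_A = site(
    "site A", "192.168.1.0/24",
    "chain=srcnat action=accept src-address=192.168.1.0/24 dst-address=192.168.5.0/24",
    "src-address=192.168.1.0/24 src-port=any dst-address=192.168.5.0/24 dst-port=any "
    "protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes "
    "sa-src-address=109.107.208.42 sa-dst-address=89.233.144.232 proposal=SSI - Flora Personalka priority=10",
    'address=89.233.144.232/32 port=500 auth-method=pre-shared-key secret="" exchange-mode=main '
    "nat-traversal=no proposal-check=exact hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=modp1024",
    'name="SSI - Flora Personalka" auth-algorithms=sha1 enc-algorithms=aes-128 lifetime=30m pfs-group=modp1024',
    ["chain=input action=accept protocol=ipsec-esp src-address=89.233.144.232 in-interface=eth01.WAN",
     "chain=input action=accept protocol=udp src-address=89.233.144.232 in-interface=eth01.WAN dst-port=500"])

SITE_B = site(
    "site B", "192.168.5.0/24",
    "chain=srcnat action=accept src-address=192.168.5.0/24 dst-address=192.168.1.0/24",
    "src-address=192.168.5.0/24 src-port=any dst-address=192.168.1.0/24 dst-port=any "
    "protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes "
    "sa-src-address=89.233.144.232 sa-dst-address=109.107.208.42 proposal=SSI centrala priority=10",
    'address=109.107.208.42/32 port=500 auth-method=pre-shared-key secret="" exchange-mode=main '
    "nat-traversal=no proposal-check=exact hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=modp1024",
    'name="centrala" auth-algorithms=sha1 enc-algorithms=aes-128 lifetime=30m pfs-group=modp1024',
    ["chain=input action=accept protocol=ipsec-esp src-address=109.107.208.42 in-interface=eth01.WAN",
     "chain=input action=accept protocol=udp src-address=109.107.208.42 in-interface=eth01.WAN dst-port=500"])


def check_pair(a: dict, b: dict) -> list:
    """Return human-readable mismatches between the two sites (empty = mirrored)."""
    out, pa, pb = [], a["policy"], b["policy"]
    # Policies mirror: A's src is B's dst, and the SA endpoints swap.
    for x, y in (("src-address", "dst-address"), ("sa-src-address", "sa-dst-address")):
        if pa[x] != pb[y] or pa[y] != pb[x]:
            out.append(f"policy {x}/{y} do not mirror")
    for k in ("tunnel", "ipsec-protocols", "action", "level"):
        if pa.get(k) != pb.get(k):
            out.append(f"policy {k} differs: {pa.get(k)} vs {pb.get(k)}")
    # Phase 1: same IKE parameters on both peers.
    for k in ("exchange-mode", "auth-method", "hash-algorithm", "enc-algorithm", "dh-group", "nat-traversal"):
        if a["peer"].get(k) != b["peer"].get(k):
            out.append(f"peer {k} differs: {a['peer'].get(k)} vs {b['peer'].get(k)}")
    # Phase 2: each policy must name a local proposal, and the two must agree.
    props = [s["proposals"].get(s["policy"]["proposal"]) for s in (a, b)]
    for s, p in zip((a, b), props):
        if p is None:
            out.append(f"{s['name']} policy references unknown proposal {s['policy']['proposal']!r}")
    if all(props):
        for k in ("auth-algorithms", "enc-algorithms", "pfs-group"):
            if props[0].get(k) != props[1].get(k):
                out.append(f"proposal {k} differs: {props[0].get(k)} vs {props[1].get(k)}")
    # Per site: peer address is the other side's SA source, the srcnat accept
    # covers lan->remote, and input accepts ESP + UDP/500 from the peer.
    for s, o in ((a, b), (b, a)):
        peer_ip = s["peer"]["address"].split("/")[0]
        if peer_ip != o["policy"]["sa-src-address"]:
            out.append(f"{s['name']} peer {peer_ip} != {o['name']} sa-src-address")
        n = s["nat"]
        if (n.get("chain"), n.get("action"), n.get("src-address"), n.get("dst-address")) != (
                "srcnat", "accept", s["lan"], o["lan"]):
            out.append(f"{s['name']} srcnat accept does not cover {s['lan']} -> {o['lan']}")
        seen = {(r.get("protocol"), r.get("dst-port")) for r in s["input"]
                if r.get("action") == "accept" and r.get("src-address") == peer_ip}
        if not {("ipsec-esp", None), ("udp", "500")} <= seen:
            out.append(f"{s['name']} input chain does not accept ESP and UDP/500 from {peer_ip}")
    return out


def srcnat_order_ok(rules: list, lan: str, remote: str) -> bool:
    """True if the accept for lan->remote precedes any masquerade of lan traffic.

    Assumed check (the post shows only the accept rules): srcnat is evaluated
    top-down, so a masquerade that matches first rewrites the source address
    and the packet no longer matches the IPsec policy's src-address.
    """
    for r in rules:
        if r.get("chain") != "srcnat":
            continue
        if r.get("action") == "accept" and r.get("src-address") == lan and r.get("dst-address") == remote:
            return True
        if r.get("action") == "masquerade" and r.get("src-address") in (None, lan):
            return False
    return False
```

Call `check_pair(SITE_A, SITE_B)`; an empty list means the posted parts mirror. The checker only sees what was pasted, so rule order and the routes (which the post shows only partially) are outside its reach; it is a first filter that tells you whether to keep staring at the IPsec config or move on to NAT ordering and the LAN side, not a diagnosis.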
 
Krusty

Re: Strange IPSec, please little help

Fri Jan 11, 2013 1:45 pm

New thing: when I try to ping with ARP ping, then it seems to be OK, I get a reply.
 
Krusty

Re: Strange IPSec, please little help

Sat Jan 12, 2013 10:03 pm

Nobody?
