Topic: need help - routing over vpn  (Read 3883 times)
« on: October 12, 2007, 18:00:08 »
phil_discount *
Posts: 9

hello guys,

i've got a vpn connection between two companies.

have a look at the picture below

The VPN connection works very well. I can ping everything on the other side (computers that have the VPN routers as their gateway),
except the servers/computers that have the Linux router as their gateway, which I can't ping...

That's correct, because they have a different gateway..

I made a routing entry on the Linux router:

192.168.2.0 over 192.168.87.33 mask 255.255.255.0 dev eth1  (everything is correct, i checked it twice)

Then I made a routing entry on the schweiz_monowall:
192.168.87.0 over 192.168.87.10 mask 255.255.255.0 interface LAN

But I can't ping the hosts that have the Linux router (192.168.87.10) as their gateway.

Can anyone help me??

Sorry for my English :-)

regards
philip

Network plan:
http://www.imgimg.de/uploads/netzwerk945f5c39jpg.jpg
« Reply #1 on: October 13, 2007, 16:01:12 »
phil_discount *
Posts: 9

Oh, perhaps I have to edit the iptables on the Linux router...?
The routes I've entered on the local LAN interface - is that correct?
« Reply #2 on: October 15, 2007, 11:28:17 »
markb ****
Posts: 331

Hi Philip.
First question: why do you need the Linux router?  If you only have the 2 offices to connect, what purpose does it serve?
Assuming that your Linux router is used to connect to other networks, all clients would be better off having their default gateways pointing to it at 192.168.87.10.  You need a static route on the Linux machine for 192.168.2.0/24 pointing at 192.168.87.33.  The Monowall doesn't need any static routes for 192.168.87.0 as it is connected to this network and knows where it is.
« Reply #3 on: October 15, 2007, 18:10:35 »
phil_discount *
Posts: 9

Hello Mark,

I already made a routing entry pointing to 192.168.87.33 on the Linux router.
The problem is, the Linux router has about 10 VPN connections to other customer networks.
And I want to rebuild the VPNs with the new monowall gateway, but I can only do it at night, so I can't rebuild all the VPNs in one day... so I have to migrate step by step and with routing entries...
But the routing entries don't work with the Linux router; perhaps a firewall stops the packets... I don't have enough Linux knowledge to check it.
« Last Edit: October 15, 2007, 22:55:21 by phil_discount »
« Reply #4 on: October 16, 2007, 10:13:22 »
markb ****
Posts: 331

That makes it a bit clearer.  In that case, I would suggest that you set the monowall up to be the default gateway and put the static routes to the other sites in the monowall.  You will need to look in the advanced page System>Advanced on the webGUI and check the box for "Bypass firewall rules for traffic on the same interface", as the traffic from the LAN will have to go in and out of the Mono box.  Then as you set up the new VPNs you can remove the static routes.
« Reply #5 on: October 16, 2007, 15:32:06 »
phil_discount *
Posts: 9

Thank you, I will try it tomorrow and give you feedback!
« Reply #6 on: October 16, 2007, 16:29:23 »
phil_discount *
Posts: 9

Okay, it works, but now I have another problem.

192.168.87.1 (second LAN interface 10.10.0.1) is a gateway to the 10.10.0.0/16 network.
I have a test PC with the static IP address 192.168.87.100 and the new gateway (192.168.87.33). I can ping everything in the 192.168.87.0 network and the 10.10.0.0 network - everything works fine.

I want to get a connection from the 192.168.2.0 network over the VPN to the 10.10.0.0 network. I already have a VPN connection to the local 192.168.87.0 network over the 192.168.87.33 gateway... I can ping every computer that has the gateway 192.168.87.33.
So far it's okay. But every host on the 192.168.2.0 LAN has to be connected to the 10.10.0.0 network....

I have tried two solutions:

1. I made a routing entry on the 192.168.2.2 gateway to the 10.10.0.0 network
    -> it doesn't work

2. I made a second VPN tunnel to the remote subnet 10.10.0.0 and a routing entry on
    the destination gateway 192.168.87.33 to the 10.10.0.0 network, but it doesn't work
    either. I can establish the VPN connection, but I can't ping anything from the 10.10.0.0 network. Subnet masks / IP addresses are correctly defined - I checked it twice....

The old gateway has got the second solution and it works fine. And I enabled "bypass firewall rules on the same interface".

Do you have any ideas?
« Reply #7 on: October 16, 2007, 17:56:19 »
markb ****
Posts: 331

What is the static route that you put into 192.168.2.2?  Remember, with static routes you only need to point to the next hop on a route; the downstream router should know where to send it. You should be able to point it at the tunnel to route to the 10.10.0.0 segment.  When it reaches the other end of the tunnel, 192.168.87.33 knows how to get to 10.10.0.0 and should route the traffic accordingly, assuming you have the appropriate rules in place.  In my opinion, it makes things simpler if you avoid restrictive rules when routing internally and just control your access to untrusted networks like the internet and DMZ networks.

Hope this helps.
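The two problems in this thread, the hosts behind the Linux router not answering pings from 192.168.2.0/24 (first post and Reply #2) and the 10.10.0.0/16 next-hop chain markb describes above, both come down to whether every router on the forward path and on the return path has a route for the packet. The following path tracer is an added example, not code from the thread or from m0n0wall. It takes the addresses the posts give (192.168.87.33, 192.168.87.10, 192.168.87.1 with 10.10.0.1 on its second interface, the test PC 192.168.87.100, the remote router 192.168.2.2) and assumes the rest: the host addresses 192.168.87.50 and 192.168.2.20, the interface names, a 10.255.0.0/30 point-to-point link standing in for the IPsec tunnel, and a default route on 192.168.87.1 that points at the Linux router. The thread's network diagram is not available, and the model does not diagnose the tracert failure reported later in the thread; it shows where a reply can be dropped in a topology of this shape, and it flags the hops where a router sends a packet back out the interface it came in on, which is the case the "Bypass firewall rules for traffic on the same interface" option in Reply #4 covers.

```python
import ipaddress

IPv4 = ipaddress.IPv4Address


class Node:
    """A host or router: connected interfaces plus static routes."""

    def __init__(self, name, ifaces, routes=()):
        # ifaces: {iface: "addr/len"}; routes: [(prefix, gateway or None, iface)]
        self.name = name
        self.ifaces = {i: ipaddress.ip_interface(a) for i, a in ifaces.items()}
        self.routes = [(ipaddress.ip_network(p), IPv4(g) if g else None, i)
                       for p, g, i in routes]

    def addresses(self):
        return {ifc.ip for ifc in self.ifaces.values()}

    def lookup(self, dst):
        """Longest-prefix match over connected networks and static routes."""
        cands = [(ifc.network, None, n) for n, ifc in self.ifaces.items()]
        cands += self.routes
        best = None
        for net, gw, iface in cands:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw, iface)
        return best


def owner(nodes, addr):
    """Return (node, iface) holding `addr`, or (None, None)."""
    for node in nodes.values():
        for iface, ifc in node.ifaces.items():
            if ifc.ip == addr:
                return node, iface
    return None, None


def trace(nodes, src, dst, max_hops=8):
    """Follow a packet from node `src` to address `dst`, one routing decision per
    hop. Returns (delivered, hops). A hop is tagged [hairpin] when the packet
    leaves through the interface it arrived on (same-interface forwarding)."""
    dst = IPv4(dst)
    node, iface_in, hops = nodes[src], None, []
    for _ in range(max_hops):
        if dst in node.addresses():
            hops.append(f"{node.name}: delivered")
            return True, hops
        route = node.lookup(dst)
        if route is None:
            hops.append(f"{node.name}: no route to {dst}")
            return False, hops
        _, gw, iface_out = route
        flag = " [hairpin]" if iface_in == iface_out else ""
        hops.append(f"{node.name}: {dst} via {gw or 'on-link'} dev {iface_out}{flag}")
        node, iface_in = owner(nodes, gw or dst)
        if node is None:
            hops.append(f"next hop {gw or dst} is not on any node")
            return False, hops
    hops.append("hop limit exceeded (routing loop?)")
    return False, hops


def ping(nodes, src, dst):
    """Request from `src` to `dst` plus the reply back; both must route."""
    fwd_ok, fwd = trace(nodes, src, dst)
    if not fwd_ok:
        return False, fwd, []
    dst_node, _ = owner(nodes, IPv4(dst))
    src_ip = next(iter(nodes[src].addresses()))
    rev_ok, rev = trace(nodes, dst_node.name, str(src_ip))
    return rev_ok, fwd, rev


def build(linux_has_route):
    """Both sites. `linux_has_route` adds the entry from Reply #2 on the Linux
    router: 192.168.2.0/24 via 192.168.87.33 dev eth1."""
    nodes = {}
    nodes["monowall_A"] = Node("monowall_A",
        {"lan": "192.168.87.33/24", "ipsec": "10.255.0.1/30"},   # tunnel link assumed
        [("192.168.2.0/24", "10.255.0.2", "ipsec"),
         ("10.10.0.0/16", "192.168.87.1", "lan")])
    nodes["linux"] = Node("linux", {"eth1": "192.168.87.10/24"},
        [("192.168.2.0/24", "192.168.87.33", "eth1")] if linux_has_route else [])
    nodes["mpls_gw"] = Node("mpls_gw",                          # 192.168.87.1 / 10.10.0.1
        {"lan": "192.168.87.1/24", "clan": "10.10.0.1/16"},
        [("0.0.0.0/0", "192.168.87.10", "lan")])                # assumed default route
    nodes["host_old"] = Node("host_old", {"eth0": "192.168.87.50/24"},  # assumed address
        [("0.0.0.0/0", "192.168.87.10", "eth0")])               # old gateway: Linux router
    nodes["host_new"] = Node("host_new", {"eth0": "192.168.87.100/24"}, # test PC, Reply #6
        [("0.0.0.0/0", "192.168.87.33", "eth0")])
    nodes["router_B"] = Node("router_B",
        {"lan": "192.168.2.2/24", "ipsec": "10.255.0.2/30"},
        [("192.168.87.0/24", "10.255.0.1", "ipsec"),
         ("10.10.0.0/16", "10.255.0.1", "ipsec")])              # next hop: tunnel peer
    nodes["host_B"] = Node("host_B", {"eth0": "192.168.2.20/24"},     # assumed address
        [("0.0.0.0/0", "192.168.2.2", "eth0")])
    return nodes


if __name__ == "__main__":
    for has_route in (False, True):
        print(f"\n== Linux router {'with' if has_route else 'without'} a route to 192.168.2.0/24 ==")
        net = build(has_route)
        for src, dst in (("host_B", "192.168.87.50"), ("host_new", "10.10.0.1"),
                         ("host_B", "10.10.0.1")):
            ok, fwd, rev = ping(net, src, dst)
            print(f"{src} -> {dst}: {'OK' if ok else 'FAIL'}")
            for hop in fwd + rev:
                print("   ", hop)
```

Without the route on the Linux router, the request from 192.168.2.20 reaches 192.168.87.50 fine; the reply dies at the Linux router with "no route to 192.168.2.20", which is what a one-way ping failure looks like from the sending side. With the route, the Linux router forwards the reply back out eth1 to 192.168.87.33 (a hairpin), and the same hairpin shows up on the monowall when the test PC reaches 10.10.0.1 through 192.168.87.1 on the same LAN. The 10.10.0.0/16 case from 192.168.2.0/24 is only as good as the return route on the far gateway, which in this model runs through the Linux router again.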
« Reply #8 on: October 16, 2007, 21:20:51 »
phil_discount *
Posts: 9

Hi, I already tried it, but it doesn't work.

Here are my routes:

192.168.87.33 Router:
LAN  10.10.0.0/16  192.168.87.10  CLAN over MPLS router
Hosts in the 192.168.87.0 network can ping every host in the 10.10.0.0 network.


192.168.2.2 Router:
LAN  10.10.0.0/16  192.168.87.33
tracert to 10.10.0.1 on hosts in the 192.168.2.0 network: answer from INETADDRESS: destination unreachable
Which means that the route doesn't work... or?

I made the routes on the LAN interface... correct, or? I already tried the WAN interface...
The firewall is deactivated (traffic allowed in all directions on all interfaces).

Very strange....
I already tried to make a second VPN tunnel with the 10.10.0.0 network, but it doesn't work either :-(

Any idea?
« Reply #9 on: October 17, 2007, 17:09:44 »
phil_discount *
Posts: 9

Hello...
I think monowall isn't able to do that.
I have installed IPCop; now everything works fine.
I read something about this feature (routing over IPsec) in the feature development for monowall.
Thanks for the help.