Topic: IPSEC Site-to-Site problem  (Read 2435 times)
« on: November 12, 2009, 14:23:31 »
kmalek *
Posts: 4

Hello,
I'm facing a very strange problem with my implementation of the Site-to-Site VPN.
I have successfully created the VPN tunnel between two sites, and I am able to ping or traceroute basically any host on the other site and vice versa.
The problem I'm having is that for whatever reason, I can't get to any services on the other site.
What I mean is this....
Let's say that Host A on Site B is working as a web server. From Host A on Site A I am unable to see any page served by that host.
Same applies to any other service, like SSH, or file sharing or whatever else.

Please check the attached picture for my setup, and if you have any idea what may be the cause of my problem I'd really appreciate any help.

Thank you,
Chris


* Attachment: STS.jpg (65.46 KB, 967x736)
« Last Edit: November 12, 2009, 17:00:27 by kmalek »
« Reply #1 on: November 12, 2009, 17:57:42 »
knightmb ****
Posts: 341

The first thing that comes to mind is what gateway is Host A using? From the picture, it looks like you have two possible gateways for Host A to connect out of. If Host A has a packet sent to it from the m0n0wall IP/SEC it might not know how to send the return properly, might be trying to send it out the default gateway instead of back through the m0n0wall IP/SEC.

If that's the case, you'll have to assign some static routes for each host to know where the Internal traffic needs to go vs. the external traffic (WAN).

Radius Service for m0n0wall Captive Portal - http://amaranthinetech.com
« Reply #2 on: November 12, 2009, 19:26:00 »
kmalek *
Posts: 4

Well, thanks for your reply.
Correct me if I'm wrong, but wouldn't that be taken care of by the static route on the main gateway?
The 192.168.x.1 gateway is the default gateway for every single host on our network, set by the DHCP server.
I have added the static route to specify that any traffic going to the other site should go via monowall, so in the Site A main gateway I have more/less this entry:
Interface: LAN
Network: 192.168.200.0/24
Gateway: 192.168.168.209 (monowall LAN IP)

The part that bothers me the most is the fact that I can do this:

ping -s 192.168.200.193
PING 192.168.200.193: 56 data bytes
64 bytes from 192.168.200.193: icmp_seq=0. time=2.572 ms
64 bytes from 192.168.200.193: icmp_seq=1. time=2.295 ms
64 bytes from 192.168.200.193: icmp_seq=2. time=2.337 ms
^C
----192.168.200.193 PING Statistics----
3 packets transmitted, 3 packets received, 0% packet loss
round-trip (ms)  min/avg/max/stddev = 2.295/2.401/2.572/0.149

and also this:

traceroute 192.168.200.193
traceroute to 192.168.200.193 (192.168.200.193), 30 hops max, 40 byte packets
 1  192.168.100.1 (192.168.100.1)  0.389 ms  0.289 ms  0.378 ms
 2  192.168.100.209 (192.168.100.209)  0.604 ms  0.407 ms  0.402 ms
 3  * * *
 4  192.168.200.193 (192.168.200.193)  2.890 ms  1.956 ms  1.985 ms

So, I'm pretty sure that the tunnel is established.

Anyway, I will play with this setup a bit more. Meantime, if you have any more ideas, or maybe I have done something wrong that you can think of... please let me know.

Thanks,
Chris
« Reply #3 on: November 18, 2009, 19:32:08 »
kmalek *
Posts: 4

Does anyone have a similar setup to mine?

If I change my networks in such a way that the monowall is the default gateway and IPSec Site-to-Site VPN, everything works like a charm.
The problem is that I need to be able to simply add the monowall box to existing network where I can't make it (monowall box) the default gateway.

I'm stuck at this point.
Anyone, any ideas??? Please....
« Reply #4 on: November 23, 2009, 17:28:53 »
kmalek *
Posts: 4

For anyone that is facing the same problem as I have faced.
For the past couple of weeks I have tried different IPSEC settings and what not, but nothing seemed to work.
Finally, today, I have checked all the settings for the main gateways and there it was....
The Static Route Filtering was enabled, and as soon as I disabled it, my Site-to-Site VPN works like a charm.

Well, that's my story.
Thanks to everyone who pointed me in one direction or another.
 