Topic: IPsec ShreSoft -> Fritzbox -> Monowall  (Read 6935 times)
« on: February 22, 2011, 13:50:07 »
mr.sarge *
Posts: 13

Hello,

I'm trying to make an IPsec VPN from the ShrewSoft VPN client to Monowall 1.32 behind a Fritzbox 7270.
The VPN tunnel is established, but no traffic passes (for example, a ping to Monowall).

So I enabled NAT-T in Monowall and I was able to ping Monowall's IP address (not the router's address).
The problem I have now is that I cannot open Monowall's web interface. When I type the IP address in the browser I can enter the login credentials, but then it doesn't go any further.
Before, I used a Linksys router (with IPsec VPN passthrough enabled) without any problems.

IP addressing:
LAN = 192.168.1.0 /24
Monowall 1.32 WAN = 192.168.2.1 /24
router Fritzbox 7270 LAN = 192.168.2.254 /24
router port forwarding to Monowall: port 500 UDP, 4500 UDP, ESP


VPN tunnel: ShrewSoft IPSec -> Fritzbox (DynDNS) -> Monowall -> LAN

Any ideas what can be the problem?

best regards,

Sarge


EDIT:
I can successfully ping a client in the LAN network and make an RDP connection. So it seems that it must be a problem (routing/NAT) in the subnet 192.168.2.0 that I can't connect with HTTP to the Monowall or the ADSL router.
I also tried a PPTP connection; that works perfectly (I can also make a connection to the router and Monowall).
« Last Edit: February 22, 2011, 14:46:48 by mr.sarge »
« Reply #1 on: February 22, 2011, 20:56:09 »
Luis de Escuderos *
Posts: 20

Is the web interface under HTTPS? A special port to access the webGUI?
See System/General Setup.

Then check rules:
Firewall / Rules / WAN
There must be a rule like this:
Action: pass   Interface: WAN    Proto: TCP
Source type: any    Source port range: any
Destination: single host: WAN address of Monowall (can be the public IP)
Destination port: 4321 (if the webGUI WAN access is https://20.20.20.20:4321, for example)

If the remote LAN and local LAN are of different families, the 1:1 NAT is unnecessary.



« Reply #2 on: February 23, 2011, 09:50:15 »
mr.sarge *
Posts: 13

Hi,

yes, the web interface is under HTTPS. I tried your suggestion, but with no success.
I also cannot connect to the router's address (192.168.2.254), only to a PC in the LAN network (192.168.1.x).

best regards,

Sarge
« Reply #3 on: February 24, 2011, 09:36:01 »
notladstyle **
Posts: 53

If I'm understanding correctly, your router is outside Monowall's subnet. In order to access it you must route traffic intended for the 192.168.2/24 subnet through the tunnel. In order to receive a response, your IPsec address must lie within the 192.168.1/24 subnet, or the Fritzbox will not reply through Monowall to you.
« Last Edit: February 24, 2011, 09:38:07 by notladstyle »
« Reply #4 on: February 24, 2011, 11:05:22 »
mr.sarge *
Posts: 13

Hi notladstyle,

Yes, you're right.
For testing with the Shrew Soft VPN client I set the option "Use a virtual adapter and assigned address" with an IP address in the 192.168.1.0 subnet instead of "Use an existing adapter and current address".
Now I have access to Monowall's web interface and the Fritz!Box, but NOT anymore to a PC in the internal network!?
Something must still be configured wrong...

best regards,

Sarge
« Reply #5 on: February 25, 2011, 17:37:06 »
Luis de Escuderos *
Posts: 20

Don't forget: if access is from inside or outside the VPN, then point to the respective LAN or WAN address.
Draw a network schema (JPG or PDF) and show it to us.
« Reply #6 on: February 26, 2011, 23:19:57 »
notladstyle **
Posts: 53

I fear that because your 192.168.1.0/24 address lies within the subnet of the local computers, they are not using the Monowall to route their responses (they are just broadcasting).
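The two explanations in Reply #3 and Reply #6 both come down to the routing decision each responder makes when it answers the VPN client: a host that believes the client's address is on its own subnet ARPs for it and never hands the reply to Monowall, while a host with no route for the address sends the reply to its default gateway instead of through the tunnel. The following script, added here as an illustration and not code from this thread or from the Monowall project, models that decision for the two addressing choices discussed above. The Monowall LAN address (192.168.1.1), the LAN PC (192.168.1.50), the Fritzbox's upstream next hop (203.0.113.1) and the Fritzbox's static route for 192.168.1.0/24 via Monowall's WAN address are assumptions, not values stated in the thread.

```python
"""Return-path check for an IPsec road-warrior (virtual) address.

For each responder the VPN client wants to reach, work out where that
responder would send its reply and whether the reply passes through
Monowall (and therefore can enter the IPsec tunnel).
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network
Iface = ipaddress.IPv4Interface

MONOWALL_LAN = IPv4("192.168.1.1")    # assumed; the thread does not state it
MONOWALL_WAN = IPv4("192.168.2.1")    # from the thread
FRITZBOX_LAN = IPv4("192.168.2.254")  # from the thread
MONOWALL_ADDRESSES = {MONOWALL_LAN, MONOWALL_WAN}


@dataclass
class Responder:
    """A host that answers the VPN client: its own address/prefix,
    its default gateway and any static routes it knows about."""
    name: str
    iface: Iface
    default_gw: Optional[IPv4]
    static_routes: Dict[Net, IPv4] = field(default_factory=dict)


def next_hop(host: Responder, dst: IPv4) -> Tuple[str, Optional[IPv4]]:
    """Host-style forwarding lookup: connected subnet first (the host ARPs
    for dst itself), then the most specific static route, then default."""
    if dst in host.iface.network:
        return "on-link", None          # no router involved at all
    best: Optional[Tuple[Net, IPv4]] = None
    for net, gw in host.static_routes.items():
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is not None:
        return "static", best[1]
    if host.default_gw is not None:
        return "default", host.default_gw
    return "unreachable", None


def reply_reaches_tunnel(host: Responder, client_ip: IPv4) -> bool:
    """True only if the reply is handed to one of Monowall's addresses."""
    _, gw = next_hop(host, client_ip)
    return gw in MONOWALL_ADDRESSES


# Constructed topology matching the thread's description.
LAN_PC = Responder("LAN PC", Iface("192.168.1.50/24"), MONOWALL_LAN)
FRITZBOX = Responder(
    "Fritzbox",
    Iface("192.168.2.254/24"),
    IPv4("203.0.113.1"),                       # constructed ISP next hop
    {Net("192.168.1.0/24"): MONOWALL_WAN},     # assumed static route
)
RESPONDERS = [LAN_PC, FRITZBOX]


def check(client_ip: str) -> Dict[str, bool]:
    """Map each responder's name to whether its reply to client_ip can
    reach the VPN client through Monowall."""
    ip = IPv4(client_ip)
    return {r.name: reply_reaches_tunnel(r, ip) for r in RESPONDERS}


if __name__ == "__main__":
    # Virtual address inside the LAN subnet (Reply #4's test) versus an
    # address outside it (the client's original configuration).
    for client in ("192.168.1.200", "10.8.0.5"):
        print(f"VPN client address {client}:")
        for r in RESPONDERS:
            kind, gw = next_hop(r, IPv4(client))
            ok = reply_reaches_tunnel(r, IPv4(client))
            print(f"  {r.name:8s} replies via {kind:11s} gw={gw}  "
                  f"reaches tunnel: {ok}")
```

The output reproduces the symptom in Reply #4: with 192.168.1.200 the Fritzbox's reply is routed via Monowall and arrives, but the LAN PC treats the client as a neighbour and its reply never leaves the LAN; with 10.8.0.5 the roles reverse. The model ignores proxy ARP on the Monowall LAN side, which is the usual way to make a virtual address inside the LAN subnet work for both cases; the thread does not discuss it.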