I configured a VPN site-to-site and, almost, everything works fine.
The tunnel is established correctly.
The subnet at Site_A (the HQ) can ping the subnet at Site_B (the branch), but the subnet at Site_B cannot "see" the subnet at Site_A.
I don't have access to the Site_A configuration, only Site_B (ClearOS 7).
My Site_B configuration:
    conn SiteA_SiteB
        type=tunnel
        authby=secret
        auto=start
        left=201.202.203.100          # Site_B public IP
        leftsubnet=192.168.125.0/24   # Site_B subnet
        right=101.102.103.188         # Site_A public IP
        rightsubnet=10.50.90.0/19     # Site_A subnet
        esp=3des-sha1
The Site_A administrator can ping 192.168.125.10, for example, but the Site_B administrator (me) cannot ping 10.50.90.30 (for example).
I have a bit of knowledge of OpenVPN, and when OpenVPN starts it creates devices (tun, tap), so I add routes for the remote subnet via the gateways behind those devices.
The question is: how can I send the packets through the IPsec tunnel?
Thank you very much.
henrique.
Responses (3)
Accepted Answer
It looks like you've done all the right things. You probably don't need the esp line, as it is one of the defaults it can negotiate automatically, but it does no harm. One thing: can you set your "Local LAN IP (Optional)"? It will help any pinging or other traffic coming directly from ClearOS (rather than from the LAN behind it).
I would suspect the problem is at the other end, where he might either be firewalling you or NATing his end of the tunnel. When he pings you from different devices, do the packets all seem to come from the same LAN IP? If so, that would suggest he is NATing the packets.
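An added diagnostic for the check Nick describes above (this is editor-supplied example code, not code from the thread, from ClearOS or from Libreswan): it reads the output of "tcpdump -ni <LAN interface> icmp" taken on the Site_B gateway and tallies which Site_A addresses the echo requests come from, so that "pings from several Site_A machines, one source address" can be spotted mechanically. The capture below is constructed for the example. The subnets are the ones in henrique's ipsec.conf; note that 10.50.90.0/19 has host bits set and actually denotes 10.50.64.0/19, which is worth confirming with the Site_A administrator so that both ends describe the same network.

```python
import ipaddress
import re
from collections import Counter

# Subnets as written in the posted ipsec.conf (leftsubnet / rightsubnet).
# strict=False because 10.50.90.0/19 has host bits set: the network it
# denotes is 10.50.64.0/19. Confirm with the Site_A admin that his side
# uses the same network.
SITE_B_SUBNET = ipaddress.ip_network("192.168.125.0/24")
SITE_A_SUBNET = ipaddress.ip_network("10.50.90.0/19", strict=False)

# Default line format of "tcpdump -ni <LAN interface> icmp" on the ClearOS box.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply)"
)

# Constructed sample capture (not a real log): the Site_A admin says he pinged
# from two different machines; afterwards 192.168.125.10 tried to ping Site_A.
SAMPLE_CAPTURE = """\
10:15:01.100000 IP 10.50.90.30 > 192.168.125.10: ICMP echo request, id 311, seq 1, length 64
10:15:01.100300 IP 192.168.125.10 > 10.50.90.30: ICMP echo reply, id 311, seq 1, length 64
10:15:02.100000 IP 10.50.90.30 > 192.168.125.20: ICMP echo request, id 412, seq 1, length 64
10:15:02.100300 IP 192.168.125.20 > 10.50.90.30: ICMP echo reply, id 412, seq 1, length 64
10:15:05.000000 IP 192.168.125.10 > 10.50.90.30: ICMP echo request, id 999, seq 1, length 64
"""


def summarize_capture(text, remote=SITE_A_SUBNET, local=SITE_B_SUBNET):
    """Tally echo traffic between the two tunnel subnets as seen on the LAN side.

    remote_sources: Site_A addresses that sent echo requests into Site_B
    local_targets:  Site_B addresses those requests were aimed at
    local_requests: echo requests Site_B hosts sent toward Site_A
    remote_replies: echo replies that came back from Site_A
    """
    stats = {"remote_sources": Counter(), "local_targets": Counter(),
             "local_requests": 0, "remote_replies": 0}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        kind = m["kind"]
        if kind == "request" and src in remote and dst in local:
            stats["remote_sources"][str(src)] += 1
            stats["local_targets"][str(dst)] += 1
        elif kind == "request" and src in local and dst in remote:
            stats["local_requests"] += 1
        elif kind == "reply" and src in remote and dst in local:
            stats["remote_replies"] += 1
    return stats


def nat_suspected(stats, hosts_claimed):
    """Nick's test: the remote admin pinged from `hosts_claimed` distinct
    machines, yet every request carries one source address, so the Site_A
    gateway is most likely rewriting (NATing) the inner source of its tunnel
    traffic."""
    return hosts_claimed > 1 and len(stats["remote_sources"]) == 1


def unanswered_local_requests(stats):
    """Echo requests Site_B sent toward Site_A that got no reply in the capture.
    If non-zero, also run "tcpdump -ni <WAN interface> esp": if the request never
    leaves as ESP the problem is local (policy or firewall); if it does, the drop
    is on the Site_A side."""
    return stats["local_requests"] - stats["remote_replies"]


if __name__ == "__main__":
    s = summarize_capture(SAMPLE_CAPTURE)
    print("Site_A sources seen:", dict(s["remote_sources"]))
    print("Site_B targets hit:", dict(s["local_targets"]))
    print("NAT suspected (admin used 2 machines):", nat_suspected(s, hosts_claimed=2))
    print("Site_B requests without a reply:", unanswered_local_requests(s))
```

On a real capture, replace SAMPLE_CAPTURE with the saved tcpdump output and set hosts_claimed to the number of machines the Site_A administrator actually pinged from; the one-source result only means NAT if he really used more than one.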
Accepted Answer
Hello Nick,
thanks for the tip about routing.
How have you done this configuration? Manually or through one of the IPsec VPN marketplace items?
I did the configuration using "Static IPsec VPN for Home".
I manually edited the file "/etc/ipsec.d/ipsec.unmanaged.SiteA_SiteB.conf" to add the line:
esp=3des-sha1
How have you opened your firewall? Have you used the Standard Service IPsec or have you used separate rules for ESP and udp:500?
I did this configuration through "Incoming Firewall".
Menu: Network -> Firewall -> Incoming Firewall;
Button: "Add" -> "Add by: Service";
Service: "IPsec"
The line added is:
    Nickname   Service   Protocol        Port   Action
    IPsec      IPsec     ESP/AH + UDP    500    Delete
Done.
Find log file in attachment.
Thank you very much.
henrique.
Accepted Answer
IPsec and OpenVPN are completely different. Don't try manipulating the routing table with IPsec. It'll never work.
How have you done this configuration? Manually or through one of the IPsec VPN marketplace items? How have you opened your firewall? Have you used the Standard Service IPsec or have you used separate rules for ESP and udp:500?
Can you also post your connection log from where pluto starts to negotiate a connection to the "IPsec SA established" message.