VPN trouble.

dennislarsen · ‎09-15-2006

Hey all

I will try and explain my situation here and i hope you get it.

I have a problem with getting traffic from one net to another net and it is now driving me mad as i cant seem to find the error.

The setup: LAN1(10.0.0.0) has a VPN connection to our DMZ1(192.168.3.0). In our DMZ1 we have a gateway which routes traffic into SDN!(195.80.240.0) and at the same time transforming(NAT) the ip from the LAN and DMZ into (195.80.245.242/29). Meanwhile we also have an internal LAN2(192.168.2.0). My problem is that the traffic from LAN1 cant reach the SDN net but when i am on LAN2 i can.

My firewall log aint showing anything so i dont think the problem is here.

Hope someone has a cleaver idea.

Best regards

Dennis

martinj101 · ‎09-16-2006

Hi Dennis

It might help to include the configs of the devices involved and maybe a diagram.

Cheers

Martin

abdel_n · ‎09-17-2006

Hi Dennis,

Here is what i get from your explanation:

You have a firewall with two LANs interfaces, one for LAN1 10.0.0.0 and another for LAN2 192.168.2.0, also an interface connecting a DMZ 192.168.3.0.

Inside the DMZ a gateway routes traffic into SDN 195.80.240.0 with NAT?ing (using 195.80.245.242/29).

If it works between LAN1 and SDN but not from LAN2, may be you didn?t assign LAN2 into ACL that trigger the VPN connection?

So my questions are: what are the VPN gateways (between what peers)? And what traffic is protected?

We need more explanations to understand the configuration, what you need to do and what is going wrong.

dennislarsen · ‎09-18-2006

First sorry for the late reply. Work has been a bit hectic lately so have had a lot of things to look into.

First i have added a drawing of how the whole setup is and jope it can help explain a bit about the setup.

2. I need to get traffic from 10.0.0.0/27 all the way over to 195.80.240.0/20. Simple as it sounds but this just aint working.

3. I have assigned both net into the ACL for the vpn connection but i am afraid i hav'nt done it correct as the problem might be here.

Which part of the config should i put up if that would help. Not going to post the whole as it is quite large.

Hope this helps a bit ;)

Best regards

Dennis

abdel_n · ‎09-19-2006

According to your diagram you are trying to connect the remote network 10.0.0.0/27 to your corporate DMZ through VPN connection between the vigor2900 VPN router and Cisco 2821. (Interoperability seems to be tested successfully)

I guess you set a LAN-to-LAN VPN, if you are using a pre-shared key for authentication; here is a typical VPN site-to-site configuration on the Cisco-side:

-----------

crypto isakmp policy

authentication pre-share

crypto isakmp key address

!

crypto ipsec transform-set

!

crypto map ipsec-isakmp

set peer

set transform-set

match address

access-list permit ip

------------

Make sure that:

- IKE phase1 parameters match between the two devices.

- The same pre-shared key is set in both devices.

- min one transform-set must match.

- ACL on the Cisco and the Vigor device have to be symmetric (mirrored) to guarantee the traffic forth and back.

LAN2 is connecting directly to Cisco then traffic forwarded to m0n0wall for NATing and don?t use any VPN, may be that?s why it doesn?t present any problem.

I hope this will help

dennislarsen · ‎09-19-2006

Well the problem is this is what i already have entered into the ACL. Traffic flow perfectly from LAN1 to DMZ but i still cant get into SDN. I can ping the monowall but the the devices after i cant. These i can access though when i sit in DMZ

Arrgggh ;)

abdel_n · ‎09-19-2006

Hi,

NAT'ing work from DMZ and not from LAN1 -> check you translation rules in m0n0wall and what pool of address are allowed to be translated, may be only DMZ ip addresses are allowed, if so add you LAN1 ip addresses to be translated.

dennislarsen · ‎09-19-2006

The NAT is setup just liked the NAT for the DMZ zone and LAN2 so ......