IPCop and Net-to-Net VPN
18 years 9 months ago #13206
by Alexey
IPCop and Net-to-Net VPN was created by Alexey
Good day, everyone. I've installed IPCop firewalls on 2 separate boxes (both configured GREEN+RED). Created a VPN tunnel between them (status open), but pings from both internal networks to the other end do not go through.
What am I doing wrong? Where to check?
GREEN - 172.30.1.0
RED - Y.Y.Y.Y
IPCOP
|
|
INTERNET
|
|
IPCOP
RED - X.X.X.X
GREEN - 192.168.100.0
18 years 9 months ago #13208
by DaLight
Replied by DaLight on topic Re: IPCop and Net-to-Net VPN
You stated that a tunnel was created with a status of "OPEN", but you cannot ping machines behind the IPCOPs.
1. Check that you've entered the correct values for the "Local Subnet" in the VPN setup screen on both IPCOPs.
2. Use the route command to print out your routing table to ensure that the correct routes are in place.
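The second check above can be automated. The following is an added example (my own code, not from the thread or from IPCop) that parses `route -n` output and verifies that the local GREEN subnet is directly connected on the GREEN interface and that the remote GREEN subnet is routed over the IPsec interface. The sample table is constructed from the fake addresses Alexey posts further down in this thread; the interface names `eth0` and `ipsec0` are the ones shown there.

```python
import ipaddress

# Constructed sample modelled on the IPCop 1 table posted later in the thread
# (the poster's fake addresses). `route -n` columns are:
# Destination Gateway Genmask Flags Metric Ref Use Iface
IPCOP1_ROUTES = """\
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.100.0 53.141.108.209 255.255.255.0 UG 0 0 0 ipsec0
172.30.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
53.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 eth1
53.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 ipsec0
0.0.0.0 53.141.108.209 0.0.0.0 UG 0 0 0 eth1
"""


def parse_routes(text):
    """Turn `route -n` output into a list of dicts; header lines are skipped."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8 or fields[0] == "Destination":
            continue
        dest, gateway, mask, flags, _metric, _ref, _use, iface = fields
        routes.append({
            "network": ipaddress.IPv4Network((dest, mask)),
            "gateway": gateway,
            "flags": flags,
            "iface": iface,
        })
    return routes


def route_for(routes, dst):
    """Longest-prefix match: which route would carry a packet to dst?"""
    dst = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if dst in r["network"]]
    return max(candidates, key=lambda r: r["network"].prefixlen, default=None)


def check_net_to_net(text, local_green, remote_green,
                     green_iface="eth0", vpn_iface="ipsec0"):
    """Return a list of problems; an empty list means the routes look right."""
    problems = []
    routes = parse_routes(text)
    local = ipaddress.IPv4Network(local_green)
    remote = ipaddress.IPv4Network(remote_green)

    # Local GREEN must be a directly connected route on the GREEN interface.
    if not any(r["network"] == local and r["iface"] == green_iface for r in routes):
        problems.append(f"no connected route for local GREEN {local} on {green_iface}")

    # Remote GREEN must be reached via the IPsec interface, and nothing more
    # specific may steer that traffic elsewhere.
    hit = route_for(routes, remote.network_address + 1)
    if hit is None or hit["network"].prefixlen < remote.prefixlen:
        problems.append(f"no route for remote GREEN {remote} (falls to default route)")
    elif hit["iface"] != vpn_iface:
        problems.append(f"remote GREEN {remote} goes out {hit['iface']}, not {vpn_iface}")
    return problems


if __name__ == "__main__":
    for p in check_net_to_net(IPCOP1_ROUTES, "172.30.1.0/24", "192.168.100.0/24") or ["routes OK"]:
        print(p)
```

Run it against the output of `route -n` copied from each IPCop, swapping the local and remote subnets for the second box; a non-empty result points at the "Local Subnet" or "Remote Subnet" field that needs correcting in the VPN screen.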
18 years 9 months ago #13216
by Alexey
Replied by Alexey on topic Routing table
Thank you for the fast answer. Please find the routing tables from both sides here:
IPCOP 1 (RED IP - X.X.X.212)
192.168.100.0 X.X.X.209 255.255.255.0 UG 0 0 0 ipsec0
172.30.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
62.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 eth1
62.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 ipsec0
0.0.0.0 X.X.X.209 0.0.0.0 UG 0 0 0 eth1
IPCOP 2 (RED IP - Y.Y.Y.108)
192.168.100.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
82.198.180.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
82.198.180.0 0.0.0.0 255.255.255.0 U 0 0 0 ipsec0
172.30.1.0 Y.Y.Y.1 255.255.255.0 UG 0 0 0 ipsec0
0.0.0.0 Y.Y.Y.1 0.0.0.0 UG 0 0 0 eth1
It seems to be correct.
18 years 9 months ago #13219
by DaLight
Replied by DaLight on topic Re: IPCop and Net-to-Net VPN
Sorry, Alexey. I can't quite get my head round the tables due to the missing numbers. Reading routing tables is not one of my strongest points! Would you be able to repost the original network map with all the internal/external IPs and labelled IPCOPs? And then could you print the routing tables without obscured IPs? I understand you not wanting to put in the real IPs, so could you please replace them with fake ones. I want to be sure that you have not left anything out.
Could you also put in any routers in your network path with IPs as well.
On the other hand, if anyone else can make sense of the above tables, please jump in.
18 years 9 months ago #13220
by Alexey
Replied by Alexey on topic Re: IPCop and Net-to-Net VPN
No problem. Here is the real configuration with fake IPs.
IPCOP 1 (RED IP - 53.141.108.212)
53.141.108.209 is the IP of a Cisco 1700 router standing between IPCop (53.141.108.212) and the outside world. But it could not be a problem, because it does not filter anything at all. There is a second firewall standing behind it (separate outside IP, of course), and it works OK.
From this side (green network) I can ping 192.168.100.253 (IPCop's 2 green IP), but none inside of the network.
From IPCOP1 itself I cannot ping 192.168.100.253.
192.168.100.0 53.141.108.209 255.255.255.0 UG 0 0 0 ipsec0
172.30.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
53.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 eth1
53.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 ipsec0
0.0.0.0 53.141.108.209 0.0.0.0 UG 0 0 0 eth1
IPCOP 2 (RED IP - 92.198.180.108)
This machine is just looking at the internet without any routing.
ISP's gateway is 92.198.180.1. From this side I cannot ping 172.30.1.253 (IPCop 1's green IP) at all. Not from the IPCop machine, not from the green network.
192.168.100.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
92.198.180.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
92.198.180.0 0.0.0.0 255.255.255.0 U 0 0 0 ipsec0
172.30.1.0 92.198.180.1 255.255.255.0 UG 0 0 0 ipsec0
0.0.0.0 92.198.180.1 0.0.0.0 UG 0 0 0 eth1
VPN tunnel is not OpenVPN. Just a standard IPCop vpn tunnel with pre-shared key.
18 years 9 months ago #13241
by DaLight
Replied by DaLight on topic Re: IPCop and Net-to-Net VPN
Strange, the tables appear to be OK. One thing to point out though is that you will not be able to ping remote GREEN networks from the IPCOPs themselves. You will only be able to ping from the GREEN networks. So the fact that you can't ping from the IPCOPs is not a problem.
You mentioned that you could ping IPCOP2's green IP from IPCOP1's green network. You could not however ping machines in IPCOP2's green network. Have you checked that the machines you're trying to ping don't have personal firewalls enabled (such as in XPSP2)?
This still doesn't explain why you cannot ping IPCOP1's green IP from IPCOP2's green network. You may try a trace route.
Anyway, check out the personal firewalls and let us know the results.
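DaLight's point that a ping from the IPCop itself is not expected to work comes down to IPsec traffic selectors: a net-to-net policy only protects packets whose source is inside the local subnet and whose destination is inside the remote subnet. The following added example (my own code, not the thread's or IPCop's) makes that decision explicit for the two cases discussed above. It uses the fake addresses from the thread; the host 172.30.1.10 is a constructed example, and it assumes that a ping issued on IPCop 1 is sourced from the RED address, which is what the posted table suggests since ipsec0 sits in the RED /8 rather than in GREEN.

```python
import ipaddress

# Net-to-net tunnel from the thread (poster's fake addresses):
# IPCop 1: GREEN 172.30.1.0/24, RED 53.141.108.212
# IPCop 2: GREEN 192.168.100.0/24, RED 92.198.180.108
TUNNEL = {"local": "172.30.1.0/24", "remote": "192.168.100.0/24"}
IPCOP1_RED = "53.141.108.212"
IPCOP2_GREEN_IP = "192.168.100.253"
GREEN_HOST = "172.30.1.10"          # constructed host on IPCop 1's GREEN


def policy_covers(tunnel, src, dst):
    """Does a src->dst packet fall inside the tunnel's local->remote selectors?"""
    return (ipaddress.ip_address(src) in ipaddress.ip_network(tunnel["local"])
            and ipaddress.ip_address(dst) in ipaddress.ip_network(tunnel["remote"]))


def classify_ping(tunnel, src, dst):
    """'tunnel' when IPsec would carry the packet, otherwise the reason it won't."""
    if policy_covers(tunnel, src, dst):
        return "tunnel"
    if ipaddress.ip_address(dst) not in ipaddress.ip_network(tunnel["remote"]):
        return f"destination {dst} is outside remote subnet {tunnel['remote']}"
    return f"source {src} is outside local subnet {tunnel['local']}; not in IPsec policy"


def thread_cases(tunnel=TUNNEL):
    """The two situations from the thread, decided by the selector rule."""
    return {
        # A GREEN host pinging IPCop 2's GREEN address: both ends inside the selectors.
        "green host -> remote green": classify_ping(tunnel, GREEN_HOST, IPCOP2_GREEN_IP),
        # Assumption: the firewall's own ping leaves with the RED address as source,
        # so the packet never matches the local-subnet selector.
        "ipcop itself -> remote green": classify_ping(tunnel, IPCOP1_RED, IPCOP2_GREEN_IP),
    }


if __name__ == "__main__":
    for case, verdict in thread_cases().items():
        print(f"{case}: {verdict}")
```

The same rule explains why a ping that does reach the far GREEN address can still fail for hosts behind it: the tunnel is doing its job, and the drop happens at the destination host, which is where the personal-firewall check above comes in.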