
IPCop and Net-to-Net VPN

18 years 9 months ago #13206 by Alexey
Good day, everyone. I've installed IPCop firewalls on 2 separate boxes (both configured GREEN+RED). I created a VPN tunnel between them (status open), but pings from both internal networks to the other end do not get through.
What am I doing wrong? Where should I check?


GREEN - 172.30.1.0
RED - Y.Y.Y.Y
IPCOP
|
|
INTERNET
|
|
IPCOP
RED - X.X.X.X
GREEN - 192.168.100.0
18 years 9 months ago #13208 by DaLight
You stated that a tunnel was created with a status of "OPEN", but you cannot ping machines behind the IPCOPs.

1. Check that you've entered the correct values for the "Local Subnet" in the VPN setup screen on both IPCOPs.
2. Use the route command to print out your routing table to ensure that the correct routes are in place.
18 years 9 months ago #13216 by Alexey
Replied by Alexey on topic Routing table
Thank you for the fast answer. Please find the routing tables from both sides here:

IPCOP 1 (RED IP - X.X.X.212)

Destination     Gateway         Genmask         Flags Metric Ref Use Iface
192.168.100.0   X.X.X.209       255.255.255.0   UG    0      0   0   ipsec0
172.30.1.0      0.0.0.0         255.255.255.0   U     0      0   0   eth0
62.0.0.0        0.0.0.0         255.0.0.0       U     0      0   0   eth1
62.0.0.0        0.0.0.0         255.0.0.0       U     0      0   0   ipsec0
0.0.0.0         X.X.X.209       0.0.0.0         UG    0      0   0   eth1

IPCOP 2 (RED IP - Y.Y.Y.108)

Destination     Gateway         Genmask         Flags Metric Ref Use Iface
192.168.100.0   0.0.0.0         255.255.255.0   U     0      0   0   eth0
82.198.180.0    0.0.0.0         255.255.255.0   U     0      0   0   eth1
82.198.180.0    0.0.0.0         255.255.255.0   U     0      0   0   ipsec0
172.30.1.0      Y.Y.Y.1         255.255.255.0   UG    0      0   0   ipsec0
0.0.0.0         Y.Y.Y.1         0.0.0.0         UG    0      0   0   eth1

It seems to be correct.
18 years 9 months ago #13219 by DaLight
Sorry, Alexey. I can't quite get my head round the tables due to the missing numbers. Reading routing tables is not one of my strongest points! Would you be able to repost the original network map with all the internal/external IPs and labelled IPCOPs? And then could you print the routing tables without obscured IPs? I understand you're not wanting to put in the real IPs, so could you please replace them with fake ones. I want to be sure that you have not left anything out.
Could you also put in any routers in your network path with IPs as well.

On the other hand, if anyone else can make sense of the above tables, please jump in.
18 years 9 months ago #13220 by Alexey
Replied by Alexey on topic Re: IPCop and Net-to-Net VPN
No problem. Here is the real configuration with fake IPs.

IPCOP 1 (RED IP - 53.141.108.212)

53.141.108.209 is the IP of a Cisco 1700 router standing between the IPCop (53.141.108.212) and the outside world. But it cannot be the problem, because it does not filter anything at all. There is a second firewall standing behind it (with a separate outside IP, of course), and it works OK.
From this side (green network) I can ping 192.168.100.253 (IPCop 2's green IP), but nothing inside the network.
From IPCOP1 itself I cannot ping 192.168.100.253.

Destination     Gateway         Genmask         Flags Metric Ref Use Iface
192.168.100.0   53.141.108.209  255.255.255.0   UG    0      0   0   ipsec0
172.30.1.0      0.0.0.0         255.255.255.0   U     0      0   0   eth0
53.0.0.0        0.0.0.0         255.0.0.0       U     0      0   0   eth1
53.0.0.0        0.0.0.0         255.0.0.0       U     0      0   0   ipsec0
0.0.0.0         53.141.108.209  0.0.0.0         UG    0      0   0   eth1

IPCOP 2 (RED IP - 92.198.180.108)

This machine is just looking at the internet directly, without any routing in between.
The ISP's gateway is 92.198.180.1. From this side I cannot ping 172.30.1.253 (IPCop 1's green IP) at all, neither from the IPCop machine nor from the green network.

Destination     Gateway         Genmask         Flags Metric Ref Use Iface
192.168.100.0   0.0.0.0         255.255.255.0   U     0      0   0   eth0
92.198.180.0    0.0.0.0         255.255.255.0   U     0      0   0   eth1
92.198.180.0    0.0.0.0         255.255.255.0   U     0      0   0   ipsec0
172.30.1.0      92.198.180.1    255.255.255.0   UG    0      0   0   ipsec0
0.0.0.0         92.198.180.1    0.0.0.0         UG    0      0   0   eth1


The VPN tunnel is not OpenVPN, just a standard IPCop VPN tunnel with a pre-shared key.
18 years 9 months ago #13241 by DaLight
Strange, the tables appear to be OK. One thing to point out though is that you will not be able to ping remote GREEN networks from the IPCOPs themselves. You will only be able to ping from the GREEN networks. So the fact that you can't ping from the IPCOPs is not a problem.

You mentioned that you could ping IPCOP2's green IP from IPCOP1's green network. You could not however ping machines in IPCOP2's green network. Have you checked that the machines you're trying to ping don't have personal firewalls enabled (such as in XPSP2)?

This still doesn't explain why you cannot ping IPCOP1's green IP from IPCOP2's green network. You may try a traceroute.

Anyway, check out the personal firewalls and let us know the results.
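The two checks DaLight suggested (matching Local/Remote Subnet values on both IPCops, and a route for the remote GREEN subnet via ipsec0) can be run mechanically against saved `route -n` output. The script below is an added example for this thread, not IPCop code: the three route tables are constructed (the first two copied from the fake-address tables Alexey posted, with the header line `route -n` prints; the third is a made-up broken box whose VPN route was never installed), and the subnet dictionaries are assumed to match what was typed into the VPN setup screens.

```python
"""Sanity-check IPCop net-to-net VPN routing from saved `route -n` output.

Added example, not IPCop code. Check 1: the Local/Remote Subnet pairs on the
two IPCops must be mirror images. Check 2: each box must route the remote
GREEN subnet out the tunnel interface (ipsec0), not out RED's default route.
"""
import ipaddress

# Constructed `route -n` output, copied from the fake-address tables posted in
# the thread (header line added, as the real command prints it).
ROUTE_IPCOP1 = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.100.0   53.141.108.209  255.255.255.0   UG    0      0        0 ipsec0
172.30.1.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
53.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 eth1
53.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 ipsec0
0.0.0.0         53.141.108.209  0.0.0.0         UG    0      0        0 eth1
"""

ROUTE_IPCOP2 = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
92.198.180.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
92.198.180.0    0.0.0.0         255.255.255.0   U     0      0        0 ipsec0
172.30.1.0      92.198.180.1    255.255.255.0   UG    0      0        0 ipsec0
0.0.0.0         92.198.180.1    0.0.0.0         UG    0      0        0 eth1
"""

# Constructed failure case: no tunnel route, so the remote GREEN subnet falls
# through to the default route on RED and leaves the box in the clear.
ROUTE_BROKEN = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         92.198.180.1    0.0.0.0         UG    0      0        0 eth1
"""


def parse_route_table(text):
    """Parse `route -n` text into a list of route dicts, in kernel order."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8 or not fields[0][0].isdigit():
            continue  # skip "Kernel IP routing table" and the column header
        dest, gateway, genmask, flags, iface = fields[0], fields[1], fields[2], fields[3], fields[-1]
        routes.append({
            "dest": ipaddress.IPv4Network((dest, genmask), strict=False),
            "gateway": ipaddress.IPv4Address(gateway),
            "flags": flags,
            "iface": iface,
        })
    return routes


def lookup(routes, address):
    """Longest-prefix match; among equal prefixes the first table entry wins.
    Returns the matching route dict, or None if nothing covers the address."""
    addr = ipaddress.IPv4Address(address)
    candidates = [r for r in routes if addr in r["dest"]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r["dest"].prefixlen)  # first max wins on ties


def check_tunnel_routes(route_text, remote_subnet, tunnel_iface="ipsec0"):
    """Check 2: traffic for the remote GREEN subnet must leave via the tunnel."""
    routes = parse_route_table(route_text)
    remote = ipaddress.IPv4Network(remote_subnet)
    findings = []
    if not any(r["dest"] == remote for r in routes):
        findings.append(f"no route for remote subnet {remote}: check the Remote Subnet field")
    # Probe the first host so a shadowing or over-broad route shows up as well.
    probe = next(remote.hosts())
    hit = lookup(routes, probe)
    if hit is None:
        findings.append(f"{probe} is unroutable")
    elif hit["iface"] != tunnel_iface:
        findings.append(f"{probe} would leave via {hit['iface']} ({hit['dest']}), not {tunnel_iface}")
    return findings


def check_subnet_pairing(side_a, side_b):
    """Check 1: Local Subnet on one IPCop must equal Remote Subnet on the other."""
    a_local, a_remote = (ipaddress.IPv4Network(side_a[k]) for k in ("local", "remote"))
    b_local, b_remote = (ipaddress.IPv4Network(side_b[k]) for k in ("local", "remote"))
    findings = []
    if a_local != b_remote:
        findings.append(f"A Local Subnet {a_local} != B Remote Subnet {b_remote}")
    if a_remote != b_local:
        findings.append(f"A Remote Subnet {a_remote} != B Local Subnet {b_local}")
    if a_local.overlaps(a_remote):
        findings.append(f"local {a_local} and remote {a_remote} overlap; net-to-net needs distinct subnets")
    return findings


if __name__ == "__main__":
    # Assumed VPN setup values, mirroring the thread's GREEN networks.
    ipcop1 = {"local": "172.30.1.0/24", "remote": "192.168.100.0/24"}
    ipcop2 = {"local": "192.168.100.0/24", "remote": "172.30.1.0/24"}
    for label, result in [
        ("VPN subnet pairing", check_subnet_pairing(ipcop1, ipcop2)),
        ("IPCOP1 routes", check_tunnel_routes(ROUTE_IPCOP1, ipcop1["remote"])),
        ("IPCOP2 routes", check_tunnel_routes(ROUTE_IPCOP2, ipcop2["remote"])),
        ("broken box routes", check_tunnel_routes(ROUTE_BROKEN, "172.30.1.0/24")),
    ]:
        print(f"{label}: " + ("OK" if not result else "; ".join(result)))
```

On a real box, replace the constructed strings with the output of `route -n` saved from each IPCop. Both of Alexey's tables pass check 2, which is consistent with DaLight's reading that the routing is fine and the problem lies elsewhere (host firewalls, or the subnet values typed into the VPN screens); the broken table shows what a missing tunnel route looks like, with the remote GREEN probe leaving via eth1.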