Netgate Discussion Forum

    VPN ok, but no traffic on it…

    20 Posts 2 Posters 14.4k Views
psylo

If you dump on interface in, you'll normally see "decapsulated" traffic, and thus the source IP is the LAN IP (192.168.50.198).

sap68

@psylo:

You're right, but I have no luck :-/

        
```
U120XA0A0804150>tcpdump -ni eth0 host 192.168.50.198 and icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
0 packets captured
2637 packets received by filter
0 packets dropped by kernel
```
        
        
psylo

          Ok. So, nothing appears on the LAN interface. So, it should be a firewalling problem… Do you have any rule which permits traffic from your LAN to the Netasq LAN?

          Last, I suppose there is no route for the range 192.168.50.x on the Netasq. I mean: this range is not known by the Netasq except for your IPSEC tunnel.

sap68

@psylo:

I have a rule that passes all on the IPSec interface from any -> "networks internals" (LAN range).
Do you think a static route for the 192.168.50.x range is necessary?
Thanks again for your help!

psylo

              You don't need to add a route except if the IPsec is configured to "consider IPsec peer as internal". If IPsec is configured like that, you need to add a static route pointing to interface IPsec.

              By the way, can you send a screenshot of the firewall rules on the Netasq?

              I'll be unavailable for 1 hour.

sap68

@psylo:

                Ok, thanks!

These are the first 15 rules…

Rule number 12 is this VPN.
Rules 5 to 11 are other (working!) VPNs...

                ![Schermata 2011-02-19 a 10.50.42.png](/public/imported_attachments/1/Schermata 2011-02-19 a 10.50.42.png)

psylo

Ok… The point is that you need to be authenticated on the Netasq before your traffic is allowed. This is the @ in the source column...

So, either you change that to get rid of the authentication, or you authenticate yourself on the Netasq web interface...

Well, as we are speaking about an IPSec tunnel, I strongly recommend disabling the authentication for that traffic (as it is already trusted).

sap68

@psylo:

Oh YES!
That works!

The problem was in rule 12: I modified the rule so it permits traffic from 192.168.50.0 to Networks internal, and now it works!!!

                    MANY THANKS guys!

psylo

Great news, but as said in my previous post, I strongly recommend 2 things for IPSec filtering:

• disable authentication for IPSec tunnels, as that traffic is already trusted, except if you need authentication for an HTTP proxy, for example.

• use a network object (as you've done for your tunnel) for each tunnel…

sap68

@psylo:

Disable auth.: must I also disable auth. for IPsec mobile connections?

                        Thanks…

psylo

@sap68:

Well… Actually, I don't know why you use authentication for VPN tunnels (rules 5 to 11)... Normally, it's not necessary... But if you do that, you'll need to configure network objects defining all your remote networks in order to avoid security holes... Do you see what I mean?

sap68

@psylo:

Yes, I understand.

I use this particular configuration (made with Netasq support) to grant access from outside to some customers that need access to a particular server inside the LAN.
An authenticated VPN from "any" host is (I think) the only method to achieve this.
In particular, I have a rule for every mobile access, and I pass all traffic only to one host.

In your opinion, is it a security flaw?

Thanks…

psylo

                              Ok… You're in an exception and this is not a security hole.
                              If you use only "any" as source, it could be a security hole but not with authentication.

                              BTW, good news your tunnel is working.

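The filtering logic this thread turns on, as an added Python example that is not code from the thread, from Netasq or from pfSense: a first-match policy in which a source written with a leading "@" (my own notation, standing in for the "@" psylo read off the Netasq source column) only matches hosts that have authenticated on the firewall. It evaluates the tunnel ping against rule 12 as psylo diagnosed it (authentication required) and as sap68 rewrote it, and applies psylo's two recommendations as an audit: "any" without authentication is a hole, while a site-to-site tunnel rule should not need authentication at all. The 192.168.50.0/24 range comes from the thread; the internal network 192.168.1.0/24, the destination hosts and the shape of the mobile-access rule 5 are constructed assumptions.

```python
"""Toy first-match filter policy modelled on the Netasq rules discussed in the
thread.  Added example, not code from the thread, from Netasq or from pfSense.
A source written "@X" requires the sending host to be authenticated on the
firewall before the rule matches (my notation for the "@" in the source column).
Only the 192.168.50.0/24 range is from the thread; everything else is constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

INTERNAL = ip_network("192.168.1.0/24")   # constructed stand-in for "Networks internal"


@dataclass(frozen=True)
class Rule:
    number: int
    interface: str                  # interface the packet arrives on, e.g. "ipsec"
    source: Optional[IPv4Network]   # None means "any"
    requires_auth: bool             # the "@" in the source column
    destination: Optional[IPv4Network]
    action: str                     # "pass" or "block"


@dataclass(frozen=True)
class Packet:
    interface: str
    src: IPv4Address
    dst: IPv4Address
    authenticated: bool = False     # True once the host has logged in on the firewall's web interface


def parse_source(text: str) -> Tuple[Optional[IPv4Network], bool]:
    """'@any' -> (None, True); '192.168.50.0/24' -> (network, False)."""
    requires_auth = text.startswith("@")
    body = text[1:] if requires_auth else text
    return (None if body == "any" else ip_network(body)), requires_auth


def make_rule(number: int, interface: str, source: str, destination: str,
              action: str = "pass") -> Rule:
    net, auth = parse_source(source)
    dst = None if destination == "any" else ip_network(destination)
    return Rule(number, interface, net, auth, dst, action)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.interface != pkt.interface:
        return False
    if rule.source is not None and pkt.src not in rule.source:
        return False
    if rule.destination is not None and pkt.dst not in rule.destination:
        return False
    # An "@" rule only matches traffic from a host that has authenticated.
    if rule.requires_auth and not pkt.authenticated:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching rule wins; nothing matching means an implicit block."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.number
    return "block", None


def audit(rules: List[Rule]) -> List[str]:
    """Apply psylo's two recommendations to the pass rules on the IPsec interface."""
    findings = []
    for r in rules:
        if r.interface != "ipsec" or r.action != "pass":
            continue
        if r.source is None and not r.requires_auth:
            findings.append(f"rule {r.number}: source any without authentication is a hole")
        elif r.source is not None and r.requires_auth:
            findings.append(f"rule {r.number}: site-to-site tunnel traffic is already trusted; "
                            "drop the authentication requirement")
    return findings


# Rule 5 stands in for the mobile-access rules 5-11: an authenticated "any"
# source allowed to a single internal host.  Rule 12 is the site-to-site tunnel
# rule, first as psylo diagnosed it and then as sap68 rewrote it.
RULE_5 = make_rule(5, "ipsec", "@any", "192.168.1.10/32")
RULE_12_BEFORE = make_rule(12, "ipsec", "@192.168.50.0/24", str(INTERNAL))
RULE_12_AFTER = make_rule(12, "ipsec", "192.168.50.0/24", str(INTERNAL))
RULES_BEFORE = [RULE_5, RULE_12_BEFORE]
RULES_AFTER = [RULE_5, RULE_12_AFTER]

# The ping sap68 was sending through the tunnel (destination host constructed).
TUNNEL_PING = Packet("ipsec", ip_address("192.168.50.198"), ip_address("192.168.1.20"))


if __name__ == "__main__":
    print("before:", evaluate(RULES_BEFORE, TUNNEL_PING), audit(RULES_BEFORE))
    print("after: ", evaluate(RULES_AFTER, TUNNEL_PING), audit(RULES_AFTER))
```

With the "before" policy the decapsulated ping matches neither rule (rule 5 is for a different host, rule 12 wants an authenticated source) and falls to the implicit block, which is why nothing showed up on the LAN side in the tcpdump above; the audit flags rule 12 for the needless authentication. With the "after" policy the ping passes on rule 12, the audit is clean, and the authenticated mobile rule 5 still passes only to its one host, matching psylo's remark that "any" is a hole only when it is used without authentication.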
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.