VPN ok, but no traffic on it…

psylo

Ok. So, nothing appears on the LAN interface. So, it should be a firewalling problem… Do you have any rule which permits traffic from your LAN to the Netasq LAN?

Last, I suppose there is no route for the range 192.168.50.x on the Netasq. I mean: this range is not known by the Netasq except for your IPSEC tunnel.

sap68

@psylo:

Ok. So, nothing appears on the LAN interface. So, it should be a firewalling problem… Do you have any rule which permits traffic from your LAN to the Netasq LAN?

Last, I suppose there is no route for the range 192.168.50.x on the Netasq. I mean: this range is not known by the Netasq except for your IPSEC tunnel.

I have a rule that passAll on IPSec interface from any -> "networks internals" (LAN range)
Do you think it's necessary a static route for 192.168.50.x range?
Thank again for your help!

psylo

You don't need to add a route except if the IPsec is configured to "consider IPsec peer as internal". If IPsec is configured like that, you need to add a static route pointing to interface IPsec.

By the way, can you send a screenshot of the firewall rules on the Netasq?

I'll be unavailable for 1 hour.

sap68

@psylo:

You don't need to add a route except if the IPsec is configured to "consider IPsec peer as internal". If IPsec is configured like that, you need to add a static route pointing to interface IPsec.

By the way, can you send a screenshot of the firewall rules on the Netasq?

I'll be unavailable for 1 hour.

Ok, thanks!

This are the first 15 rules…

Rule number 12 it's this VPN.
Rule from 5 to 11 it's others (worked!) VPN...

![Schermata 2011-02-19 a 10.50.42.png_thumb](/public/imported_attachments/1/Schermata 2011-02-19 a 10.50.42.png_thumb)
![Schermata 2011-02-19 a 10.50.42.png](/public/imported_attachments/1/Schermata 2011-02-19 a 10.50.42.png)

psylo

Ok… The point is that you need to be authenticated on the Netasq before your traffic is allowed. This is the @ in the source column...

So, either you change that to get rid of the authentication. Either you authenticate yourself on the Netasq web interface...

Well, as we speak about IPSec tunnel, I strongly recommend to disable the authentication for those traffic (as traffics are already trusted).

sap68

@psylo:

Ok… The point is that you need to be authenticated on the Netasq before your traffic is allowed. This is the @ in the source column...

So, either you change that to get rid of the authentication. Either you authenticate yourself on the Netasq web interface...

Well, as we speak about IPSec tunnel, I strongly recommend to disable the authentication for those traffic (as traffics are already trusted).

Oh YES!
That work!

The problem is in the rule 12, I modify the rule so I permit traffic from 192.168.50.0 to Networks internal and now it worked!!!

MANY THANKS guys!

psylo

Great news but as said in my previous post, I strongly recommends 2 things for IPSec filtering:

disable authentication for IPSec tunnel as those traffic are already trusted. Except if you need authentication for HTTP proxy for example.
use network object (as you've done for your tunnel) for each tunnel…

sap68

@psylo:

Great news but as said in my previous post, I strongly recommends 2 things for IPSec filtering:

disable authentication for IPSec tunnel as those traffic are already trusted. Except if you need authentication for HTTP proxy for example.

use network object (as you've done for your tunnel) for each tunnel…

Disable auth.: I must disabled auth. also for IPsec mobile connection?

Thanks…

psylo

@sap68:

@psylo:

Great news but as said in my previous post, I strongly recommends 2 things for IPSec filtering:

disable authentication for IPSec tunnel as those traffic are already trusted. Except if you need authentication for HTTP proxy for example.

use network object (as you've done for your tunnel) for each tunnel…

Disable auth.: I must disabled auth. also for IPsec mobile connection?

Thanks…

Well… Actually, I don't know why you use Authentication for VPN tunnel (rules 5 to 11)... Normally, It's not necessary... But If you do that, you'll need to configure network objects defining all your remote networks in order to avoir security holes... Do you see what I mean?

sap68

@psylo:

@sap68:

@psylo:

Great news but as said in my previous post, I strongly recommends 2 things for IPSec filtering:

disable authentication for IPSec tunnel as those traffic are already trusted. Except if you need authentication for HTTP proxy for example.

use network object (as you've done for your tunnel) for each tunnel…

Disable auth.: I must disabled auth. also for IPsec mobile connection?

Thanks…

Well… Actually, I don't know why you use Authentication for VPN tunnel (rules 5 to 11)... Normally, It's not necessary... But If you do that, you'll need to configure network objects defining all your remote networks in order to avoir security holes... Do you see what I mean?

Yes, I understand.

I use this particular configuration (made with netasq support) for consent access from outside for some customer that needed access on particular server inside LAN.
Authentication VPN from <<any>> host it's (i think) only method to obtain the goal.
In particular I have a rule for every mobile access and i pass all traffic only to a host.

In you opinion it is a flaw in security?

Thanks…</any>

psylo

Ok… You're in an exception and this is not a security hole.
If you use only "any" as source, it could be a security hole but not with authentication.

BTW, good news your tunnel is working.