Dear all,
I am trying to connect a third party network, through IPSEC, and do not succeed due to routing problems. The authentication is enforced by PSK The key was provided by the third party network administrator. The IPSEC tunnel must be established by the external addresses of the VPN gateways in order to access the other party´s host S.S.S.s.
The IPSEC tunnel is well-established, but I am struggling to get communication flow between both sides through the tunnel.
When I traceroute from internal host 172.16.X.a to remote host S.S.S.s, I get replies from ASL and all other hops along the Internet (some reply, some drop, some reject ICMP). I guess these hops shoud not appear since the data (was intended to) pass inside the tunnel.
On packet filtering, I added rules to allow both incoming and outgoing flow from/to my internal host and the network on the other side.
We have several VPN well-established with many branch-offices, but using RSA instead, and the tunnels connect our internal net with internal nets of the remote offices. Unfortunately, we can not use this kind of setup due to restrictions imposed by the administration guys of other side. When I traceroute from my host to any host in any of these other remote sites, I do not see the hops from Internet. The tunnels hide the Internet hops (as it should be, I guess).
The scenario is as follows. Any help will be appreciated. Thanks in advance:
My side:
Internal Net: 172.16.X.X
VPN Gateway: Astaro Security Linux 3.200.
Internal LAN address: 172.16.X.a
External LAN address: Y.Y.Y.y
Default router (to Internet): Y.Y.Y.r
Internal host made public through SNAT :
Internal LAN address: 172.16.X.b
Public IP through SNAT: Y.Y.Y.z
Third party´s side:
VPN Gateway: Cisco box.
Internal LAN: N/A
External LAN: K.K.K.k
Internal host made public only through IPSEC tunnels:
Valid IP : S.S.S.s
IPSEC Tunnel
Encryption: ESP – 3DES with MD5
Diffie-Hellman Group: 3DES Group 3 (1024-bit prime)
PFS: Disabled
Compression: Disabled
Authentication: PSK
Etc.
Description of the problem:
The IPSEC tunnel is well-established , as seen in the connection log:
000 "VPN_1": Y.Y.Y.y---Y.Y.Y.r...K.K.K.k
000 "VPN_1": ike_life: 7200s; ipsec_life: 7200s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "VPN_1": policy: PSK+ENCRYPT+TUNNEL+DISABLEARRIVALCHECK; interface: eth1; erouted
000 "VPN_1": newest ISAKMP SA: #33; newest IPsec SA: #32; eroute owner: #32
000 "VPN_1": ESP algorithms wanted: 3/000-1/000, 3/000-2/000,
000 "VPN_1": ESP algorithms loaded: 3/168-1/128, 3/168-2/160,
And VPN Routes listing:
0 Y.Y.Y.y/32 -> K.K.K.k/32 => tun0x1022@K.K.K.k
NAT Rules:
SRC DEST SRC translation DST Translation
S.S.S.s Y.Y.Y.z do not translate 172.16.X.b
172.16.X.b S.S.S.s Y.Y.Y.z do not Translate
In the kernel routing table there is an entry automatically added:
K.K.K.k via Y.Y.Y.r dev ipsec0
Hope to hear from you soon.
Silver
This thread was automatically locked due to age.
