Here are the configuration details:
Code:
RemoteClient --- Internet --- Router
                                |
                                |
                             AstaroFW
                                |
                    |-----------|
                    |           |
                    |     VPNServer (multihomed)
                    |           |
                    |           |
                    |           |
                    |___________|____________
                                |
                                |
                             Intranet
- Astaro Firewall has 2 NICs, one with an external IP and one with an internal IP.
- VPN Server has 2 NICs, one with external IP and one with internal IP. The VPN server also runs DHCP so that the VPN clients will get internal IP addresses.
Please note that the Intranet hosts *and* VPN's external (and internal) NIC are both on the same "wire" (hub).
Internal IPs are 192.168.26.0/24
- On Astaro, I have packet filters saying:
From AnyClient ALLOW udp/50 (ESP) to VPNExternIP
From AnyClient ALLOW udp/500 (ISAKMP) to VPNExternIP
From AnyClient ALLOW udp/1701 (L2TP) to VPNExternIP
From AnyClient ALLOW udp/4500 (NAT-T) to VPNExternIP
From VPN_ExternIP ALLOW AnyTraffic to AnyClient
- I have a static routing entry in the AstaroFW that says:
All traffic for VPNExternIP put it on the InternalInterface.
- The Astaro has a default masquerading entry:
Code:
Default Masquerading Intern_Network__ -> All / All MASQ__External None
- The VPN Server network configuration:
a) VPNExternalNIC:
ExternalIP address
Default gateway is the external IP of Astaro
b) VPNInternalNIC:
InternalIP Address
Default gateway is the internal IP of Astaro
- All intranet hosts have the AstaroFW as their default gateway.
Now, if I try to establish a VPN connection from a host on the intranet using the intranet address of the VPN, it works just fine.
I can ping the VPNExternalIP just fine. However, if I try to establish a VPN connection from a host on the intranet/internet using the external IP of the VPN, it DOES NOT work.
What else needs to be done to get this configuration to work? Do I need to allow udp/51 (AH) packets?
Any help would be very much appreciated.
Thanks
Prasad
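As an added check for readers of this thread (not part of the original post, and not Astaro's code): the following script audits a packet-filter rule list against the flows an L2TP/IPsec responder has to receive. The point it makes is that ESP and AH are IP protocols (numbers 50 and 51), not UDP ports, so a rule written as "udp/50" does not match ESP at all; clear-text udp/1701 is not needed either, because L2TP is carried inside the ESP (or NAT-T) tunnel. The rule grammar parsed here is modelled on the format used in the post, the function names are mine, and the sample rule list is constructed to mirror the rules quoted above.

```python
"""Audit a packet-filter rule set against what L2TP/IPsec needs to pass.

Added example for this thread; not the poster's configuration and not
Astaro code. Rules are modelled as (protocol, number) pairs, where the
protocol is "udp", "tcp" or "ip"; for "ip" the number is the IP protocol
number rather than a port (constructed format, based on the post's rules).
"""

# Flows a remote client must be able to send to the VPN server's external IP.
# ESP is IP protocol 50 (and AH is 51): a "udp/50" rule only matches UDP
# datagrams addressed to port 50, which IPsec never sends.
REQUIRED = {
    "ISAKMP": ("udp", 500),    # IKE key exchange
    "NAT-T":  ("udp", 4500),   # IKE plus UDP-encapsulated ESP behind NAT
    "ESP":    ("ip", 50),      # IPsec ESP as an IP protocol, not a port
}

# Flows that are sometimes opened but are not needed for plain L2TP/IPsec.
OPTIONAL = {
    "AH":   ("ip", 51),        # only if the IPsec policy actually uses AH
    "L2TP": ("udp", 1701),     # L2TP travels inside ESP; clear-text 1701 is
                               # not needed on the outer firewall
}


def parse_rule(text):
    """Parse 'From X ALLOW <proto>/<number> (...) to Y' into (proto, number).

    Returns None for rules that are not ALLOW rules. The grammar is the
    constructed one used in this example, mirroring the post's wording.
    """
    parts = text.split()
    if "ALLOW" not in parts:
        return None
    spec = parts[parts.index("ALLOW") + 1]
    proto, _, number = spec.partition("/")
    return (proto.lower(), int(number))


def audit(rules):
    """Return (missing, suspicious).

    missing    - names of REQUIRED flows with no matching ALLOW rule.
    suspicious - ALLOW rules that look like a port/protocol mix-up: a UDP or
                 TCP port numbered 50 or 51 (ESP/AH written as a port).
    """
    allowed = {r for r in (parse_rule(t) for t in rules) if r is not None}
    missing = [name for name, flow in REQUIRED.items() if flow not in allowed]
    suspicious = [
        f"{proto}/{port}"
        for proto, port in sorted(allowed)
        if proto in ("udp", "tcp") and port in (50, 51)
    ]
    return missing, suspicious


# Constructed sample mirroring the rule list quoted in the post.
POSTED_RULES = [
    "From AnyClient ALLOW udp/50 (ESP) to VPNExternIP",
    "From AnyClient ALLOW udp/500 (ISAKMP) to VPNExternIP",
    "From AnyClient ALLOW udp/1701 (L2TP) to VPNExternIP",
    "From AnyClient ALLOW udp/4500 (NAT-T) to VPNExternIP",
]


if __name__ == "__main__":
    missing, suspicious = audit(POSTED_RULES)
    print("missing required flows:", missing)
    print("port/protocol mix-ups:", suspicious)
    # Same list with ESP expressed as an IP protocol instead of a UDP port.
    fixed = [r.replace("udp/50 ", "ip/50 ") for r in POSTED_RULES]
    print("after rewriting ESP as ip/50:", audit(fixed))
```

Run against the sample list, the audit reports ESP as missing and flags "udp/50" as the likely mix-up; rewriting that one rule as an IP-protocol rule clears both findings. The script only covers the packet-filter side; it says nothing about the static route or the masquerading entry, which need to be checked separately.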