Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 4 replies
  • Subscribers 1 subscriber
  • Views 3303 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

tunnel is up, but network is not reachable

Steffen_Schulz
Hi!

I´m a newby in vpn.
I have a problem with a vpn-tunnel (x.509).

10.0.0.0/8 == FW1 === internet === FW2 == 192.168.2.0/24

FW1 has a static IP, FW2 a dynamic.

Now my problem.

The vpn-tunnel is up, it seems, but i cannot reach the other neetwork.
I created rules like source:network1 service:any destination:network2 allow,
but if i make a traceroute from the network1 to 192.168.2.75, then it reaches the internal interface of the firewall, and then comes timeouts. The FW has a route to the remote network.

"192.168.2.0/24 dev ipsec0  table 42  scope link"

The routes and rules exists on both firewalls.

Any hints?  


This thread was automatically locked due to age.
Parents
  • 0
    Just an idea. If you ping/traceroute from the firewall you have to specify the source address, because otherwise the tunnel will not be used for your test. Use the internal IP of the firewall, e.g.

    ping -I 10.0.0.100 192.168.2.75
    or
    traceroute -s 10.0.0.100 192.168.2.75

    Both firewalls must be configured to forward ICMP. If the tunnel is up you should see something like this under IPSEC VPN->Connections->VPN Routes:

    18918      172.25.0.0/16:0    -> 192.168.0.0/24:0   => tun0x132a@xxx.xxx.xxx.xxx:0

    The IPSec status should contain: IPsec SA established

    Greetings,
    asc  
Reply
  • 0
    Just an idea. If you ping/traceroute from the firewall you have to specify the source address, because otherwise the tunnel will not be used for your test. Use the internal IP of the firewall, e.g.

    ping -I 10.0.0.100 192.168.2.75
    or
    traceroute -s 10.0.0.100 192.168.2.75

    Both firewalls must be configured to forward ICMP. If the tunnel is up you should see something like this under IPSEC VPN->Connections->VPN Routes:

    18918      172.25.0.0/16:0    -> 192.168.0.0/24:0   => tun0x132a@xxx.xxx.xxx.xxx:0

    The IPSec status should contain: IPsec SA established

    Greetings,
    asc  
Children
No Data
Cookie Information Banner