Hello everybody,
I migrated from IPCop which works for me over years now to ASG Ver 7.504 to get some praxis with this system. I'm running it as sw appliance on standard PC hardware.
What I want to do (and get running now) is the following thing:
I have 4 NICs
1 x internet
1 x intranet (LAN)
1 x extranet (WLAN)
1 x dmz
Because default WLAN encryption doesn't fit my needs I implemented a solution on my old IPCop which encpryts all traffic from LAN to WLAN and vice versa by IPSec. As mentioned above it works fine over years - but to establish it costs me a lot of time, sadly.
No I tried to built up the same configuration on my Astaro and got it running basically. This means I'm configured Client-to-Site with PSK on my ASG and made the related entrees in the Shrew Soft VPN client running on a client in WLAN.
I defined the related package filter rules on the ASG and all works fine as long as the tunnel is up. This means a tcpdump on the extranet interface shows EXP and
ISAKMP packages only.
But, my problem is the following: When the tunnel is down, the packages are transmitted also - only unencrypted!
This is want I want to prevent. How can I change my configuration on the ASG so that the extranet interface accepts IPSec-Traffic (EXP & ISAKMP) only (may be accept DHCP queries to and send DHCP offers from the DHCP-Server too, but this is no "must have").
This would mean the ASG WLAN inerface should accept the IPSec encrypted traffic only, should unencrypted it and then look if there are package rules which fit.
On the other hand let's say I'd like to do a RDP session from the intranet (LAN) over the IPSec tunnel to a client in the extranet (WLAN). This works fine and
encrypted as long as the tunnel is up.
But, it works also (but unencrypted) when the tunnel is down. I'd like to force my ASG to use the VPN tunnel - or stop sending traffic if the tunnel is down.
How to realize this? Any ideas? Any kind of help/support/hints would be greatly appreciated!
By for now
Guido
This thread was automatically locked due to age.
