Michael,
First, the firewall is automatically configured, enabled/disabled, via the
IPsec VPN plugin when the IPsec VPN is enabled/disabled. Nothing to do there.
You need to describe the bigger picture.
1) AstLinux to AstLinux or 3rd party IPsec endpoint?
2) Are the Local-Net interfaces up and connected to something?
> 172.30.10.2 175.45.82.8 Nov 10 19:12:14 2016 1800 314 0 esp-udp mode=tunnel
This is confusing, a private IP and a public IP, can you explain? Is one
endpoint behind NAT which is port forwarded? Which ports are forwarded?
NAT-T enabled at both ends?
Here is an example from last year, that might help ...
Below is a copy/paste of a reply to David Kerr on May 28, 2015 [Astlinux-users]
IPsec peer-to-peer network tunnel
================================================================================
Hi David,
Well, there are many things that can go wrong with IPsec since each phase has
options that sort-of need to match, and proper routes.
In AstLinux this is automagically all done for you, so first start with an
example...
I have two of my test boxes, sitting on the same private subnet, 10.10.50.64
and 10.10.50.65
======= pbx3 ========
pbx3 ~ # ip route
default via 10.10.50.1 dev eth0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
10.8.1.0/24 dev tun2 proto kernel scope link src 10.8.1.2
10.10.50.0/24 dev eth0 proto kernel scope link src 10.10.50.64
192.168.101.0/24 dev eth1 proto kernel scope link src 192.168.101.1
192.168.103.0/24 dev eth1.10 proto kernel scope link src 192.168.103.1
192.168.110.0/24 via 10.8.1.1 dev tun2
192.168.111.0/24 dev eth1 scope link src 192.168.101.1
192.168.222.0/24 dev eth3 proto kernel scope link src 192.168.222.1
pbx3 ~ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
link/ether 00:30:18:xx:xx:xx brd ff:ff:ff:ff:ff:ff
inet 10.10.50.64/24 brd 10.10.50.255 scope global eth0
inet6 2001:470:xxxx:x::x/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::230:18ff:fec7:ae9d/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
link/ether 00:30:18:xx:xx:xx brd ff:ff:ff:ff:ff:ff
inet 192.168.101.1/24 brd 192.168.101.255 scope global eth1
inet6 2001:470:xxxx:x::x/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::230:18ff:fec7:ae9e/64 scope link
valid_lft forever preferred_lft forever
...
======= pbx4 ========
pbx4 ~ # ip route
default via 10.10.50.1 dev eth0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
10.10.50.0/24 dev eth0 proto kernel scope link src 10.10.50.65
192.168.101.0/24 dev eth1 scope link src 192.168.111.1
192.168.102.0/24 dev eth2 proto kernel scope link src 192.168.102.1
192.168.103.0/24 dev eth4 proto kernel scope link src 192.168.103.1
192.168.111.0/24 dev eth1 proto kernel scope link src 192.168.111.1
192.168.200.0/24 dev eth3 proto kernel scope link src 192.168.200.1
pbx4 ~ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
link/ether 00:90:0b:xx:xx:xx brd ff:ff:ff:ff:ff:ff
inet 10.10.50.65/24 brd 10.10.50.255 scope global eth0
inet6 2001:470:xxxx:x::x/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::290:bff:fe36:9b78/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
link/ether 00:90:0b:xx:xx:xx brd ff:ff:ff:ff:ff:ff
inet 192.168.111.1/24 brd 192.168.111.255 scope global eth1
inet6 2001:470:xxxx:x::x/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::290:bff:fe36:9b79/64 scope link
valid_lft forever preferred_lft forever
...
This should give you some info to chew on.
Yes, your "br1" route is correct, AstLinux finds the interface associated with
your "Local-Net" and hooks the "Remote-Net" to that interface. Which means the
"br1" link must be up or there will be issues. Personally I have never used a
bridge interface, but it should work as well.
AstLinux handles all the firewall stuff for you, as well as all the routes.
So, at this point if the associations are up and running, your phase options
should be compatible; set logging to "Info" for more detail.
My guess is a route is needed on your cloud IPsec to point back to your local
net.
Also, if you have residential internet access, possibly they will block ESP
packets; enabling NAT-T will use 4500/UDP instead.
Lonnie
Note: It seems that since these are both on the same subnet I had to specify
"Local-Host" and not use the 0.0.0.0 wildcard.
================================================================================
Lonnie
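As an added illustration (not part of the original thread, and not AstLinux code), here is a small Python script that parses an SA list of the shape Michael posted and flags the points raised above: a private address paired with a public one (NAT, so NAT-T and port forwarding matter), raw ESP versus esp-udp on 4500/UDP, a missing return SA, and a direction that has carried zero bytes. The SA rows are a constructed copy of the ones in the thread.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed copy of the SA list posted in the thread (column spacing is
# irrelevant: the parser joins all lines and matches rows by pattern).
SA_LIST = """\
Source           Destination   Created               Lifetime  Age  Bytes  Type
123.209.118.117  175.45.82.8   Nov 10 19:17:20 2016        30    8      0  esp mode=tunnel
172.30.10.2      175.45.82.8   Nov 10 19:12:14 2016      1800  314      0  esp-udp mode=tunnel
175.45.82.8      172.30.10.2   Nov 10 19:12:14 2016      1800  314   5216  esp-udp mode=tunnel
"""
ROW_RE = re.compile(  # src dst created lifetime age bytes type mode
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"(\w{3} \d{1,2} \d\d:\d\d:\d\d \d{4})\s+(\d+)\s+(\d+)\s+(\d+)\s+"
    r"(esp(?:-udp)?)\s+mode=(\w+)"
)

def parse_sa_list(text):
    """Return one dict per SA row; the header words never match ROW_RE."""
    joined = " ".join(line.strip() for line in text.splitlines())
    return [
        {"src": m[0], "dst": m[1], "created": m[2], "lifetime": int(m[3]),
         "age": int(m[4]), "bytes": int(m[5]), "type": m[6], "mode": m[7]}
        for m in ROW_RE.findall(joined)
    ]

def analyse(sas):
    """Group SAs by peer pair and flag the points the reply above asks about."""
    findings = []
    pairs = defaultdict(dict)
    for sa in sas:
        pairs[frozenset((sa["src"], sa["dst"]))][sa["src"]] = sa
    for key, dirs in pairs.items():
        a, b = sorted(key, key=ipaddress.ip_address)
        label = f"{a}<->{b}"
        for ip in (a, b):
            if ipaddress.ip_address(ip).is_private:  # RFC1918 endpoint
                findings.append(f"{label}: {ip} is private; if reached over the "
                                "Internet it is behind NAT, check NAT-T/port forwarding")
        if len(dirs) < 2:
            findings.append(f"{label}: only one direction present, no return SA")
        if "esp" in {sa["type"] for sa in dirs.values()}:
            findings.append(f"{label}: raw ESP (IP proto 50); NAT-T uses esp-udp "
                            "on 4500/UDP if the ISP drops ESP")
        for sa in dirs.values():
            if sa["bytes"] == 0:
                findings.append(f"{label}: zero bytes {sa['src']}->{sa['dst']}, "
                                "nothing is entering the tunnel that way")
    return findings
```

Run `analyse(parse_sa_list(SA_LIST))` to get the five findings for the posted list; feed it the output of your own SA listing to check a new tunnel the same way.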
On Nov 10, 2016, at 2:19 AM, Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:
> Are there any issues with this SA list?
>
> Source           Destination   Created               Lifetime  Age  Bytes  Type
> 123.209.118.117  175.45.82.8   Nov 10 19:17:20 2016        30    8      0  esp mode=tunnel
> 172.30.10.2      175.45.82.8   Nov 10 19:12:14 2016      1800  314      0  esp-udp mode=tunnel
> 175.45.82.8      172.30.10.2   Nov 10 19:12:14 2016      1800  314   5216  esp-udp mode=tunnel
>
> Regards
> Michael Knill
>
> -----Original Message-----
> From: Michael Knill <michael.kn...@ipcsolutions.com.au>
> Reply-To: AstLinux List <astlinux-users@lists.sourceforge.net>
> Date: Thursday, 10 November 2016 at 7:01 PM
> To: AstLinux List <astlinux-users@lists.sourceforge.net>
> Subject: [Astlinux-users] Setting up IPsec peers
>
> Hi group
>
> I am really struggling to set up both of my first IPsec peers to AstLinux.
> The IPsec Associations seem to come up but I cannot send any data. The route
> appears in the routing table.
> Is there any information on doing this? Do I need any firewall rules?
>
> Regards
> Michael Knill
>
> ------------------------------------------------------------------------------
> Developer Access Program for Intel Xeon Phi Processors
> Access to Intel Xeon Phi processor-based developer platforms.
> With one year of Intel Parallel Studio XE.
> Training and support from Colfax.
> Order your platform today. http://sdm.link/xeonphi
> _______________________________________________
> Astlinux-users mailing list
> Astlinux-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>
> Donations to support AstLinux are graciously accepted via PayPal to
> pay...@krisk.org.
>