Hello,
I am still almost at the same point.
If I want to reach my GW88_LAN I have to check the "use default gateway on remote
network" box (Windows roadwarrior), but this option makes me reach the
internet through GW88.
I want to use the VPN to GW88 to access 192.168.2.0/24 ONLY and the roadwarrior's
"local" gateway for the rest of the traffic - i.e. the "use default gateway on
remote network" box unchecked.
If the box is unchecked I am not able to access 192.168.2.0/24.
What should I change in my confs to get it working in this manner?
GW88# grep "^[^#;]" /etc/pf.conf
set skip on {lo, enc}
match in all scrub (no-df random-id)
match out all scrub (no-df random-id)
match out on egress from lan:network to any nat-to egress
block log all
pass out quick on egress inet received-on enc0 nat-to (egress)
pass in on egress proto udp from any to (egress:0) port {isakmp,ipsec-nat-t}
pass in on egress proto {ah,esp}
pass out on egress
pass on lan
GW88# grep "^[^#;]" /etc/iked.conf
ikev2 "roadWarrior" passive esp \
from 0.0.0.0/0 to 10.0.1.0/24 \
from 192.168.2.0/24 to 10.0.1.0/24 \
local 4.5.6.88 peer any \
srcid 4.5.6.88 \
config address 10.0.1.0/24 \
config netmask 255.255.255.0 \
config name-server 8.8.8.8
On Fri, 30 Nov 2018 15:06:28 +0100
Radek <[email protected]> wrote:
> Hello,
>
> Thank all of you for your time and your help in this matter!
> I think that the ISP of A.B.C.0/23 is filtering/blocking some certificates.
> I have moved the VPN server and clients out of A.B.C.0/23. They can connect
> pretty fine using the CA now. Clients from A.B.C.0/23 still can NOT connect to
> the VPN server.
> Site-to-Site VPN is doing its job.
>
> The road_warriors(Windows) can ping GW88_LAN_machine (192.168.2.1) ONLY if
> "use default gateway on remote network" is set.
> I need to make the road_warriors:
> - reach GW88_LAN_machines 192.168.2.254/24
> - reach GW119_LAN_machines 172.16.X.X via GW88 - if it is possible
> - use their own gateway for the rest of the traffic -
> "use default gateway on remote network" unticked.
>
> I was playing around with iked.conf and pf.conf but I did not find a way to
> make it work.
> I will be grateful if anyone could help me with that.
>
> My network diagram and configs of GW88:
>
> GW88$ cat /etc/hostname.enc0
> inet 10.0.1.254 255.255.255.0
>
> GW88$ cat /etc/iked.conf
> #
> ikev2 "roadWarrior" passive esp \
> from 192.168.2.0/24 to 10.0.1.0/24 \
> local 4.5.6.88 peer any \
> srcid 4.5.6.88 \
> config address 10.0.1.0/24
> #
> #
> remote_gw_GW119 = "1.2.3.119" # fw_GW119
> remote_lan_GW119_1 = "172.16.1.0/24"
> remote_lan_GW119_2 = "172.16.2.0/24"
>
> local_gw_GW88_2 = "192.168.2.254"
> local_lan_GW88_2 = "192.168.2.0/24"
>
> ikev2 active esp from $local_gw_GW88_2 to $remote_gw_GW119 \
> from $local_lan_GW88_2 to $remote_lan_GW119_1 peer $remote_gw_GW119 \
> psk "pkspass"
>
> ikev2 active esp from $local_gw_GW88_2 to $remote_gw_GW119 \
> from $local_lan_GW88_2 to $remote_lan_GW119_2 peer $remote_gw_GW119 \
> psk "pskpass"
>
>
> GW88$ cat /etc/pf.conf
> set skip on {lo, enc}
>
> match in all scrub (no-df random-id)
> match out all scrub (no-df random-id)
>
> match out on egress from lan:network to any nat-to egress
>
> block log all
> pass in on egress proto udp from any to any port {isakmp,ipsec-nat-t}
> pass in on egress proto {ah,esp}
> pass out on egress
> pass on lan
>
> table <bruteforce> persist counters
> pass in on egress proto tcp from { 1.2.3.119 A.B.C.0/23 } to port ssh \
>     flags S/SA set prio (6, 7) keep state \
>     (max-src-conn 15, max-src-conn-rate 2/10, overload <bruteforce> flush global)
>
> icmp_types = "{ echoreq, unreach }"
> pass inet proto icmp all icmp-type $icmp_types
>
>
>
> +------------+
> |road_warrior|
> +---------+10.0.1.0/24 |
> | +------------+
> |
> ikev2
> |
> |
> v
>
> 4.5.6.88 1.2.3.119
> +---------+ +----------+
> | |
> | GW88 | <--+site-to-site VPN+------> | GW119 |
> +--+------+ +-------+--+
> | |
> +-----+192.168.1.254/24 |
> | |
> | 172.16.1.254/24---+
> | |
> +---+-+192.168.2.254/24 |
> | | |
> | | +-----------+ |
> | +---+192.168.2.1| 172.16.2.254/24---|
> | +------------+
> |
> |----+192.168.3.254/24
>
> Thanks!
>
> On Thu, 8 Nov 2018 14:04:23 +0100
> Radek <[email protected]> wrote:
>
> > I've been playing around with netcat.
> > I noticed that the netcat process on my VPN_server does not show any "X" on
> > stdout for ports 4500 and 1701.
> >
> > May it be relevant to my VPN issue?
> >
> > VPN_serv is A.B.C.77/23 (it is not behind NAT):
> >
> > $ pfctl -s rules
> > pass all flags S/SA
> >
> > $ nc -u -l 500
> > XXXX
> >
> > X.Y.Z.11/29$ nc -vuz A.B.C.77 4500
> > A.B.C.69/23$ nc -vuz A.B.C.77 4500
> > $ nc -u -l 4500
> > NOTHING IS HERE
> >
> > $ nc -u -l 4499
> > XXXX
> >
> > $ nc -u -l 4501
> > XXXX
> >
> > X.Y.Z.11/29$ nc -vuz A.B.C.77 1701
> > A.B.C.69/23$ nc -vuz A.B.C.77 1701
> > $ nc -u -l 1701
> > NOTHING IS HERE
> >
> > $ nc -u -l 22
> > XXXX
> >
> > $ nc -u -l 1234
> > XXXX
> >
> > On Wed, 7 Nov 2018 12:17:09 +0100
> > Radek <[email protected]> wrote:
> >
> > > Yesterday I tried this scenario:
> > >
> > > Win7_warrior - 192.168.x.x, NAT, GW: 1.2.3.119
> > > VPN_L2TP (Mikrotik) - A.B.C.75/23, not NATed
> > > VPN_IKEv2 - A.B.C.77/23, not NATed
> > >
> > > I connected Win7_warrior to VPN_L2TP and then to VPN_IKEv2. I had
> > > two active VPN connections at the same time.
> > > Next, I disconnected VPN_L2TP. VPN_IKEv2 was still active and was working
> > > fine.
> > >
> > > When I disconnected VPN_IKEv2 and then tried to connect to VPN_IKEv2
> > > without VPN_L2TP, I got 809.
> > >
> > > Removing home_router which is between Win7_warrior and 1.2.3.119 does not
> > > change anything.
> > >
> > > Another thing:
> > > I installed the VPN_IKEv2 OS via PXE boot and got a private IP from the DHCP
> > > server. Then I moved it to the public A.B.C.77/23 by editing /etc/hostname,
> > > mygate and resolv.conf. Maybe I missed something in the network conf that is
> > > important for OpenIKED?
> > >
> > > Any idea?
> > >
> > >
> > > On Tue, 6 Nov 2018 11:21:52 +0100
> > > Radek <[email protected]> wrote:
> > >
> > > > Hello Kim,
> > > >
> > > > > My question was concerning the VPN_server, is the server NATed?
> > > > A.B.C.0/23 is not NATed, it is a public pool. VPN_server is not NATed.
> > > >
> > > > > How is A.B.C.0/23 connected to the 'rest' of the world?
> > > > > Router/Firewall ...
> > > > I only have switches in my building.
> > > > All routers/firewalls of my network are in another building, I do not
> > > > know the whole network structure, devices, security policies... but I
> > > > have never noticed that any ports were blocked.
> > > >
> > > > I can set up an IKEv2 site-to-site VPN A.B.C.D/23 <--> !A.B.C.0/23 and it
> > > > works like a charm.
> > > > https://community.riocities.com/openike_openbsd.html
> > > > But I can not setup a VPN_server for road warriors.
> > > >
> > > > I have just set up a VPN_L2TP_serv on a Mikrotik (A.B.C.75/23). I can
> > > > connect my Win7_warrior from !A.B.C.0/23 (currently testing on a GSM
> > > > network).
> > > > L2TP and IKEv2 use ports 500 and 4500. Since L2TP works fine, I conclude
> > > > that it is not a router/FW problem.
> > > >
> > > > On Tue, 6 Nov 2018 07:48:37 +0100
> > > > Kim Zeitler <[email protected]> wrote:
> > > >
> > > > > Good morning Radek,
> > > > >
> > > > > I have a suspicion ...
> > > > >
> > > > > > For (1), (2) and (3) the VPN is working just fine with Win7_warrior and
> > > > > > puffy_warrior if they are connecting from A.B.C.0/23 (it does not
> > > > > > matter if the warrior has a public IP or is behind NAT). The rest of
> > > > > > the world fails to connect to the VPN_server.
> > > > > My question was concerning the VPN_server, is the server NATed?
> > > > > How is A.B.C.0/23 connected to the 'rest' of the world?
> > > > > Router/Firewall ...
> > > > >
> > > > > Cheers,
> > > > > Kim
> > > > >
> > > > >
> > > >
> > > >
> > > > --
> > > > radek
> > >
> > >
> > > --
> > > radek
> >
> >
> > --
> > radek
>
>
> --
> radek
--
radek
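
[Editor's note, not part of the thread: the split-tunnel behaviour described above is decided on the Windows client, not in iked.conf or pf.conf. With the built-in Windows IKEv2 client, unticking "Use default gateway on remote network" (SplitTunneling) only stops the client from installing a default route into the tunnel; it does not learn 192.168.2.0/24 or the GW119 prefixes from the server, so those prefixes have to be attached to the VPN connection explicitly, otherwise they are sent to the local gateway exactly as the poster observes. The following is an added PowerShell example, not code from the thread or the author's configuration. It assumes a connection named "GW88", machine-certificate authentication against the CA mentioned in the thread, and the VpnClient cmdlets, which exist on Windows 8.1 / Server 2012 R2 and newer; Windows 7 has no Add-VpnConnectionRoute and needs a "route add" after each connect instead. The route list also covers the GW119 LANs reached through the site-to-site tunnel, which the pf/iked side of the thread does not by itself guarantee to forward.]

```powershell
# Added example: Windows built-in IKEv2 client, split tunnel towards GW88
# (4.5.6.88), with only the remote LANs routed through the tunnel.
# Assumed names (not from the thread): connection "GW88", machine-certificate auth.

$Name   = 'GW88'
$Server = '4.5.6.88'
# Prefixes that must go through the tunnel: GW88's LAN and, via GW88's
# site-to-site tunnel, GW119's LANs.
$RemoteNets = '192.168.2.0/24', '172.16.1.0/24', '172.16.2.0/24'

# Create the connection, or switch an existing one to split tunnelling.
# -SplitTunneling is the cmdlet equivalent of unticking
# "Use default gateway on remote network" in the adapter's TCP/IP settings.
if (-not (Get-VpnConnection -Name $Name -ErrorAction SilentlyContinue)) {
    Add-VpnConnection -Name $Name -ServerAddress $Server -TunnelType IKEv2 `
        -AuthenticationMethod MachineCertificate -EncryptionLevel Required `
        -SplitTunneling -RememberCredential -Force
} else {
    Set-VpnConnection -Name $Name -SplitTunneling $true -Force
}

# With split tunnelling on, Windows installs no route for the remote side
# other than the tunnel's own /32, so each remote prefix is attached to the
# connection here. These routes are added when the VPN comes up and removed
# again on disconnect, so nothing is left behind in the routing table.
foreach ($net in $RemoteNets) {
    $present = (Get-VpnConnection -Name $Name).Routes.DestinationPrefix -contains $net
    if (-not $present) {
        Add-VpnConnectionRoute -ConnectionName $Name -DestinationPrefix $net
    }
}

# Show what the connection will install.
Get-VpnConnection -Name $Name |
    Select-Object Name, TunnelType, SplitTunneling,
        @{ n = 'Routes'; e = { $_.Routes.DestinationPrefix -join ', ' } }

# Verification after connecting: 192.168.2.1 should be routed via the VPN
# interface, while a public address should still use the local gateway.
#   rasdial $Name
#   Find-NetRoute -RemoteIPAddress 192.168.2.1 | Format-List InterfaceAlias, NextHop, DestinationPrefix
#   Find-NetRoute -RemoteIPAddress 8.8.8.8     | Format-List InterfaceAlias, NextHop, DestinationPrefix
```

Nothing on GW88 needs to change for this part: the Windows client proposes the same 0.0.0.0/0 traffic selector with or without split tunnelling, which the posted `from 0.0.0.0/0 to 10.0.1.0/24` flow already accepts; the only difference is which destinations the client's routing table sends into the tunnel. If the GW119 prefixes still fail afterwards, that is a separate question of whether GW88 forwards 10.0.1.0/24 into the site-to-site flows, which the posted iked.conf (flows from 192.168.2.0/24 only) does not cover.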