Re: [Vyatta-users] IPSec VPN - almost working! Help please...

2007-10-22 Thread Dan Murray
Hey Robyn,

Yeah, I guess I didn't give you the whole story. The vyatta "machine" is
your VMWare image, which is behind a $50 firewall router. So the
0.0.0.0/0 static route to
10.0.2.1 is to go through that router before hitting the internet. The
VMware box is in the DMZ, so it seems like it should be ok that way. But of
course this complicates things in that everything is going through eth0.
Probably not the best way to do it but really my only choice since it's not
on dedicated hardware.

I am confused as to why you have the vyatta and netgear both on the same
private subnet over the internet - shouldn't these be public internet
addresses in this case? That is the scenario.

And to answer your question about the tunnel, traffic is definitely going
both ways. Doing a show sa stats does in fact prove this - I see bytes both
in and out. So I'm led to believe that the tunnel itself is just fine, and
maybe even the vyatta machine is fine and for some reason the netgear isn't
routing over the tunnel. Maybe my static route is screwed up?

Anyway, beyond that I probably can't follow - I'm not too savvy about
routing. But like I said it definitely works one way. I can even pull up web
pages hosted on the remote network (.0.0) on the local network (.2.0) with
no problems whatsoever. Just can't do the same from the remote network back.
Confusing indeed.

Thanks again for the help.

Dan

On 10/22/07, Robyn Orosz <[EMAIL PROTECTED]> wrote:
>
>  Hi Dan,
>
> I'm not sure how you are able to ping the devices behind the Netgear but
> it's most likely not via the VPN tunnel.  If traffic is only passing one-way
> on a tunnel you normally wouldn't see the return packets from your pings.
> If you run a 'show vpn ipsec sa statistics' on the Vyatta router, I'm
> thinking you'll see 0 bytes in and out but let me know.
>
> Normally a VPN network to network tunnel will look something like this:
>
>   Vyatta eth1     Vyatta eth0      Internet      Netgear WAN     Netgear LAN
>   10.0.2.0/24     10.0.1.1/24 ------------------ 10.0.1.2/24     10.0.0.0/24
>        |                                                              |
>        -------------------------- VPN ---------------------------------
>
> It's a bit odd to have the local subnet and the peering address on the
> same network.  I'm thinking this in itself will probably prevent you from
> passing traffic over the tunnel because if you're directly connected to
> another device with the 10.0.2.0/24 network, it will ARP for devices with
> an address of 10.0.2.x rather than forward their packets to the Vyatta
> router.
>
> Also, your routers don't need a static route for the VPN tunnel networks
> as the VPN tunnel serves as a connected route to the network on the other
> side of the tunnel on each router.
>
> Is this a lab setup where both routers are hooked up via a switch of some
> sort or is this VPN connection over the internet?  It looks like you have at
> least one other device between the Netgear and the Vyatta router?
>
> Thank you,
>
> Robyn
>
> Dan Murray wrote:
>
> Hi Robyn,
>
> Thanks for the clarification, it's a big help. Here's my setup:
>
> Vyatta   --- Netgear
> 10.0.2.0/24  VPN   10.0.0.0/24
>
> I can ping anything on the Netgear network from the vyatta box. I cannot
> ping to the vyatta network from the netgear box. I have created a static
> route on the netgear for 10.0.2.0/24 to use gateway 10.0.2.2 (the vyatta
> IP).
>
> Here's my config:
>
> protocols {
>     static {
>         disable: false
>         route 0.0.0.0/0 {
>             next-hop: 10.0.2.1
>             metric: 1
>         }
>         route 10.0.0.0/24 {
>             next-hop: 10.0.0.1
>             metric: 1
>         }
>     }
> }
> policy {
> }
> interfaces {
>     restore: false
>     loopback lo {
>         description: ""
>     }
>     ethernet eth0 {
>         disable: false
>         discard: false
>         description: ""
>         hw-id: 00:0C:29:F5:B5:2F
>         duplex: "auto"
>         speed: "auto"
>         address 10.0.2.2 {
>             prefix-length: 24
>             disable: false
>         }
>     }
>     ethernet eth1 {
>

Re: [Vyatta-users] IPSec VPN - almost working! Help please...

2007-10-22 Thread Dan Murray
> interface until you get traffic passing as the firewall may make this
> issue more difficult to pinpoint.
>
> The Vyatta router allows all packets through by default.  There is no
> firewall unless you explicitly configure one.
>
> Are you using NAT on either device?  Because NAT has the potential to
> cause problems when passing traffic over a tunnel.  All packets must
> match the left and right subnets in order to enter the VPN tunnel.  If
> they are modified in any way by some sort of NAT rule, they won't be
> allowed to enter the tunnel.  So, if you're NAT'ing on the Netgear
> you'll need to find a way to exclude VPN packets from being NAT'ted.  If
> you're NAT'ing on the Vyatta router, you'll need to do the same.
>
> If it doesn't appear to be a NAT issue, you may want to post your
> configs so we can make sure everything looks correct otherwise.
>
> Thanks!
>
> Robyn
>
> Dan Murray wrote:
> > Yes, both tunnels are up. I doubt the tunnels are the problem. As I
> > said I can use the tunnel just fine one way (pings go through to
> > remote hosts and everything). However coming back toward the vyatta
> > net nothing gets through.
> >
> > I'll look into logging. I still feel like I'm missing a step on the
> > vyatta side. Normally with a cisco, after making the route I'd have to
> > make a policy to allow packets to that net, but I thought I did that
> > already with the firewall command. Maybe there's something else I'm
> > missing, routing maybe?
> >
> > Here's another question - the tunnel is on eth0. When I allow the
> > packets, I'm allowing them from eth0 to the local net - which doesn't
> > seem right but I don't know how else to do it. Is there another way to
> > refer to the tunnel when I'm specifying a network-to-network policy? I
> > can't imagine it is included in the adapter it goes over.
> >
> > Thanks,
> > Dan
> >
> > On 10/21/07, Justin Fletcher <[EMAIL PROTECTED]> wrote:
> >
> > Do you have both the IKE and IPsec tunnels up?
> >
> > You can also turn on detailed debug logging in the VPN configuration;
> > that'll give you directions to look.
> >
> > Best,
> > Justin
> >
> > On 10/21/07, Dan Murray <[EMAIL PROTECTED]> wrote:
> > > Not sure - I don't know enough about vyatta to know. I tried making a
> > > firewall rule that allowed that source network to the local destination
> > > network but it didn't seem to help. Any other ideas?
> > >
> > > Thanks,
> > > Dan
> > >
> > >
> > > On 10/21/07, David Nalley <[EMAIL PROTECTED]> wrote:
> > > >
> > > >
> > > >
> > > > Hey Dan,
> > > >
> > > > Just a thought, is it a firewall issue?
> > > >
> > > >
> > > >
> > > > -Original Message-
> > > > From: [EMAIL PROTECTED] on behalf of Dan Murray
> > > > Sent: Sun 10/21/2007 6:21 PM
> > > > To: vyatta-users@mailman.vyatta.com
> > > > Subject: [Vyatta-users] IPSec VPN - almost working! Help please...
> > > >
> > > > Hey guys,
> > > >
> > > > I was impressed with myself, actually able to get an IPSec tunnel up and
> > > > running between vyatta and a Netgear router, but I must be missing a final
> > > > step. The tunnel works just fine, and I made a static route for that subnet
> > > > and can ping anything on the remote LAN just fine from the vyatta machine.
> > > > However, I cannot get from the other side of the network (the remote side)
> > > > back to the vyatta net. Is there anything I need to do on the vyatta end to
> > > > allow packets to come on through?
> > > >
> > > > Thanks guys,
> > > >
> > > > Dan M
> > > >
> > > >
> > > >
> > > >
> > >
> > >
>
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users
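Robyn's two points above, that a tunnel endpoint address should not sit inside a protected LAN and that a packet rewritten by NAT before the IPsec policy sees it will not match the left/right subnets, as an added Python model (not code from the thread or from Vyatta). The subnets are the thread's; the Netgear WAN address 10.0.1.2 (from Robyn's diagram), the host addresses and the NAT behaviour are assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

# Constructed from the thread: Netgear LAN, Vyatta LAN, and the Netgear WAN
# address from Robyn's diagram (assumed to be what a NAT rule would hide behind).
NETGEAR_LAN = ip_network("10.0.0.0/24")
VYATTA_LAN = ip_network("10.0.2.0/24")
NETGEAR_WAN = ip_address("10.0.1.2")


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address


def source_nat(pkt: Packet, inside: IPv4Network, hide_behind: IPv4Address,
               exclude_dst: Optional[IPv4Network] = None) -> Packet:
    """Masquerade-style source NAT. Traffic to exclude_dst is left untouched,
    which is what a 'do not NAT VPN traffic' exclusion rule does."""
    if exclude_dst is not None and pkt.dst in exclude_dst:
        return pkt
    if pkt.src in inside:
        return Packet(hide_behind, pkt.dst)
    return pkt


def selector_matches(pkt: Packet, left: IPv4Network, right: IPv4Network) -> bool:
    """IPsec policy check: src must fall in the left subnet, dst in the right."""
    return pkt.src in left and pkt.dst in right


def enters_tunnel(pkt: Packet, left: IPv4Network, right: IPv4Network,
                  nat_enabled: bool, nat_excludes_vpn: bool) -> bool:
    """NAT runs before the policy lookup; a rewritten source no longer matches."""
    if nat_enabled:
        pkt = source_nat(pkt, left, NETGEAR_WAN, right if nat_excludes_vpn else None)
    return selector_matches(pkt, left, right)


def peer_on_protected_lan(peer: IPv4Address, left: IPv4Network, right: IPv4Network) -> bool:
    """A tunnel endpoint inside a protected subnet: hosts there ARP for those
    addresses instead of handing the packets to the router."""
    return peer in left or peer in right


if __name__ == "__main__":
    reply = Packet(ip_address("10.0.0.50"), ip_address("10.0.2.10"))  # Netgear host -> Vyatta host
    print(enters_tunnel(reply, NETGEAR_LAN, VYATTA_LAN, False, False))  # True: no NAT in the path
    print(enters_tunnel(reply, NETGEAR_LAN, VYATTA_LAN, True, False))   # False: src became the WAN IP
    print(enters_tunnel(reply, NETGEAR_LAN, VYATTA_LAN, True, True))    # True: VPN traffic excluded
    print(peer_on_protected_lan(ip_address("10.0.2.2"), VYATTA_LAN, NETGEAR_LAN))  # True: Dan's eth0
```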


Re: [Vyatta-users] IPSec VPN - almost working! Help please...

2007-10-22 Thread Dan Murray
Yes, both tunnels are up. I doubt the tunnels are the problem. As I said I
can use the tunnel just fine one way (pings go through to remote hosts and
everything). However coming back toward the vyatta net nothing gets through.

I'll look into logging. I still feel like I'm missing a step on the vyatta
side. Normally with a cisco, after making the route I'd have to make a
policy to allow packets to that net, but I thought I did that already with
the firewall command. Maybe there's something else I'm missing, routing
maybe?

Here's another question - the tunnel is on eth0. When I allow the packets,
I'm allowing them from eth0 to the local net - which doesn't seem right but
I don't know how else to do it. Is there another way to refer to the tunnel
when I'm specifying a network-to-network policy? I can't imagine it is
included in the adapter it goes over.

Thanks,
Dan

On 10/21/07, Justin Fletcher <[EMAIL PROTECTED]> wrote:
>
> Do you have both the IKE and IPsec tunnels up?
>
> You can also turn on detailed debug logging in the VPN configuration;
> that'll give you directions to look.
>
> Best,
> Justin
>
> On 10/21/07, Dan Murray <[EMAIL PROTECTED]> wrote:
> > Not sure - I don't know enough about vyatta to know. I tried making a
> > firewall rule that allowed that source network to the local destination
> > network but it didn't seem to help. Any other ideas?
> >
> > Thanks,
> > Dan
> >
> >
> > On 10/21/07, David Nalley <[EMAIL PROTECTED]> wrote:
> > >
> > >
> > >
> > > Hey Dan,
> > >
> > > Just a thought, is it a firewall issue?
> > >
> > >
> > >
> > > -Original Message-
> > > From: [EMAIL PROTECTED] on behalf of Dan Murray
> > > Sent: Sun 10/21/2007 6:21 PM
> > > To: vyatta-users@mailman.vyatta.com
> > > Subject: [Vyatta-users] IPSec VPN - almost working! Help please...
> > >
> > > Hey guys,
> > >
> > > I was impressed with myself, actually able to get an IPSec tunnel up and
> > > running between vyatta and a Netgear router, but I must be missing a final
> > > step. The tunnel works just fine, and I made a static route for that subnet
> > > and can ping anything on the remote LAN just fine from the vyatta machine.
> > > However, I cannot get from the other side of the network (the remote side)
> > > back to the vyatta net. Is there anything I need to do on the vyatta end to
> > > allow packets to come on through?
> > >
> > > Thanks guys,
> > >
> > > Dan M
> > >
> > >
> > >
> > >
> >
> >


Re: [Vyatta-users] IPSec VPN - almost working! Help please...

2007-10-21 Thread Dan Murray
Not sure - I don't know enough about vyatta to know. I tried making a
firewall rule that allowed that source network to the local destination
network but it didn't seem to help. Any other ideas?

Thanks,
Dan

On 10/21/07, David Nalley <[EMAIL PROTECTED]> wrote:
>
>  Hey Dan,
>
> Just a thought, is it a firewall issue?
>
>
>
> -Original Message-
> From: [EMAIL PROTECTED] on behalf of Dan Murray
> Sent: Sun 10/21/2007 6:21 PM
> To: vyatta-users@mailman.vyatta.com
> Subject: [Vyatta-users] IPSec VPN - almost working! Help please...
>
> Hey guys,
>
> I was impressed with myself, actually able to get an IPSec tunnel up and
> running between vyatta and a Netgear router, but I must be missing a final
> step. The tunnel works just fine, and I made a static route for that subnet
> and can ping anything on the remote LAN just fine from the vyatta machine.
> However, I cannot get from the other side of the network (the remote side)
> back to the vyatta net. Is there anything I need to do on the vyatta end to
> allow packets to come on through?
>
> Thanks guys,
>
> Dan M
>
>


[Vyatta-users] IPSec VPN - almost working! Help please...

2007-10-21 Thread Dan Murray
Hey guys,

I was impressed with myself, actually able to get an IPSec tunnel up and
running between vyatta and a Netgear router, but I must be missing a final
step. The tunnel works just fine, and I made a static route for that subnet
and can ping anything on the remote LAN just fine from the vyatta machine.
However, I cannot get from the other side of the network (the remote side)
back to the vyatta net. Is there anything I need to do on the vyatta end to
allow packets to come on through?

Thanks guys,

Dan M