Dan, are you sure that the Netgear isn't filtering (firewall) traffic? Pings work from the Netgear network to Vyatta, meaning it's leaving the Netgear network, traversing the tunnel, hitting the destination and then returning to the Netgear network. So bi-directional traffic is working just fine. What does tcpdump or tshark show you?
Dan Murray wrote:
> Hey Robyn,
>
> Yeah, I guess I didn't give you the whole story. The Vyatta "machine" is your VMware image, which is behind a $50 firewall router. So the 0.0.0.0/0 static route to 10.0.2.1 is to go through that router before hitting the internet. The VMware box is in the DMZ, so it seems like it should be ok that way. But of course this complicates things in that everything is going through eth0. Probably not the best way to do it, but really my only choice since it's not on dedicated hardware.
>
> I am confused as to why you have the Vyatta and Netgear both on the same private subnet over the internet - shouldn't these be public internet addresses in this case? That is the scenario.
>
> And to answer your question about the tunnel, traffic is definitely going both ways. Doing a show sa stats does in fact prove this - I see bytes both in and out. So I'm led to believe that the tunnel itself is just fine, and maybe even the Vyatta machine is fine and for some reason the Netgear isn't routing over the tunnel. Maybe my static route is screwed up?
>
> Anyway, beyond that I probably can't follow - I'm not too savvy about routing. But like I said, it definitely works one way. I can even pull up web pages hosted on the remote network (.0.0) on the local network (.2.0) with no problems whatsoever. Just can't do the same from the remote network back. Confusing indeed.
>
> Thanks again for the help.
>
> Dan
>
> On 10/22/07, Robyn Orosz <[EMAIL PROTECTED]> wrote:
>
> Hi Dan,
>
> I'm not sure how you are able to ping the devices behind the Netgear, but it's most likely not via the VPN tunnel. If traffic is only passing one-way on a tunnel you normally wouldn't see the return packets from your pings. If you run a 'show vpn ipsec sa statistics' on the Vyatta router, I'm thinking you'll see 0 bytes in and out, but let me know.
>
> Normally a VPN network-to-network tunnel will look something like -->
>
>                                     Internet
>   Vyatta eth1   Vyatta eth0 ----------------------------- Netgear WAN   Netgear LAN
>   10.0.2.0/24   10.0.1.1/24                               10.0.1.2/24   10.0.0.0/24
>        |                                                                     |
>        -----------------------------------------------------------------------
>                                        VPN
>
> It's a bit odd to have the local subnet and the peering address on the same network. I'm thinking this in itself will probably prevent you from passing traffic over the tunnel, because if you're directly connected to another device with the 10.0.2.0/24 network, it will ARP for devices with an address of 10.0.2.x rather than forward their packets to the Vyatta router.
>
> Also, your routers don't need a static route for the VPN tunnel networks, as the VPN tunnel serves as a connected route to the network on the other side of the tunnel on each router.
>
> Is this a lab setup where both routers are hooked up via a switch of some sort, or is this VPN connection over the internet? It looks like you have at least one other device between the Netgear and the Vyatta router?
>
> Thank you,
>
> Robyn
>
>
> Dan Murray wrote:
>> Hi Robyn,
>>
>> Thanks for the clarification, it's a big help. Here's my setup:
>>
>> Vyatta --------------------------------------- Netgear
>> 10.0.2.0/24              VPN              10.0.0.0/24
>>
>> I can ping anything on the Netgear network from the Vyatta box. I cannot ping to the Vyatta network from the Netgear box. I have created a static route on the Netgear for 10.0.2.0/24 to use gateway 10.0.2.2 (the Vyatta IP).
>>
>> Here's my config:
>>
>> protocols {
>>     static {
>>         disable: false
>>         route 0.0.0.0/0 {
>>             next-hop: 10.0.2.1
>>             metric: 1
>>         }
>>         route 10.0.0.0/24 {
>>             next-hop: 10.0.0.1
>>             metric: 1
>>         }
>>     }
>> }
>> policy {
>> }
>> interfaces {
>>     restore: false
>>     loopback lo {
>>         description: ""
>>     }
>>     ethernet eth0 {
>>         disable: false
>>         discard: false
>>         description: ""
>>         hw-id: 00:0C:29:F5:B5:2F
>>         duplex: "auto"
>>         speed: "auto"
>>         address 10.0.2.2 {
>>             prefix-length: 24
>>             disable: false
>>         }
>>     }
>>     ethernet eth1 {
>>         disable: false
>>         discard: false
>>         description: ""
>>         hw-id: 00:0C:29:F5:B5:39
>>         duplex: "auto"
>>         speed: "auto"
>>     }
>>     ethernet eth2 {
>>         disable: false
>>         discard: false
>>         description: ""
>>         hw-id: 00:0C:29:F5:B5:43
>>         duplex: "auto"
>>         speed: "auto"
>>     }
>> }
>> service {
>>     http {
>>         port: 80
>>     }
>> }
>> firewall {
>>     log-martians: "enable"
>>     send-redirects: "disable"
>>     receive-redirects: "disable"
>>     ip-src-route: "disable"
>>     broadcast-ping: "disable"
>>     syn-cookies: "enable"
>> }
>> system {
>>     host-name: "vyatta"
>>     domain-name: ""
>>     time-zone: "GMT"
>>     ntp-server "69.59.150.135"
>>     login {
>>         user root {
>>             full-name: ""
>>             authentication {
>>                 encrypted-password: "$1$$Ht7gBYnxI1xCdO/JOnodh."
>>             }
>>         }
>>         user vyatta {
>>             full-name: ""
>>             authentication {
>>                 encrypted-password: "$1$$Ht7gBYnxI1xCdO/JOnodh."
>>             }
>>         }
>>     }
>>     package {
>>         auto-sync: 1
>>         repository community {
>>             component: "main"
>>             url: "http://archive.vyatta.com/vyatta"
>>         }
>>     }
>> }
>> vpn {
>>     ipsec {
>>         ipsec-interfaces {
>>             interface eth0
>>         }
>>         copy-tos: "disable"
>>         ike-group "ike-1" {
>>             proposal 1 {
>>                 encryption: "aes128"
>>                 hash: "sha1"
>>             }
>>             lifetime: 28800
>>             aggressive-mode: "disable"
>>         }
>>         esp-group "esp-1" {
>>             proposal 1 {
>>                 encryption: "aes128"
>>                 hash: "sha1"
>>             }
>>             mode: "tunnel"
>>             lifetime: 28800
>>             pfs: "enable"
>>             compression: "disable"
>>         }
>>         site-to-site {
>>             peer *netgear IP here* {
>>                 authentication {
>>                     mode: "pre-shared-secret"
>>                     pre-shared-secret: "SECRET IS HERE"
>>                 }
>>                 ike-group: "ike-1"
>>                 local-ip: 10.0.2.2
>>                 tunnel 1 {
>>                     local-subnet: 10.0.2.0/24
>>                     remote-subnet: 10.0.0.0/24
>>                     allow-nat-networks: "disable"
>>                     allow-public-networks: "disable"
>>                     esp-group: "esp-1"
>>                 }
>>             }
>>         }
>>     }
>> }
>> rtrmgr {
>>     config-directory: "/opt/vyatta/etc/config"
>> }
>>
>>
>> Any ideas? The Netgear side does have a NAT. I guess the Vyatta side does too.
>>
>> Thanks in advance...
>>
>> Dan
>>
>>
>> On 10/22/07, Robyn Orosz <[EMAIL PROTECTED]> wrote:
>>
>> Hi Dan,
>>
>> It's not clear to me which end can ping what from your original message, but here's a few ideas... if your only purpose for creating a firewall on the Vyatta router was to allow packets to flow through the VPN tunnel, you don't need it. You should delete the firewall or remove it from the interface until you get traffic passing, as the firewall may make this issue more difficult to pinpoint.
>>
>> The Vyatta router allows all packets through by default. There is no firewall unless you explicitly configure one.
>>
>> Are you using NAT on either device? Because NAT has the potential to cause problems when passing traffic over a tunnel.
>> All packets must match the left and right subnets in order to enter the VPN tunnel. If they are modified in any way by some sort of NAT rule, they won't be allowed to enter the tunnel. So, if you're NAT'ing on the Netgear you'll need to find a way to exclude VPN packets from being NAT'ted. If you're NAT'ing on the Vyatta router, you'll need to do the same.
>>
>> If it doesn't appear to be a NAT issue, you may want to post your configs so we can make sure everything looks correct otherwise.
>>
>> Thanks!
>>
>> Robyn
>>
>> Dan Murray wrote:
>> > Yes, both tunnels are up. I doubt the tunnels are the problem. As I said, I can use the tunnel just fine one way (pings go through to remote hosts and everything). However, coming back toward the Vyatta net nothing gets through.
>> >
>> > I'll look into logging. I still feel like I'm missing a step on the Vyatta side. Normally with a Cisco, after making the route I'd have to make a policy to allow packets to that net, but I thought I did that already with the firewall command. Maybe there's something else I'm missing, routing maybe?
>> >
>> > Here's another question - the tunnel is on eth0. When I allow the packets, I'm allowing them from eth0 to the local net - which doesn't seem right, but I don't know how else to do it. Is there another way to refer to the tunnel when I'm specifying a network-to-network policy? I can't imagine it is included in the adapter it goes over.
>> >
>> > Thanks,
>> > Dan
>> >
>> > On 10/21/07, Justin Fletcher <[EMAIL PROTECTED]> wrote:
>> >
>> > Do you have both the IKE and IPsec tunnels up?
>> >
>> > You can also turn on detailed debug logging in the VPN configuration; that'll give you directions to look.
>> >
>> > Best,
>> > Justin
>> >
>> > On 10/21/07, Dan Murray <[EMAIL PROTECTED]> wrote:
>> > > Not sure - I don't know enough about Vyatta to know. I tried making a firewall rule that allowed that source network to the local destination network, but it didn't seem to help. Any other ideas?
>> > >
>> > > Thanks,
>> > > Dan
>> > >
>> > >
>> > > On 10/21/07, David Nalley <[EMAIL PROTECTED]> wrote:
>> > > >
>> > > > Hey Dan,
>> > > >
>> > > > Just a thought, is it a firewall issue?
>> > > >
>> > > >
>> > > > -----Original Message-----
>> > > > From: [EMAIL PROTECTED] on behalf of Dan Murray
>> > > > Sent: Sun 10/21/2007 6:21 PM
>> > > > To: vyatta-users@mailman.vyatta.com
>> > > > Subject: [Vyatta-users] IPSec VPN - almost working! Help please...
>> > > >
>> > > > Hey guys,
>> > > >
>> > > > I was impressed with myself, actually able to get an IPSec tunnel up and running between Vyatta and a Netgear router, but I must be missing a final step. The tunnel works just fine, and I made a static route for that subnet and can ping anything on the remote LAN just fine from the Vyatta machine. However, I cannot get from the other side of the network (the remote side) back to the Vyatta net. Is there anything I need to do on the Vyatta end to allow packets to come on through?
>> > > >
>> > > > Thanks guys,
>> > > >
>> > > > Dan M
>> > >
>> > >
>> > > _______________________________________________
>> > > Vyatta-users mailing list
>> > > Vyatta-users@mailman.vyatta.com
>> > > http://mailman.vyatta.com/mailman/listinfo/vyatta-users
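The three configuration problems the replies in this thread point at (the peering address sitting on the same network as the tunnel's local subnet, a static route for the far-side network that the tunnel already provides, and NAT rewriting packets before they are matched against the tunnel's left and right subnets) written up as a small set of checks. This is an added Python example, not code from the thread, from Vyatta or from any of the posters. The `Router`, `Tunnel` and `NatRule` classes, the two sample configurations (one mirroring the config Dan posted, one following Robyn's diagram with a hypothetical masquerade rule) and the model that NAT is applied before the selector comparison are all assumptions of this example.

```python
"""Sanity checks for a site-to-site IPsec policy.

Added example: the classes, the sample routers and the NAT model below are
constructed for illustration and are not Vyatta code or configuration syntax.
NAT is modelled as being applied before a packet is compared with the tunnel's
local/remote subnets, which is the behaviour described in the thread.
"""
import ipaddress
from dataclasses import dataclass, field


def _net(s):
    return ipaddress.ip_network(s, strict=False)


@dataclass
class Tunnel:
    local_ip: str        # peering address IKE/ESP use on this router
    local_subnet: str    # traffic selector, this side
    remote_subnet: str   # traffic selector, far side


@dataclass
class NatRule:
    source: str          # match: packet source inside this range
    destination: str     # match: packet destination inside this range
    translate_to: str    # new source address; None = leave the packet untouched


@dataclass
class Router:
    interfaces: dict                     # name -> ["addr/prefixlen", ...]
    static_routes: dict                  # "prefix" -> next-hop
    tunnels: list
    nat: list = field(default_factory=list)

    def connected(self):
        return [_net(a) for addrs in self.interfaces.values() for a in addrs]


def apply_nat(r, src, dst):
    """First matching rule wins; an exclusion rule (translate_to=None) stops processing."""
    for n in r.nat:
        if src in _net(n.source) and dst in _net(n.destination):
            return src if n.translate_to is None else ipaddress.ip_address(n.translate_to)
    return src


def selects_tunnel(r, src, dst):
    """Return (tunnel index or None, source address the selectors actually saw)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    eff = apply_nat(r, src, dst)          # NAT happens before selector matching in this model
    for i, t in enumerate(r.tunnels):
        if eff in _net(t.local_subnet) and dst in _net(t.remote_subnet):
            return i, str(eff)
    return None, str(eff)


def findings(r):
    """One message per configuration problem; an empty list means nothing to flag."""
    out = []
    conn = r.connected()
    for i, t in enumerate(r.tunnels):
        lsub, rsub = _net(t.local_subnet), _net(t.remote_subnet)
        if ipaddress.ip_address(t.local_ip) in lsub:
            out.append(f"peering address {t.local_ip} lies inside local-subnet {t.local_subnet} "
                       "(protected network and transport network overlap)")
        for prefix, nh in r.static_routes.items():
            if _net(prefix) == rsub:
                msg = f"static route {prefix} via {nh} is unnecessary: the tunnel provides that route"
                if not any(ipaddress.ip_address(nh) in c for c in conn):
                    msg += f"; next-hop {nh} is not on any connected network"
                out.append(msg)
        # Probe one host on each side and see whether the packet would enter this tunnel.
        probe, target = next(lsub.hosts()), next(rsub.hosts())
        idx, eff = selects_tunnel(r, str(probe), str(target))
        if idx != i:
            out.append(f"traffic {probe} -> {target} does not enter tunnel {i} (source seen by the "
                       f"selectors: {eff}); if NAT rewrote it, exclude {t.remote_subnet}-bound packets from NAT")
    return out


# Constructed to mirror the configuration Dan posted: a single interface, the peering
# address on the protected subnet, and a static route for the remote subnet.
DAN = Router(
    interfaces={"eth0": ["10.0.2.2/24"]},
    static_routes={"0.0.0.0/0": "10.0.2.1", "10.0.0.0/24": "10.0.0.1"},
    tunnels=[Tunnel("10.0.2.2", "10.0.2.0/24", "10.0.0.0/24")],
)

# Constructed after Robyn's diagram (LAN on eth1, peering address on eth0), plus a
# hypothetical masquerade rule that also catches tunnel traffic.
MASQ = NatRule("10.0.2.0/24", "0.0.0.0/0", "10.0.1.1")
EXCLUDE = NatRule("10.0.2.0/24", "10.0.0.0/24", None)
ROBYN = Router(
    interfaces={"eth1": ["10.0.2.1/24"], "eth0": ["10.0.1.1/24"]},
    static_routes={},
    tunnels=[Tunnel("10.0.1.1", "10.0.2.0/24", "10.0.0.0/24")],
    nat=[MASQ],
)
FIXED = Router(ROBYN.interfaces, ROBYN.static_routes, ROBYN.tunnels, nat=[EXCLUDE, MASQ])

if __name__ == "__main__":
    for name, r in (("as posted", DAN), ("per diagram + masquerade", ROBYN), ("with NAT exclusion", FIXED)):
        print(f"[{name}]")
        for f in findings(r) or ["no findings"]:
            print("  -", f)
        print("  10.0.2.10 -> 10.0.0.5 enters tunnel:", selects_tunnel(r, "10.0.2.10", "10.0.0.5"))
```

Running the script prints the findings for each of the three constructed routers. The "as posted" layout is flagged for the overlapping peering address and for the unnecessary static route whose next-hop is not on any connected network; the diagram layout with a plain masquerade rule is flagged because the probe packet leaves the selectors' source range before it is matched; putting the exclusion rule ahead of the masquerade rule clears the finding while internet-bound traffic is still translated.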