TOPIC: IPCop and Net-to-Net VPN

IPCop and Net-to-Net VPN 10 years 9 months ago #13206

Alexey (New Member, Posts: 11, Karma: 0)
Good day, everyone. I've installed IPCop firewalls on 2 separate boxes (both configured GREEN+RED). I created a VPN tunnel between them (status open), but pings from both internal networks to the other end do not get through.
What am I doing wrong? Where should I check?


GREEN - 172.30.1.0
RED - Y.Y.Y.Y
IPCOP
|
|
INTERNET
|
|
IPCOP
RED - X.X.X.X
GREEN - 192.168.100.0

Re: IPCop and Net-to-Net VPN 10 years 9 months ago #13208

DaLight (Honored Member, Posts: 1302, Karma: 1)
You stated that a tunnel was created with a status of "OPEN", but you cannot ping machines behind the IPCOPs.

1. Check that you've entered the correct values for the "Local Subnet" in the VPN setup screen on both IPCOPs.
2. Use the route command to print out your routing table to ensure that the correct routes are in place.

Routing table 10 years 9 months ago #13216

Alexey (New Member, Posts: 11, Karma: 0)
Thank you for the fast answer. Please find the routing tables from both sides here:

IPCOP 1 (RED IP - X.X.X.212)

Destination     Gateway         Genmask         Flags Metric Ref Use Iface
192.168.100.0   X.X.X.209       255.255.255.0   UG    0      0   0   ipsec0
172.30.1.0      0.0.0.0         255.255.255.0   U     0      0   0   eth0
62.0.0.0        0.0.0.0         255.0.0.0       U     0      0   0   eth1
62.0.0.0        0.0.0.0         255.0.0.0       U     0      0   0   ipsec0
0.0.0.0         X.X.X.209       0.0.0.0         UG    0      0   0   eth1

IPCOP 2 (RED IP - Y.Y.Y.108)

Destination     Gateway         Genmask         Flags Metric Ref Use Iface
192.168.100.0   0.0.0.0         255.255.255.0   U     0      0   0   eth0
82.198.180.0    0.0.0.0         255.255.255.0   U     0      0   0   eth1
82.198.180.0    0.0.0.0         255.255.255.0   U     0      0   0   ipsec0
172.30.1.0      Y.Y.Y.1         255.255.255.0   UG    0      0   0   ipsec0
0.0.0.0         Y.Y.Y.1         0.0.0.0         UG    0      0   0   eth1

It seems to be correct.

Re: IPCop and Net-to-Net VPN 10 years 9 months ago #13219

DaLight (Honored Member, Posts: 1302, Karma: 1)
Sorry, Alexey. I can't quite get my head round the tables due to the missing numbers. Reading routing tables is not one of my strongest points! Would you be able to repost the original network map with all the internal/external IPs and labelled IPCOPs? And then could you print the routing tables without obscured IPs? I understand your not wanting to put in the real IPs, so could you please replace them with fake ones. I want to be sure that you have not left anything out.
Could you also put in any routers in your network path, with their IPs as well?

On the other hand, if anyone else can make sense of the above tables, please jump in.

Re: IPCop and Net-to-Net VPN 10 years 9 months ago #13220

Alexey (New Member, Posts: 11, Karma: 0)
No problem. Here is the real configuration with fake IPs.

IPCOP 1 (RED IP - 53.141.108.212)

53.141.108.209 is the IP of a Cisco 1700 router standing between the IPCop (53.141.108.212) and the outside world. But it could not be the problem, because it does not filter anything at all. There is a second firewall standing behind it (with a separate outside IP, of course), and it works OK.
From this side (green network) I can ping 192.168.100.253 (IPCop 2's green IP), but nothing inside the network.
From IPCOP1 itself I cannot ping 192.168.100.253.

Destination     Gateway         Genmask         Flags Metric Ref Use Iface
192.168.100.0   53.141.108.209  255.255.255.0   UG    0      0   0   ipsec0
172.30.1.0      0.0.0.0         255.255.255.0   U     0      0   0   eth0
53.0.0.0        0.0.0.0         255.0.0.0       U     0      0   0   eth1
53.0.0.0        0.0.0.0         255.0.0.0       U     0      0   0   ipsec0
0.0.0.0         53.141.108.209  0.0.0.0         UG    0      0   0   eth1

IPCOP 2 (RED IP - 92.198.180.108)

This machine is just looking to the internet without any routing.
The ISP's gateway is 92.198.180.1. From this side I cannot ping 172.30.1.253 (IPCop 1's green IP) at all, neither from the IPCop machine nor from the green network.

Destination     Gateway         Genmask         Flags Metric Ref Use Iface
192.168.100.0   0.0.0.0         255.255.255.0   U     0      0   0   eth0
92.198.180.0    0.0.0.0         255.255.255.0   U     0      0   0   eth1
92.198.180.0    0.0.0.0         255.255.255.0   U     0      0   0   ipsec0
172.30.1.0      92.198.180.1    255.255.255.0   UG    0      0   0   ipsec0
0.0.0.0         92.198.180.1    0.0.0.0         UG    0      0   0   eth1


The VPN tunnel is not OpenVPN, just a standard IPCop VPN tunnel with a pre-shared key.

Re: IPCop and Net-to-Net VPN 10 years 9 months ago #13241

DaLight (Honored Member, Posts: 1302, Karma: 1)
Strange, the tables appear to be OK. One thing to point out though is that you will not be able to ping remote GREEN networks from the IPCOPs themselves. You will only be able to ping from the GREEN networks. So the fact that you can't ping from the IPCOPs is not a problem.

You mentioned that you could ping IPCOP2's green IP from IPCOP1's green network. You could not however ping machines in IPCOP2's green network. Have you checked that the machines you're trying to ping don't have personal firewalls enabled (such as in XPSP2)?

This still doesn't explain why you cannot ping IPCOP1's green IP from IPCOP2's green network. You may try a trace route.

Anyway, check out the personal firewalls and let us know the results.
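Two of the checks discussed in this thread can be done mechanically: DaLight's step of reading the route table to confirm the remote GREEN subnet leaves through the tunnel interface, and his later point that a ping sourced by the IPCop box itself never enters a net-to-net tunnel. The script below is an added example and not code from the thread or from IPCop; it feeds the two route -n tables Alexey posted (fake public IPs as he gave them) through a small route parser, runs a longest-prefix lookup like the kernel's, and flags a constructed table with the tunnel route removed. It assumes the tunnel interface is named ipsec0 as in the posted tables, that the VPN's Local/Remote Subnet fields act as the selectors for which src/dst pairs the tunnel carries, and, for the last comparison, that the firewall sources its own pings from its RED address; 172.30.1.10 is a constructed GREEN host.

```python
import ipaddress

# Sample input: the two "route -n" tables posted in the thread (fake public IPs,
# as Alexey wrote them), with the standard route -n header row added.
ROUTE_IPCOP1 = """\
Destination     Gateway         Genmask         Flags Metric Ref Use Iface
192.168.100.0   53.141.108.209  255.255.255.0   UG    0      0   0   ipsec0
172.30.1.0      0.0.0.0         255.255.255.0   U     0      0   0   eth0
53.0.0.0        0.0.0.0         255.0.0.0       U     0      0   0   eth1
53.0.0.0        0.0.0.0         255.0.0.0       U     0      0   0   ipsec0
0.0.0.0         53.141.108.209  0.0.0.0         UG    0      0   0   eth1
"""

ROUTE_IPCOP2 = """\
Destination     Gateway         Genmask         Flags Metric Ref Use Iface
192.168.100.0   0.0.0.0         255.255.255.0   U     0      0   0   eth0
92.198.180.0    0.0.0.0         255.255.255.0   U     0      0   0   eth1
92.198.180.0    0.0.0.0         255.255.255.0   U     0      0   0   ipsec0
172.30.1.0      92.198.180.1    255.255.255.0   UG    0      0   0   ipsec0
0.0.0.0         92.198.180.1    0.0.0.0         UG    0      0   0   eth1
"""

# Constructed failure case: IPCOP1's table with the tunnel route missing.
ROUTE_IPCOP1_NO_TUNNEL = "\n".join(
    line for line in ROUTE_IPCOP1.splitlines() if not line.startswith("192.168.100.0")
)


def parse_routes(text):
    """Parse route -n output into route dicts; header lines are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or not parts[0][0].isdigit():
            continue
        dest, gateway, genmask, flags, _metric, _ref, _use, iface = parts[:8]
        routes.append({
            "net": ipaddress.ip_network(f"{dest}/{genmask}", strict=False),
            "gateway": gateway,
            "flags": flags,
            "iface": iface,
        })
    return routes


def lookup(routes, dst):
    """Longest-prefix match, the way the kernel picks a route for a destination."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in r["net"]]
    return max(matches, key=lambda r: r["net"].prefixlen) if matches else None


def check_tunnel_routes(routes, local_green, remote_green, tunnel_iface="ipsec0"):
    """Return a list of findings; an empty list means the routing side looks right."""
    findings = []
    local = ipaddress.ip_network(local_green)
    remote = ipaddress.ip_network(remote_green)

    # Local GREEN must be directly connected (no G flag) on a real interface, not the tunnel.
    r = lookup(routes, str(local.network_address + 1))
    if r is None or "G" in r["flags"] or r["iface"] == tunnel_iface:
        findings.append(f"local subnet {local} is not a directly connected route")

    # Remote GREEN must be reached through the tunnel interface by an exact route.
    r = lookup(routes, str(remote.network_address + 1))
    if r is None:
        findings.append(f"no route at all to remote subnet {remote}")
    elif r["iface"] != tunnel_iface:
        findings.append(f"remote subnet {remote} leaves via {r['iface']} instead of "
                        f"{tunnel_iface}: tunnel route missing")
    elif r["net"] != remote:
        findings.append(f"remote subnet {remote} only matched by broader {r['net']}: "
                        f"check Remote Subnet in the VPN setup")
    return findings


def matches_tunnel(src, dst, local_green, remote_green):
    """True if a tunnel with these Local/Remote Subnet selectors carries a src->dst packet."""
    return (ipaddress.ip_address(src) in ipaddress.ip_network(local_green)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(remote_green))


if __name__ == "__main__":
    for name, table, local, remote in (
        ("IPCOP1", ROUTE_IPCOP1, "172.30.1.0/24", "192.168.100.0/24"),
        ("IPCOP2", ROUTE_IPCOP2, "192.168.100.0/24", "172.30.1.0/24"),
        ("IPCOP1 without tunnel route", ROUTE_IPCOP1_NO_TUNNEL, "172.30.1.0/24", "192.168.100.0/24"),
    ):
        print(name, check_tunnel_routes(parse_routes(table), local, remote) or "OK")

    # Why a ping from the IPCop box itself proves nothing (assumption: the box sources it
    # from its RED address): that source is outside the Local Subnet selector.
    print(matches_tunnel("172.30.1.10", "192.168.100.253", "172.30.1.0/24", "192.168.100.0/24"))
    print(matches_tunnel("53.141.108.212", "192.168.100.253", "172.30.1.0/24", "192.168.100.0/24"))
```

Both posted tables come back clean, which matches DaLight's reading that routing is not the cause; the only asymmetry that changes the outcome is the missing tunnel route in the constructed case, where the remote subnet silently falls through to the default route on eth1. If the route side checks out, the remaining suspects are the ones the thread names next: the Local/Remote Subnet fields on each end and host firewalls on the machines being pinged.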