I have set up an IPsec VPN connection with the following parameters:
conn LK3
        type=tunnel
        authby=secret
        auto=start
        left=190.111.xxx.xxx
        leftsubnet=192.168.x.x/24
        right=66.179.xxx.xxx
        rightsubnets={172.16.x.x/12,10.0.x.x/8}
        salifetime=24h
        ikelifetime=8h
        ike=aes256-sha1;modp1024
        phase2alg=aes256-sha1;modp1536
        leftnexthop=190.111.x.y
        leftsourceip=192.168.x.y
        dpdaction=hold
        dpdtimeout=120
        dpddelay=30
        compress=no
        pfs=yes
        rekey=yes
        aggrmode=no
The tunnel is OK, we have phase 2, and we can ping their IP using the following firewall iptables rules:
$IPTABLES -t nat -I POSTROUTING -s 192.168.x.x/24 -d 10.0.x.x/8 -j ACCEPT # nonat1
$IPTABLES -t nat -I POSTROUTING -s 192.168.x.x/24 -d 172.16.x.x/12 -j ACCEPT # nonat2
$IPTABLES -A OUTPUT -d 172.16.x.x/12 -j ACCEPT # allow outbound to 172.16.x.x
$IPTABLES -A INPUT -s 172.16.x.x/12 -j ACCEPT # allow inbound from 172.16.x.x
$IPTABLES -A INPUT -s 10.0.x.x/8 -j ACCEPT # allow inbound from 10.0.x.x
$IPTABLES -A OUTPUT -d 10.0.x.x/8 -j ACCEPT # allow outbound to 10.0.x.x
$IPTABLES -A OUTPUT -d 66.179.xxx.xxx -j ACCEPT # allow outbound to LK
$IPTABLES -A INPUT -s 66.179.xxx.xxx -j ACCEPT # allow inbound from LK
THE PROBLEM is that they cannot see our LAN IPs: they can ping the firewall's LAN IP but nothing inside the LAN.
Thanks for your help.
regards,
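Added as a diagnostic, not part of the original post: the rules quoted above accept the remote subnets in INPUT and OUTPUT (which is why the firewall's own LAN IP answers) but contain no FORWARD rules, so with a default DROP policy on FORWARD nothing transits to hosts behind the firewall. This POSIX shell script audits an iptables-save dump (a constructed sample with placeholder subnets standing in for the masked ones) for the FORWARD entries and the no-NAT ordering a site-to-site tunnel needs, and prints the rules that are missing.

```shell
# Audit an iptables-save dump for what a site-to-site IPsec tunnel needs so that
# hosts behind the firewall, not only the firewall itself, are reachable.
# DUMP is a constructed sample modelled on the post's rules, with placeholder subnets.
LAN=192.168.1.0/24
REMOTES="172.16.0.0/12 10.0.0.0/8"
DUMP='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -d 10.0.0.0/8 -j ACCEPT
-A POSTROUTING -s 192.168.1.0/24 -d 172.16.0.0/12 -j ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A INPUT -s 172.16.0.0/12 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -j ACCEPT
COMMIT'

# forward_policy DUMP -> prints the FORWARD chain's default policy
forward_policy() {
  printf '%s\n' "$1" | awk '$1 == ":FORWARD" { print $2; exit }'
}

# has_forward_accept DUMP SRC DST -> exit 0 if a FORWARD rule accepts SRC->DST
has_forward_accept() {
  printf '%s\n' "$1" | awk -v s="$2" -v d="$3" '
    /^\*/ { table = substr($0, 2) }
    table == "filter" && $1 == "-A" && $2 == "FORWARD" && / -j ACCEPT/ &&
      index($0, "-s " s " ") && index($0, "-d " d " ") { found = 1; exit }
    END { exit !found }'
}

# nat_exempt_ok DUMP LAN REMOTE -> exit 0 if the no-NAT ACCEPT precedes MASQUERADE
nat_exempt_ok() {
  printf '%s\n' "$1" | awk -v l="$2" -v r="$3" '
    /^\*/ { table = substr($0, 2) }
    table == "nat" && $2 == "POSTROUTING" && / -j ACCEPT/ &&
      index($0, "-s " l " ") && index($0, "-d " r " ") { seen = 1 }
    table == "nat" && $2 == "POSTROUTING" && / -j MASQUERADE/ && !seen { bad = 1 }
    END { exit bad + 0 }'
}

# missing_forward_rules DUMP LAN "REMOTE ..." -> prints the FORWARD rules still needed
missing_forward_rules() {
  for r in $3; do
    has_forward_accept "$1" "$2" "$r" || echo "iptables -A FORWARD -s $2 -d $r -j ACCEPT"
    has_forward_accept "$1" "$r" "$2" || echo "iptables -A FORWARD -s $r -d $2 -j ACCEPT"
  done
}
missing_forward_rules "$DUMP" "$LAN" "$REMOTES"
```

On a live box, feed it `iptables-save` output instead of the sample; beyond the ruleset, also confirm net.ipv4.ip_forward=1 and that the LAN hosts route the remote subnets back via the firewall.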