[vpn-help] IPSec VPN to NetASQ not working when client inside same network class.
Jochen Boutens
jochen.boutens at finalbeta.net
Mon Dec 31 11:21:08 CST 2012
I'll create a test setup and report back. I'm running v8.
Kind regards,
Boutens Jochen
Email: Jochen.Boutens at Finalbeta.net
From: prolag at gmail.com [mailto:prolag at gmail.com] On Behalf Of Alexis La Goutte
Sent: Monday 31 December 2012 14:51
To: Jochen Boutens
Cc: vpn-help at lists.shrew.net
Subject: Re: [vpn-help] IPSec VPN to NetASQ not working when client inside same network class.
On Mon, Dec 31, 2012 at 1:35 PM, Jochen Boutens <jochen.boutens at finalbeta.net> wrote:
Hello,
You are absolutely right, the problem is a route that I cannot remove. I
forgot it was in place.
The NetASQ guide makes the client use its own IP address. Is a setup
possible in combination with NetASQ where an extra virtual adaptor is used
in the client?
Hi Jochen
You need to try...
Do you use V8 or V9 firmware?
Regards,
Kind regards,
Boutens Jochen
Email: Jochen.Boutens at Finalbeta.net
From: prolag at gmail.com [mailto:prolag at gmail.com] On Behalf Of Alexis La Goutte
Sent: Monday 31 December 2012 10:57
To: Jochen Boutens
Cc: vpn-help at lists.shrew.net
Subject: Re: [vpn-help] IPSec VPN to NetASQ not working when client inside same network class.
On Mon, Dec 31, 2012 at 9:58 AM, Jochen Boutens <jochen.boutens at finalbeta.net> wrote:
Hello,
(Some items have been changed, mail addresses, server address, subnets have
been changed to another subnet in the same class)
VPN Client config export:
n:version:4
n:network-ike-port:500
n:network-mtu-size:1380
n:client-addr-auto:1
n:network-natt-port:4500
n:network-natt-rate:15
n:network-frag-size:540
n:network-dpd-enable:1
n:client-banner-enable:0
n:network-notify-enable:1
n:client-dns-used:1
n:client-dns-auto:0
n:client-dns-suffix-auto:0
n:client-splitdns-used:1
n:client-splitdns-auto:0
n:client-wins-used:0
n:client-wins-auto:0
n:phase1-dhgroup:2
n:phase1-keylen:128
n:phase1-life-secs:21600
n:phase1-life-kbytes:0
n:vendor-chkpt-enable:0
n:phase2-keylen:128
n:phase2-life-secs:3600
n:phase2-life-kbytes:0
n:policy-nailed:0
n:policy-list-auto:0
s:network-host:vpn.fake.com
s:client-auto-mode:disabled
s:client-iface:direct
s:network-natt-mode:enable
s:network-frag-mode:enable
s:client-dns-addr:10.10.68.5
s:client-dns-suffix:fake.com
s:auth-method:mutual-psk
s:ident-client-type:ufqdn
s:ident-server-type:ufqdn
s:ident-client-data:fake at fake.com
s:ident-server-data:vpnfake at fake.com
b:auth-mutual-psk:CompletelyFakeKey
s:phase1-exchange:aggressive
s:phase1-cipher:aes
s:phase1-hash:sha1
s:phase2-transform:esp-aes
s:phase2-hmac:sha1
s:ipcomp-transform:disabled
n:phase2-pfsgroup:2
s:policy-level:unique
s:policy-list-include:10.10.68.0 / 255.255.255.0
Ifconfig on the device:
>ifconfig
em0: flags=28943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,PPROMISC> mtu 1504
options=5b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,POLLING>
ether 00:0d:b4:09:27:db
media: Ethernet autoselect (1000baseTX <full-duplex>)
status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 1500
inet 127.0.0.1 netmask 0xffffff00
lo1: flags=8009<UP,LOOPBACK,MULTICAST> mtu 1500
lo2: flags=8009<UP,LOOPBACK,MULTICAST> mtu 1500
lo3: flags=8009<UP,LOOPBACK,MULTICAST> mtu 1500
lo4: flags=8009<UP,LOOPBACK,MULTICAST> mtu 1500
lo5: flags=8009<UP,LOOPBACK,MULTICAST> mtu 1500
enc0: flags=41<UP,RUNNING> mtu 1536
eth0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
options=8<VLAN_MTU>
inet 91.*.*.* netmask 0xffffffe0 broadcast 91.*.*.*
ether 00:0d:b4:09:29:1c
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
eth1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
options=8<VLAN_MTU>
ether 00:0d:b4:09:29:1c
media: Ethernet autoselect
eth2: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
options=8<VLAN_MTU>
inet 10.10.68.254 netmask 0xffffff00 broadcast 10.10.68.255
inet 192.168.1.254 netmask 0xffffff00 broadcast 192.168.1.255
inet 10.10.61.254 netmask 0xffffff00 broadcast 10.10.61.255
inet 10.10.62.254 netmask 0xffffff00 broadcast 10.10.62.255
ether 00:0d:b4:09:29:1e
media: Ethernet autoselect (1000baseTX <full-duplex>)
status: active
eth3: flags=8842<BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=8<VLAN_MTU>
ether 00:0d:b4:09:29:1f
media: Ethernet autoselect
eth4: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=8<VLAN_MTU>
inet 192.168.231.2 netmask 0xfffffffc broadcast 192.168.231.3
ether 00:0d:b4:09:27:e0
media: Ethernet autoselect (1000baseTX <full-duplex>)
status: active
eth5: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=8<VLAN_MTU>
inet 192.168.231.6 netmask 0xfffffffc broadcast 192.168.231.7
ether 00:0d:b4:09:27:e1
media: Ethernet autoselect (1000baseTX <full-duplex>)
status: active
Kind regards,
Boutens Jochen
Email: Jochen.Boutens at Finalbeta.net
Hi Jochen,
Thanks for the information.
No static route in your VPN Gateway? (to any 10.x.x network?)
Is it possible to also add VPN logs? (from your VPN Gateway)
From: prolag at gmail.com [mailto:prolag at gmail.com] On Behalf Of Alexis La Goutte
Sent: Sunday 30 December 2012 18:07
To: Jochen.Boutens at finalbeta.net
Cc: vpn-help at lists.shrew.net
Subject: Re: [vpn-help] IPSec VPN to NetASQ not working when client inside same network class.
Hi Jochen,
Is it possible to attach your configuration?
How is your VPN Gateway configured? (Is it possible to attach an ifinfo?)
Regards,
On Fri, Dec 28, 2012 at 8:12 AM, Finalbeta <finalbeta at gmail.com> wrote:
Hello list,
I'm facing a problem with the VPN client (I think it is the client part)
when my client is inside the same network class.
My tested clients are windows 7 or 8.
My company subnet is 10.10.5.0/24 and 10.10.6.0/24
My clients have no problem when they are inside a class B or C subnet. (So
clients connecting from 172.16.* or 192.168.* have no problem connecting)
The same clients connecting from a local 10.10.*/24 can set up the IPsec
tunnel to the company, but it times out. I can get no traffic across it.
After several seconds the client gets disconnected.
I'm using the NetASQ guide from the wiki. I've configured the remote
networks manually inside the configuration and I am using the local IP
address on the client.
Thank you
Jochen (finalbeta at gmail.com)
_______________________________________________
vpn-help mailing list
vpn-help at lists.shrew.net
http://lists.shrew.net/mailman/listinfo/vpn-help
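The thread ends with the cause being a client-side route that captured the remote network before the VPN policy could. The check below is an added example, not code from the Shrew Soft client or from anyone in the thread: it parses `policy-list-include` entries in the client's export format (type:key:value, as posted above) and reports any policy network already covered by a non-default route on the client. The routing table and the 10.0.0.0/8 static route are constructed stand-ins for the route Jochen described.

```python
import ipaddress

# Constructed excerpt in the Shrew Soft export format quoted in the thread.
CLIENT_EXPORT = """\
s:client-iface:direct
s:policy-level:unique
s:policy-list-include:10.10.68.0 / 255.255.255.0
"""

# Constructed client routing table as (destination, gateway). The 10.0.0.0/8
# entry is a hypothetical stand-in for the leftover static route.
CLIENT_ROUTES = [
    ("0.0.0.0/0", "10.10.61.1"),
    ("10.10.61.0/24", "on-link"),
    ("10.0.0.0/8", "10.10.61.1"),
]


def policy_networks(export_text):
    """Return the remote networks listed in 'policy-list-include' entries."""
    nets = []
    for line in export_text.splitlines():
        parts = line.split(":", 2)  # type, key, value
        if len(parts) == 3 and parts[1] == "policy-list-include":
            addr, mask = (p.strip() for p in parts[2].split("/"))
            nets.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    return nets


def longest_match(routes, net):
    """Most specific route whose destination fully contains the policy network."""
    best = None
    for dest, gw in routes:
        d = ipaddress.ip_network(dest)
        if net.subnet_of(d) and (best is None or d.prefixlen > best[0].prefixlen):
            best = (d, gw)
    return best


def shadowed_policies(export_text, routes):
    """List (policy_net, route_dest, gateway) where a non-default route covers the policy."""
    findings = []
    for net in policy_networks(export_text):
        match = longest_match(routes, net)
        # The default route is expected; any narrower covering route is suspect.
        if match and match[0].prefixlen > 0:
            findings.append((str(net), str(match[0]), match[1]))
    return findings
```

A reported entry means the client's existing route, not the tunnel policy, decides where traffic for that network goes, which matches the "tunnel up, no traffic" symptom in the original post.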