1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

VPN with 3 routers (2,5...) - Italian

Discussion in 'Networking Issues' started by erman, Apr 3, 2007.

  1. erman

    erman LI Guru Member

    Hello, sorry for my thread is in Italian.

    First: my english makes crying
    Second: the problem includes a typical italian product, the Pirelli Alice Smart Gate, and this makes crying too... :cry:
    If you are interested and think to have an idea I'll try to tarnslate it for u.

    ------
    Ciao a tutti.

    Ho un problema un tantino impegnativo e vedrò di spiegarlo meglio che posso.

    Possiedo un Linksys BEFSX41, e mi sono convinto ad acquistarlo grazie a questo sito.

    Fin qui tutto bene, dal momento che ho anche un Pirelli Alice business gate al quale mi collego con la porta ethernet alla WAN del Linksys.

    Su quest'ultimo ho settato come gateway l'indirizzo LAN del Pirelli e tutto funziona a meraviglia, ma...

    Ora devo creare una VPN con una rete remota, sulla quale è installato un Netgear DG834, che permette di creare VPN tra due router.
    Ho configurato tutti i parametri sui due router, la connessione VPN ha successo, solo che non riesco in alcun modo a vedere la LAN remota.
    Ho l'impressione che la connessione VPN sia avvenuta tra la LAN remota e la mia WAN , quella per intenderci che collega il Pirelli con la porta WAN del Linksys, e non con la LAN locale.

    Penso di dovere creare una route o in qualche modo indirizzare il traffico VPN alla LAn locale, ma non so da che parte cominciare.

    Il Pirelli ha il NAPT settato solo sull'indirizzo WAN del Linksys, e il 'virtual server' settato sempre per questo indirizzo su tutte le porte tcp e udp.
    Dove sbaglio?

    Grazie a chi vorrà rispondermi.

    Erman
     
  2. ifican

    ifican Network Guru Member

    When you feel like translating we are here to listen.
     
  3. erman

    erman LI Guru Member

    I got a Linksys BEFSX41 and I connected it to a Pirelli Alice Business Gate modem router by means of the wan port. I have created in this manner a WAN composed of two routers, the LinkSys and the Pirelli, and I configured the linksys gateway as the Pirelli WAN address.

    All works great but... I need to create a VPN with a remote router, a Netgear DG834, wich allows to make VPNs with other routers as a client.

    I configured all parameters on both the routers, like this:
    Remote subNET 10.0.0.0/255.255.255.0.
    Local net address 192.168.3.2, wich is the Linksys Wan address (the Pirelli is 192.168.3.1).

    The Local LAN address and subnet is 192.168.0.0/255.255.255.0.

    I can see that the VPN connection is established in both the routers, but I cannot connect to the remote LAN at all.

    What can I do in this situation?

    I hope my post is clear enough, ask me other details if you need.

    Thanks to anybody who will answer me.

    Erman
     
  4. erman

    erman LI Guru Member

    The Pirelli is a very basic gate, it is not a fully featured router, I can only configure NAPT and Virtual server (redirection of some ports, or all, to a specific WAN address, but for TCP and UDP protocols only), but it is necessary to connect to the internet and I cannot replace it.
     
  5. aviegas

    aviegas Network Guru Member

    I do not know the specifics of the Pirelli router, but any NAT based router needs specific support for VPN passthru. VPN "negotiations" uses a protocol called IKE that connects on UDP port 500. UDP NAT is supported by virtually any router. The result is that the VPN tunnel seems to close, but data don't flow. Data flow for IPSec VPN is not based on TCP or UDP, but on a different protocol named ESP. This protocol require special support on a NAT router to work.

    I did a quick search for the specs of the Pirelli router, but the only thing that I could find was that it is an ADSL modem. Information from other Pirelli ADSL modems shows that their technology is pretty standard, so if the "Pirelli Alice Business Gate" does not do it, you can probably get around with a more featured modem.

    Why do you say you can't replace it?
     
  6. erman

    erman LI Guru Member

    This modem works only with a special smart card, where is stored all the data about connection (static IP specially). This is a modem that comes in bundle with the adsl contract I subscribed with my adsl provider.
    The line works also with a standard modem, but I geta dynamic IP and for some reason I have worst performances in navigation speed.
    I think that my problem is the ESP protocol, with my modem the Nat in fact can be setted for TCP and UDP protocols only.
    It is a very big problem for me..
     
  7. ifican

    ifican Network Guru Member

    Is the local lan on the remote side 192.168.0.0 or is that a typo for your lan? Also if the tunnel is connected as you say then ike and esp are passing correctly. How are you verifying that the tunnel is connected?
     
  8. erman

    erman LI Guru Member

    192.168.0.0 is the address of my local LAN
    The remote LAN is 10.0.0.0.
    I can access both routers via web interface and I get the message "connected" in the VPN section of the Linksys (local) and I can see in the remote router log the "IPsec SA established" message.
     
  9. ifican

    ifican Network Guru Member

    Ok where i got confused was the 192.168.3.x address which is the address between your linksys and pirelli device, got it. Look at the route table on the BEF and you should see a route entry for the 10.0.0.0 network. If that shows good, everything else sounds ok so you should be able to connect. How are you attempting to connect or access the remote machines, pinging, traceroute etc? And from which devices, some tunnels wont show connectivity if you attempt to prove it from the router itself but work just fine if initiated from a host behind the router.
     
  10. erman

    erman LI Guru Member

    Well, this is the routing table of the BEF:

    Destination LAN IPSubnet MaskDefault GatewayHop Count Interface
    0.0.0.0 0.0.0.0 192.168.3.1 1 WAN
    192.168.0.0 255.255.255.0 0.0.0.0 1 LAN
    192.168.3.0 255.255.255.252 0.0.0.0 1 WAN

    The first gateway is the addres of the Pirelli.
    Should I explicitly input the 10.0.0.0 address? And if so, wich is the gateway?
    I tryed to add the 10.0.0.0 network entry, with the public address of the remote router as a gateway, but I can't connect yet.
    I test the connection via web browser, I input the remote router LAN address, wich is 10.0.0.1: I should get the web administration interface. I know that this works, becouse I can set up a working VPN with a single PC with a VPN client installed on, connected with a modem instead of the BEF router, and all works fine.

    These are my BEF VPN secure settings, I'm in doubt of the local secure group, that is the BEF wan address; to the other side, if I input my local address 192.168.0.xxx I can't get any VPN connection:

    Local secure group IP Addr. 192.168.3.2
    Remote secure group Subnet 10.0.0.0
    255.255.255.0

    Is it possible that the local LAN is considered the 192.168.3.0 instead of 192.168.0.0, and so the tunnel is established between 10.0.0.0 and 192.168.3.0?
    What to do in this case?
     
  11. ifican

    ifican Network Guru Member

    Ok lets go back to the beginning. I am assuming you are making the vpn connection between the netgear and the linksys. Can you give us the configuration you have on both vpn's, local, remote, identification and security parameters.
     
  12. erman

    erman LI Guru Member

    it's correct.
    I work accross the internet.
    Linksys is in my site and is connected with my LAN
    Netgear is in the remote site.
    Both sites have a public static IP
    The pirelli is only the adsl modem wich allows me to connect to the internet.
     
  13. ifican

    ifican Network Guru Member

    Ok first make sure all of the ports on the pirelli are redirected to the linksys.

    Netgear config
    local 10.0.0.0 255.255.255.0
    remote subnet 192.168.0.0 255.255.255.0
    peer or identification use ip address (static ip of pirelli router)

    linksys config
    local 192.168.0.0 255.255.255.0
    remote subnet 10.0.0.0 255.255.255.0
    peer or identification use ip address (static ip of netgear router)


    Make sure that your security parameters are the same on both sides for instance:

    ike phase 1

    3des/md5
    preshare key
    dh group 2
    lifetime 28800

    ike phase 2

    esp-3des-md5
    dh group 2
    lifetime 3600

    these are just examples no matter what you use they need to be the same on both sides.
     
  14. erman

    erman LI Guru Member

    This example is the most logical, the first settings I tried to set up the VPN.
    But they don't work.

    The configuration that works is this:

    Netgear config
    local subnet 10.0.0.0 255.255.255.0
    remote address 192.168.3.2
    peer or identification use ip address (static ip of pirelli router)

    linksys config
    local address 192.168.3.2
    remote subnet 10.0.0.0 255.255.255.0
    peer or identification use ip address (static ip of netgear router)

    Now: is it correct or I must input my local network address as secure group?

    If it isn't correct why I can establish the tunnel?
     
  15. ifican

    ifican Network Guru Member

    So I can make sure we understand each other let me see if i can find some screenshots for the netgear and linksys router so i can see the exact connection settings. Its very late for me at the moment 2:45am, i am going to get some rest and ill check into this when i get up later today.
     
  16. erman

    erman LI Guru Member

    thanks a lot for your time.
    See you
     
  17. aviegas

    aviegas Network Guru Member

    Try:

    Local secure group: 192.168.0.0/255.255.255.0
    Remote Seucre Group: 10.0.0.0/255.255.255.0

    But are you sure that the remote end is not 10.0.0.0/255.0.0.0.

    With 10.0.0.0/255.255.255.0 you can only try addresses in 10.0.0.1 to 10.0.0.254.

    This will cause you connection not to work if you destination is not covered by the subnet mask.
     
  18. erman

    erman LI Guru Member

    I agree, but I need to access only 10.0.0.1 and 10.0.0.2 on the remote network, so the mask 255.255.255.0 is correct for this purpose..
     
  19. erman

    erman LI Guru Member

    Resolved!

    Ok, guys: all works perfectly!

    Ifican: you're right, if the connection takes place the VPN is completely established. This was the skill that made me persevere in this way.

    But start from the beginning.

    The connection really occurred between the remote LAN and the local WAN. It was impossible in this circumstance to get a connection from my PC, since it is in a different subnet than the WAN.

    If you remember:
    remote LAN: 10.0.0.0
    local WAN: 192.168.3.0
    local LAN: 192.168.0.0

    So the correct secure settings were the those posted in your example:

    Netgear config
    local 10.0.0.1 255.255.255.0
    remote subnet 192.168.0.1 255.255.255.0
    peer or identification use ip address (static ip of pirelli router)

    linksys config
    local 192.168.0.1 255.255.255.0
    remote subnet 10.0.0.1 255.255.255.0
    peer or identification use ip address (static ip of netgear router)

    The real issue consists in the Linksys authentication mode (here I'm speaking about IKE mode...), in fact the BEFSX41 sends, in any case, his WAN IP address as his identifier to the remote endpoint.

    So, if the remote endpoint can't accept this address as identifier, the connection can't take place.

    I decided to abandon the IKE mode and I set manual settings for both VPN endpoints and all works great.

    So the Pirelli can really works with VPNs, and it is perfectly transparent to VPN protocols.

    THANKS again, ifican and aviegas, for your posts that helped me to find the solution.

    Erman
     
  20. ifican

    ifican Network Guru Member

    I am sure i can speak for both of us as neither of us would be here if we didnt want to help. Glad all is working well you.
     

Share This Page