[isalist] Re: Vpn routing problem (URGENT)

  • From: "Daniel" <daniel@xxxxxxxxxxxxxxxx>
  • To: "Egyptian Mind" <innocent_angel_eng@xxxxxxxxxxx>
  • Date: Mon, 3 Jul 2006 09:20:25 -0300

http://www.ISAserver.org
-------------------------------------------------------
On my partners (remote vpn sites) that have linux boxes, the problem is related with iptables (linux builtin kernel firewall) and ip_forward. The linux gateway just don't forward the packets, it need rules to allow this traffic and probably ip_forward enabled.


thanks for helps!


----- Original Message ----- From: "Egyptian Mind" <innocent_angel_eng@xxxxxxxxxxx>
To: <isalist@xxxxxxxxxxxxx>
Cc: <daniel@xxxxxxxxxxxxxxxx>
Sent: Saturday, July 01, 2006 7:50 AM
Subject: RE: [isalist] Vpn routing problem (URGENT)




simply, as a temperoray solution, you can make an *.bat file and write the local route in it, and assign a group policy to run this file as startup to all hosts in the remote offices..


this will help you till we find out what is the appropiate solution






Best Regards Mohamed Saleh Senior Network Administrator College of Business Administration, CBA Jeddah, Saudi Arabia Tel: +966-02-6563199 ext 2521 Cell: - +966-50-2953591


!~` Yesterday is a History` ~! !~` Tomorrow is a Mystery` ~! !~` Today is a Gift` ~! !~` So we call it ...............` ~! !~` Present .......Simple` ~!



------------------------------------------------------------------------------
From: "Daniel" <daniel@xxxxxxxxxxxxxxxx>
Reply-To: isalist@xxxxxxxxxxxxx
To: "ISAServerList" <isalist@xxxxxxxxxxxxx>
Subject: [isalist] Vpn routing problem (URGENT)
Date: Wed, 28 Jun 2006 10:53:11 -0300
>http://www.ISAserver.org
>-------------------------------------------------------
>
>I have a vpn gateway to gateway between a ISA server/w2k (headquarter) and a RRAS/w2k (branch1), my rouing
>don't work. It's a very basic routing plan. I have five cases with the same problem.
>
>Resuming:
>
>---headquarter (ISA server/w2k)
>internal-iface=192.168.15.1 mask=/24, external-iface=x.x.x.x (public ip)
>. demand dial vpn iface= "dd-to-remote1", persistent, destination= (y.y.y.y see below), fix-ip=192.168.0.97
> (flag initiate connection when traffic accross ENABLED)
>. static route 192.168.0.0/24 trough iface "dd-to-remote1"
>. headquarter LAN default gateway is the ISA (192.168.15.1)
>
>---remote-site-1 (MS RRAS/w2k)
>internal iface: 192.168.0.98 mask=/24, external-iface=y.y.y.y (public ip referenced above)
>. demand dial iface="dd-headquarter", persistent, destination=BLANK (should no initiate connections)
>fix-ip=192.168.15.20
>. static route 192.168.15.0/24 trough iface "dd-headquarter"
> (flag initiate connection when traffic accross DISABLED)
>. default LAN gateway is a cisco router (192.168.0.1)
>. on the cisco I have this route: destination=192.168.15.0 mask=24 gateway=192.168.0.98 (the RRAS
>internal-iface)
>
>I have no filters, but routing don't work.
>On ISA and on the RRAS console I can ping the other end subnet (is cause they have logical interfaces in each
>end), but from LAN machines I can not.
>
>Tracing from a "headquarter" LAN machine(192.168.0.15.6) to a remote-site-1 LAN machine (192.168.0.5)
>c:>tracert -d 192.168.0.5
>192.168.15.1 (ISA int iface)
>192.168.0.97 (dd-to-remote1 iface)
>* * *
>* * *
>* * *
>
>Tracing from a "remote-site-1" LAN machine(192.168.0.8) to a "headquarter" LAN machine (192.168.15.11)
>c:>tracert -d 192.168.15.11
>192.168.0.1 (default LAN gateway cisco router)
>* * *
>20.x.x.x (than try cisco default gateway the internet)
>* * *
>* * *
>* * *
>Seems the RRAS is rejecting packets from cisco router.
>
>Follow the last example, tracing from 192.168.0.8 to 192.168.15.11, but puting a local route entry on
>192.168.0.8,
>the same route that the cisco default gateway has, than it work fine.
>c:> route add 192.168.0.15 mask 255.255.255.0 192.168.0.98
>c:>tracert -d 192.168.15.11
>192.168.0.98 (RRAS LAN iface)
>192.168.0.97 (dd-headquarter iface)
>192.168.15.11 (headquartee LAN machine)
>trace completed!
>
>I have five gw-to-gw vpns on my headquarter ISA server, all the remote VPN sites have the same problem. In
>remote sites the LAN default gateway is another router (cisco, linux, ...) not the remote RRAS server, but put
>a route to the headquarter subnet trough the RRAS don't work. I know that it's very basic in TCP/IP, but In
>need to put route entries on the some LAN machines to work!
>
>Anyone can see a mistake in my routing plan?
>
>
>Daniel Müller
>Microsoft Certified Systems Engineer [MCSE + Security]
>Linux Professional Institute Certified Level 2 [LPIC-2]
>Master in Computer Science (network security area)
>Softplan Sistems
>Florianópolis, Brazil
>
>------------------------------------------------------
>List Archives: http://www.freelists.org/archives/isalist/
>ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
>ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
>ISA Server Blogs: http://blogs.isaserver.org/
>------------------------------------------------------
>Visit TechGenix.com for more information about our other sites:
>http://www.techgenix.com
>------------------------------------------------------
>To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
>Report abuse to listadmin@xxxxxxxxxxxxx
>



------------------------------------------------------
List Archives: http://www.freelists.org/archives/isalist/ ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/ ISA Server Blogs: http://blogs.isaserver.org/ ------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com ------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp Report abuse to listadmin@xxxxxxxxxxxxx


Other related posts: