You are on page 1of 4

Zentyal server

I need help

Stay tuned

Contribute

More
Home

user

password

Forever

Login

Register

Login

Please login or register.

Professional support

Certified training

Become a partner

Zentyal Support Forum Zentyal Server Installation and C onfiguration IPSEC between Zentyal and Sonicwall not working
previous next
Pages: 1 [2]

Author
rahul_dhakan
Zen Apprentice

Posts: 12
Karma: +0/-0

P RI N T

Topic: IPSEC between Zentyal and Sonicwall not working (Read 905 times)
Re: IPSEC between Zentyal and Sonicwall not
working
Reply #15 on: October 17, 2013, 08:50:38 am
Quote from: rahul_dhakan on October 16, 2013, 09:25:47 am

Fire wall rule s configure d from GUI on Ze ntyal:


inte rnal ne twork s to Ze ntyal -> Allow Any Any
inte rnal ne twork s -> Allow Any Any
e x te rnal ne twork s to Ze ntyal -> Allow Any IPSEC
Traffic com ing out from Ze ntyal -> Allow Any Any

Do I need to allow anything more from external to internal?


Logged

jbahillo
Zentyal Staff
Zen Hero
Posts: 820
Karma: +52/-0

rahul_dhakan
Zen Apprentice
Posts: 12
Karma: +0/-0

christian
Guest

Re: IPSEC between Zentyal and Sonicwall not


working
Reply #16 on: October 17, 2013, 09:16:39 am

Are you sure that both Zentyal and Sonicwall have Public IP addresses?. Zentyal IPSEC module does not support at
this moment NATted tunnels for IPSEC.
Logged

Re: IPSEC between Zentyal and Sonicwall not


working
Reply #17 on: October 17, 2013, 11:31:50 am

Yup both Zentyal and sonicwall have public ip address and I can see tunnel up in at both the side.
Logged

Re: IPSEC between Zentyal and Sonicwall not


working
Reply #18 on: October 17, 2013, 12:59:02 pm

what is not clear to me is the current status.


You have added FW rules and show new log capture where there is no more dropped packets except ICMP (BTW do
you accept ICMP ?) and remote desktop.
Does it mean that is works for other protocols now ?
Logged

rahul_dhakan
Zen Apprentice
Posts: 12
Karma: +0/-0

Re: IPSEC between Zentyal and Sonicwall not


working
Reply #19 on: October 17, 2013, 01:25:01 pm

Current status is same as previous. It does not allow any protocol however I have allowed Any Any so it should
allow TCP/ICMP any but it doesn't. I show you ICMP and remote desktop only as I was testing only for them.
Logged

christian
Guest

Re: IPSEC between Zentyal and Sonicwall not


working
Reply #20 on: October 17, 2013, 01:43:59 pm

Looking at some screen copy in documentation, it looks like there is no place for rules applied to "internet to

intranet"
Is there something I missed or do you confirm 3.x interface is built this way ?
Logged

Re: IPSEC between Zentyal and Sonicwall not


working

rahul_dhakan
Zen Apprentice

Posts: 12
Karma: +0/-0

Reply #21 on: October 18, 2013, 06:49:28 am

We can apply manual rules by putting iptables rules in /etc/zentyal/hooks/firewall.postservice and I added rules
accordingly but it does not work. I have called bye to Zentyal for now and configured PfSense yesterday with same
rule to Sonicwall and it works perfectly. I appreciate your help and response.
Logged

Re: IPSEC between Zentyal and Sonicwall not


working

ugly_joe
Zen Apprentice

Posts: 2
Karma: +0/-0

Reply #22 on: October 21, 2013, 11:22:10 am

i have exactly same problem. Its pfsense on other side, so its zentyal firewall/routing bug.
Logged

Re: IPSEC between Zentyal and Sonicwall not


working

vargax
Zen Apprentice
Posts: 5
Karma: +1/-0

Reply #23 on: January 14, 2014, 10:10:34 pm

Hi,
After a lot of searching and debugging I could setup the IPSec LAN to LAN VPN in Zentyal 3.3. You have to create a
Firewall postservice script in /etc/zentyal/hooks allowing incoming connections from the remote subnet:
Code: [Se le ct]
cd /etc/zentyal/hooks
cp template.postservice firewall.postservice
nano firewall.postservice

At the end of the file, before exit 0 add "iptables -A ffwdrules -s <remote_subnet> -j ACCEPT" for example:
Code: [Se le ct]
# Hook scripts need to be executable by root (note that examples are not).
iptables -A ffwdrules -s 192.168.9.0/24 -j ACCEPT
iptables -A ffwdrules -s 192.168.10.0/24 -j ACCEPT
iptables -A ffwdrules -s 192.168.12.0/24 -j ACCEPT
exit 0

In my case the local subnet is 192.168.11.0/24 and I have 3 remote subnets: 192.168.9.0/24 192.168.10.0/24
192.168.12.0/24, so I have 3 IPsec LAN to LAN tunnels.
References:
http://wiki.openwrt.org/doc/howto/netfilter
http://trac.zentyal.org/ticket/7881

Logged

allan
Zen Apprentice
Posts: 1
Karma: +0/-0

vargax
Zen Apprentice

Posts: 5
Karma: +1/-0

Re: IPSEC between Zentyal and Sonicwall not


working
Reply #24 on: January 23, 2014, 06:25:10 am

Thank you Vargax, we've been having the exact same issue and your solution worked perfectly!
Logged

Re: IPSEC between Zentyal and Sonicwall not


working
Reply #25 on: February 20, 2014, 11:16:43 pm

Actually I found a better solution, making it to work like in Zentyal 2.0...


You have to ssh to the server, then:
Code: [Se le ct]
sudo su
nano /etc/zentyal/firewall.conf

Look for the last lines and uncomment it:


Code: [Se le ct]

# Uncomment the following to show the from External to Internal section


show_ext_to_int_rules = yes
# Uncomment the following to show the Rules added by Zentyal services
show_service_rules = yes

Now in the firewall module you would find two new sections (you may be need to reboot your server):
- From external to internal networks
- Zentyal services
In the External to Internal networks you can create rules to allow traffic between IPsec subnets:

Just create a new Network Object for your subnets:

And then create a new rule in External to Internal Networks allowing traffic from subnets to subnets:

You will note that now you can access hosts in the subnets but you can not access the servers through its private
IPs:
- Server
- Server
- Server
- Server

A
B
A
B

can
can
can
can

not
not
not
not

access
access
access
access

hosts in
hosts in
services
services

subnet B
subnet A
in Server B through B's private ip
in Server A through A's private ip

To solve this you have to edit /etc/ipsec.conf and add the proper leftsourceip and rightsourceip parameters in each
connection:
Code: [Se le ct]
# VPN: l222 (ipsec): 11.11.11.11 <=> 10.10.10.10
conn l222
left=11.11.11.11
right=10.10.10.10
rekey=yes
keyingtries=0
leftsubnet=192.168.11.0/24
leftsourceip=192.168.11.1 # !!!!!!!!!!!!!!!!!!!
rightsubnet=192.168.10.0/24
rightsourceip=192.168.10.1 # !!!!!!!!!!!!!!!!!!!
pfs=yes
auth=esp
keyexchange=ike
ike=3des-md5
ikelifetime=28800s
esp=3des-md5;modp1024
keylife=3600s
authby=secret

After this a
you
need to restart the ipsec service:
uto=start
Code:
[Se
le
ct]
# VPN
:h
ay
uelo (ipsec): 11.11.11.11 <=> 9.9.9.9
c
so
en
rn
vih
ca
eyu
ie
pl
so
ec restart
left=11.11.11.11
right=9.9.9.9

Unfortunately
this
rekey=
yes changes are lost when you reboot the server or add a new IPsec connection... Right now my
solution iske
to
yin
have
gtries
a=0
copy of the ipsec.conf file and restore it after each reboot...
leftsubnet=192.168.11.0/24
left
sourceip=192.168.11.1 # !!!!!!!!!!!!!!!!!!!
After adjust
ipsec.conf:
rightsubnet=192.168.9.0/24
rightsourceip=192.198.9.1 # !!!!!!!!!!!!!!!!!!!
Code: [Se le ct]
pfs=yes
cp /etc/i
ap
us
te
hc
=.
ec
so
pnf /root/ipsec.conf
nano /etc
k/
ez
ye
en
xt
cy
ha
al
n/
gh
eo
=o
ik
ks
e/ipsec.postsetconf
ike=3des-md5
ikelifetime=28800s

And put inside:

esp=3des-md5;modp1024
keylife=3600s
Code: [Se le
ct]
au
thby=secret
#!/bin/sh
auto=start
rm /etc/ipsec.conf
cp /root/ipsec.conf /etc/ipsec.conf
exit 0

Then set the correct mod:


Code: [Se le ct]
chmod --reference=/etc/zentyal/hooks/template.postsetconf /etc/zentyal/hooks/ipsec.postsetconf

Off course you have to adjust your backup file (/root/ipsec.conf) after each config change you made through the
web interface.

** Right now for some reason the IPsec service doesn't start automatically at system boot, so you have to log into
the web interface and restart the IPsec service
This bug was reported here: https://tracker.zentyal.org/issues/48 and it persist in Zentyal 3.4
Sources:
http://serverfault.com/questions/503864/openswan-tunnel-up-but-works-only-in-one-direction
https://wiki.debian.org/HowTo/openswan
https://lists.openswan.org/pipermail/users/2005-December/007589.html
Last Edit: June 10, 2014, 05:41:38 pm by vargax

Logged

Pages: 1 [2]

P RI N T

previous next
Zentyal Support Forum Zentyal Server Installation and C onfiguration IPSEC between Zentyal and Sonicwall not working

Jum p to:

=> Installation and Configuration

Powe re d by SMF 2.0.4 | Le gal Notice and Privacy Policy | SMF 20062011, Sim ple Machine s LLC
XHTML R SS W AP2

go