Zentyal Support Forum > Zentyal Server Installation and Configuration > IPSEC between Zentyal and Sonicwall not working
Pages: 1 [2]
Topic: IPSEC between Zentyal and Sonicwall not working (Read 905 times)

jbahillo
Zentyal Staff
Zen Hero
Posts: 820
Karma: +52/-0
Re: IPSEC between Zentyal and Sonicwall not working
Reply #15 on: October 17, 2013, 08:50:38 am
Quote from: rahul_dhakan on October 16, 2013, 09:25:47 am
Are you sure that both Zentyal and Sonicwall have public IP addresses? The Zentyal IPSEC module does not at this moment support NATted tunnels for IPSEC.
Logged

rahul_dhakan
Zen Apprentice
Posts: 12
Karma: +0/-0
Yup, both Zentyal and Sonicwall have public IP addresses and I can see the tunnel up at both sides.
Logged

rahul_dhakan
Zen Apprentice
Posts: 12
Karma: +0/-0
Current status is the same as previous. It does not allow any protocol; however, I have allowed Any Any so it should allow TCP/ICMP but it doesn't. I showed you ICMP and remote desktop only as I was testing only for them.
Logged

christian
Guest
Looking at some screen copies in the documentation, it looks like there is no place for rules applied to "internet to intranet".
Is there something I missed, or do you confirm the 3.x interface is built this way?
Logged
rahul_dhakan
Zen Apprentice
Posts: 12
Karma: +0/-0
We can apply manual rules by putting iptables rules in /etc/zentyal/hooks/firewall.postservice and I added rules
accordingly but it does not work. I have called bye to Zentyal for now and configured PfSense yesterday with same
rule to Sonicwall and it works perfectly. I appreciate your help and response.
Logged
ugly_joe
Zen Apprentice
Posts: 2
Karma: +0/-0
I have exactly the same problem. It's pfSense on the other side, so it's a Zentyal firewall/routing bug.
Logged
vargax
Zen Apprentice
Posts: 5
Karma: +1/-0
Hi,
After a lot of searching and debugging I could set up the IPSec LAN to LAN VPN in Zentyal 3.3. You have to create a firewall postservice script in /etc/zentyal/hooks allowing incoming connections from the remote subnet:
Code: [Select]
cd /etc/zentyal/hooks
cp template.postservice firewall.postservice
nano firewall.postservice
At the end of the file, before exit 0, add "iptables -A ffwdrules -s <remote_subnet> -j ACCEPT", for example:
Code: [Select]
# Hook scripts need to be executable by root (note that examples are not).
iptables -A ffwdrules -s 192.168.9.0/24 -j ACCEPT
iptables -A ffwdrules -s 192.168.10.0/24 -j ACCEPT
iptables -A ffwdrules -s 192.168.12.0/24 -j ACCEPT
exit 0
In my case the local subnet is 192.168.11.0/24 and I have 3 remote subnets: 192.168.9.0/24, 192.168.10.0/24 and 192.168.12.0/24, so I have 3 IPsec LAN to LAN tunnels.
References:
http://wiki.openwrt.org/doc/howto/netfilter
http://trac.zentyal.org/ticket/7881
Logged
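The firewall.postservice hook that rahul_dhakan and vargax describe, written out as an added example; this is not vargax's script and not a file shipped by Zentyal. It takes the "ffwdrules" chain name from the thread, and the local and remote subnets are constructed values. It goes a step beyond the three plain "-A ... -j ACCEPT" lines above: because Zentyal rebuilds its ruleset and re-runs the hook on every firewall restart, each rule is checked with "iptables -C" before being appended (no duplicate rules piling up), each rule is limited to our LAN as destination, and the "-m policy --dir in --pol ipsec" match only accepts packets that actually arrived through an IPsec SA, so a packet on the plain WAN interface that merely spoofs a remote-subnet source address is not let through.

```shell
#!/bin/sh
# Added example of /etc/zentyal/hooks/firewall.postservice (not vargax's, not Zentyal's).
# Assumes the Zentyal 3.x "ffwdrules" chain named in the thread; subnets are constructed.

LOCAL_SUBNET="192.168.11.0/24"                                   # constructed
REMOTE_SUBNETS="192.168.9.0/24 192.168.10.0/24 192.168.12.0/24"  # constructed

# Accept only dotted-quad/prefix input so a typo can never become an empty or odd "-s" arg.
valid_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Print one idempotent iptables command line per valid remote subnet.
# Usage: build_ffwd_rules <local_subnet> <remote_subnet>...
build_ffwd_rules() {
    local_net="$1"; shift
    for net in "$@"; do
        if ! valid_cidr "$net"; then
            echo "firewall.postservice: skipping invalid subnet '$net'" >&2
            continue
        fi
        # Only traffic that came in through an IPsec SA, and only towards our own LAN.
        rule="ffwdrules -s $net -d $local_net -m policy --dir in --pol ipsec -j ACCEPT"
        # -C checks whether the rule already exists; append only when it does not.
        echo "iptables -C $rule 2>/dev/null || iptables -A $rule"
    done
}

# Number of rules that would be applied (quick sanity check for the operator).
count_ffwd_rules() {
    build_ffwd_rules "$@" | wc -l | tr -d ' '
}

# DRY_RUN=1 (the default here) only prints the commands; run as root with DRY_RUN=0 from the
# hook to apply them. There is deliberately no top-level "exit 0" so the functions can be
# sourced and tested; put the exit at the end of the real hook file as the template does.
run_hook() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        build_ffwd_rules "$LOCAL_SUBNET" $REMOTE_SUBNETS
    else
        build_ffwd_rules "$LOCAL_SUBNET" $REMOTE_SUBNETS | sh
    fi
}

run_hook
```

Run it once without DRY_RUN to see the exact commands it would issue; the "-C || -A" pairing means the hook can be re-run as often as Zentyal restarts the firewall without the ffwdrules chain growing, and "iptables -L ffwdrules -n" should show exactly one line per remote subnet afterwards.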
allan
Zen Apprentice
Posts: 1
Karma: +0/-0
Thank you Vargax, we've been having the exact same issue and your solution worked perfectly!
Logged

vargax
Zen Apprentice
Posts: 5
Karma: +1/-0
Now in the firewall module you will find two new sections (you may need to reboot your server):
- From external to internal networks
- Zentyal services
In the External to Internal networks section you can create rules to allow traffic between IPsec subnets:
And then create a new rule in External to Internal Networks allowing traffic from subnets to subnets:
You will note that now you can access hosts in the subnets but you can not access the servers through their private IPs:
- Server A can access hosts in subnet B
- Server B can access hosts in subnet A
- Server A can not access services in Server B through B's private ip
- Server B can not access services in Server A through A's private ip
To solve this you have to edit /etc/ipsec.conf and add the proper leftsourceip and rightsourceip parameters in each connection:
Code: [Select]
# VPN: l222 (ipsec): 11.11.11.11 <=> 10.10.10.10
conn l222
left=11.11.11.11
right=10.10.10.10
rekey=yes
keyingtries=0
leftsubnet=192.168.11.0/24
leftsourceip=192.168.11.1 # !!!!!!!!!!!!!!!!!!!
rightsubnet=192.168.10.0/24
rightsourceip=192.168.10.1 # !!!!!!!!!!!!!!!!!!!
pfs=yes
auth=esp
keyexchange=ike
ike=3des-md5
ikelifetime=28800s
esp=3des-md5;modp1024
keylife=3600s
authby=secret
auto=start

# VPN: hayuelo (ipsec): 11.11.11.11 <=> 9.9.9.9
conn hayuelo
left=11.11.11.11
right=9.9.9.9
rekey=yes
keyingtries=0
leftsubnet=192.168.11.0/24
leftsourceip=192.168.11.1 # !!!!!!!!!!!!!!!!!!!
rightsubnet=192.168.9.0/24
rightsourceip=192.168.9.1 # !!!!!!!!!!!!!!!!!!! (must lie inside rightsubnet)
pfs=yes
auth=esp
keyexchange=ike
ike=3des-md5
ikelifetime=28800s
esp=3des-md5;modp1024
keylife=3600s
authby=secret
auto=start
After this you need to restart the ipsec service:
Code: [Select]
service ipsec restart
Unfortunately these changes are lost when you reboot the server or add a new IPsec connection... Right now my solution is to have a copy of the ipsec.conf file and restore it after each reboot...
After adjusting ipsec.conf:
Code: [Select]
cp /etc/ipsec.conf /root/ipsec.conf
nano /etc/zentyal/hooks/ipsec.postsetconf
Code: [Select]
#!/bin/sh
rm /etc/ipsec.conf
cp /root/ipsec.conf /etc/ipsec.conf
exit 0
Of course you have to adjust your backup file (/root/ipsec.conf) after each config change you make through the web interface.
** Right now for some reason the IPsec service doesn't start automatically at system boot, so you have to log into the web interface and restart the IPsec service
This bug was reported here: https://tracker.zentyal.org/issues/48 and it persists in Zentyal 3.4
Sources:
http://serverfault.com/questions/503864/openswan-tunnel-up-but-works-only-in-one-direction
https://wiki.debian.org/HowTo/openswan
https://lists.openswan.org/pipermail/users/2005-December/007589.html
Last Edit: June 10, 2014, 05:41:38 pm by vargax
Logged
Powered by SMF 2.0.4 | Legal Notice and Privacy Policy | SMF 2006-2011, Simple Machines LLC