VPN issue

hardwareRVR
Posts: 11
Joined: September 26th, 2017, 7:56 am


Post by hardwareRVR » September 26th, 2017, 11:28 am

Hello,
I'm testing IPFire to renew our old IPCop during a public connection change, and now I'm testing the VPN connection between the firewalls because I need to have two VPN connections with our client.
Situation:
Public 1 net > IPCop 2.1.9 > LAN1+DMZ1
Public 2 net > IPFire 2.19 x86_64 - 113 > LAN2+DMZ2
The two VPN connections, from LAN1 to LAN2 and from LAN1 to DMZ2, are made with IKEv1 and ESP (128-bit AES, SHA1, MODP1536); both firewalls say connected.
I have a web server on LAN2 with ports 80 and 21 open on the public 2 IP.
-------------------
Firewall Rules:
ACCEPT, Proto = TCP, Source = Any, Destination = Firewall (RED): 80 ->LAN2 IP: 80
ACCEPT, Proto = TCP, Source = Any, Destination = Firewall (RED): 21 ->LAN2 IP: 21
--------------------
1st issue: the documentation says that you need to open ports 80 and 21 on RED in "incoming firewall access" to reach it from public, but with or without these rules the web/FTP server is visible from the public IP.
2nd issue:
a) I want to reach the web server across the VPN using its LAN2 IP from my PC on LAN1, but I'm not able to reach it (connection timeout); if I reach it from public all is OK.
b) If I ping it with the LAN2 IP or the public 2 IP, it is OK.
c) I tested an FTP connection: using the LAN2 IP over the VPN the connection is OK but it doesn't show the LIST; on public all is OK.

Tests made with tcpdump over SSH, checking the connection across the VPN:
With the ping command, all is visible on both LANs.
With an HTTP connection I see the packets on the IPCop LAN1 from my PC to the LAN2 web server IP, with a 0-length reply from the LAN2 web server IP, but no packet on the IPFire LAN interface.
With an FTP connection I see the packets up to the connection on both LAN interfaces, and afterwards some packets on the ftp-data port with zero length, only visible on the LAN2 IPFire interface.
It seems that ports 20 and 80 aren't able to pass through the VPN.

Strange issue:
Yesterday I had the same problem, so I tried to change the LAN2 IP to another block (before 192.168.10.x, after 192.168.11.x) and magically the web and FTP through the VPN became OK; this morning, without any change from yesterday, the same problem as yesterday.

What am I doing wrong?

Thank you
Andrea.
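The tcpdump observations above (ping fine, HTTP request goes out, only zero-length replies come back, FTP control works but ftp-data shows only empty packets) can be checked systematically rather than by eye. The script below is an added example, not code from the original post or from the IPFire/IPCop projects. It parses tcpdump's default numeric TCP output over a constructed sample capture (hypothetical 192.168.0.x / 192.168.10.x addresses in the spirit of the thread) and reports, per connection, whether the three-way handshake completed and how many payload bytes were seen in each direction. A flow whose handshake completes but whose payload only ever crosses in one direction, while ICMP and other small packets pass, is the pattern that usually points at full-size segments being dropped somewhere on the tunnel path (MTU/fragmentation) rather than at a firewall rule, so it is worth separating the two cases before changing rules.

```python
import re
from dataclasses import dataclass

# Matches one TCP line of "tcpdump -n" output, e.g.
# 10:01:00.000100 IP 192.168.0.10.51234 > 192.168.10.5.80: Flags [S], seq 100, win 64240, length 0
# ICMP and other non-TCP lines have no port suffix / Flags field and are skipped.
TCP_LINE = re.compile(
    r"^\S+ IP (?P<sip>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\].*?length (?P<length>\d+)$"
)

# Constructed sample capture (hypothetical addresses, not from the thread):
#  - port 80: handshake completes, client sends the request, server only ACKs
#  - ICMP echo: passes (ignored by the TCP parser)
#  - port 22: handshake completes, payload flows both ways
#  - port 443: SYN retransmitted, no SYN/ACK ever seen
SAMPLE_CAPTURE = """\
10:01:00.000100 IP 192.168.0.10.51234 > 192.168.10.5.80: Flags [S], seq 100, win 64240, options [mss 1460], length 0
10:01:00.000900 IP 192.168.10.5.80 > 192.168.0.10.51234: Flags [S.], seq 500, ack 101, win 65160, options [mss 1380], length 0
10:01:00.001000 IP 192.168.0.10.51234 > 192.168.10.5.80: Flags [.], ack 501, win 502, length 0
10:01:00.001500 IP 192.168.0.10.51234 > 192.168.10.5.80: Flags [P.], seq 101:445, ack 501, win 502, length 344
10:01:00.002500 IP 192.168.10.5.80 > 192.168.0.10.51234: Flags [.], ack 445, win 509, length 0
10:01:01.200000 IP 192.168.10.5.80 > 192.168.0.10.51234: Flags [.], ack 445, win 509, length 0
10:01:02.500000 IP 192.168.0.10 > 192.168.10.5: ICMP echo request, id 7, seq 1, length 64
10:01:02.500800 IP 192.168.10.5 > 192.168.0.10: ICMP echo reply, id 7, seq 1, length 64
10:01:05.000000 IP 192.168.0.10.51300 > 192.168.10.5.22: Flags [S], seq 900, win 64240, length 0
10:01:05.000700 IP 192.168.10.5.22 > 192.168.0.10.51300: Flags [S.], seq 300, ack 901, win 65160, length 0
10:01:05.001000 IP 192.168.0.10.51300 > 192.168.10.5.22: Flags [P.], seq 901:922, ack 301, win 502, length 21
10:01:05.002000 IP 192.168.10.5.22 > 192.168.0.10.51300: Flags [P.], seq 301:322, ack 922, win 509, length 21
10:01:08.000000 IP 192.168.0.10.51400 > 192.168.10.5.443: Flags [S], seq 700, win 64240, length 0
10:01:09.000000 IP 192.168.0.10.51400 > 192.168.10.5.443: Flags [S], seq 700, win 64240, length 0
"""


@dataclass
class Flow:
    client: str            # "ip:port" of the side that sent the bare SYN
    server: str
    synack_seen: bool = False
    bytes_c2s: int = 0     # payload bytes observed client -> server
    bytes_s2c: int = 0     # payload bytes observed server -> client


def parse_tcp_lines(text):
    """Yield (src, dst, flags, payload_len) for each TCP line; other lines are skipped."""
    for line in text.splitlines():
        m = TCP_LINE.match(line.strip())
        if not m:
            continue
        src = f"{m['sip']}:{m['sport']}"
        dst = f"{m['dip']}:{m['dport']}"
        yield src, dst, m["flags"], int(m["length"])


def classify(flow):
    """Verdict for one connection based on handshake state and payload direction."""
    if not flow.synack_seen:
        return "NO_HANDSHAKE"        # SYN sent, no SYN/ACK: blocked or unrouted
    if flow.bytes_c2s and flow.bytes_s2c:
        return "OK"
    if flow.bytes_c2s or flow.bytes_s2c:
        return "ONE_WAY_PAYLOAD"     # handshake fine, data only crosses one way
    return "NO_PAYLOAD"


def analyze(text):
    """Map "client -> server" to (verdict, bytes client->server, bytes server->client)."""
    flows = {}
    for src, dst, flags, length in parse_tcp_lines(text):
        key = frozenset((src, dst))
        if flags == "S":                       # bare SYN: src is the client
            flows.setdefault(key, Flow(client=src, server=dst))
            continue
        flow = flows.get(key)
        if flow is None:                       # mid-stream packet, SYN not captured
            continue
        if "S" in flags and "." in flags and src == flow.server:
            flow.synack_seen = True
        if src == flow.client:
            flow.bytes_c2s += length
        else:
            flow.bytes_s2c += length
    return {f"{f.client} -> {f.server}": (classify(f), f.bytes_c2s, f.bytes_s2c)
            for f in flows.values()}


if __name__ == "__main__":
    for conn, (verdict, c2s, s2c) in analyze(SAMPLE_CAPTURE).items():
        print(f"{conn:45} {verdict:16} c->s {c2s:5d} B   s->c {s2c:5d} B")
```

Run it against a real capture by replacing SAMPLE_CAPTURE with the output of `tcpdump -n -i <lan interface>` taken on each firewall; comparing the verdict for the same connection on the LAN1 side and the LAN2 side shows at which hop the server's data stops appearing.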

Arne.F
Core Developer
Posts: 8522
Joined: May 7th, 2006, 8:57 am
Location: BS <-> NDH

Re: VPN issue

Post by Arne.F » September 26th, 2017, 3:14 pm

1st issue: the documentation says that you need to open ports 80 and 21 on RED in "incoming firewall access" to reach it from public, but with or without these rules the web/FTP server is visible from the public IP.
Have you really tested this from RED? If you try to connect to the RED IP from green you can reach the port because this traffic came in via green and was not filtered.
Strange issue:
Yesterday I had the same problem, so I tried to change the LAN2 IP to another block (before 192.168.10.x, after 192.168.11.x) and magically the web and FTP through the VPN became OK; this morning, without any change from yesterday, the same problem as yesterday.
Which IP range does the IPCop use?
Arne

Support the project with a donation!

PS: I will not answer support questions via email and will ignore IPFire-related messages on my non-IPFire.org mail addresses.

hardwareRVR
Posts: 11
Joined: September 26th, 2017, 7:56 am

Re: VPN issue

Post by hardwareRVR » September 27th, 2017, 7:04 am

Arne.F wrote:
September 26th, 2017, 3:14 pm
1st issue: the documentation says that you need to open ports 80 and 21 on RED in "incoming firewall access" to reach it from public, but with or without these rules the web/FTP server is visible from the public IP.
Have you really tested this from RED? If you try to connect to the RED IP from green you can reach the port because this traffic came in via green and was not filtered.
Yes, my PC uses provider 1 through IPCop and the RED of IPFire is on a second provider; the same happens using a smartphone with a GSM connection.
Strange issue:
Yesterday I had the same problem, so I tried to change the LAN2 IP to another block (before 192.168.10.x, after 192.168.11.x) and magically the web and FTP through the VPN became OK; this morning, without any change from yesterday, the same problem as yesterday.
Which IP range does the IPCop use?
IPCop uses the 192.168.0.x range; I know that they must not be in the same range. I have been using VPN connections between 3 different networks with IPCop for at least 7 years and never found these problems.
The abnormal behaviour is that one day with the .10.x network it doesn't work, after modifying the net to .11.x it works, the day after it doesn't work again, and today it doesn't work.
If I try to connect to a web server on the IPCop green from the IPFire green using the LAN IP address to pass through the VPN it works OK, but not in the opposite direction.

I'll add a piece of information: using SSH to connect to the LAN IP of IPFire from the IPCop LAN over the VPN, all is OK.

Found the issue...... ach....
WEB PROXY on IPCop not properly set.
Unset it and the web server is still visible...... bah..... I'll try tomorrow.

Why.

Thanks in advance
Andrea T.
