Hello,
finally I solved my problem as follows:

1. Uncheck "use default gateway on remote network" in warrior (Windows)
2. Create route192.bat file:
       route add 192.168.2.0 mask 255.255.255.0 10.0.1.123
3. Run route192.bat as administrator (when the VPN connection is established)

It works as expected: traffic to 192.168.2.0 goes through the VPN, the rest through the warrior's local gateway.

# When using PPTP (npppd) I do not need to add an extra route to "LAN behind VPNgateway" (2.) - it works by default. Why?
GW88# grep "^[^#;]" /etc/iked.conf
ikev2 "roadWarrior" passive ipcomp esp \
        from 192.168.2.0/24 to 10.0.1.0/24 \
        local 4.5.6.88 peer any \
        srcid 4.5.6.88 \
        config address 10.0.1.123 \
        tag "$id" tap enc0

GW88# grep "^[^#;]" /etc/pf.conf
set skip on {lo, enc}
match in all scrub (no-df random-id)
match out all scrub (no-df random-id)
match out on egress from lan:network to any nat-to egress
block log all
pass in on egress proto udp from any to any port {isakmp,ipsec-nat-t}
pass in on egress proto {ah,esp}
pass out on egress
pass on lan

On Wed, 12 Dec 2018 21:45:25 +0100
Radek <alee...@gmail.com> wrote:

> Hello again,
>
> I am using PPTP VPN (npppd) and it works as expected on windows clients -
> traffic to the "LAN behind that VPNgateway" is going through VPNgateway. The
> "rest" is going through clients' gateway - DO NOT "use default gateway on
> remote network".
>
> I have been playing around with iked.conf, pf.conf and ipsec.conf - still
> cannot get it working in this manner.
> I do not want to use OpenIKED as an internet gateway, VPN is needed only to
> access "LAN behind that VPNgateway".
>
> Could someone please help me with this problem? Christmas is coming...
>
> Many thanks!
>
> On Fri, 7 Dec 2018 20:20:21 +0100
> Radek <alee...@gmail.com> wrote:
>
> > Hello,
> >
> > I am still almost at the same point.
> > If I want to reach my GW88_LAN I have to check the "use default gateway on
> > remote network" box (Windows roadwarrior), but this option makes me
> > reach the internet through GW88.
> >
> > I want to use VPN GW88 to access 192.168.2.0/24 ONLY and the roadwarrior's
> > "local" gateway for the rest of the traffic - unchecked box "use default
> > gateway on remote network".
> > If the box is unchecked I am not able to access 192.168.2.0/24.
> >
> > What should I change in my confs to get it working in this manner?
> >
> > GW88# grep "^[^#;]" /etc/pf.conf
> > set skip on {lo, enc}
> > match in all scrub (no-df random-id)
> > match out all scrub (no-df random-id)
> > match out on egress from lan:network to any nat-to egress
> > block log all
> > pass out quick on egress inet received-on enc0 nat-to (egress)
> > pass in on egress proto udp from any to (egress:0) port {isakmp,ipsec-nat-t}
> > pass in on egress proto {ah,esp}
> > pass out on egress
> > pass on lan
> >
> >
> > GW88# grep "^[^#;]" /etc/iked.conf
> > ikev2 "roadWarrior" passive esp \
> >         from 0.0.0.0/0 to 10.0.1.0/24 \
> >         from 192.168.2.0/24 to 10.0.1.0/24 \
> >         local 4.5.6.88 peer any \
> >         srcid 4.5.6.88 \
> >         config address 10.0.1.0/24 \
> >         config netmask 255.255.255.0 \
> >         config name-server 8.8.8.8
> >
> > On Fri, 30 Nov 2018 15:06:28 +0100
> > Radek <alee...@gmail.com> wrote:
> >
> > > Hello,
> > >
> > > Thank you all for your time and your help in this matter!
> > > I think that the ISP of A.B.C.0/23 is filtering/blocking some
> > > certificates.
> > > I have moved VPN server and clients out of A.B.C.0/23. They can connect
> > > pretty fine using CA now. Clients from A.B.C.0/23 still can NOT connect
> > > to VPN serv.
> > > Site-to-Site VPN is doing its job.
> > >
> > > The road_warriors (Windows) can ping GW88_LAN_machine (192.168.2.1) ONLY
> > > if "use default gateway on remote network" is set.
> > > I need to make road_warriors:
> > > - reach GW88_LAN_machines 192.168.2.254/24
> > > - reach GW119_LAN_machines 172.16.X.X via GW88 - if it is possible
> > > - use their own gateway for the rest of the traffic -
> > >   unticked "use default gateway on remote network".
> > >
> > > I was playing around with iked.conf and pf.conf but I did not find the
> > > way to make it work.
> > > I will be grateful if anyone could help me with that.
> > >
> > > My network diagram and configs of GW88:
> > >
> > > GW88$ cat /etc/hostname.enc0
> > > inet 10.0.1.254 255.255.255.0
> > >
> > > GW88$ cat /etc/iked.conf
> > > #
> > > ikev2 "roadWarrior" passive esp \
> > >         from 192.168.2.0/24 to 10.0.1.0/24 \
> > >         local 4.5.6.88 peer any \
> > >         srcid 4.5.6.88 \
> > >         config address 10.0.1.0/24
> > > #
> > > #
> > > remote_gw_GW119 = "1.2.3.119"          # fw_GW119
> > > remote_lan_GW119_1 = "172.16.1.0/24"
> > > remote_lan_GW119_2 = "172.16.2.0/24"
> > >
> > > local_gw_GW88_2 = "192.168.2.254"
> > > local_lan_GW88_2 = "192.168.2.0/24"
> > >
> > > ikev2 active esp from $local_gw_GW88_2 to $remote_gw_GW119 \
> > >         from $local_lan_GW88_2 to $remote_lan_GW119_1 peer $remote_gw_GW119 \
> > >         psk "pkspass"
> > >
> > > ikev2 active esp from $local_gw_GW88_2 to $remote_gw_GW119 \
> > >         from $local_lan_GW88_2 to $remote_lan_GW119_2 peer $remote_gw_GW119 \
> > >         psk "pskpass"
> > >
> > >
> > > GW88$ cat /etc/pf.conf
> > > set skip on {lo, enc}
> > >
> > > match in all scrub (no-df random-id)
> > > match out all scrub (no-df random-id)
> > >
> > > match out on egress from lan:network to any nat-to egress
> > >
> > > block log all
> > > pass in on egress proto udp from any to any port {isakmp,ipsec-nat-t}
> > > pass in on egress proto {ah,esp}
> > > pass out on egress
> > > pass on lan
> > >
> > > table <bruteforce> persist counters
> > > pass in on egress proto tcp from { 1.2.3.119 A.B.C.0/23 } to port ssh flags S/SA \
> > >         set prio (6, 7) keep state \
> > >         (max-src-conn 15, max-src-conn-rate 2/10, overload <bruteforce> flush global)
> > >
> > > icmp_types = "{ echoreq, unreach }"
> > > pass inet proto icmp all icmp-type $icmp_types
> > >
> > >
> > >
> > >                       +------------+
> > >                       |road_warrior|
> > >             +---------+10.0.1.0/24 |
> > >             |         +------------+
> > >             |
> > >           ikev2
> > >             |
> > >             |
> > >             v
> > >
> > >         4.5.6.88                               1.2.3.119
> > >        +---------+                            +----------+
> > >        |         |                            |          |
> > >        |  GW88   | <--+site-to-site VPN+----> |  GW119   |
> > >        +--+------+                            +-------+--+
> > >           |                                           |
> > >           +-----+192.168.1.254/24                     |
> > >           |                                           |
> > >           |                        172.16.1.254/24---+
> > >           |                                           |
> > >           +---+-+192.168.2.254/24                     |
> > >           |   |                                       |
> > >           |   |   +-----------+                       |
> > >           |   +---+192.168.2.1|      172.16.2.254/24---|
> > >           |       +-----------+
> > >           |
> > >           |----+192.168.3.254/24
> > >
> > > Thanks!
> > >
> > > On Thu, 8 Nov 2018 14:04:23 +0100
> > > Radek <alee...@gmail.com> wrote:
> > >
> > > > I've been playing around with netcat.
> > > > I noticed that the netcat process on my VPN_server does not show any
> > > > "X" on stdout for ports 4500 and 1701.
> > > >
> > > > May it be relevant to my VPN issue?
> > > >
> > > > VPN_serv is A.B.C.77/23 (it is not behind NAT):
> > > >
> > > > $ pfctl -s rules
> > > > pass all flags S/SA
> > > >
> > > > $ nc -u -l 500
> > > > XXXX
> > > >
> > > > X.Y.Z.11/29$ nc -vuz A.B.C.77 4500
> > > > A.B.C.69/23$ nc -vuz A.B.C.77 4500
> > > > $ nc -u -l 4500
> > > > NOTHING IS HERE
> > > >
> > > > $ nc -u -l 4499
> > > > XXXX
> > > >
> > > > $ nc -u -l 4501
> > > > XXXX
> > > >
> > > > X.Y.Z.11/29$ nc -vuz A.B.C.77 1701
> > > > A.B.C.69/23$ nc -vuz A.B.C.77 1701
> > > > $ nc -u -l 1701
> > > > NOTHING IS HERE
> > > >
> > > > $ nc -u -l 22
> > > > XXXX
> > > >
> > > > $ nc -u -l 1234
> > > > XXXX
> > > >
> > > > On Wed, 7 Nov 2018 12:17:09 +0100
> > > > Radek <alee...@gmail.com> wrote:
> > > >
> > > > > Yesterday I tried this scenario:
> > > > >
> > > > > Win7_warrior - 192.168.x.x, NAT, GW: 1.2.3.119
> > > > > VPN_L2TP (Mikrotik) - A.B.C.75/23, not NATed
> > > > > VPN_IKEv2 - A.B.C.77/23, not NATed
> > > > >
> > > > > I connected Win7_warrior to VPN_L2TP and then to VPN_IKEv2. I had
> > > > > two active VPN connections at the same time.
> > > > > Next, I disconnected VPN_L2TP. VPN_IKEv2 was still active and was
> > > > > working fine.
> > > > >
> > > > > When I disconnected VPN_IKEv2 and was trying to connect VPN_IKEv2
> > > > > omitting VPN_L2TP - I got 809.
> > > > >
> > > > > Removing home_router which is between Win7_warrior and 1.2.3.119 does
> > > > > not change anything.
> > > > >
> > > > > Another thing:
> > > > > I install VPN_IKEv2 OS via PXEboot and get a private IP from the dhcp
> > > > > server. Then I move to public A.B.C.77/23 editing /etc/hostname,
> > > > > mygate, resolv.conf. Maybe I missed something in the network conf that is
> > > > > important for OpenIKED?
> > > > >
> > > > > Any idea?
> > > > >
> > > > >
> > > > > On Tue, 6 Nov 2018 11:21:52 +0100
> > > > > Radek <alee...@gmail.com> wrote:
> > > > >
> > > > > > Hello Kim,
> > > > > >
> > > > > > > My question was concerning the VPN_server, is the server NATed?
> > > > > > A.B.C.0/23 is not NATed, it is a public pool. VPN_server is not
> > > > > > NATed.
> > > > > >
> > > > > > > How is A.B.C.0/23 connected to the 'rest' of the world?
> > > > > > > Router/Firewall ...
> > > > > > I only have switches in my building.
> > > > > > All routers/firewalls of my network are in another building, I do
> > > > > > not know the whole network structure, devices, security policies...
> > > > > > but I have never noticed that any ports were blocked.
> > > > > >
> > > > > > I can set up an IKEV2 site-to-site VPN A.B.C.D/23 <--> !A.B.C.0/23
> > > > > > and it works like a charm.
> > > > > > https://community.riocities.com/openike_openbsd.html
> > > > > > But I can not set up a VPN_server for road warriors.
> > > > > >
> > > > > > I have just set up a VPN_L2TP_serv on Mikrotik (A.B.C.75/23). I can
> > > > > > connect my Win7_warrior from !A.B.C.0/23 (currently testing on GSM
> > > > > > network).
> > > > > > L2TP and IKEV2 use ports 500, 4500. If L2TP works fine then I
> > > > > > conclude that it is not any Router/FW problem.
> > > > > >
> > > > > > On Tue, 6 Nov 2018 07:48:37 +0100
> > > > > > Kim Zeitler <kim.zeit...@konzept-is.de> wrote:
> > > > > >
> > > > > > > Good morning Radek,
> > > > > > >
> > > > > > > I have a suspicion ...
> > > > > > >
> > > > > > > > For (1), (2) and (3) VPN is working just fine with Win7_warrior
> > > > > > > > and puffy_warrior if they are connecting from A.B.C.0/23 (it
> > > > > > > > does not matter if the warrior has a public IP or is behind NAT).
> > > > > > > > The rest of the world fails to connect to the VPN_server.
> > > > > > > My question was concerning the VPN_server, is the server NATed?
> > > > > > > How is A.B.C.0/23 connected to the 'rest' of the world?
> > > > > > > Router/Firewall ...
> > > > > > >
> > > > > > > Cheers,
> > > > > > > Kim
> > > > > > >

--
radek
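The split-tunnel setup from the final message above (untick "use default gateway on remote network", then add a route for 192.168.2.0/24 only once the tunnel is up), written as an added PowerShell example rather than the route192.bat from the thread; it is not Radek's code. It assumes Windows 8.1 or later with the VpnClient module (Windows 7, which the earlier messages mention, has no such cmdlets, so the route command stays the only option there), a VPN phonebook entry named GW88 (assumed name) and the prefixes from the thread.

```powershell
# Added example: bind the LAN route to the VPN connection instead of
# running a .bat after every connect. Run in an elevated PowerShell.
$conn = "GW88"              # assumption: name of the IKEv2 connection
$lan  = "192.168.2.0/24"    # LAN behind GW88, from the thread

# 1. Same effect as unticking "use default gateway on remote network".
Set-VpnConnection -Name $conn -SplitTunneling $true

# 2. Replaces route192.bat: RasMan installs this route whenever the
#    tunnel comes up and removes it when the tunnel drops, so there is
#    no stale route left behind after a disconnect.
$existing = (Get-VpnConnection -Name $conn).Routes |
            Where-Object DestinationPrefix -eq $lan
if (-not $existing) {
    Add-VpnConnectionRoute -ConnectionName $conn -DestinationPrefix $lan
}

# 3. Connect and verify the result: the LAN prefix must point at the
#    tunnel interface, and the default route must NOT.
rasdial $conn | Out-Null
$tun = Get-NetIPInterface -AddressFamily IPv4 |
       Where-Object InterfaceAlias -eq $conn
$lanRoute = Get-NetRoute -DestinationPrefix $lan -ErrorAction SilentlyContinue
$dfltViaTun = Get-NetRoute -DestinationPrefix "0.0.0.0/0" |
              Where-Object InterfaceIndex -eq $tun.ifIndex

if ($lanRoute.InterfaceIndex -contains $tun.ifIndex -and -not $dfltViaTun) {
    "split tunnel OK: $lan via $conn, default route stays on the local gateway"
} else {
    "check failed: LAN route ifIndex=$($lanRoute.InterfaceIndex), " +
    "default route via tunnel=$([bool]$dfltViaTun)"
}
```

The iked side needs no change for this: the server's `from 192.168.2.0/24 to 10.0.1.0/24` flow already narrows the SA to that LAN, so a client that sends only 192.168.2.0/24 into the tunnel matches it and everything else stays on the local gateway.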