Routing Traffic through IPsec

Ok experts, here is my scenario.

I have an IPsec tunnel established from my main site to the cloud server. I also have an IPsec VPN established between the remote site and the main site. I have added the remote site's IP to the cloud IPsec. But I can not ping the cloud server from the remote site.
 
Cloud server:        182.XX.XX.66
Main site IPCOP box: 10.160.X.1
Remote office:       10.10.X.1

I added a route thinking it may be that:
route add -net 10.10.x.0 netmask 255.255.0.0 gw 10.160.X.1
Now when I ping, it's "Destination port unreachable".
I checked the firewall logs and I see IPsec-red-rejected.
I know IPCOP is blocking the traffic, but I am not sure what I need to do to tell it to allow packets through.

Your help with this will be greatly appreciated.
cmotiwala asked:
noci (Software Engineer) commented:
A tunnel has a masking specification, so all traffic that is allowed through the first tunnel should also be allowed through the 2nd tunnel.

A route command is in general not needed explicitly (verify that with netstat -rn).
So you need to verify that traffic from 10.10.x.1 is also allowed through the tunnel to the remote site,
and that data traveling from remote with the address of the cloud server is allowed through the tunnel between the remote & main site.

- keep tunnels as is:
What you can do is NAT on the IPCOP box, e.g. make 10.160.x.99 NAT into 182.xx.xx.66
with source NAT 10.160.x.1.
So remote should connect to 10.160.x.99 to actually go to the Cloud.

- create new tunnels for 10.10.x.X -> 182.xx.xx.66 everywhere.
cmotiwala (Author) commented:
Do I need to create the tunnel at the main site or the remote site to the cloud server?

I already have a tunnel from the main site to the cloud server with 10.10.x.x to 182.xx.xx.66 in the IPCOP.
When you say NAT 10.160.x.99 into 182.xx.xx.66 with the source being 10.160.x.1 (IPCOP).

Will this command work?

iptables -t nat -A POSTROUTING -s 10.160.x.99 -d 182.xx.xx.66 -j SNAT --to 10.160.x.1

I do apologize if I did not understand your answer completely. I don't know much about NATting, and before I break an IPCOP that is in a production environment I would like to understand what I am doing and learn from it.
noci (Software Engineer) commented:
If you choose to do parallel tunnels, then you need to create a tunnel on every hop from source to target that contains as endpoint definitions the original source and the ultimate target.

Alternatively you can use NAT on the existing tunnels by faking a server on the central router, and on that router NAT all traffic to the next hop until you can reach the target directly.
This requires an address for the ultimate target on every intermediate.

(Tunnels will only let traffic pass for the endpoints you mention.)
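The point made in both of noci's replies (a tunnel only carries the src/dst pairs its endpoint definitions name, so a packet has to match on every hop, either by adding the same selector to each tunnel or by NATting it on the IPCOP box into a pair the existing tunnels already accept) can be checked with a small model. The script below is an added example, not code from the thread or from IPCOP; the addresses are constructed stand-ins for the masked ones in the question (203.0.113.66 for 182.xx.xx.66, 10.160.1.0/24 and 10.10.1.0/24 for the two LANs, 10.160.1.99 for the "fake server" address), and the Tunnel/trace/nat_at_ipcop names are the model's own.

```python
"""Model of IPsec traffic selectors: a tunnel carries a packet only when its
(src, dst) pair matches one of the tunnel's endpoint definitions. Everything
else is dropped, which is the kind of drop the IPCOP firewall log reports.
All addresses below are constructed stand-ins for the masked ones in the question."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Tuple, Union

CLOUD      = ip_address("203.0.113.66")     # stands in for 182.xx.xx.66
CLOUD_NET  = ip_network("203.0.113.66/32")
MAIN_NET   = ip_network("10.160.1.0/24")    # main-site LAN behind the IPCOP box
MAIN_GW    = ip_address("10.160.1.1")       # the IPCOP box, stands in for 10.160.x.1
REMOTE_NET = ip_network("10.10.1.0/24")     # remote-office LAN
REMOTE_GW  = ip_address("10.10.1.1")        # stands in for 10.10.x.1
FAKE_CLOUD = ip_address("10.160.1.99")      # noci's "fake server" address on the main LAN

Selector = Tuple[IPv4Network, IPv4Network]


@dataclass(frozen=True)
class Tunnel:
    name: str
    selectors: Tuple[Selector, ...]

    def permits(self, src: IPv4Address, dst: IPv4Address) -> bool:
        """A packet enters the tunnel only if some selector matches it, in either direction."""
        return any((src in a and dst in b) or (src in b and dst in a)
                   for a, b in self.selectors)

    def with_selector(self, a: IPv4Network, b: IPv4Network) -> "Tunnel":
        """Option 1 from the thread: add the same endpoint pair to another hop."""
        return Tunnel(self.name, self.selectors + ((a, b),))


# Starting point as described in the question: the remote subnet was added to
# the cloud tunnel, but the remote<->main tunnel only knows the two LANs.
REMOTE_TO_MAIN = Tunnel("remote<->main", ((REMOTE_NET, MAIN_NET),))
MAIN_TO_CLOUD  = Tunnel("main<->cloud", ((MAIN_NET, CLOUD_NET), (REMOTE_NET, CLOUD_NET)))


def nat_at_ipcop(src: IPv4Address, dst: IPv4Address) -> Tuple[IPv4Address, IPv4Address]:
    """Option 2 from the thread: on the IPCOP box, DNAT the fake main-LAN address
    to the real cloud server and SNAT the remote source to the box's own main-LAN
    address, so the rewritten packet matches the existing main<->cloud selector."""
    if dst == FAKE_CLOUD and src in REMOTE_NET:
        return MAIN_GW, CLOUD
    return src, dst


def trace(src: str, dst: str, first: Tunnel = REMOTE_TO_MAIN,
          second: Tunnel = MAIN_TO_CLOUD, use_nat: bool = False
          ) -> Tuple[bool, Union[str, List[str]]]:
    """Walk a packet remote LAN -> IPCOP -> cloud. Returns (True, hops) when both
    tunnels accept it, or (False, reason) naming the tunnel that dropped it."""
    s, d = ip_address(src), ip_address(dst)
    if not first.permits(s, d):
        return False, f"rejected by {first.name}"
    hops = [first.name]
    if use_nat:
        s, d = nat_at_ipcop(s, d)
        hops.append(f"nat {s}->{d}")
    if not second.permits(s, d):
        return False, f"rejected by {second.name}"
    hops.append(second.name)
    return True, hops


if __name__ == "__main__":
    # As posted: the remote<->main hop never carries a packet addressed to the cloud.
    print(trace("10.10.1.1", "203.0.113.66"))
    # Option 1: parallel tunnels, the same endpoint pair on every hop.
    print(trace("10.10.1.1", "203.0.113.66",
                first=REMOTE_TO_MAIN.with_selector(REMOTE_NET, CLOUD_NET)))
    # Option 2: keep the tunnels, NAT on the IPCOP box; remote targets 10.160.1.99.
    print(trace("10.10.1.1", "10.160.1.99", use_nat=True))
```

The first trace reproduces the symptom: the packet is valid for the cloud tunnel but never reaches it because the remote<->main tunnel has no endpoint definition for the cloud address. Adding that pair to the first hop (option 1) or rewriting the packet on the IPCOP box so that it looks like main-LAN traffic to the cloud (option 2) both make it pass; note that the return traffic needs the mirror-image treatment, which the selector check covers by matching in either direction.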