asked on
Routing Traffic through IPsec
Ok experts here is my scenario
I have a Ipsec established from my main site to the cloud server I also have a ipsec vpn established between remote site to main site. I have added the remote sites IP to the cloud ipsec. But I can not ping the cloud server from the remote site
Cloud server: 182.XX.XX.66
Main site IPCOP box : 10.160.X.1
Remote office 10.10.X.1
I added a route thinking it may be that
Route add -net 10.10.x.0 netmask 255.255.0.0 gw 10.160.X.1
Now when I ping its Destination port unreachable.
I checked the firewall logs and I see IPsec-red-rejected
I know IPCOP is blocking the traffic but I am not sure what I need to do to tell it to allow packets through.
Your help with this will be greatly appreciated.
I have a Ipsec established from my main site to the cloud server I also have a ipsec vpn established between remote site to main site. I have added the remote sites IP to the cloud ipsec. But I can not ping the cloud server from the remote site
Cloud server: 182.XX.XX.66
Main site IPCOP box : 10.160.X.1
Remote office 10.10.X.1
I added a route thinking it may be that
Route add -net 10.10.x.0 netmask 255.255.0.0 gw 10.160.X.1
Now when I ping its Destination port unreachable.
I checked the firewall logs and I see IPsec-red-rejected
I know IPCOP is blocking the traffic but I am not sure what I need to do to tell it to allow packets through.
Your help with this will be greatly appreciated.
VPNInternet Protocol SecuritySoftware Firewalls
Last Comment
noci
ASKER
do I need to create the tunnel at the main site or the remote site to the cloud server.
I already have a tunnel from the main site the cloud server with the 10.10.x.x to 182.xx.xx.66 in the ipcop.
When you say NAT 10.160x.99 into 182.xx.xx.66 with source being 10.160.x.1(IPCOP).
Will this command work
iptables -t nat -A POSTROUTING -s 10.160.x.99 -d 182.xx.xx.66 -j SNAT --to 10.160.x.1
I do apologize if I did not understand your answer completely, I don't know much about natting and before I break IPCOP that is in production environment I would like to understand what I am doing and learn from it.
I already have a tunnel from the main site the cloud server with the 10.10.x.x to 182.xx.xx.66 in the ipcop.
When you say NAT 10.160x.99 into 182.xx.xx.66 with source being 10.160.x.1(IPCOP).
Will this command work
iptables -t nat -A POSTROUTING -s 10.160.x.99 -d 182.xx.xx.66 -j SNAT --to 10.160.x.1
I do apologize if I did not understand your answer completely, I don't know much about natting and before I break IPCOP that is in production environment I would like to understand what I am doing and learn from it.
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
A route command is in general not needed explicitely, (verify that with" netstat -rn )
So you need to verify that traffic from 10.10.x.1 is also allowed through the tunnel to the remote site.
And that data traveling from remote with address of cloud server is allowed through the tunnel between remote & main site.
- keep tunnels as is:
What you can do is NAT on the IPCOP box. f.e. make 10.160.x.99 nat into 182.xx.xx.66
with sourcenat 10.160.x.1
So remote should connect to 10.160.x.99 to actualy go to the Cloud.
- create new tunnels for 10.10.x.X -> 182.xx.xx.66 everywhere.