Show Posts
1
Virtual private networks / Raodwarrior IPSec legacy setup not fully working
« on: February 21, 2024, 09:29:53 am »
Hi,
follwing scenario: an IPSec roadwarrior setup in the legacy variant with card terminals who don't talk to me, so no logging accessible from the clientside.
The goal: you connect a card terminal to the internet at home, it connects via VPN to a so called connector and can be used as if it's connected locally.
There is a 3 step process involved from the connector point of view: knowing the card terminal , assigning the terminal to itself and pairing the terminal with itself.
The simple test setup with one device and a /32-net as virtual ip-pool was working as intended, hence I presume the firewall rules are also fine.
For "production" I need a bigger pool, so I defined a /24-net. Clients are getting a virtual IP as intended, I can ping them from the connector and the first 2 steps of the 3 step process are working fine - the third however isn't. It uses port 4742 tcp/udp.
Which begs the question : since the only difference in setup (iirc) is the size of the virtual ip net, is it at fault? If so, is there a way to assign static ips via the legacy interface?
In phase 2 configuration I declared the target net where the connector is located as the local subnet, did I accidentaly declare a split tunnel and that is causing problems?
Connector : 192.168.77.21
VPN net not fully working: 172.100.16.0/24
VPN net fully working: 172.100.16.101/32
I find it hard to troubleshoot, because I can only look at one side, and it's not throwing me any errors. Any help is greatly appreciated!
Do I need to switch to the new gui and assign static IPs ?
follwing scenario: an IPSec roadwarrior setup in the legacy variant with card terminals who don't talk to me, so no logging accessible from the clientside.
The goal: you connect a card terminal to the internet at home, it connects via VPN to a so called connector and can be used as if it's connected locally.
There is a 3 step process involved from the connector point of view: knowing the card terminal , assigning the terminal to itself and pairing the terminal with itself.
The simple test setup with one device and a /32-net as virtual ip-pool was working as intended, hence I presume the firewall rules are also fine.
For "production" I need a bigger pool, so I defined a /24-net. Clients are getting a virtual IP as intended, I can ping them from the connector and the first 2 steps of the 3 step process are working fine - the third however isn't. It uses port 4742 tcp/udp.
Which begs the question : since the only difference in setup (iirc) is the size of the virtual ip net, is it at fault? If so, is there a way to assign static ips via the legacy interface?
In phase 2 configuration I declared the target net where the connector is located as the local subnet, did I accidentaly declare a split tunnel and that is causing problems?
Connector : 192.168.77.21
VPN net not fully working: 172.100.16.0/24
VPN net fully working: 172.100.16.101/32
I find it hard to troubleshoot, because I can only look at one side, and it's not throwing me any errors. Any help is greatly appreciated!
Do I need to switch to the new gui and assign static IPs ?