Help with routing from site 1 to site 3 (site1==site2==site3)

OldFox
OldFox Posts: 11
Hi,
I have the following situation:
SITE1(Zyxel)==IPsec tunnel==SITE2(Zyxel)==IPsec tunnel==SITE3(StrongSwan)

Site1:
- Zyxel USG FLEX 500, subnet 192.168.1.0/24

Site2:
- Zyxel ZyWall 110, subnet 192.168.2.0/24

Site3:
- Ubuntu, StrongSwan, subnet 192.168.3.0/24

Hosts from Site1 can ping hosts from Site2 (and vice versa).
Hosts from Site2 can ping hosts from Site3 (and vice versa).

Now I want to make Site3 reachable from Site1 (through the Site2 tunnel).

Here are the Site3 iptables:


And here is the policy route on the Site2:


Policy route on the Site3:


If I try to traceroute or ping Site3 (192.168.3.1) from Site1, I can see the forwarding logs on Site2, but the ping gets no response.

What else do I have to setup to get the route from Site1 to Site3?

Accepted Solution

  • OldFox
    OldFox Posts: 11
    Answer ✓
    Hi @OldFox,
    1) Kindly check the VPN profile that connects site3 on site2. The local policy (phase 2) shall involve the site1 subnet.

    Thanks for the hint, that would probably work and I'll definitely try it out.
    Currently I've switched to PLAN-B and did the following:
    - switched from "Remote Access (Server Role)" to "Site-to-site with Dynamic Peer"
    - switched to IKEv2 with certificate auth.
    - created another tunnel from site3 to site1, so I have 3 tunnels now:

          Site1
       /         \
    Site2 --   Site3

    Thanks for your help guys!

All Replies

  • WJS
    WJS Posts: 38  Freshman Member
    Does Site3 (Ubuntu) receive the ICMP request from Site1?
    Could you capture packets on Site3?
  • OldFox
    OldFox Posts: 11
    edited April 26
    WJS said:
    Does Site3 (Ubuntu) receive the ICMP request from Site1?
    Could you capture packets on Site3?
    Could you please give me any hints on how to do that?

    Do I need any additional setup on Site3 (Ubuntu) to route 192.168.3.0/24 to 192.168.1.0/24?
  • WJS
    WJS Posts: 38  Freshman Member
    edited April 26
    To check whether the ICMP request is reaching it, you can run this on the Ubuntu CLI: tcpdump -nnvi [interface] icmp.
    It seems the traffic passes through Site2 correctly. Site3 is the last node we might check.

  • zyman2008
    zyman2008 Posts: 147  Ally Member
    OldFox,
    Do you use ufw firewall rules, or did you edit all the iptables rules yourself?
    ufw's default rule will write block logs in /var/sys/syslog.
    You can check whether traffic from site1 to site3 is blocked.

    I think you need to add an allow rule for 192.168.1.0/24 to 192.168.3.0/24 in the FORWARD chain:
    # sudo iptables -I FORWARD 1 -s 192.168.1.0/24 -d 192.168.3.0/24 -j ACCEPT
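Whether that rule helps depends on where it lands relative to the rules ufw already installs, which is why the hint inserts it at position 1. The following is an added example (not from the thread): a first-match evaluator over an iptables-save dump that reports the verdict for one new flow, before and after emulating the `-I FORWARD 1` insert. The dump is constructed to resemble a ufw host with only the Site2<->Site3 pair allowed; it is not a capture from Site3, and the chain name `ufw-before-forward` is used only as a plausible user chain.

```python
"""Decide what an iptables FORWARD chain does with one new flow.

Added example, not code from the thread: a first-match evaluator over an
iptables-save dump. It understands -s, -d, -i, -o, -j, user-chain jumps,
RETURN and "-m conntrack --ctstate ..." (the flow is treated as NEW); any
other match raises so the toy never silently misjudges a rule.
"""
import shlex
from ipaddress import ip_address, ip_network

# Constructed sample (not captured from Site3): ufw-style DROP policy with only
# the Site2<->Site3 pair allowed in a user chain.
BEFORE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:ufw-before-forward - [0:0]
-A FORWARD -j ufw-before-forward
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -s 192.168.2.0/24 -d 192.168.3.0/24 -j ACCEPT
-A ufw-before-forward -s 192.168.3.0/24 -d 192.168.2.0/24 -j ACCEPT
-A ufw-before-forward -j RETURN
COMMIT
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def parse_dump(text):
    """Return ({chain: policy}, {chain: [rule, ...]}) from iptables-save output."""
    policies, chains = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):
            name, policy = line[1:].split()[:2]
            policies[name] = policy                  # "-" for user chains
            chains.setdefault(name, [])
        elif line.startswith("-A "):
            argv = shlex.split(line)[1:]
            chain, argv = argv[0], argv[1:]
            rule = {"src": None, "dst": None, "in": None, "out": None,
                    "states": None, "target": None}
            i = 0
            while i < len(argv):                     # every supported option takes one argument
                opt, arg = argv[i], argv[i + 1] if i + 1 < len(argv) else None
                if opt == "-s": rule["src"] = ip_network(arg)
                elif opt == "-d": rule["dst"] = ip_network(arg)
                elif opt == "-i": rule["in"] = arg
                elif opt == "-o": rule["out"] = arg
                elif opt == "-j": rule["target"] = arg
                elif opt == "-m" and arg == "conntrack": pass
                elif opt == "--ctstate": rule["states"] = set(arg.split(","))
                else: raise ValueError(f"unsupported match in rule: {line}")
                i += 2
            chains.setdefault(chain, []).append(rule)
    return policies, chains


def verdict(dump, src, dst, in_if=None, out_if=None, chain="FORWARD"):
    """Final target for a NEW packet src->dst, or the chain policy if nothing matched."""
    policies, chains = parse_dump(dump)
    src, dst = ip_address(src), ip_address(dst)

    def walk(name):
        for r in chains.get(name, []):
            if r["src"] and src not in r["src"]: continue
            if r["dst"] and dst not in r["dst"]: continue
            if r["in"] and r["in"] != in_if: continue
            if r["out"] and r["out"] != out_if: continue
            if r["states"] is not None and "NEW" not in r["states"]: continue
            t = r["target"]
            if t in TERMINAL: return t
            if t == "RETURN": return None            # back to the calling chain
            if t in chains:                          # user chain: a terminal verdict there wins
                sub = walk(t)
                if sub is not None: return sub
            # LOG and other non-terminating targets fall through to the next rule
        return None

    found = walk(chain)
    return found if found is not None else policies[chain]


def insert_first(dump, chain, rule_args):
    """Emulate `iptables -I <chain> 1 <rule_args>` on the text dump."""
    lines = dump.splitlines()
    for i, line in enumerate(lines):
        if line.startswith(f"-A {chain} ") or line == "COMMIT":
            lines.insert(i, f"-A {chain} {rule_args}")
            break
    return "\n".join(lines) + "\n"


# The flow from the thread (a Site1 host to a Site3 host) plus the return direction.
AFTER = insert_first(BEFORE, "FORWARD", "-s 192.168.1.0/24 -d 192.168.3.0/24 -j ACCEPT")
AFTER = insert_first(AFTER, "FORWARD", "-s 192.168.3.0/24 -d 192.168.1.0/24 -j ACCEPT")

if __name__ == "__main__":
    for label, dump in (("before", BEFORE), ("after", AFTER)):
        print(label, verdict(dump, "192.168.1.10", "192.168.3.20"))
```

Note that FORWARD only applies to packets the Ubuntu box routes for hosts behind it; a ping aimed at the gateway's own address (192.168.3.1, as in the question) is decided by the INPUT chain instead, so the same allow is needed there if the gateway itself is the test target.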

  • PeterUK
    PeterUK Posts: 1,342  Guru Member
    Use the concentrator 
    Knowledge Base | Zyxel
  • OldFox
    OldFox Posts: 11
    WJS said:
    To check whether the ICMP request is reaching it, you can run this on the Ubuntu CLI: tcpdump -nnvi [interface] icmp.
    It seems the traffic passes through Site2 correctly. Site3 is the last node we might check.

    Very useful hint, thanks! I'll try it and let you know.
  • OldFox
    OldFox Posts: 11
    PeterUK said:
    Use the concentrator 
    Knowledge Base | Zyxel
    I didn't know about the concentrator. The example HERE looks almost exactly like my case, except that the connection between site2 and site1 is "site-to-site",
    but the connection between site2 and site3 is "Remote Access (Server Role)" (on site2), because site3 has a dynamic IP (or I'm not sure how to set up site-to-site in that case: site3 is a dynamic IP + strongSwan).
  • OldFox
    OldFox Posts: 11
    OldFox said:
    WJS said:
    To check whether the ICMP request is reaching it, you can run this on the Ubuntu CLI: tcpdump -nnvi [interface] icmp.
    It seems the traffic passes through Site2 correctly. Site3 is the last node we might check.

    Very useful hint, thanks! I'll try it and let you know.
    Nope, the packet doesn't reach Site3. It's probably stuck somewhere on Site2. What else can I try?
  • PeterUK
    PeterUK Posts: 1,342  Guru Member

    Yes, you need to use the concentrator with all sites as site-to-site, even with a dynamic IP: set up DDNS on the site with the dynamic IP, and have the site with the static IP link to that site by its DDNS name instead of its IP.