Help with routing from site 1 to site 3 (site1==site2==site3)
Freshman Member
Hi,
I've the following situation:
SITE1(Zyxel)==IPsec tunnel==SITE2(Zyxel)==IPsec tunnel==SITE3(StrongSwan)
Site1:
- Zyxel USG FLEX 500, subnet 192.168.1.0/24
Site2:
- Zyxel ZyWall 110, subnet 192.168.2.0/24
Site3:
- Ubuntu, StrongSwan, subnet 192.168.3.0/24
Hosts from Site1 can ping hosts from Site2 (and vice versa).
Hosts from Site2 can ping hosts from Site3 (and vice versa).
Now I want to make Site3 reachable from Site1 (trough Site2 tunnel).
Here are the Site3 iptables:
And here is the policy route on the Site2:
Policy route on the Site3:
If I try to traceroute or ping Site3 (192.168.3.1) from the Site1, I can see the forwarding logs on the Site2, but ping doesn't get response.
What else do I have to setup to get the route from Site1 to Site3?
I've the following situation:
SITE1(Zyxel)==IPsec tunnel==SITE2(Zyxel)==IPsec tunnel==SITE3(StrongSwan)
Site1:
- Zyxel USG FLEX 500, subnet 192.168.1.0/24
Site2:
- Zyxel ZyWall 110, subnet 192.168.2.0/24
Site3:
- Ubuntu, StrongSwan, subnet 192.168.3.0/24
Hosts from Site1 can ping hosts from Site2 (and vice versa).
Hosts from Site2 can ping hosts from Site3 (and vice versa).
Now I want to make Site3 reachable from Site1 (trough Site2 tunnel).
Here are the Site3 iptables:
And here is the policy route on the Site2:
Policy route on the Site3:
If I try to traceroute or ping Site3 (192.168.3.1) from the Site1, I can see the forwarding logs on the Site2, but ping doesn't get response.
What else do I have to setup to get the route from Site1 to Site3?
0
Accepted Solution
-
Thanks for the hint, that would probably work and I'll definitely try it out.Zyxel_Kevin said:Hi @OldFox,
1)Kindly check the VPN profile which connected site3 on site2 ,The local policy(phase2) shall involve site1 subnet.
Currently I've switched to PLAN-B and did the following:
- switched from "Remote Access (Server Role)" to "Site-to-site with Dynamic Peer"
- switched to IKEv2 with certs auth.
- created another tunnel from site3 to site 1, so I have 3 tunnels now:
Site1
/ \
Site2 -- Site3
Thanks for your help guys!0
All Replies
-
Does Site3(Ubuntu) recevie ICMP request from Site 1 ?
Could you capture packet on site3 ?0 -
Could you please give me any hints, how to do that?WJS said:Does Site3(Ubuntu) recevie ICMP request from Site 1 ?
Could you capture packet on site3 ?
Do I need any additional setup on the Site3(ubuntu)... to route 192.168.3.0/24 to 192.168.1.0/24?0 -
In order to check whether ICMP request reachable . You can perform CLI on ubuntu. tcpdump -nnvi [interface] icmp.
It seem the traffic shall pass through site2 correctly .Site3 is the last node we might check
0 -
OldFox,
Do you use ufw firewall rules or all iptables rules edit yourself ?
ufw default rule will write block log in /var/sys/syslog.
You can check if traffic from site1 to site3 blocked.
I think you need to add allow 192.168.1.0/24 to 192.168.3.0/24 in FOWARD chain
# sudo iptables -I FORWARD 1 -s 192.168.1.0/24 -d 192.168.3.0/24 -j ACCEPT
0 -
0
-
Very useful hint, thanks! I'll try it and let you know.WJS said:In order to check whether ICMP request reachable . You can perform CLI on ubuntu. tcpdump -nnvi [interface] icmp.
It seem the traffic shall pass through site2 correctly .Site3 is the last node we might check0 -
I didn't know about the concentrator. The example HERE looks almost exactly like in my case. Except that the connection between site 2 and site 1 is "site-to-site",PeterUK said:
but connection between site 2 and site 3 is "Remote Access (Server Role)"(site 2), because site 3 has dynamic IP (or I'm not sure how to setup site-to-site in that case - site3 is dynamic ip + strongswan).0 -
I didn't know about the concentrator. The example HERE looks almost exactly like in my case. Except that the connection between site 2 and site 1 is "site-to-site",PeterUK said:
but connection between site 2 and site 3 is "Remote Access (Server Role)"(site 2), because site 3 has dynamic IP (or I'm not sure how to setup site-to-site in that case - site3 is dynamic ip + strongswan).0 -
Nope, package doesn't reach the Site3. It's probably stuck somewhere on Site2. What else can I try?OldFox said:
Very useful hint, thanks! I'll try it and let you know.WJS said:In order to check whether ICMP request reachable . You can perform CLI on ubuntu. tcpdump -nnvi [interface] icmp.
It seem the traffic shall pass through site2 correctly .Site3 is the last node we might check0 -
Yes you need to use concentrator all site to site even with dynamic IP you set update DDNS on site with dynamic IP and the site with static IP to link to that site with DDNS instead of IP.
0
Ally Member
Master Member
Guru Member
Categories
- All Categories
- 388 Beta Program
- 2.1K Nebula
- 116 Nebula Ideas
- 78 Nebula Status and Incidents
- 5.1K Security
- 51 USG FLEX H Series
- 247 Security Ideas
- 1.3K Switch
- 69 Switch Ideas
- 913 WirelessLAN
- 34 WLAN Ideas
- 5.9K Consumer Product
- 210 Service & License
- 330 News and Release
- 71 Security Advisories
- 21 Education Center
- 5 [Campaign] Zyxel Network Detective
- 1.9K FAQ
- 875 Nebula FAQ
- 414 Security FAQ
- 220 Switch FAQ
- 193 WirelessLAN FAQ
- 46 Consumer Product FAQ
- 137 Service & License FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 72 About Community
- 61 Security Highlight
