How to make this work through IPSec

Hello, I have a problem.
I want a PC (in the cloud) to be able to connect to a device in the orange network on the other side of the VPN.
The IPSec is working well.


What must I do to make this work? See the attached image.
The green network is working fine (no problems).

Oh… I can ping 192.169.x.x from the IPFire command line on the Office side.

You should change the IP range of the orange network because 192.169.0.* is a publicly assigned range (RGNET LLC).

Have you configured the second range in the IPSec connection on both sides?



A temporary firewall rule so that no ports are blocked

Is it possible that when I ping an IP 192.169.x.x it goes through the VPN to the orange network?
Or must I make a new VPN connection?

IPFire supports more than one IP range in IPSec VPNs, so it should be enough to add the second range to the tunnel (local or remote subnet 192.168.32.0/24,192.169.0.0/24).

OK, sorry, I made a mistake: it's the range 192.168.0.0/24 in the orange network.

I have added a second subnet on both sides but I cannot ping a device (yet).



Also add a firewall rule.

Question.
The orange network has an IP address of 192.168.0.200/24, and this subnet has access to a subnet 192.169.0.0/16; that subnet is where the devices are.
What must I put in the IPSec settings?

To be exact: 192.168.0.200 is part of the network 192.168.0.0/24.
192.168.0.200/24 is identical to 192.168.0.0/24.
Or did you mean 192.168.0.200/32? But this isn't a (sub)net, it is a single device.

I have now configured…


On the Office side I can ping the device 192.169.137.246, but not on the Cloud side.

I have also made a static route on the Office side:
192.169.0.0/16 gateway 192.168.0.8
This is working,
but not from the Cloud side.

If I do a tracepath on the IPFire on the Cloud side it is not going through the VPN.

[root@IPFirewall ~]# tracepath 192.169.137.246
1?: [LOCALHOST] pmtu 1400
1: gateway 0.215ms
1: gateway 0.052ms
2: 100.70.128.2 0.325ms
3: r1fra2.core.init7.net 1.150ms
4: r1fra2.core.init7.net 1.290ms asymm 3
5: r2zrh2.core.init7.net 8.932ms
6: r1zrh9.core.init7.net 7.311ms

On the Office side it works:

[root@ipfire ~]# tracepath 192.169.137.246
1?: [LOCALHOST] pmtu 1500
1: 192.168.0.8 0.666ms asymm 56
1: 192.168.0.8 0.482ms asymm 56
2: no reply
3: no reply
4: no reply
5: no reply
6: 246.137.169.192.host.secureserver.net 2056.801ms reached
Resume: pmtu 1500 hops 6 back 6

The problem is that the subnet 192.169.0.0/16 comes from a RADIUS server and is accessible in our network.
These are the devices we want to connect to.

After reconfiguring and making adjustments, it works now.
:stuck_out_tongue_winking_eye: :+1: :heavy_check_mark:

Hi @firewall,

I have a similar problem to yours :wink:
https://community.ipfire.org/t/ipfire-dmz-network-and-vpn-ipsec/8993

Hi @firewall
What firewall rules do you have in place?
Thanks

In the IPSec settings under “remote subnet” I added a second IP range, 10.0.100.0/24,
in the IPFire on the other side of the VPN.


And I added this, see the image on this site.
I also added a static route.

Look here at my configuration: https://community.ipfire.org/t/ipfire-dmz-network-and-vpn-ipsec/8993

I also put the rule like you did in the IPFire config.
But the packets do not go from the DMZ to Amazon AWS and vice versa.
I don't understand what's wrong :smiling_face_with_tear:
I can see the requests (ICMP in my case) arriving on my firewall, but they are not directed to the machines concerned.

Here are the network and IP concerned:
DMZ firewall interface is 192.168.5.1
DMZ machine is: 192.168.5.12
AWS machine is: 172.18.6.12

From my Green interface I have no problem reaching the AWS network. The problem is just with my DMZ or my Wifi network (Blue).

Should I add a static route?
I don't see what route I should put, since the firewall knows how to route the traffic to the concerned networks (DMZ, BLUE, GREEN and AWS IPsec).

Any ideas?

My problem was that the IP range 192.169.0.* is a publicly assigned (RGNET LLC) address range.
It does not go through the firewall; it goes directly to the internet.
I tried a static route so that it would go through the IPSec, but it did not work.

Now I use another IP range, 10.0.100.x, and it works fine.


This shows once more that it isn't easy to build a firewall solution with IPFire without obeying the basic rules and definitions. Here, private IP networks == { 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12 } :wink:
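As an added example (not from this thread and not IPFire's own code), a small Python check that applies the points made in the thread before choosing IPsec subnets: it parses an IPFire-style comma-separated subnet list, normalises a host/prefix entry such as 192.168.0.200/24 to its network 192.168.0.0/24, flags entries outside the RFC 1918 ranges (which would follow the default route to the Internet rather than the tunnel), reports overlapping local/remote ranges, and tests whether a destination address is actually covered by the remote subnets. Function names and the sample subnets from the thread are my own choices.

```python
import ipaddress

# RFC 1918 private ranges, as listed in the thread.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_subnet_list(value):
    """Parse an IPFire-style comma-separated subnet list into IPv4/IPv6 networks.

    A host address with a prefix (192.168.0.200/24) is normalised to its
    network (192.168.0.0/24), which is the only thing the tunnel can match on.
    """
    nets = []
    for item in value.split(","):
        item = item.strip()
        if item:
            nets.append(ipaddress.ip_interface(item).network)  # tolerates host bits
    return nets


def check_tunnel_subnets(local, remote):
    """Return human-readable findings for a proposed local/remote subnet pair."""
    findings = []
    local_nets = parse_subnet_list(local)
    remote_nets = parse_subnet_list(remote)
    for side, nets in (("local", local_nets), ("remote", remote_nets)):
        for net in nets:
            private = any(p.version == net.version and net.subnet_of(p) for p in RFC1918)
            if not private:
                findings.append(f"{side} {net} is not RFC 1918 private; traffic may "
                                "follow the default route to the Internet, not the tunnel")
    for l_net in local_nets:
        for r_net in remote_nets:
            if l_net.version == r_net.version and l_net.overlaps(r_net):
                findings.append(f"local {l_net} overlaps remote {r_net}")
    return findings


def reachable_via_tunnel(address, remote):
    """True if the destination address falls inside one of the remote subnets."""
    ip = ipaddress.ip_address(address)
    return any(ip.version == net.version and ip in net for net in parse_subnet_list(remote))


if __name__ == "__main__":
    # Constructed sample mirroring the thread: a public /16 proposed as remote subnet.
    for f in check_tunnel_subnets("192.168.32.0/24", "192.168.0.200/24,192.169.0.0/16"):
        print("finding:", f)
    print("192.169.137.246 via tunnel:",
          reachable_via_tunnel("192.169.137.246", "192.168.0.0/24,10.0.100.0/24"))
```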
