[RESOLVED] Telkom VPN-Lite + Smoothwall

AirWolf

Head office with one branch (so far).

Head office has a smoothwall, branch does not.

Management approved Telkom VPN-Lite for the VPN connection between the two sites.

What would I need to do to access server behind Smoothwall at head office from branch?

ERP software involved here.
 
Try portforwarding VNC/RDP ports and see if you can get in?

I have no idea what this VPN-lite is. Assuming that it's a tunnel of some sorts between you and your destination?

Also assuming both sides have static IPs...
 
Thanks for the feedback.

Turns out the technician had configured the routing tables in the routers incorrectly, i.e. through the internet connection instead of the VPN connection.
 
AirWolf,
Thanks for coming back with the answer. Just for interest and education of course.

All you had to do was make sure the routing was correct? Nothing extra was needed?

Regards

Tim
 
Not quite that simple.

WAN diagram below (image: WAN.jpg).

Any pc can ping any of the routers' 172 IP addresses - the routing tables sorted this problem out. The branch pc can see the server but can't access it.

I got the following on Smoothwall when the branch pc tried accessing the server:

Code:
18:10:15	eth1 » -	UDP		 77.52.99.155		6881		10.0.9.10		44139
18:10:42	eth1 » -	UDP		 125.180.163.27		33228		10.0.9.10		44139
18:10:55	eth1 » -	UDP		 125.180.163.27		33228		10.0.9.10		44139
18:10:59	eth1 » -	UDP		 77.52.99.155		6881		10.0.9.10		44139
18:11:02	eth1 » -	UDP		 125.180.163.27		33228		10.0.9.10		44139
18:11:08	eth1 » -	UDP		 125.180.163.27		33228		10.0.9.10		44139
18:11:45	eth1 » -	UDP		 77.52.99.155		6881		10.0.9.10		44139

*10.0.9.10 is the Smoothwall red ip.

Each router has a normal internet connection and the vpn connection with static "public" ip.

The pcs within the HO lan have gateway as Smoothwall green ip and dns as server ip.
 
With regards to your ERP system, have you considered running the client(s) at the branches on a Remote Desktop/Terminal Server from the head office? This typically uses less bandwidth and means that you get a more graceful failure if your VPN connection drops at all - you only lose the remote session, not the session between the ERP client and server.

If the users at the branch are using a browser based UI for the ERP it may not be so much of an issue but if you have a dedicated client program, remote desktops is definitely the way to go.
 
It is for Pastel Evolution (not browser based).
 
fest3er said:


Started from scratch on both routers with no internet connection - I'm guessing those public ips *may* have been for something else.

Tested with server on both sides of the Smoothwall: behind the Smoothwall - server not accessible by name or ip; bypassing the Smoothwall - server is accessible by ip from branch and Pastel works 100%.

"Seeing" the server under the network was only temporary - consultant had a software vpn activated and thereafter deactivated. On reboot it was no longer listed under network.

With the server back behind the Smoothwall, failed access does not show any details on the firewall log. With regards to the ports - I do not know.

Testing inside the headoffice, but outside the Smoothwall and the server is still not accessible.
 
I'm one step closer :).

Updated my Smoothwall to sp3, and installed full firewall control.

On the head office side:
I then gave my server (192.168.0.2) an alias on the red network (10.0.9.4), and added the forward rule from the red IP to the green IP. With a pc in the red network (10.0.9.6) I am able to access the server via the red alias. The server's proper IP was not accessible from red previously.

On the branch side:
From the branch pc (10.0.10.3) I am able to ping the H/O router (10.0.9.2) and pc on red network (10.0.9.6), but not the Smoothwall red ip (10.0.9.10) or server alias.

I only have the one forward rule as above.

Any ideas?
 
Bitbeisser said:
Unfortunately, there is not a single netmask involved mentioned.
My best WAG in this case is that you have identical if not at least over-lapping 10.x.x.x subnets on each side. That doesn't fly.

Each and every subnet in a Smoothwall setup, including remote ones via VPN need to be distinct and non-overlapping....

Ralf

When creating the site in Telkom VPN lite it provides you with a class A subnet eg. 10.0.4.0 or 10.0.5.0 or 10.0.6.0 etc to be used on each new site.
 
fest3er said:
It should work; there's no SWE3 reason for it not to work. A false assumption is probably being made.

I can only suggest:
Go through the server's routing--and firewall if any--with a fine toothed comb; make no assumptions. It almost seems as though the server doesn't know where to send responses (has no default route).
Ensure that all necessary ports are forwarded to the smoothie. Make it the DMZ if necessary, receiving everything that isn't already spoken for.
Verify that the VPNs are, in fact, net-to-net and do carry the desired LANs.
If the VPN is OpenVPN or IPSEC, try configuring a VPN direct to SWE3, even if it tunnels through the other VPN.
If all else fails, *be* the routers and 'route' a single packet through the system using the configured 'rules' only. That is, make no assumptions.

Unless they failed Networking 101 and used a duplicated LAN address somewhere.

The ADSL router has the ADSL connection and the VPN connection with DHCP on. The red IP on the Smoothwall is static (10.0.9.10) with the gateway being the router IP (10.0.9.2).

The adsl router has a routing table to route all private subnets through the vpn connection. When pinging the branch router (10.0.4.2) from inside the smoothwall (192.168.0.0 range of pcs) I receive:
"Reply from 10.0.9.10: Destination host unreachable"

Any pc on the red network does not have this problem.

Seems like the smoothwall is trying to find the ip and not sending the request to the router :(.
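fest3er's suggestion to "be the routers" and route a single packet using only the configured rules, together with Bitbeisser's point about non-overlapping subnets, can be done on paper or with a small script. The following is an added example, not code from the thread or from Smoothwall: it longest-prefix-matches a destination through a constructed model built from the addresses in this thread, and the /24 masks, the routers' route entries and the branch router's 10.0.10.2 address are assumptions because the thread never states them.

```python
import ipaddress

def lookup(routes, dst):
    """Longest-prefix match over (prefix, next_hop) pairs; None if nothing matches."""
    hits = [(ipaddress.ip_network(p), nh) for p, nh in routes if dst in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen) if hits else None

def trace(hops, first_hop, dst, max_hops=8):
    """'Be the routers': forward dst hop by hop using only configured routes. Returns (status, path)."""
    dst = ipaddress.ip_address(dst)
    by_addr = {ipaddress.ip_address(a): n for n, h in hops.items() for a in h["ifaces"]}
    hop, path = first_hop, []
    while len(path) < max_hops:
        path.append(hop)
        if by_addr.get(dst) == hop:
            return "delivered", path                 # packet is addressed to this hop itself
        match = lookup(hops[hop]["routes"], dst)
        if match is None:
            return "unreachable at " + hop, path     # the 'Destination host unreachable' case
        if match[1] is None:
            return "delivered", path                 # destination is on a directly connected subnet
        hop = by_addr[ipaddress.ip_address(match[1])]  # KeyError if the next hop is not modelled
    return "loop", path

def overlaps(subnets):
    """Bitbeisser's check: every site subnet (including VPN ones) must be distinct and non-overlapping."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    return [(str(a), str(b)) for i, a in enumerate(nets) for b in nets[i + 1:] if a.overlaps(b)]

# Constructed topology using the thread's addresses. The /24 masks, the routers' route entries and
# the branch router's 10.0.10.2 address are assumptions; the thread never states them.
HOPS = {
    "smoothwall": {"ifaces": ["192.168.0.1", "10.0.9.10"],
                   "routes": [("192.168.0.0/24", None), ("10.0.9.0/24", None)]},
    "ho-router": {"ifaces": ["10.0.9.2"],
                  "routes": [("10.0.9.0/24", None), ("10.0.0.0/8", "10.0.4.2")]},
    "branch-router": {"ifaces": ["10.0.4.2", "10.0.10.2"],
                      "routes": [("10.0.10.0/24", None), ("10.0.0.0/8", "10.0.9.2"),
                                 ("192.168.0.0/16", "10.0.9.2")]},
}

def green_to_branch(smoothwall_default_route):
    """Ping from the green LAN to the branch router 10.0.4.2, with or without a default route on Smoothwall."""
    hops = {k: dict(v, routes=list(v["routes"])) for k, v in HOPS.items()}
    if smoothwall_default_route:
        hops["smoothwall"]["routes"].append(("0.0.0.0/0", "10.0.9.2"))
    return trace(hops, "smoothwall", "10.0.4.2")
```

Tracing the return direction from the branch router to 192.168.0.2 stops at the HO router in this model, while the red-side alias 10.0.9.4 is delivered on its connected subnet, which is the same distinction the alias workaround earlier in the thread relies on.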
 