Topic: IPSEC between Zentyal and Sonicwall not working

rahul_dhakan

IPSEC between Zentyal and Sonicwall not working
« on: October 15, 2013, 09:55:31 am »
Hi,

I have configured a site-to-site VPN between Zentyal (my gateway at office 1) and Sonicwall (my gateway at office 2). The tunnel comes up, and traffic can pass from Zentyal to Sonicwall, but traffic cannot pass from Sonicwall to Zentyal. I guess there is something wrong with the IPTABLES rules. I have allowed IPSEC - any - any from my external interface, but still it is not getting through. Any help on this is highly appreciated.


thanks

christian

Re: IPSEC between Zentyal and Sonicwall not working
« Reply #1 on: October 15, 2013, 10:00:04 am »
Does it mean you can see dropped packets in the FW log?

rahul_dhakan

Re: IPSEC between Zentyal and Sonicwall not working
« Reply #2 on: October 15, 2013, 10:55:31 am »
Correct, I can see DROP packets in the logs. Any help with iptables rules for IPSEC only, please. My Zentyal local subnet is 192.168.30.0/24 and the Sonicwall local subnet is 192.168.32.0/20. You can consider X.X.X.X as the public IP for Zentyal and Y.Y.Y.Y as the public IP for Sonicwall.

christian

Re: IPSEC between Zentyal and Sonicwall not working
« Reply #3 on: October 15, 2013, 10:59:23 am »
> Correct, I can see DROP packets in the logs. Any help with iptables rules for IPSEC only, please. My Zentyal local subnet is 192.168.30.0/24 and the Sonicwall local subnet is 192.168.32.0/20. You can consider X.X.X.X as the public IP for Zentyal and Y.Y.Y.Y as the public IP for Sonicwall.

 :o :o  I really don't get you. Sorry.
If you see dropped packets, is there anything preventing you from adding, using the GUI, a FW rule that will allow such packets to go through, assuming these packets are those you want to authorize, of course  ;)

rahul_dhakan

Re: IPSEC between Zentyal and Sonicwall not working
« Reply #4 on: October 15, 2013, 11:03:35 am »
I have allowed IPSEC from the GUI on the external interface for ANY - ANY. Please help if I am missing anything and need to add something.

rahul_dhakan

Re: IPSEC between Zentyal and Sonicwall not working
« Reply #5 on: October 16, 2013, 06:30:54 am »
Please check the attached screenshot of DROP packets. I am adding custom allow rules from the external interface to the internal interface, but it does not work, and I think it conflicts with the Zentyal default firewall rules. By the way, where are the default Zentyal firewall rule logs saved?

I can't go live without fixing this, any help would be highly appreciated.


Thanks !

christian

Re: IPSEC between Zentyal and Sonicwall not working
« Reply #6 on: October 16, 2013, 07:00:45 am »
Indeed some packets are dropped, but I can't see why this would be linked to IPSEC?
In fact, due to the lack of detailed information, I don't know what eth2 and eth0 are, nor what the IP addressing plan is.

I suppose 192.168.30.0/24 is your LAN, but I'm quite confused by the source IPs as shown in your log report. All are in the RFC1819 range but from various subnets.

You should perhaps start with some technical description of your IT landscape otherwise I doubt anyone can have any clever advice.
 

rahul_dhakan

Re: IPSEC between Zentyal and Sonicwall not working
« Reply #7 on: October 16, 2013, 09:25:47 am »
Ok, let me give you the full information. Here are my setup details:

Office 1: Zentyal Gateway
---------------------------------------------------------
Eth0: LAN: 192.168.34.0/24
Eth1: WAN 1
Eth2: WAN 2 - IPSEC is configured on this WAN

Firewall rules configured from GUI on Zentyal:
internal networks to Zentyal -> Allow Any Any
internal networks -> Allow Any Any
external networks to Zentyal -> Allow Any IPSEC
Traffic coming out from Zentyal -> Allow Any Any
-----------------------------------------------------------
Office 2 - Sonicwall Gateway
Lan subnet: 192.168.32.0/20
Allow IPSEC Any
-----------------------------------------------------------

I have configured site-to-site IPSEC between Zentyal and Sonicwall. The tunnel comes up, and I can ping from the Zentyal internal LAN 192.168.30.0/24 -> 192.168.32.0/20 without any DROP on Sonicwall. So the Sonicwall rules are fine.

Now, when I try to access 192.168.32.0/20 -> 192.168.30.0/24 from Sonicwall to Zentyal, packets are getting dropped on the Zentyal firewall, as you can see in the screenshot. Packets are coming in through WAN2, which is configured on ETH2 <-> Zentyal LAN, which is configured on ETH0.

I am looking for iptables/firewall rules either from command line or from GUI to allow this traffic from WAN2 to LAN on Zentyal.

Hope this information will clear your doubts.


christian

Re: IPSEC between Zentyal and Sonicwall not working
« Reply #8 on: October 16, 2013, 10:13:20 am »
Clearer.
Then look at your FW log:
- you need to accept incoming packets from 192.168.32.0/20 to the LAN (e.g. access to 192.168.30.106 on port 80 is not authorized. Or if it is, then there is a bug somewhere)
- you are probably trying to ping from 192.168.46.150, but incoming ICMP is not authorized.

rahul_dhakan

Re: IPSEC between Zentyal and Sonicwall not working
« Reply #9 on: October 16, 2013, 10:34:26 am »
You are correct, I have already added below rule from Zentyal GUI:
External networks to Zentyal - 192.168.32.0/20 - Any - Allow
but still the same problem. 192.168.46.150 is my local machine, and I tried even to allow this with manual rules from iptables but was unable to do so. Looking forward to your response.

christian

Re: IPSEC between Zentyal and Sonicwall not working
« Reply #10 on: October 16, 2013, 10:57:08 am »
The problem is not to allow from 192.168.32.0/20 to Zentyal, but to your internal network.

rahul_dhakan

Re: IPSEC between Zentyal and Sonicwall not working
« Reply #11 on: October 16, 2013, 11:28:12 am »
For the internal network it is already Allow - Any (Source) - Any (Service); however, I have added one rule above that for Allow 192.168.32.0/20 - Any, which logically does not make any sense. The result is also the same - it still drops the packets. I have attached the screenshot for the same.

christian

Re: IPSEC between Zentyal and Sonicwall not working
« Reply #12 on: October 16, 2013, 01:43:19 pm »
> however, I have added one rule above that for Allow 192.168.32.0/20 - Any, which logically does not make any sense. The result is also the same - it still drops the packets.

I perhaps don't understand, but it looks like you mix up rules from internal to Zentyal, from internal to the internet, and also rules from "outside" to the LAN.
If connections from outside are dropped at FW level and if you expect such sessions to be accepted, it does need a FW rule, doesn't it?

rahul_dhakan

Re: IPSEC between Zentyal and Sonicwall not working
« Reply #13 on: October 17, 2013, 06:53:23 am »
It drops IPSEC traffic from the remote subnet only; however, I have already allowed ANY ANY for the internal network. So I am blank and stuck. I cannot make this Zentyal live at the other office unless I get to the solution.

christian

Re: IPSEC between Zentyal and Sonicwall not working
« Reply #14 on: October 17, 2013, 06:56:59 am »
> I have already allowed ANY ANY for the internal network.

What you set for the internal network doesn't matter, as the problem we are looking at is from a remote (external) connection to internal.
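The point christian makes in replies #8 and #14 is a chain distinction: the "external networks to Zentyal" allow covers packets addressed to the gateway itself (the INPUT chain), whereas the dropped 192.168.32.0/20 -> 192.168.30.x packets from reply #7 are routed through the gateway and are evaluated in the FORWARD chain. The script below is an added example, not code from this thread or from the Zentyal project. It takes the interface names, subnets and the X.X.X.X / Y.Y.Y.Y placeholders from the thread; the gateway LAN address 192.168.30.1 is an assumption. It prints the rules by default (dry run) and only executes them with `--apply`.

```shell
#!/bin/sh
# Added example (not from the thread or the Zentyal project): the two separate
# things an IPsec gateway must permit in iptables.
#   1. INPUT   - IKE (UDP 500/4500) and ESP arriving at the gateway itself
#   2. FORWARD - decrypted packets from the remote subnet routed on to the LAN
# Interface names, subnets and X.X.X.X / Y.Y.Y.Y come from the thread; the
# gateway LAN address 192.168.30.1 is a constructed assumption.

WAN_IF="${WAN_IF:-eth2}"                         # WAN2, where the tunnel terminates
LAN_IF="${LAN_IF:-eth0}"                         # office LAN
LOCAL_NET="${LOCAL_NET:-192.168.30.0/24}"
REMOTE_NET="${REMOTE_NET:-192.168.32.0/20}"
GATEWAY_WAN_IP="${GATEWAY_WAN_IP:-X.X.X.X}"      # placeholder: Zentyal public IP
GATEWAY_LAN_IP="${GATEWAY_LAN_IP:-192.168.30.1}" # assumed
PEER_IP="${PEER_IP:-Y.Y.Y.Y}"                    # placeholder: SonicWall public IP

# Which filter chain a packet arriving on the WAN is evaluated in:
# addressed to the gateway itself -> INPUT; routed onward -> FORWARD.
chain_for_dst() {
    case "$1" in
        "$GATEWAY_WAN_IP"|"$GATEWAY_LAN_IP") echo INPUT ;;
        *) echo FORWARD ;;
    esac
}

# Emit the rules, one iptables command per line (dry run).
# -I puts them ahead of any existing generic DROP. The FORWARD rules use the
# xfrm policy match, so only traffic that really arrived inside the tunnel is
# accepted: a cleartext packet on the WAN with a forged 192.168.32.0/20 source
# does not satisfy "--pol ipsec". The nat rule keeps tunnel traffic out of
# MASQUERADE so replies leave with their real LAN source address.
ipsec_rules() {
    cat <<EOF
iptables -I INPUT -i $WAN_IF -s $PEER_IP -p udp --dport 500 -j ACCEPT
iptables -I INPUT -i $WAN_IF -s $PEER_IP -p udp --dport 4500 -j ACCEPT
iptables -I INPUT -i $WAN_IF -s $PEER_IP -p esp -j ACCEPT
iptables -I FORWARD -i $WAN_IF -o $LAN_IF -s $REMOTE_NET -d $LOCAL_NET -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -I FORWARD -i $LAN_IF -o $WAN_IF -s $LOCAL_NET -d $REMOTE_NET -m policy --dir out --pol ipsec --proto esp -j ACCEPT
iptables -t nat -I POSTROUTING -s $LOCAL_NET -d $REMOTE_NET -m policy --dir out --pol ipsec -j ACCEPT
EOF
}

# Number of emitted rules for a chain name, e.g. rule_count FORWARD -> 2.
rule_count() {
    ipsec_rules | grep -c -- "-I $1 "
}

# Usage: sh ipsec-rules.sh          print the rules
#        sh ipsec-rules.sh --apply  execute them (needs root and iptables)
if [ "${1:-}" = "--apply" ]; then
    ipsec_rules | sh -e
else
    ipsec_rules
fi
```

Zentyal regenerates its iptables chains from its module configuration whenever the firewall module is restarted, so rules typed at the shell as in the thread disappear on the next restart; on a Zentyal box the equivalent allow has to be expressed through the GUI, and the script above is mainly useful to see which chain each of the poster's GUI sections actually maps to.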