
Problem with routing on SecuRemote



Vladimir75
2006-05-04, 09:10
I have the following network topology:
________________________________________
VPN Gateway (NG AI R55 HFA17)
External interface 192.168.60.1 255.255.255.0
Internal interface 192.168.50.4 255.255.255.0
________________________________________

External host with SecuRemote (R55 HFA03)
192.168.60.33 255.255.255.0
________________________________________

Internal host
192.168.50.2 255.255.255.0
________________________________________


I have created a group for my SecuRemote users.
Then I created a group (internal_hosts) consisting of the internal address (192.168.50.2) of the host I wanted to allow my SecuRemote users access to. Then I specified this group as the firewall's encryption domain.

Next I configured RemoteAccessCommunity and the following rule:

Source: Any

Destination: internal_hosts

VPN: RemoteAccessCommunity

Service: Any

Action: Accept



Then I installed SecuRemote on the client PCs and configured it in transparent mode. Then SecuRemote connected to the firewall to download site information. The obtained userc.c file contains the following information:

:gws (
: (192.168.60.1.fw3
:obj (
: (192.168.50.4)
)
:keymanager (
:type (refobj)
:refname ("#_192.168.60.1")
)
:allowed_interface_ranges (
: (192.168.60.1
:allowed_range (
: (
:type (machines_range)
:ipaddr_first (0.0.0.0)
:ipaddr_last (192.168.49.255)
)
: (
:type (machines_range)
:ipaddr_first (192.168.51.0)
:ipaddr_last (255.255.255.255)
)
)
:is_ext (true)
:is_natted (false)
)
: (192.168.50.4
:allowed_range (
: (
:type (machines_range)
:ipaddr_first (192.168.50.0)
:ipaddr_last (192.168.50.255)
)
)
:is_ext (false)
:is_natted (false)
)
)
:resolve_interface_ranges (true)
:ifaddrs (
: (192.168.50.4)
: (192.168.60.1)
)
:topology (
: (
:name (192.168.60.1.fw3.0)
:type (host)
:ipaddr (192.168.50.2)
:ipmask (255.255.255.255)
)
: (
:name (192.168.60.1.fw3.1)
:type (host)
:ipaddr (192.168.50.4)
:ipmask (255.255.255.255)
)
: (
:name (192.168.60.1.fw3.2)
:type (host)
:ipaddr (192.168.60.1)
:ipmask (255.255.255.255)
)
)


And then when I tried to ping the host 192.168.50.2 from the host 192.168.60.33 I received the message "Destination host unreachable", but when I added a route to 192.168.50.0 in the routing table of the host 192.168.60.33 (route add 192.168.50.0 mask 255.255.255.0 192.168.60.1) the VPN tunnel was established and the host 192.168.60.33 received an echo response.

My question is: "Should I see a new route in the routing table on the host (192.168.60.33) after installing SecuRemote?"
And if the answer is no, then the next question is: "Why doesn't the routing process on SecuRemote work?"

Thanks in advance

chillyjim
2006-05-04, 11:01
Yes, you should see the SecuRemote routes with a "netstat -rn" or "route print" (if on a win32 box).

Do you have the windows "firewall" running?

One thing to note, I have seen it where SR doesn't work right if the client and gateway are on the same network. I don't know why, and it is very unpredictable, but I have seen it.

Vladimir75
2006-05-05, 06:12
I have understood this problem when the VPN gateway and SR are on the same network.
I want to note that I configured neither a default route nor a specific route to the 50 network (it is very important!!!!).
After installing SR the protocol stack looks as follows:
_______________
|real protocol|
|_____________|
|FW adapter   |
|_____________|
|FW protocol  |
|_____________|
|real adapter |
|_____________|


Now when the packet passes through the stack, it is routed by the host routing table. The default route and the route to 192.168.50.0 are not in the routing table, therefore the host does not know where to route the packet for 192.168.50.0 and drops this packet with the message "Destination host unreachable".
But if a route to 192.168.50.0 or any (!!!!) default route is added, then the packet gets to the 'FW adapter' level, where the SecuRemote kernel handles this packet.

The SecuRemote kernel can determine if an outgoing or incoming packet is going to or coming from an encryption domain and so should be encrypted or decrypted.

The SecuRemote kernel also knows with which SecuRemote Server the encryption will take place, and invokes the daemon in order to exchange a key with the SecuRemote Server.

Thus the packet will be directed to the VPN gateway by SR; most important is that there was ANY default route (even a wrong one is admissible) or a route to 192.168.50.0.
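As an added illustration of the diagnosis in this thread (not code from the thread or from Check Point): a small Python check that pulls the encryption-domain hosts out of the :topology block of a userc.c file, then runs a longest-prefix match over the host's routing table to show whether a packet to each host is handed on to the FW adapter or dropped by the OS stack first. The topology excerpt and the routing tables are constructed from the addresses posted above; the "on-link" label for the connected route is an assumption, not Windows output.

```python
import ipaddress
import re

# Constructed excerpt of the userc.c :topology block posted in the thread.
USERC_TOPOLOGY = """
:topology (
: (
:name (192.168.60.1.fw3.0)
:type (host)
:ipaddr (192.168.50.2)
:ipmask (255.255.255.255)
)
: (
:name (192.168.60.1.fw3.1)
:type (host)
:ipaddr (192.168.50.4)
:ipmask (255.255.255.255)
)
)
"""

def parse_topology(text):
    """Extract the encryption-domain networks from a userc.c :topology block."""
    pairs = re.findall(r":ipaddr \(([\d.]+)\)\s*:ipmask \(([\d.]+)\)", text)
    return [ipaddress.ip_network(f"{a}/{m}", strict=False) for a, m in pairs]

def lookup(routes, dst):
    """Longest-prefix match over a routing table of (prefix, next_hop) pairs;
    this is what the OS stack does before the packet reaches the FW adapter."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return None if best is None else best[1]

def check_reachability(routes, topology_text):
    """Map each encryption-domain host to the next hop the local stack would use,
    or None where it drops the packet (Destination host unreachable) before SR runs."""
    return {str(net.network_address): lookup(routes, str(net.network_address))
            for net in parse_topology(topology_text)}

# Constructed routing tables for the SecuRemote host 192.168.60.33.
# "on-link" marks the connected route (assumed label, not Windows output).
NO_ROUTE = [("192.168.60.0/24", "on-link")]
SPECIFIC_ROUTE = NO_ROUTE + [("192.168.50.0/24", "192.168.60.1")]
DEFAULT_ROUTE = NO_ROUTE + [("0.0.0.0/0", "192.168.60.254")]  # any gateway will do
```

check_reachability(NO_ROUTE, USERC_TOPOLOGY) returns None for both hosts, while either of the other two tables returns a next hop, which matches the behaviour described in the thread.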