  1. #1 Untangler (Join Date: Apr 2010, Posts: 32)

    Issue IPSec VPN -> external interface

    Hi,

    I have an issue: I connected an IPSec tunnel with a Draytek (we normally used Draytek-Draytek tunneling; now we use Untangle-Draytek, for a test).

    All works perfectly, but we have 1 issue.
    Our Untangle is also a NAT router with a webmail site behind it, for example:

    http://webmail.online3000.nl
    External IP 217.67.239.25 of the Untangle, which redirects port 80 to an internal server behind the router.

    The issue is that the office with the Draytek, which is connected to the Untangle in the datacenter, cannot connect anymore to this website (the external interface of the Untangle).

    When I connect to webmail on the internal IP, it works. But when I connect from the office with the Draytek to the EXTERNAL INTERFACE of the Untangle, it doesn't work!

    Do you have any idea what I'm doing wrong? (Or is it a bug?)

    Like to hear and I hope you understand.

    Regards,

    Marco de Groot
    HD Services

  2. #2 Untangle Ninja sky-knight (Join Date: Apr 2008, Location: Phoenix, AZ, Posts: 26,510)

    The Draytek is routing all packets over the VPN tunnel. Untangle clients cannot use port forwards on the Untangle server under normal circumstances.

    Double-check your port forward rule to ensure you don't have a source interface directive; if you do, you aren't coming in on external, so it won't work.

    Step 2

    In your case, the change to force hairpin NAT may cause issues with the IPSec; I haven't tested this yet. You may want to try it? Config -> Networking -> Advanced -> General

    Untick "Only NAT WAN Traffic"

    If this solution seems to cause other issues with VPN traffic, the only remaining solution is to fix your DNS to resolve the webmail.online3000.nl name to the appropriate internal address.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  3. #3 Untangler (Join Date: Apr 2010, Posts: 32)

    Hey Sky-knight,

    Thanks for the reply.
    I did check the NAT rule; it's a SIMPLE rule, not ADVANCED. Would it help if I make it advanced and make any changes to the rule with the source interface or so?

    I do not understand what hairpin NAT is; can you explain this?

    I have unticked Only NAT WAN Traffic, but I still cannot reach the external interface.

    I cannot even PING Untangle on the WAN interface from the office?

    There is something Untangle does differently than the Draytek, because Draytek-Draytek doesn't have this issue.

    I know I can change the internal DNS easily, but the problem is we have several of these DNS thingies, so it's hard to keep this up.

    I hope we can work it out and fix it!
    Is this the same behaviour with a CISCO router, or other vendors?
    Or is it only a Draytek issue?

  4. #4 Untangle Ninja sky-knight (Join Date: Apr 2008, Location: Phoenix, AZ, Posts: 26,510)

    Yes, Untangle's VPN implementation is very different from the Draytek's; it's different from everything.

    That's why it's Untangle: it's different, we hope in the better direction, but life is always interesting.

    Hairpin NAT / NAT reflection are two terms that describe the same process. Traffic that originates from a network passes through a NAT engine, impacts on the public interface attached to that NAT engine, and is then re-translated and forwarded to an internal destination.

    Imagine your packets making a U-turn inside the router. Untangle doesn't allow this behavior by default. Why? Because it's considered a bad configuration and a security problem. We can debate the merits of that thinking, but it's backed by Cisco... so...

    Anyway, the Only NAT WAN Traffic rule prevents hairpin NAT, but it also allows multiple internal segments to operate behind Untangle and route to each other without engaging NAT. So if you turn that option off, you can potentially break other internal communications.

    As for the port forward rule, make it advanced. I have zero use for "simple" rules. They don't properly describe what is configured. If you make that rule advanced and it has a source interface directive, that is your issue. That directive needs to be removed.
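    The two mechanisms discussed in the replies above (a port forward bound to the WAN interface, and hairpin NAT versus "Only NAT WAN Traffic"), as an added toy simulation that is not part of this thread and not Untangle's code. A router applies one port forward for TCP/80 on its public address and, per scenario, either binds that rule to the WAN interface, leaves internally sourced flows un-NATed, or source-NATs them to its own LAN address (hairpin). Only the public address 217.67.239.25 and port 80 come from the thread; the server, client and router addresses, the interface names and the 10.0.0.0/24 LAN are constructed, and the model shows the generic failure modes without attempting to reproduce the IPSec-specific behaviour the thread leaves unresolved.

```python
"""Toy model of a NAT router with a single port forward (TCP/80 on the public
address), showing why a client behind that router can fail to reach the public
address and what a source-interface directive and hairpin NAT each change.

Added illustration, not Untangle's code.  The public address 217.67.239.25 and
port 80 come from the thread; every other value is constructed.
"""

from dataclasses import dataclass, field
from typing import Optional

WAN_IP = "217.67.239.25"          # from the thread
ROUTER_LAN_IP = "10.0.0.1"        # constructed
SERVER_IP = "10.0.0.10"           # constructed: webmail host behind the router
LAN_CLIENT = "10.0.0.50"          # constructed: host on the same LAN as the server
VPN_CLIENT = "192.168.1.20"       # constructed: office host reached over the tunnel
INTERNET_CLIENT = "203.0.113.5"   # constructed (documentation range)


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    in_if: str  # interface the packet entered the router on: "wan", "lan", "ipsec"


@dataclass
class Router:
    # "wan" models a port-forward rule carrying a source-interface directive;
    # None models the same rule with that directive removed.
    forward_iface: Optional[str]
    # True models "Only NAT WAN Traffic" ticked (no SNAT on internal flows);
    # False lets internal flows be source-NATed to the router (hairpin NAT).
    nat_wan_only: bool
    conntrack: dict = field(default_factory=dict)

    def translate_in(self, pkt: Packet) -> Optional[Packet]:
        """DNAT a packet addressed to the public port; returns what the server
        receives, or None if the port-forward rule does not match."""
        if (pkt.dst, pkt.dport) != (WAN_IP, 80):
            return None
        if self.forward_iface is not None and pkt.in_if != self.forward_iface:
            return None  # rule bound to the WAN interface; packet came in elsewhere
        src = pkt.src
        if pkt.in_if != "wan" and not self.nat_wan_only:
            src = ROUTER_LAN_IP  # hairpin: the server answers the router, not the client
        # Keyed on the translated tuple; a real engine remaps the port on collision.
        self.conntrack[(src, pkt.sport)] = pkt
        return Packet(src, SERVER_IP, pkt.sport, 80, "router")

    def translate_out(self, reply: Packet) -> Packet:
        """Reverse the translation for a reply that comes back through the router."""
        orig = self.conntrack.get((reply.dst, reply.dport))
        if orig is None:
            return reply
        return Packet(WAN_IP, orig.src, 80, orig.sport, "router")


def same_lan(a: str, b: str) -> bool:
    """Constructed topology: the server LAN is 10.0.0.0/24."""
    return a.rsplit(".", 1)[0] == b.rsplit(".", 1)[0] == "10.0.0"


def attempt(router: Router, client: str, in_if: str) -> str:
    """Simulate one connection attempt from `client` to the public address."""
    request = Packet(client, WAN_IP, 40000, 80, in_if)
    seen_by_server = router.translate_in(request)
    if seen_by_server is None:
        return "no_forward"  # nothing answers on the public port from this side
    reply = Packet(SERVER_IP, seen_by_server.src, 80, seen_by_server.sport, "lan")
    if same_lan(reply.dst, SERVER_IP) and reply.dst != ROUTER_LAN_IP:
        delivered = reply  # same segment: the server answers the client directly
    else:
        delivered = router.translate_out(reply)  # reply travels back via the router
    # The client is talking to WAN_IP; an answer from any other address is not
    # part of its connection, so the handshake never completes.
    return "ok" if delivered.src == WAN_IP else "reply_from_wrong_address"


def run_scenarios() -> dict:
    """Outcome per scenario; keys are constructed labels."""
    results = {}
    bound = Router(forward_iface="wan", nat_wan_only=True)
    results["bound_rule/vpn"] = attempt(bound, VPN_CLIENT, "ipsec")
    results["bound_rule/internet"] = attempt(bound, INTERNET_CLIENT, "wan")
    unbound = Router(forward_iface=None, nat_wan_only=True)
    results["wan_only_nat/lan"] = attempt(unbound, LAN_CLIENT, "lan")
    hairpin = Router(forward_iface=None, nat_wan_only=False)
    results["hairpin/lan"] = attempt(hairpin, LAN_CLIENT, "lan")
    results["hairpin/vpn"] = attempt(hairpin, VPN_CLIENT, "ipsec")
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:22} {outcome}")
```

    Three outcomes appear: `no_forward` when the rule carries the source-interface directive and the packet did not enter on WAN (the first reply's point), `reply_from_wrong_address` when a same-segment client is forwarded without source NAT and the server answers it directly, bypassing the router's translation state, and `ok` once hairpin NAT makes the server reply via the router so the client sees the public address it connected to. The trade-off named in the fourth post holds in the model too: hairpin works only because internal flows are rewritten to the router's address, which is exactly what "Only NAT WAN Traffic" exists to avoid.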

  5. #5 Untangler (Join Date: Apr 2010, Posts: 32)

    This is the advanced rule, see link:
    http://imageshack.us/photo/my-images...tuntangle.jpg/

    Everything seems OK, right?

    Any other suggestions?

    Regards,

    Marco

  6. #6 Untangle Ninja sky-knight (Join Date: Apr 2008, Location: Phoenix, AZ, Posts: 26,510)

    Yes, that rule should be working inside. If after all that it still isn't working, you're just going to have to configure your DNS servers to serve up the private IP address.
