site to site VPN via zeroshell


This topic contains 0 replies, has 0 voices, and was last updated by  devplan 9 years, 2 months ago.

  • #42572

    devplan
    Member

    Hi,

    I’m trying to establish a site to site VPN basically from router to router.

    For added security I want to place one of those routers (where the VPN ends) behind zeroshell. I did a little research on this on the net and found out that I would need to configure zeroshell to forward specific ports, I believe port 500 and 4500.

    However, upon configuring this under ROUTER > Virtual Server it does not work.

    Currently I’m at a loss as to why this does not work and would need some help on this.

    I even set up a test locally whereby I connected my 2 VPN routers via 2 other routers (these both had the mentioned ports forwarded) and it worked perfectly. However, when trying to implement this for real via zeroshell it does not work.

    Any help or suggestions would be appreciated.

    I am running Zeroshell 1.0.beta12.

    Output of iptables -L -v

    root@zeroshell root> iptables -L -v
    Chain INPUT (policy ACCEPT 3946 packets, 494K bytes)
    pkts bytes target prot opt in out source destination
    4519 540K SYS_INPUT all -- any any anywhere anywhere
    31 1632 SYS_HTTPS tcp -- any any anywhere anywhere tcp dpt:http
    87 12341 SYS_HTTPS tcp -- any any anywhere anywhere tcp dpt:https
    291 20092 SYS_SSH tcp -- any any anywhere anywhere tcp dpt:ssh
    0 0 ACCEPT udp -- ETH01 any anywhere anywhere udp spt:isakmp dpt:isakmp
    0 0 ACCEPT tcp -- ETH01 any anywhere anywhere tcp dpt:ssh
    0 0 ACCEPT udp -- ETH01 any anywhere anywhere udp spt:ipsec-msft dpt:ipsec-msft
    0 0 ACCEPT tcp -- ETH01 any anywhere anywhere tcp spt:isakmp dpt:isakmp
    0 0 ACCEPT tcp -- ETH01 any anywhere anywhere tcp spt:ipsec-msft dpt:ipsec-msft

    Chain FORWARD (policy ACCEPT 1167K packets, 969M bytes)
    pkts bytes target prot opt in out source destination

    Chain OUTPUT (policy ACCEPT 2350 packets, 362K bytes)
    pkts bytes target prot opt in out source destination
    2555 377K SYS_OUTPUT all -- any any anywhere anywhere

    Chain NetBalancer (0 references)
    pkts bytes target prot opt in out source destination

    Chain SYS_HTTPS (2 references)
    pkts bytes target prot opt in out source destination
    0 0 ACCEPT all -- lo any anywhere anywhere
    118 13973 ACCEPT all -- any any anywhere anywhere

    Chain SYS_INPUT (1 references)
    pkts bytes target prot opt in out source destination
    22 1867 ACCEPT all -- lo any anywhere anywhere
    0 0 ACCEPT udp -- any any anywhere anywhere udp spt:domain state ESTABLISHED
    0 0 ACCEPT tcp -- any any anywhere anywhere tcp spt:http state ESTABLISHED
    0 0 ACCEPT tcp -- any any anywhere anywhere tcp spt:8245 state ESTABLISHED
    142 10792 ACCEPT udp -- any any anywhere anywhere udp spt:ntp state ESTABLISHED
    4355 528K RETURN all -- any any anywhere anywhere

    Chain SYS_OUTPUT (1 references)
    pkts bytes target prot opt in out source destination
    22 1867 ACCEPT all -- any lo anywhere anywhere
    0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:domain
    39 1560 ACCEPT tcp -- any any anywhere anywhere tcp dpt:http
    0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:8245
    144 10944 ACCEPT udp -- any any anywhere anywhere udp dpt:ntp
    2350 362K RETURN all -- any any anywhere anywhere

    Chain SYS_SSH (1 references)
    pkts bytes target prot opt in out source destination
    0 0 ACCEPT all -- lo any anywhere anywhere
    291 20092 ACCEPT all -- any any anywhere anywhere

    Output of iptables -t nat -L -v

    root@zeroshell root>  iptables -t nat -L -v
    Chain PREROUTING (policy ACCEPT 26738 packets, 2555K bytes)
    pkts bytes target prot opt in out source destination
    0 0 DNAT tcp -- ETH01 any anywhere anywhere tcp dpt:pptp to:192.168.0.229:1723
    0 0 DNAT udp -- ETH01 any anywhere anywhere udp dpt:pptp to:192.168.0.229:1723
    0 0 DNAT tcp -- any any anywhere anywhere tcp dpt:isakmp to:192.168.0.100:500
    2 272 DNAT udp -- any any anywhere anywhere udp dpt:isakmp to:192.168.0.100:500
    0 0 DNAT tcp -- any any anywhere anywhere tcp dpt:ipsec-msft to:192.168.0.100:4500
    0 0 DNAT udp -- any any anywhere anywhere udp dpt:ipsec-msft to:192.168.0.100:4500
    0 0 DNAT udp -- ETH01 any anywhere anywhere udp dpt:isakmp to:192.168.0.100:500
    0 0 DNAT udp -- ETH01 any anywhere anywhere udp dpt:ipsec-msft to:192.168.0.100:4500

    Chain POSTROUTING (policy ACCEPT 27 packets, 1649 bytes)
    pkts bytes target prot opt in out source destination
    24336 2214K SNATVS all -- any any anywhere anywhere
    22 4032 MASQUERADE all -- any ETH00 anywhere anywhere
    24288 2209K MASQUERADE all -- any ETH01 anywhere anywhere

    Chain OUTPUT (policy ACCEPT 169 packets, 15159 bytes)
    pkts bytes target prot opt in out source destination

    Chain SNATVS (1 references)
    pkts bytes target prot opt in out source destination

    rgds, devplan
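As an added example (not code from the post or from Zeroshell), the script below parses the PREROUTING output quoted above and reports, for IKE (UDP/500) and NAT-T (UDP/4500), whether a DNAT rule facing the WAN exists and how many packets it has matched; the rule counters are the quickest way to tell whether the peer's traffic is reaching the forwarding box at all. It assumes ETH01 is the WAN interface (inferred from the MASQUERADE rules) and that the output format is that of `iptables -L -v`.

```python
import re

# Constructed from the `iptables -t nat -L -v` PREROUTING output quoted in the post.
NAT_PREROUTING = """\
Chain PREROUTING (policy ACCEPT 26738 packets, 2555K bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- ETH01 any anywhere anywhere tcp dpt:pptp to:192.168.0.229:1723
0 0 DNAT udp -- ETH01 any anywhere anywhere udp dpt:pptp to:192.168.0.229:1723
0 0 DNAT tcp -- any any anywhere anywhere tcp dpt:isakmp to:192.168.0.100:500
2 272 DNAT udp -- any any anywhere anywhere udp dpt:isakmp to:192.168.0.100:500
0 0 DNAT tcp -- any any anywhere anywhere tcp dpt:ipsec-msft to:192.168.0.100:4500
0 0 DNAT udp -- any any anywhere anywhere udp dpt:ipsec-msft to:192.168.0.100:4500
0 0 DNAT udp -- ETH01 any anywhere anywhere udp dpt:isakmp to:192.168.0.100:500
0 0 DNAT udp -- ETH01 any anywhere anywhere udp dpt:ipsec-msft to:192.168.0.100:4500
"""

# Columns of `iptables -L -v`: pkts bytes target prot opt in out source destination [match ...]
DNAT_RE = re.compile(
    r"^\s*(\d+)\s+\d+[KMG]?\s+DNAT\s+(\w+)\s+--\s+(\S+)\s+\S+\s+\S+\s+\S+\s+\w+\s+dpt:(\S+)\s+to:(\S+)"
)
# iptables prints well-known ports by their /etc/services name; map the two IPsec uses.
SERVICE_PORTS = {"isakmp": 500, "ipsec-msft": 4500}

def parse_dnat_rules(text):
    """Return one dict per DNAT rule: packet counter, protocol, in-interface, dport, target."""
    rules = []
    for line in text.splitlines():
        m = DNAT_RE.match(line)
        if not m:
            continue
        pkts, proto, iface, dport, target = m.groups()
        port = SERVICE_PORTS.get(dport, int(dport) if dport.isdigit() else dport)
        rules.append({"pkts": int(pkts), "proto": proto, "in": iface, "dport": port, "to": target})
    return rules

def check_ipsec_forwarding(rules, wan_if="ETH01"):  # wan_if is an assumption for this setup
    """Report whether a WAN-facing UDP DNAT rule exists for IKE (500) and NAT-T (4500)
    and how many packets it matched. ESP (IP protocol 50) has no port and cannot be
    port-forwarded, so a peer behind NAT must negotiate NAT-T over UDP/4500."""
    report = {}
    for port in (500, 4500):
        hits = [r for r in rules
                if r["proto"] == "udp" and r["dport"] == port and r["in"] in ("any", wan_if)]
        report[f"udp/{port}"] = "missing" if not hits else f"matched {sum(r['pkts'] for r in hits)} packets"
    return report

if __name__ == "__main__":
    for name, status in check_ipsec_forwarding(parse_dnat_rules(NAT_PREROUTING)).items():
        print(name, status)
```

On the quoted output this reports UDP/500 matched 2 packets and UDP/4500 matched 0, so IKE reached Zeroshell but no NAT-T traffic ever did; that is where to look next.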

    #50885

    ppalias
    Member

    Your setup is correct. Could you provide us with more information about the VPN you want to set up? Which routers terminate the VPN? You can also create a secure VPN with zeroshell in order to avoid using 2 more routers.
