Hi all,
I've been trying to set up an IPsec tunnel between an ERL and a Barracuda NGFW for nearly 2 weeks but can't get it to work, so that all traffic from the ERL site goes to the Barracuda site.
My config on the ERL:
firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            description "Allow IPSEC ESP"
            log disable
            protocol esp
        }
        rule 21 {
            action accept
            description "Allow ICMP"
            log disable
            protocol icmp
        }
        rule 22 {
            action accept
            destination {
                port 443
            }
            protocol tcp
        }
        rule 40 {
            action accept
            description "Allow IPSEC IKE"
            destination {
                port 500
            }
            protocol tcp_udp
        }
        rule 50 {
            action accept
            description "Allow SSH"
            destination {
                port 22
            }
            protocol tcp
        }
        rule 70 {
            action accept
            description "Allow IPSEC IKE"
            destination {
                port 4500
            }
            protocol udp
        }
        rule 80 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description "Internet - WAN"
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        duplex auto
        speed auto
    }
    ethernet eth2 {
        address 10.49.114.129/25
        description Local
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface eth2
    wan-interface eth0
}
protocols {
    static {
        route 0.0.0.0/0 {
            next-hop 10.49.247.20 {
            }
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name ISSDE {
            authoritative disable
            subnet 10.49.114.128/25 {
                default-router 10.49.114.129
                dns-server 10.49.128.166
                domain-name region.iss.biz
                lease 86400
                start 10.49.114.190 {
                    stop 10.49.114.254
                }
            }
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5000 {
            description "Exclude IPSEC traffic from eth0"
            destination {
                address 87.193.138.172
            }
            exclude
            outbound-interface eth0
            protocol all
            source {
                address 10.49.114.128/25
            }
            type masquerade
        }
        rule 5001 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    config-management {
        commit-revisions 10
    }
    domain-name region.iss.biz
    host-name ISSDERDxx114129
    login {
        user [...] {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
            level admin
        }
        user ubnt {
            authentication {
                encrypted-password ****************
            }
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        hwnat disable
        ipsec enable
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone Europe/Berlin
    traffic-analysis {
        dpi enable
    }
}
vpn {
    ipsec {
        auto-firewall-nat-exclude enable
        esp-group FOO0 {
            lifetime 3600
            pfs enable
            proposal 1 {
                encryption aes256
                hash sha1
            }
        }
        ike-group FOO0 {
            lifetime 28800
            proposal 1 {
                dh-group 14
                encryption aes256
                hash sha1
            }
        }
        ipsec-interfaces {
            interface eth0
        }
        site-to-site {
            peer 87.193.138.172 {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                connection-type initiate
                description ISSDEHQ
                ike-group FOO0
                ikev2-reauth inherit
                local-address 0.0.0.0
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group FOO0
                    local {
                        prefix 10.49.114.128/25
                    }
                    protocol all
                    remote {
                        prefix 0.0.0.0/0
                    }
                }
            }
        }
    }
}
show vpn ipsec sa
peer-87.193.138.172-tunnel-1: #1, ESTABLISHED, IKEv1, a195cd7e2d83fa6c:5cd9c41d91a910c4
  local  '192.168.0.12' @ 192.168.0.12
  remote '87.193.138.172' @ 87.193.138.172
  AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
  established 1147s ago, reauth in 26749s
  peer-87.193.138.172-tunnel-1: #1, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/HMAC_SHA1_96/MODP_2048
    installed 1147 ago, rekeying in 1780s, expires in 2454s
    in  cb487699, 5884 bytes, 77 packets, 4s ago
    out 16f2c23a, 5884 bytes, 77 packets, 4s ago
    local  10.49.114.128/25
    remote 0.0.0.0/0
show ip route table all
default via 192.168.0.254 dev eth0 table 220 proto static src 10.49.114.129
default via 192.168.0.254 dev eth0 proto zebra
10.49.114.128/25 dev eth2 proto kernel scope link
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.12
broadcast 10.49.114.128 dev eth2 table local proto kernel scope link src 10.49.114.129
local 10.49.114.129 dev eth2 table local proto kernel scope host src 10.49.114.129
broadcast 10.49.114.255 dev eth2 table local proto kernel scope link src 10.49.114.129
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.0.0 dev eth0 table local proto kernel scope link src 192.168.0.12
local 192.168.0.12 dev eth0 table local proto kernel scope host src 192.168.0.12
broadcast 192.168.0.255 dev eth0 table local proto kernel scope link src 192.168.0.12
unreachable default dev lo proto kernel metric 4294967295 error -128
fe80::/64 dev eth0 proto kernel metric 256
fe80::/64 dev eth2 proto kernel metric 256
unreachable default dev lo proto kernel metric 4294967295 error -128
local ::1 dev lo table local proto none metric 0
local fe80:: dev lo table local proto none metric 0
local fe80:: dev lo table local proto none metric 0
local fe80::46d9:e7ff:fe9e:f202 dev lo table local proto none metric 0
local fe80::46d9:e7ff:fe9e:f204 dev lo table local proto none metric 0
ff00::/8 dev eth0 table local metric 256
ff00::/8 dev eth2 table local metric 256
unreachable default dev lo proto kernel metric 4294967295 error -128
show ip route
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       > - selected route, * - FIB route, p - stale info

IP Route Table for VRF "default"
S    *> 0.0.0.0/0 [210/0] via 192.168.0.254, eth0
S       0.0.0.0/0 [1/0] via 10.49.247.20 inactive
C    *> 10.49.114.128/25 is directly connected, eth2
C    *> 127.0.0.0/8 is directly connected, lo
C    *> 192.168.0.0/24 is directly connected, eth0
I'm stuck; I've read a lot of threads on the board but can't get it to work.
I hope someone can help me get on track.
Thanks in advance!
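An added consistency check, not code from the post above: it parses an excerpt of the posted config (constructed here in the indented `show configuration` layout, values taken from the post) and reports any site-to-site tunnel whose remote prefix is not the `destination address` of a NAT rule flagged `exclude`. It assumes a manual masquerade exclusion only matches packets whose destination lies inside that address, so with a remote prefix of 0.0.0.0/0 a rule naming only the peer address does not cover LAN-to-remote traffic; the posted `auto-firewall-nat-exclude enable` makes EdgeOS generate its own exclusion, so this only matters when that option is off.

```python
# Constructed excerpt of the posted config, in the indented `show configuration` layout.
CONFIG = """\
nat {
 rule 5000 {
  destination {
   address 87.193.138.172
  }
  exclude
 }
}
vpn {
 ipsec {
  site-to-site {
   peer 87.193.138.172 {
    tunnel 1 {
     local {
      prefix 10.49.114.128/25
     }
     remote {
      prefix 0.0.0.0/0
     }
    }
   }
  }
 }
}
"""

def parse_config(text):
    """Parse the brace layout into nested dicts; a valueless flag such as `exclude` maps to None."""
    root = node = {}
    stack = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line == "}":
            node = stack.pop()                       # leave the current block
        elif line.endswith("{"):
            stack.append(node)                       # `key [value] {` opens a child block
            node = node.setdefault(line[:-1].strip(), {})
        else:
            key, _, value = line.partition(" ")      # `key value` or bare `key`
            node[key] = value or None
    return root

def uncovered_tunnels(cfg):
    """(peer, tunnel, remote prefix) of tunnels no `exclude` NAT rule names as destination: that traffic is still masqueraded."""
    excluded = {r.get("destination", {}).get("address") for r in cfg.get("nat", {}).values() if "exclude" in r}
    return [(peer.split()[1], tun.split()[1], tcfg["remote"]["prefix"])
            for peer, pcfg in cfg["vpn"]["ipsec"]["site-to-site"].items()
            for tun, tcfg in pcfg.items()
            if tun.startswith("tunnel ") and tcfg["remote"]["prefix"] not in excluded]
```

Running `uncovered_tunnels(parse_config(CONFIG))` on the excerpt reports tunnel 1, because rule 5000 excludes only traffic to 87.193.138.172 while the tunnel's remote prefix is 0.0.0.0/0.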