Hey there,
I'm running out of ideas about what could be causing this problem...
Site A:
AVM FritzBox, Firmware 06.51
Local Network: 10.10.0.0/24
Site B:
ERLite, Firmware 1.9
Local Network: 192.168.110.0/24 (en1)
VLANs (en1.120, en1.130, en1.140, en1.190)
The VPN tunnel is up and I can ping the gateways and devices in both directions. However, when I try to access the web interface of a device, no traffic goes through.
FritzBox VPN Config:
{
    enabled = yes;
    conn_type = conntype_lan;
    name = "XXXX";
    always_renew = yes;
    reject_not_encrypted = no;
    dont_filter_netbios = yes;
    localip = 0.0.0.0;
    local_virtualip = 0.0.0.0;
    remoteip = 0.0.0.0;
    remote_virtualip = 0.0.0.0;
    remotehostname = "XXXX";
    keepalive_ip = 0.0.0.0;
    localid {
        fqdn = "XXXX";
    }
    remoteid {
        fqdn = "XXXX";
    }
    mode = phase1_mode_idp;
    phase1ss = "all/all/all";
    keytype = connkeytype_pre_shared;
    key = "XXXX";
    cert_do_server_auth = no;
    use_nat_t = yes;
    use_xauth = no;
    use_cfgmode = no;
    phase2localid {
        ipnet {
            ipaddr = 10.10.0.0;
            mask = 255.255.255.0;
        }
    }
    phase2remoteid {
        ipnet {
            ipaddr = 192.168.110.0;
            mask = 255.255.255.0;
        }
    }
    phase2ss = "esp-all-all/ah-none/comp-all/pfs";
    accesslist = "permit ip any 192.168.110.0 255.255.255.0",
                 "permit ip any 192.168.120.0 255.255.255.0",
                 "permit ip any 192.168.130.0 255.255.255.0",
                 "permit ip any 192.168.140.0 255.255.255.0",
                 "permit ip any 192.168.190.0 255.255.255.0";
}
ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                    "udp 0.0.0.0:4500 0.0.0.0:4500";
ERL VPN Config:
auto-update 60
auto-firewall-nat-exclude enable
disable-uniqreqids
esp-group FOO0 {
    proposal 1 {
        encryption aes256
        hash sha1
    }
}
ike-group FOO0 {
    lifetime 28800
    proposal 1 {
        dh-group 2
        encryption aes256
        hash sha1
    }
}
ipsec-interfaces {
    interface eth0
}
nat-networks {
    allowed-network 0.0.0.0/0 {
    }
}
nat-traversal enable
site-to-site {
    peer XXXX {
        authentication {
            id @XXXX
            mode pre-shared-secret
            pre-shared-secret XXXX
            remote-id @XXXX
        }
        connection-type initiate
        ike-group FOO0
        local-address XXXX
        tunnel 1 {
            allow-nat-networks disable
            allow-public-networks disable
            esp-group FOO0
            local {
                prefix 192.168.110.0/24
            }
            protocol all
            remote {
                prefix 10.10.0.0/24
            }
        }
        tunnel 2 {
            esp-group FOO0
            local {
                prefix 192.168.120.0/24
            }
            remote {
                prefix 10.10.0.0/24
            }
        }
        tunnel 3 {
            esp-group FOO0
            local {
                prefix 192.168.130.0/24
            }
            remote {
                prefix 10.10.0.0/24
            }
        }
        tunnel 4 {
            esp-group FOO0
            local {
                prefix 192.168.140.0/24
            }
            remote {
                prefix 10.10.0.0/24
            }
        }
        tunnel 5 {
            esp-group FOO0
            local {
                prefix 192.168.190.0/24
            }
            remote {
                prefix 10.10.0.0/24
            }
        }
    }
}
ERL Firewall:
all-ping enable
broadcast-ping disable
group {
    address-group ROUTER_ADDRESSES {
        address 192.168.120.1
        address 192.168.130.1
        address 192.168.140.1
        address 192.168.190.1
        address 192.168.110.1
        description "Router Group"
    }
    network-group SITE2SITE_NETS {
        description "Remote Group"
        network 10.10.0.0/24
    }
    network-group VLAN_NETS {
        description "VLAN Group"
        network 192.168.120.0/24
        network 192.168.130.0/24
        network 192.168.140.0/24
        network 192.168.190.0/24
        network 192.168.110.0/24
    }
}
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
name WAN_IN {
    default-action drop
    description "Internet > LAN"
    enable-default-log
    rule 10 {
        action accept
        description "Allow Established"
        log disable
        protocol all
        state {
            established enable
            invalid disable
            new disable
            related enable
        }
    }
    rule 30 {
        action drop
        description "Drop invalid"
        log disable
        protocol all
        state {
            established disable
            invalid enable
            new disable
            related disable
        }
    }
}
name WAN_LOCAL {
    default-action drop
    description "Internet > Gateway"
    enable-default-log
    rule 10 {
        action accept
        description "Accept related"
        log disable
        protocol all
        state {
            established enable
            invalid disable
            new disable
            related enable
        }
    }
    rule 30 {
        action drop
        description "Drop invalid"
        log disable
        protocol all
        state {
            established disable
            invalid enable
            new disable
            related disable
        }
    }
    rule 31 {
        action accept
        description "Allow VPN"
        destination {
            group {
                network-group VLAN_NETS
            }
        }
        ipsec {
            match-ipsec
        }
        log enable
        protocol all
        source {
            group {
                network-group SITE2SITE_NETS
            }
        }
        state {
            established enable
            invalid disable
            new enable
            related enable
        }
    }
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
show vpn ipsec sa:
peer-XXXX-tunnel-1: #1, ESTABLISHED, IKEv1, 5f24492c15402673:5a6214b49027bd90
  local 'XXXX' @ REMOTE_WANIP
  remote 'XXXX' @ LOCAL_WANIP
  AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
  established 2203s ago, reauth in 25936s
  peer-XXXX-tunnel-3: #3, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA1_96/MODP_1024
    installed 1468 ago, rekeying in 1219s, expires in 2133s
    in  cfe5449e, 380 bytes, 5 packets, 1465s ago
    out 88a726d6, 252 bytes, 3 packets, 1465s ago
    local  192.168.130.0/24
    remote 10.10.0.0/24
  peer-XXXX-tunnel-1: #1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA1_96/MODP_1024
    installed 1456 ago, rekeying in 1155s, expires in 2144s
    in  c0b4956a, 424 bytes, 7 packets, 1122s ago
    out 50fa9f1b, 5772 bytes, 6 packets, 1122s ago
    local  192.168.110.0/24
    remote 10.10.0.0/24
Any ideas?
Thanks!