Virtual Private Networking
186
Set up LMHOSTS files on remote hosts to resolve names to IP addresses.
Symptom: Tunnel comes up but the application does not work across the tunnel.
Possible cause: There may be a firewall device blocking IPSec packets. The MTU of the IPSec interface may be too large. The application uses broadcast packets to work.
Solution: Confirm that the problem is the VPN tunnel and not the application being run. These are the steps you can try to find where the problem is (it is assumed that a network to network VPN is being used):
1. Ping from your PC to the Internet IP address of the remote party (it is assumed that the remote party is configured to accept incoming pings).
2. Ping from your PC to the LAN IP address of the remote party.
3. Ping from your PC to a PC on the LAN behind the remote party that the tunnel has been configured to combine.
If you cannot ping the Internet IP address of the remote party, either the remote party is not online or your computer does not have the CyberGuard SG appliance as its default gateway.
If you can ping the Internet IP address of the remote party but not the LAN IP address, then the remote party's LAN IP address or its default gateway has not been configured properly. Also check your network configuration for any devices filtering IPSec packets (IP protocol 50, ESP) and whether your Internet Service Provider is filtering IPSec packets.
If you can ping the LAN IP address of the remote party but not a host on the remote network, then either the local and/or remote subnets of the tunnel settings have been misconfigured or the remote host does not have the remote party as its default gateway.
If you can ping across the tunnel, then check whether the MTU of the IPSec interface is allowing packets to go through. Reduce the MTU if large packets are not being sent through the tunnel.
If the application is still not working across the tunnel, then the problem is with the application. Check that the application uses IP and does not use broadcast packets, since these will not be sent through the CyberGuard SG appliance. You should contact the producer of the application for support.
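The staged ping diagnosis and the MTU check above, as an added example that is not part of the CyberGuard manual: a Python script run from a PC on the local LAN. It assumes Linux iputils ping (whose -M do option sets the don't-fragment bit), and the three remote addresses are supplied on the command line rather than taken from the page.

```python
import subprocess
import sys
from typing import Callable

# Added example, not from the CyberGuard SG manual: runs the staged ping diagnosis
# and the MTU check described above from a PC on the local LAN (Linux iputils ping).

IP_ICMP_OVERHEAD = 28  # 20-byte IP header + 8-byte ICMP header


def diagnose(internet_ok: bool, lan_ok: bool, host_ok: bool) -> str:
    """Map the three ping results onto the troubleshooting tree in the manual."""
    if not internet_ok:
        return "remote party offline, or this PC's default gateway is not the SG appliance"
    if not lan_ok:
        return ("remote LAN address or default gateway misconfigured, or a device "
                "or the ISP is filtering IPSec (protocol 50)")
    if not host_ok:
        return ("tunnel local/remote subnets misconfigured, or the remote host's "
                "default gateway is not the remote party")
    return "tunnel passes traffic: check the MTU next, then the application itself"


def find_path_mtu(probe: Callable[[int], bool], lo: int = 576, hi: int = 1500) -> int:
    """Binary-search the largest total packet size (bytes) that probe() accepts.
    probe(size) returns True when a don't-fragment packet of that size gets
    through; 0 is returned if even the smallest size fails."""
    if not probe(lo):
        return 0
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def ping_df(target: str, size: int) -> bool:
    """One ping with the DF bit set (-M do) so oversized packets fail instead of
    fragmenting; -s takes the ICMP payload size, hence the header subtraction."""
    cmd = ["ping", "-c", "1", "-W", "2", "-M", "do", "-s", str(size - IP_ICMP_OVERHEAD), target]
    return subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL).returncode == 0


if __name__ == "__main__":
    # usage: script.py <remote Internet IP> <remote LAN IP> <host behind remote LAN>
    inet, lan, host = sys.argv[1:4]
    print(diagnose(ping_df(inet, 84), ping_df(lan, 84), ping_df(host, 84)))
    print("largest packet through the tunnel:", find_path_mtu(lambda n: ping_df(host, n)))
```

If the reported size is below the IPSec interface's MTU, lower the MTU to that value.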
GRE
The GRE configuration of the CyberGuard SG appliance allows you to build GRE tunnels to other devices that support the Generic Routing Encapsulation protocol. You can build GRE tunnels to other CyberGuard SG appliances that support GRE, or to other devices such as Cisco equipment.
GRE tunnels are useful for redistributing IPv6 or broadcast and multicast traffic across a VPN connection. They are also useful for carrying unsupported protocols such as IPX or AppleTalk between remote IP networks.
Warning
GRE tunnels are not secure unless they are run over another secure protocol. With a GRE tunnel that runs unprotected over the Internet, it is possible for an attacker to put packets onto your network. If you want a tunneling mechanism to securely connect networks, then you should use IPSec, or tunnel GRE over either IPSec or PPTP tunnels. An example setup that uses GRE to bridge a network over an IPSec tunnel is described in GRE over IPSec.
Setting up a GRE tunnel
In this example we will connect two office networks using a GRE tunnel between two CyberGuard SG appliances. One is located in Brisbane, the other in Slough. The two networks have the following configuration:
CyberGuard SG appliance in Brisbane
  Internet address: 203.23.45.6
  LAN address:      192.168.1.1
  LAN:              192.168.1.0 / 255.255.255.0
CyberGuard SG appliance in Slough
  Internet address: 195.45.67.8
  LAN address:      10.1.0.1
  LAN:              10.1.0.0 / 255.255.0.0
On the Brisbane end, click GRE Tunnels from the VPN menu. Enter the following details:
  GRE Tunnel Name:         to_slough
  Remote External Address: 195.45.67.8
  Local External Address:  203.23.45.6
  Local Internal Address:  192.168.1.1
Click Add. Click Add/Remove under Remote Networks and enter:
  Remote subnet/netmask: 10.1.0.0 / 255.255.0.0
Click Add. The Brisbane end is now set up.
Figure 9-26
On the Slough end, click GRE Tunnels from the VPN menu. Enter the following details:
  GRE Tunnel Name:         to_bris
  Remote External Address: 203.23.45.6
  Local External Address:  195.45.67.8
  Local Internal Address:  10.1.0.1
Click Add. Click Add/Remove under Remote Networks and enter:
  Remote subnet/netmask: 192.168.1.0 / 255.255.255.0
Click Add. The GRE tunnel between the two networks is now set up.
Tunnels may be Disabled, Deleted or Edited from the main table of GRE tunnels. A few further things of note are:
GRE Tunnel Name: The name is arbitrary.
Remote External Address: This may also be in the form of a DNS name, e.g. a dynamic DNS name.
Local External Address: This may also be an Internet port alias address, or the address of a secondary Internet connection through the DMZ port.
Remote subnet/netmask: Multiple networks can be routed through a single GRE tunnel. Add them through Add/Remove under Remote Networks.
GRE over IPSec
In this example we will bridge the 10.11.0.0 / 255.255.0.0 network between the Brisbane and Slough endpoints described in the previous section. For each end, repeat the following steps.
Set up the LAN interface to bridge. Select Network Setup from the left hand menu. For the LAN port's Configuration, select Change to Bridged LAN. Reboot the unit if prompted to do so.
Give the LAN interface bridge a secondary address that is part of the network we want bridged across the tunnel. Select Network Setup from the left hand menu, then Advanced from the Network Setup tabs. Scroll down to Interface Aliases. Select Bridge 0 Port from Interface and enter an IP address that is not part of the network to bridge across the tunnel, and not on the same network as any of the CyberGuard SG appliance's other interfaces.
Figure 9-27
Enter the IP Address / Netmask of 10.254.0.1 / 255.255.255.255 at the Slough end, and 10.254.0.2 / 255.255.255.255 at the Brisbane end. Click Apply and reboot the unit if prompted to do so.
Note
The alias IP addresses are essentially dummy addresses and can be anything that does not conflict with your existing network infrastructure.
Create an IPSec tunnel between Brisbane and Slough. Select IPSec from the left hand menu and Add new tunnel. For a complete overview of all available options when setting up an IPSec tunnel, please refer to the IPSec section earlier in this chapter. Take note of the following important settings:
Set the local party as a single network behind this appliance.
Set the remote party as a single network behind a gateway.
For the Slough end's Phase 2 Settings, specify the Local Network as 10.254.0.1 / 255.255.255.255 and the Remote Network as 10.254.0.2 / 255.255.255.255.
For the Brisbane end's Phase 2 Settings, specify the Local Network as 10.254.0.2 / 255.255.255.255 and the Remote Network as 10.254.0.1 / 255.255.255.255.
Note the 32 bit netmasks (255.255.255.255) being used.
Figure 9-28
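An added check, not part of the CyberGuard manual, for the address rules this procedure states: the bridge alias must lie outside the bridged network and outside every other interface's network, and the Phase 2 selectors must be the two aliases with 32 bit netmasks, mirrored between the ends. The site data is constructed from the Brisbane/Slough values in this chapter; the Internet addresses are treated as /32 because the page gives no mask for them.

```python
from ipaddress import ip_interface, ip_network

# Added example, not part of the CyberGuard SG manual: validates the address rules
# the GRE over IPSec procedure imposes on the bridge alias and Phase 2 selectors.
# Internet addresses are assumed to be /32 here because the page gives no mask.

BRIDGED_NET = ip_network("10.11.0.0/16")  # network to be bridged across the tunnel

SITES = {  # constructed from the Brisbane/Slough example configuration
    "brisbane": {"interfaces": ["203.23.45.6/32", "192.168.1.1/24"],
                 "alias": "10.254.0.2/32",
                 "phase2_local": "10.254.0.2/32", "phase2_remote": "10.254.0.1/32"},
    "slough":   {"interfaces": ["195.45.67.8/32", "10.1.0.1/16"],
                 "alias": "10.254.0.1/32",
                 "phase2_local": "10.254.0.1/32", "phase2_remote": "10.254.0.2/32"},
}


def alias_problems(alias: str, interfaces: list, bridged=BRIDGED_NET) -> list:
    """The bridge alias must be outside the bridged network and outside the
    network of every other interface on the appliance; returns the violations."""
    ip = ip_interface(alias).ip
    problems = []
    if ip in bridged:
        problems.append(f"{ip} lies inside the bridged network {bridged}")
    for iface in interfaces:
        net = ip_interface(iface).network
        if ip in net:
            problems.append(f"{ip} lies on interface network {net}")
    return problems


def phase2_problems(site: dict, peer: dict) -> list:
    """Phase 2 selectors must be the two aliases as /32 host networks and must
    mirror each other: this end's Remote Network is the peer's Local Network."""
    problems = []
    for key in ("phase2_local", "phase2_remote"):
        if ip_network(site[key]).prefixlen != 32:
            problems.append(f"{key} {site[key]} does not use a 32 bit netmask")
    if ip_network(site["phase2_local"]) != ip_network(site["alias"]):
        problems.append("Local Network does not match this end's bridge alias")
    if ip_network(site["phase2_remote"]) != ip_network(peer["alias"]):
        problems.append("Remote Network does not match the peer's bridge alias")
    if ip_network(site["phase2_remote"]) != ip_network(peer["phase2_local"]):
        problems.append("Remote Network is not the peer's Local Network")
    return problems


if __name__ == "__main__":
    for name, site in SITES.items():
        peer = SITES["slough" if name == "brisbane" else "brisbane"]
        print(name, alias_problems(site["alias"], site["interfaces"]) + phase2_problems(site, peer))
```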