Assume you have:
an INSIDE tunnel whose traffic goes out through an OUTSIDE interface;
a NAT rule for the OUTSIDE interfaces used by the INSIDE tunnel.
The IP addresses belonging to that tunnel must not be involved in the NAT rule.
To do that, apply the list "PublicIP" as explained below:
[11:03:45] ABILIS_CPX:d nat
UPNP maps not present
Configured maps
-------------------------------------------------------------------------------
PR: [DESCR:]
INAT: ADD: SNET: DNET: ANET:
ONAT: SPO: DPO: APO: PAT:
SIP: DIP: PROT: TOUT:
-------------------------------------------------------------------------------
0 IN SRC 192.168.010.000/24 'PublicIP' OUT-IP
OUT * * AUTO YES
-------------------------------------------------------------------------------
The following is the configuration of IKE hosts and IKE clients:
[09:21:44] ABILIS_CPX:d ike host
-------------------------------------------------------------------------------
HOST: NAME: LOC-IP: NATT: XAUTH: AUTH: HASH: DH: CIPHER: REM-IP: SIDE: MODE-CFG: XAUTH-USER: XAUTH-PWD:
-------------------------------------------------------------------------------
0 HOST1 080.080.080.080 SYS NO PSK MD5 MODP1024 3DES * INSIDE NO
-------------------------------------------------------------------------------
1 HOST2 080.080.080.080 SYS NO PSK MD5 MODP1024 3DES * INSIDE NO
-------------------------------------------------------------------------------
[09:21:50] ABILIS_CPX:d ike cli
-------------------------------------------------------------------------------
CLI: NAME: HOST-ID: RULE: LIFE-TIME: PFS: ESP: ESP-CIPHER: ESP-AUTH: PASSIVE: PERMANENT: NET-LOC: AH: AH-AUTH: TUNNEL: NET-REM: MODE-CFG-DNS:
-------------------------------------------------------------------------------
0 CLI1 0 IPSEC 28800 YES YES 3DES MD5 YES YES 192.168.010.000/24 NO MD5 YES 192.168.020.107/32 SYS
-------------------------------------------------------------------------------
1 CLI2 1 IPSEC 28800 YES YES 3DES MD5 YES YES 192.168.010.000/24 NO MD5 YES 192.168.020.108/32 SYS
-------------------------------------------------------------------------------
Create a list of public IP addresses:
[10:50:18] ABILIS_CPX:list create PublicIP ru List_of_IP_Public_addresses
COMMAND EXECUTED
[10:52:00] ABILIS_CPX:a list:publicip not.PrivateIpAdd
COMMAND EXECUTED
[10:52:59] ABILIS_CPX:d list:publicip
LIST:PublicIP - RU - Ref-Numb:0 Items-Numb:1 List_of_IP_Public_addresses
--------------------------------------------------------------------------
NOT.PrivateIpAdd
[10:53:03] ABILIS_CPX:
Note | |
---|---|
The list "PrivateIpAdd" is automatically generated by Abilis and it contains the private IP address ranges. |
Exclude private IP addresses from the NAT rule used by the tunnel by setting the DNET parameter to 'PublicIP':
[10:53:06] ABILIS_CPX:d nat
UPNP maps not present
Configured maps
-------------------------------------------------------------------------------
PR: [DESCR:]
INAT: ADD: SNET: DNET: ANET:
ONAT: SPO: DPO: APO: PAT:
SIP: DIP: PROT: TOUT:
-------------------------------------------------------------------------------
0 IN SRC 192.168.010.000/24 * OUT-IP
OUT * * AUTO YES
-------------------------------------------------------------------------------
[11:03:06] ABILIS_CPX:s nat pr:0 dnet:'publicip'
COMMAND EXECUTED
[11:03:45] ABILIS_CPX:d nat
UPNP maps not present
Configured maps - Not Saved (SAVE CONF), Not Refreshed (INIT) ---------------------------------
-------------------------------------------------------------------------------
PR: [DESCR:]
INAT: ADD: SNET: DNET: ANET:
ONAT: SPO: DPO: APO: PAT:
SIP: DIP: PROT: TOUT:
-------------------------------------------------------------------------------
0 IN SRC 192.168.010.000/24 'PublicIP' OUT-IP
OUT * * AUTO YES
-------------------------------------------------------------------------------
Note | |
---|---|
Remember to save the configurations (save conf) and refresh the NAT table (init nat). |
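An offline check of which tunnel selectors the NAT rule would still translate, before and after the DNET change. This is an added example, not Abilis code or output: it models 'PublicIP' as NOT.PrivateIpAdd, assumes PrivateIpAdd holds the RFC 1918 ranges, and uses hypothetical names (`abilis_net`, `nat_status`, `audit`). CLI3 is a constructed client with a public remote network, added to show that such a tunnel is not exempted by this list.

```python
import ipaddress

# Assumption: the auto-generated 'PrivateIpAdd' list holds the RFC 1918 ranges.
PRIVATE_IP_ADD = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def abilis_net(text):
    """Parse Abilis zero-padded notation such as '192.168.010.000/24'."""
    addr, _, plen = text.partition("/")
    octets = ".".join(str(int(o)) for o in addr.split("."))
    return ipaddress.ip_network(f"{octets}/{plen or '32'}")

def nat_status(snet, dnet, net_loc, net_rem):
    """Return 'NAT', 'exempt' or 'partial' for one tunnel selector pair.

    snet/dnet are the NAT rule's SNET and DNET; dnet is '*' or 'PublicIP'
    (modelled here as NOT.PrivateIpAdd). net_loc/net_rem are the IKE
    client's NET-LOC and NET-REM.
    """
    src, dst = abilis_net(net_loc), abilis_net(net_rem)
    if not src.overlaps(abilis_net(snet)):
        return "exempt"                      # rule never matches this source
    if dnet == "*":
        return "NAT"                         # every destination is translated
    if any(dst.subnet_of(p) for p in PRIVATE_IP_ADD):
        return "exempt"                      # whole remote net is private
    if any(dst.overlaps(p) for p in PRIVATE_IP_ADD):
        return "partial"                     # selector straddles the list
    return "NAT"                             # public remote net: still NATed

SNET = "192.168.010.000/24"
# CLI1 and CLI2 are the page's IKE clients; CLI3 is constructed to show a
# tunnel whose remote network is public (documentation range 203.0.113.0/24).
CLIENTS = {
    "CLI1": ("192.168.010.000/24", "192.168.020.107/32"),
    "CLI2": ("192.168.010.000/24", "192.168.020.108/32"),
    "CLI3": ("192.168.010.000/24", "203.000.113.000/24"),
}

def audit(dnet):
    """Status of every client's selectors under the given DNET setting."""
    return {name: nat_status(SNET, dnet, loc, rem)
            for name, (loc, rem) in CLIENTS.items()}

if __name__ == "__main__":
    for dnet in ("*", "PublicIP"):
        print(f"DNET:{dnet:<9}", audit(dnet))
```

A 'NAT' or 'partial' result for a real client means its tunnel traffic would still match the rule and needs a separate exclusion.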