Hi Dan,

It's not clear to me which end can ping what from your original message, but here are a few ideas... If your only purpose for creating a firewall on the Vyatta router was to allow packets to flow through the VPN tunnel, you don't need it. You should delete the firewall or remove it from the interface until you get traffic passing, as the firewall may make this issue more difficult to pinpoint.
The Vyatta router allows all packets through by default. There is no firewall unless you explicitly configure one.

Are you using NAT on either device? NAT has the potential to cause problems when passing traffic over a tunnel. All packets must match the left and right subnets in order to enter the VPN tunnel. If they are modified in any way by some sort of NAT rule, they won't be allowed to enter the tunnel. So, if you're NATing on the Netgear you'll need to find a way to exclude VPN packets from being NATed. If you're NATing on the Vyatta router, you'll need to do the same.

If it doesn't appear to be a NAT issue, you may want to post your configs so we can make sure everything looks correct otherwise.

Thanks!
Robyn

Dan Murray wrote:
> Yes, both tunnels are up. I doubt the tunnels are the problem. As I said, I can use the tunnel just fine one way (pings go through to remote hosts and everything). However, coming back toward the Vyatta net nothing gets through.
>
> I'll look into logging. I still feel like I'm missing a step on the Vyatta side. Normally with a Cisco, after making the route I'd have to make a policy to allow packets to that net, but I thought I did that already with the firewall command. Maybe there's something else I'm missing, routing maybe?
>
> Here's another question - the tunnel is on eth0. When I allow the packets, I'm allowing them from eth0 to the local net - which doesn't seem right, but I don't know how else to do it. Is there another way to refer to the tunnel when I'm specifying a network-to-network policy? I can't imagine it is included in the adapter it goes over.
>
> Thanks,
> Dan
>
> On 10/21/07, Justin Fletcher <[EMAIL PROTECTED]> wrote:
> > Do you have both the IKE and IPsec tunnels up?
> >
> > You can also turn on detailed debug logging in the VPN configuration; that'll give you directions to look.
> >
> > Best,
> > Justin
> >
> > On 10/21/07, Dan Murray <[EMAIL PROTECTED]> wrote:
> > > Not sure - I don't know enough about Vyatta to know. I tried making a firewall rule that allowed that source network to the local destination network, but it didn't seem to help. Any other ideas?
> > >
> > > Thanks,
> > > Dan
> > >
> > > On 10/21/07, David Nalley <[EMAIL PROTECTED]> wrote:
> > > > Hey Dan,
> > > >
> > > > Just a thought, is it a firewall issue?
> > > >
> > > > -----Original Message-----
> > > > From: [EMAIL PROTECTED] on behalf of Dan Murray
> > > > Sent: Sun 10/21/2007 6:21 PM
> > > > To: vyatta-users@mailman.vyatta.com
> > > > Subject: [Vyatta-users] IPSec VPN - almost working! Help please...
> > > >
> > > > Hey guys,
> > > >
> > > > I was impressed with myself, actually able to get an IPSec tunnel up and running between Vyatta and a Netgear router, but I must be missing a final step. The tunnel works just fine, and I made a static route for that subnet and can ping anything on the remote LAN just fine from the Vyatta machine. However, I cannot get from the other side of the network (the remote side) back to the Vyatta net. Is there anything I need to do on the Vyatta end to allow packets to come on through?
> > > >
> > > > Thanks guys,
> > > >
> > > > Dan M

_______________________________________________
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users
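Robyn's point about NAT is the one most often missed in this kind of setup: source NAT runs on the egress path before the IPsec policy is consulted, so a masqueraded packet no longer carries a source address inside the "left" subnet and silently bypasses the tunnel. The model below is an added example written for this thread; it is not Vyatta code and does not use Vyatta's configuration syntax. The addresses, the first-match NAT table, the `exclude` flag and the `IpsecPolicy` selector check are all constructed assumptions, but they reproduce the three states a practitioner actually meets: no exclude rule, an exclude rule shadowed by an earlier masquerade rule, and the correct ordering.

```python
"""Constructed model of outbound source NAT versus IPsec traffic selectors.

Addresses, rule semantics and the first-match NAT table are simplifications
for illustration only, not Vyatta's implementation.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address


@dataclass(frozen=True)
class SourceNatRule:
    """One outbound source-NAT rule; exclude=True leaves matching traffic untranslated."""
    source: IPv4Network
    destination: IPv4Network
    translate_to: Optional[IPv4Address] = None
    exclude: bool = False


@dataclass(frozen=True)
class IpsecPolicy:
    """Site-to-site selectors: left = local subnet, right = remote subnet."""
    left: IPv4Network
    right: IPv4Network


def apply_source_nat(pkt: Packet, rules: List[SourceNatRule]) -> Packet:
    """Rules are evaluated in order and the first match wins.

    A matching exclude rule returns the packet unchanged, so later
    masquerade rules never see it.
    """
    for rule in rules:
        if pkt.src in rule.source and pkt.dst in rule.destination:
            if rule.exclude or rule.translate_to is None:
                return pkt
            return Packet(src=rule.translate_to, dst=pkt.dst)
    return pkt


def enters_tunnel(pkt: Packet, policy: IpsecPolicy) -> bool:
    """A packet is encrypted only if it matches both selectors."""
    return pkt.src in policy.left and pkt.dst in policy.right


def trace(pkt: Packet, rules: List[SourceNatRule],
          policy: IpsecPolicy) -> Tuple[Packet, bool]:
    """Egress order modelled here: NAT first, then the tunnel-selector check."""
    after_nat = apply_source_nat(pkt, rules)
    return after_nat, enters_tunnel(after_nat, policy)


# Constructed topology using documentation and private ranges.
LAN = ip_network("192.168.1.0/24")        # Vyatta side (left)
REMOTE_LAN = ip_network("10.10.0.0/24")   # Netgear side (right)
WAN_IP = ip_address("203.0.113.5")        # Vyatta's public address
ANY = ip_network("0.0.0.0/0")

POLICY = IpsecPolicy(left=LAN, right=REMOTE_LAN)

# Broken: one masquerade rule rewrites every outbound packet, tunnel traffic included.
BROKEN_RULES = [SourceNatRule(LAN, ANY, translate_to=WAN_IP)]

# Shadowed: the exclude rule exists but sits after the masquerade, so it never matches.
SHADOWED_RULES = [
    SourceNatRule(LAN, ANY, translate_to=WAN_IP),
    SourceNatRule(LAN, REMOTE_LAN, exclude=True),
]

# Fixed: the exclude rule for VPN-bound traffic comes before the masquerade.
FIXED_RULES = [
    SourceNatRule(LAN, REMOTE_LAN, exclude=True),
    SourceNatRule(LAN, ANY, translate_to=WAN_IP),
]

VPN_PACKET = Packet(ip_address("192.168.1.10"), ip_address("10.10.0.20"))
INTERNET_PACKET = Packet(ip_address("192.168.1.10"), ip_address("198.51.100.7"))


def audit(rules: List[SourceNatRule], policy: IpsecPolicy) -> dict:
    """Does this rule set keep VPN traffic in the tunnel and still masquerade the rest?"""
    vpn_after, vpn_ok = trace(VPN_PACKET, rules, policy)
    inet_after, _ = trace(INTERNET_PACKET, rules, policy)
    return {
        "vpn_enters_tunnel": vpn_ok,
        "vpn_src_after_nat": str(vpn_after.src),
        "internet_masqueraded": inet_after.src == WAN_IP,
    }


if __name__ == "__main__":
    for name, rules in (("broken", BROKEN_RULES), ("shadowed", SHADOWED_RULES),
                        ("fixed", FIXED_RULES)):
        print(name, audit(rules, POLICY))
```

Running it shows the VPN packet leaving with source 203.0.113.5 under the broken and shadowed rule sets, which is exactly why the far side never sees traffic from the left subnet, while the fixed ordering keeps 192.168.1.10 intact and still masquerades ordinary Internet traffic. The same check applies to Dan's return path on the Netgear: any NAT applied there to packets destined for 192.168.1.0/24 has the mirror-image effect.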