VPN tunnel uses wrong IP [message #138732]
Fri, 09 March 2018 14:41
weidl
Messages: 31 Registered: December 2016
Hi there,
maybe someone here has a helpful hint:
The firewall (Version 9.2.4) has 5 IPs configured at the WAN: .181, .182, .183, .184, .185
The .184 is the "main" IP in the config, the other ones are additional.
Clients appear with the .184 in the internet.
A configured VPN tunnel uses most of the time the .185 for outside connections, but should use the .184.
Sometimes, by changing anything in the config, the .184 is used. But later the .185 is back.
I tried several rules to set up source NAT for this connection, but nothing works.
It looks like the NAT does not work for VPN?
Does anybody know how to bind the VPN tunnel to an IP?
Many thanks
Guenter

Re: VPN tunnel uses wrong IP [message #138770 is a reply to message #138732]
Tue, 13 March 2018 18:06
mwgbr
Messages: 61 Registered: June 2012
Hello Guenter,
I wanted to confirm this. We have the exact same problem.
Because some firewalls from other manufacturers that we want to establish a VPN connection with presume that the right IP is being used for the tunnel, the connection sometimes does not work.
We also did not find a rule which can avoid this.

Re: VPN tunnel uses wrong IP [message #138771 is a reply to message #138770]
Tue, 13 March 2018 19:34
weidl
Messages: 31 Registered: December 2016
Hi,
thanks for this confirmation!!!
I opened a case at GFI support, and maybe it would be helpful if you do this also.
Today they asked for screenshots of the settings.
Hopefully they have a helpful answer.
Guenter

Re: VPN tunnel uses wrong IP [message #138907 is a reply to message #138904]
Sat, 24 March 2018 10:02
weidl
Messages: 31 Registered: December 2016
I spent some hours with tech support on this and we did a long online session.
It starts like this "Oh, it's simple, you have to setup a rule for snat the tunnel" and ends with "ups, very strange".
Now the support will have a closer look at this.

Re: VPN tunnel uses wrong IP [message #139058 is a reply to message #138907]
Thu, 29 March 2018 10:58
weidl
Messages: 31 Registered: December 2016
Hi cedrici,
I found something out by myself:
It seems that the VPN is using the IP which is defined at the WAN interface, shown with "ifconfig eth0".
And any snat rule is not used!!!
E.g. in my installation:
IPs .181 and .185 are additional at the WAN, and .184 is the default.
eth0 is the WAN interface.
ifconfig eth0 shows .185 at the interface and this is used as outgoing IP with the VPN tunnel.
Removing .185 from the WAN interface changes eth0 to .181 and now this is used for VPN.
Removing .181 also from WAN changes eth0 to .184 and VPN is using it.
Now I added .181 and .185 again to WAN and eth0 is still using .184 and VPN is using the correct .184.
Can you confirm this in your installation?
I think the eth0 should use the default IP and it should be possible to define the outgoing IP for active VPN tunnels.
GFI/Kerio support is informed about that, but I got no answer until now.
In my case we changed the VPN to passive, let the other site initiate the tunnel and everything is fine.
Guenter
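
The observation in the post above (the tunnel leaves from whatever address `ifconfig eth0` shows, not from the configured default) can be checked after each config change or reboot. This is an added example, not part of the original post or vendor code: it parses `ip -o -4 addr show dev eth0` output and reports whether the interface's primary address is the one the remote peer expects. It assumes a Linux host with iproute2; the 203.0.113.0/24 prefix and the function names are constructed, only the last octets come from the thread.

```python
import re

# Constructed sample of `ip -o -4 addr show dev eth0` output.
# 203.0.113.0/24 is a documentation range; only the last octets match the thread.
SAMPLE = """\
2: eth0    inet 203.0.113.185/24 brd 203.0.113.255 scope global eth0\\       valid_lft forever preferred_lft forever
2: eth0    inet 203.0.113.181/24 brd 203.0.113.255 scope global secondary eth0\\       valid_lft forever preferred_lft forever
2: eth0    inet 203.0.113.184/24 brd 203.0.113.255 scope global secondary eth0\\       valid_lft forever preferred_lft forever
"""

ADDR_RE = re.compile(r"^\d+:\s+(\S+)\s+inet\s+(\d+\.\d+\.\d+\.\d+)/(\d+)\s+(.*)$")


def parse_addrs(text):
    """Return [(iface, ip, is_secondary)] in the order the kernel lists them."""
    out = []
    for line in text.splitlines():
        m = ADDR_RE.match(line.strip())
        if not m:
            continue
        iface, ip, _prefix, rest = m.groups()
        # `ip -o` joins continuation lines with a backslash; flags precede it.
        flags = rest.split("\\")[0].split()
        out.append((iface, ip, "secondary" in flags))
    return out


def primary_ip(text, iface="eth0"):
    """First non-secondary IPv4 address on iface (one subnet assumed), or None."""
    for name, ip, secondary in parse_addrs(text):
        if name == iface and not secondary:
            return ip
    return None


def check_tunnel_source(text, expected, iface="eth0"):
    """Compare the interface's primary address with the IP the peer allows."""
    actual = primary_ip(text, iface)
    return {"expected": expected, "primary": actual, "match": actual == expected}


if __name__ == "__main__":
    print(check_tunnel_source(SAMPLE, "203.0.113.184"))
```

On a live system, feed the function the real command output instead of `SAMPLE` and alert when `match` is false, since the remote firewall will reject a tunnel arriving from an unexpected source address.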

Re: VPN tunnel uses wrong IP [message #139059 is a reply to message #139058]
Thu, 29 March 2018 11:15
cedricl
Messages: 19 Registered: December 2012
Hi
Thank you for the update.
Unfortunately I can try your "fix" right now, as the need is not on my side but a customer, and the problem was "solved" on the other side by allowing different IP to connect.
But did you try rebooting Kerio to see if the VPN still uses the right IP? I remember that rebooting can lead to change the outgoing VPN IP...
Cedric

Re: VPN tunnel uses wrong IP [message #139061 is a reply to message #139059]
Thu, 29 March 2018 11:34
weidl
Messages: 31 Registered: December 2016
Hi Cedric,
I did several reboots and always the same (wrong) IP was used.
But I remember at the first tests I made some other changes at the VPN setup and saw other IPs at outgoing.
But it was not reproducible.
I am sure that GFI will fix this soon ;-}