Connecting to an IPsec endpoint from behind the Firewall (client on LAN -> Wan_ip)


Post by Peter » 15 Nov 2017, 15:45

This How-to applies to:
  • Clavister Security Gateway 11.x and up.
Problem:
I want to configure a roaming/roadwarrior IPsec client/server setup where I can connect to the Firewall VPN server from the Internet but also from inside/behind the firewall. But when I try to connect with the client from the inside nothing happens, the Firewall does not reply at all.

Solution:
The Firewall behaves this way because the IPsec engine expects the interface on which the request was received to be the sending interface as well. But if you connect to e.g. the WAN IP from the LAN, the LAN interface will be the sending interface towards the client.

In newer versions the solution to this problem is very easy: simply configure the Local Endpoint setting on the IPsec tunnel to be the IP address of the external interface, as shown in the image below.
[Image: LocalEndpoint.png]
Then the IPsec engine and cOS Core will know which IP address to use as the sender, even if the sending interface is the internal LAN interface.

Note: In older versions, where the Local Endpoint setting did not exist, the solution was to set the same IP address on both the WAN and the LAN interface.
