Koozali.org: home of the SME Server

IPSEC port 80

Greg

IPSEC port 80
« on: July 31, 2003, 02:08:48 AM »
I have 3 5.5 boxes running IPSEC. I can see http://192.168.40.1 (the LAN side of a 5.5 box) fine but I can't see http://192.168.40.73 or any other IP with port 80.
It's the same on the other LAN also.
Any ideas?

Bill Pflaumer

Re: IPSEC port 80
« Reply #1 on: July 31, 2003, 04:58:13 AM »
Correct me if I'm wrong, but each network must be on a different subnet. What subnet mask are you using on each network, 255.255.255.0?

Bill

Michael Smith

Re: IPSEC port 80
« Reply #2 on: July 31, 2003, 07:48:31 AM »
You are correct.  Subnets must be different.

Greg

Re: IPSEC port 80
« Reply #3 on: July 31, 2003, 04:11:14 PM »
Actually there are three 5.5 boxes on three WANs with 192.168.1, 192.168.20 and 192.169.40 as LANs. All three are running IPSEC so they all think each LAN is local.
From 192.168.1 30 I can browse 192.168.40.1 fine (LAN side of the 5.5 box). I have some IPSEC phones on 192.168.40 and can browse them from 192.168.40 but not from 192.168.1.
Makes no sense to me.

Greg

Re: IPSEC port 80
« Reply #4 on: July 31, 2003, 04:13:16 PM »
Too early in the morning. I meant VOIP/SIP phones.

Guck Puppy

Re: IPSEC port 80
« Reply #5 on: July 31, 2003, 09:50:31 PM »
All those subnets are added into the various servers "Local Networks" panels I guess...?

Greg

Re: IPSEC port 80
« Reply #6 on: July 31, 2003, 10:42:41 PM »
Yes, and everything works fine. I can use VNC from 192.168.1.29 to any box on the 192.168.20. but I can't browse a port 80 device from 192.168.1. on the 192.168.20. network.

Guck Puppy

Re: IPSEC port 80
« Reply #7 on: August 01, 2003, 02:14:30 AM »
That is very, very, very strange.

Can you install nmap and do some portscanning across your ipsec link?

Also, what about telnet to port 80 on a  web server on 192.168.20.x from 192.168.1.x addresses?

G

Michael Smith

Re: IPSEC port 80
« Reply #8 on: August 01, 2003, 05:42:51 AM »
Question for three-way config such as this ... do you have one "master LAN" that has two IPSEC VPNs, with each of the others having only the one connection to the master, or does each point of the triangle have two connections, one for each of the others?  

If the former, let's say that A has connections to B & C but B and C are not directly connected.  Can B and C interoperate through A?

If the latter, do routing problems emerge?

Greg

Re: IPSEC port 80
« Reply #9 on: August 01, 2003, 04:23:06 PM »
In IPSEC I have 192.168.1. set as Server and 192.168.20 and 192.168.40 as clients
A connection between 192.168.1 to 192.168.20 and 192.168.40 but no connection between  192.168.20 and 192.168.40 other than through 192.168.1

I can scan and see port 80 from 192.168.1.29 on 192.168.20.65 and can telnet to port 23 from 192.168.1.29 to 192.168.20.65 and can browse 192.168.20.65 from 192.168.20.100 through a VNC connection from 192.168.1.29

I wouldn't care about this normally but I put Mitel Sip VOIP phones behind the 192.168.20 and 192.168.40 boxes and they work fine but I can't configure them or update them from 192.168.1, it all works through port 80

This is strange.

Guck Puppy

Re: IPSEC port 80
« Reply #10 on: August 01, 2003, 09:51:04 PM »
Is it possible that these VoIP devices aren't set to allow connections on port 80 from anything but the local subnet? I know that doesn't make sense, but it's just that, if you can telnet to one port across subnets then doesn't that put the onus on this particular device (and this particular port)?

G

Greg

Re: IPSEC port 80
« Reply #11 on: August 01, 2003, 11:38:46 PM »
I forgot to say that I installed IIS on a box at 192.168.20.100 and can browse it from 192.168.20 but not 192.168.1.
Changed the port to 8081 and the same problem exists.
I think it is a protocol problem in that I can Telnet and VNC from 192.168.1. to 192.168.20. just fine.

Guck Puppy

Re: IPSEC port 80
« Reply #12 on: August 02, 2003, 12:05:44 AM »
But can you telnet to port 80?

telnet your-server 80

G

Greg

Re: IPSEC port 80
« Reply #13 on: August 02, 2003, 12:12:14 AM »
Yes and no, it does not error or say it could not connect but it does not respond.
It's like it's finding port 80 (it should, I can scan it OK) but it's not coming back on a port above 1024 for some reason.

Guck Puppy

Re: IPSEC port 80
« Reply #14 on: August 02, 2003, 12:26:06 AM »
So, just to check, when I telnet to port 80, I get :

[guck@ns1 ~]$ telnet myserver.com 80
Trying 192.168.1.1...
Connected to myserver.com.
Escape character is '^]'.





501 Method Not Implemented

Method Not Implemented


arse to /index.html not supported.


Invalid method in request arse



Connection closed by foreign host.
[guck@ns1 ~]$

And you don't even get "Connected to myserver.com"?

G
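
The check asked for in replies #12 to #14 (does the connection open, and does anything come back?), written as a script. This is an added example, not part of the original thread; the function name probe_http_port, the PROBE request line and the result labels are assumptions made for illustration.

```python
import socket
import sys


def probe_http_port(host, port=80, timeout=5.0):
    """Repeat the telnet-to-port-80 test and classify the outcome.

    Returns (status, first_line_of_reply), where status is one of:
      "refused"     - connection reset: nothing is listening on the port
      "timeout"     - no answer to the connection attempt at all
      "unreachable" - any other connection error (for example, no route)
      "silent"      - connected, request sent, but no data came back
      "closed"      - connected, but the peer closed without sending data
      "responded"   - connected and the server sent a reply
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused", ""
    except socket.timeout:
        return "timeout", ""
    except OSError:
        return "unreachable", ""
    with sock:
        # This point corresponds to telnet printing "Connected to ...".
        # Send a deliberately invalid method, like typing a junk word into
        # telnet; a working web server answers with an error such as 501.
        sock.sendall(b"PROBE /index.html\r\n\r\n")
        try:
            data = sock.recv(4096)
        except socket.timeout:
            # The case described in reply #13: it connects but never responds.
            return "silent", ""
    if not data:
        return "closed", ""
    first_line = data.split(b"\r\n", 1)[0].decode("latin-1")
    return "responded", first_line


if __name__ == "__main__":
    # Usage: python probe.py HOST [PORT]
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    print(probe_http_port(target, target_port))
```

Run from a machine on each LAN against the same target, the differing status values show whether the handshake or the reply is what fails across the tunnel.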