Koozali.org: home of the SME Server

Legacy Forums => Experienced User Forum => Topic started by: Greg on July 31, 2003, 02:08:48 AM

Title: IPSEC port 80
Post by: Greg on July 31, 2003, 02:08:48 AM
I have 3 5.5 boxes running IPSEC.  I can see http://192.168.40.1 (the LAN side of a 5.5 box) fine but I can't see http://192.168.40.73 or any other IP with port 80.
It's the same on the other LAN also.
Any ideas.
Title: Re: IPSEC port 80
Post by: Bill Pflaumer on July 31, 2003, 04:58:13 AM
Correct me if I'm wrong, but each network must be on a different subnet. What subnet mask are you using on each network, 255.255.255.0?

Bill
Title: Re: IPSEC port 80
Post by: Michael Smith on July 31, 2003, 07:48:31 AM
You are correct.  Subnets must be different.
Title: Re: IPSEC port 80
Post by: Greg on July 31, 2003, 04:11:14 PM
Actually there are three 5.5 boxes on three WANs with 192.168.1, 192.168.20 and 192.169.40 as LANs. All three are running IPSEC so they all think each LAN is local.
From 192.168.1.30 I can browse 192.168.40.1 fine (LAN side of the 5.5 box). I have some IPSEC phones on 192.168.40 and can browse them from 192.168.40 but not from 192.168.1.
Makes no sense to me.
Title: Re: IPSEC port 80
Post by: Greg on July 31, 2003, 04:13:16 PM
Too early in the morning; I meant VoIP/SIP phones.
Title: Re: IPSEC port 80
Post by: Guck Puppy on July 31, 2003, 09:50:31 PM
All those subnets are added into the various servers "Local Networks" panels I guess...?
Title: Re: IPSEC port 80
Post by: Greg on July 31, 2003, 10:42:41 PM
Yes, and everything works fine. I can use VNC from 192.168.1.29 to any box on the 192.168.20. network, but I can't browse a port 80 device on the 192.168.20. network from 192.168.1.
Title: Re: IPSEC port 80
Post by: Guck Puppy on August 01, 2003, 02:14:30 AM
That is very, very, very strange.

Can you install nmap and do some portscanning across your ipsec link?

Also, what about telnet to port 80 on a  web server on 192.168.20.x from 192.168.1.x addresses?

G
Title: Re: IPSEC port 80
Post by: Michael Smith on August 01, 2003, 05:42:51 AM
Question for three-way config such as this ... do you have one "master LAN" that has two IPSEC VPNs, with each of the others having only the one connection to the master, or does each point of the triangle have two connections, one for each of the others?  

If the former, let's say that A has connections to B & C but B and C are not directly connected.  Can B and C interoperate through A?

If the latter, do routing problems emerge?
Title: Re: IPSEC port 80
Post by: Greg on August 01, 2003, 04:23:06 PM
In IPSEC I have 192.168.1. set as Server and 192.168.20 and 192.168.40 as clients
A connection between 192.168.1 to 192.168.20 and 192.168.40 but no connection between  192.168.20 and 192.168.40 other than through 192.168.1

I can scan and see port 80 from 192.168.1.29 on 192.168.20.65 and can telnet to port 23 from 192.168.1.29 to 192.168.20.65 and can browse 192.168.20.65 from 192.168.20.100 through a VNC connection from 192.168.1.29

I wouldn't care about this normally but I put Mitel Sip VOIP phones behind the 192.168.20 and 192.168.40 boxes and they work fine but I can't configure them or update them from 192.168.1, it all works through port 80

This is strange.
Title: Re: IPSEC port 80
Post by: Guck Puppy on August 01, 2003, 09:51:04 PM
Is it possible that these VoIP devices aren't set to allow connections on port 80 from anything but the local subnet? I know that doesn't make sense, but it's just that, if you can telnet to one port across subnets, then doesn't that put the onus on this particular device (and this particular port)?

G
Title: Re: IPSEC port 80
Post by: Greg on August 01, 2003, 11:38:46 PM
I forgot to say that I installed IIS on a box at 192.168.20.100 and can browse it from 192.168.20 but not 192.168.1.
Changed the port to 8081 and the same problem exists.
I think it is a protocol problem, in that I can Telnet and VNC from 192.168.1. to 192.168.20. just fine.
Title: Re: IPSEC port 80
Post by: Guck Puppy on August 02, 2003, 12:05:44 AM
But can you telnet to port 80?

telnet your-server 80

G
Title: Re: IPSEC port 80
Post by: Greg on August 02, 2003, 12:12:14 AM
Yes and no: it does not error or say it could not connect, but it does not respond.
It's like it's finding port 80 (it should, I can scan it OK) but it's not coming back on a port above 1024 for some reason.
Title: Re: IPSEC port 80
Post by: Guck Puppy on August 02, 2003, 12:26:06 AM
So, just to check, when I telnet to port 80, I get:

[guck@ns1 ~]$ telnet myserver.com 80
Trying 192.168.1.1...
Connected to myserver.com.
Escape character is '^]'.

501 Method Not Implemented

Method Not Implemented

arse to /index.html not supported.

Invalid method in request arse

Connection closed by foreign host.
[guck@ns1 ~]$

And you don't even get "Connected to myserver.com"?

G

Title: Re: IPSEC port 80
Post by: Greg on August 02, 2003, 12:48:50 AM
After pounding on the keyboard this is what I get:

HTTP/1.0 400 Bad Request
Server: Squid/2.4.STABLE3
Mime-Version: 1.0
Date: Fri, 01 Aug 2003 19:31:57 GMT
Content-Type: text/html
Content-Length: 870
Expires: Fri, 01 Aug 2003 19:31:57 GMT
X-Squid-Error: ERR_INVALID_REQ 0
X-Cache: MISS from 1375.blabla.com
Proxy-Connection: close

ERROR: The requested URL could not be retrieved

ERROR

The requested URL could not be retrieved

While trying to process the request:

The following error was encountered:

Some aspect of the HTTP Request is invalid.  Possible problems:

Your cache administrator is
admin@BLABLA.com.

Generated Fri, 01 Aug 2003 19:31:57 GMT by 1375.BLABLA.com (Squid/2.4.STABLE3)
Title: Re: IPSEC port 80
Post by: Greg on August 02, 2003, 01:03:15 AM
Or:

[blabal@1375 root]# telnet 192.168.20.65 80
Trying 192.168.20.65...
Title: Re: IPSEC port 80
Post by: Guck Puppy on August 02, 2003, 08:48:04 AM
Greg wrote:
>
> After pounding on the keyboard this is what I get
>
> HTTP/1.0 400 Bad Request
> Server: Squid/2.4.STABLE3

So... you have Squid running... could this be part of the issue? After all, you're trying to make port 80 connections and Squid is supposed to cache all port 80 (i.e. web) requests, isn't it? Maybe try disabling Squid?

G
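The diagnosis above (port 80 across the tunnel answered by the SME box's Squid instead of the target web server) can be checked without guessing at a telnet prompt. The following script is an added example, not code from this thread or from SME Server: it does what `telnet host 80` plus a typed request does, then looks for the headers an intercepting Squid adds (Server: Squid, X-Squid-Error, X-Cache, Proxy-Connection, Via) that an origin server such as IIS would not send. The sample reply and the local stand-in server are constructed for the demonstration.

```python
import socket
import threading

# Constructed sample, modelled on the Squid reply quoted in the thread.
SQUID_400 = (b"HTTP/1.0 400 Bad Request\r\nServer: Squid/2.4.STABLE3\r\n"
             b"X-Squid-Error: ERR_INVALID_REQ 0\r\nX-Cache: MISS from proxy.invalid\r\n"
             b"Proxy-Connection: close\r\nContent-Length: 0\r\n\r\n")
PROXY_HEADERS = ("x-squid-error", "x-cache", "proxy-connection", "via")

def probe_http(host, port, timeout=3.0):
    # Mimic 'telnet host 80' plus a real request; returns (status_line, headers).
    # (None, {}) means the TCP connect worked but no HTTP answer came back,
    # the "connected but no response" symptom reported in the thread.
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        try:
            data = s.recv(4096)
        except socket.timeout:
            data = b""
    if not data.startswith(b"HTTP/"):
        return None, {}
    status, *lines = data.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    headers = {k.strip().lower(): v.strip()
               for k, v in (l.split(":", 1) for l in lines if ":" in l)}
    return status, headers

def intercepted_by_squid(headers):
    # Headers an intercepting Squid adds that an origin web server would not.
    return "squid" in headers.get("server", "").lower() or any(
        h in headers for h in PROXY_HEADERS)

def serve_once(response):
    # Constructed local stand-in for the proxy: answers one connection, returns port.
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def handler():
        conn, _ = srv.accept()
        conn.recv(4096)
        conn.sendall(response)
        conn.close()
        srv.close()
    threading.Thread(target=handler, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    port = serve_once(SQUID_400)
    status, hdrs = probe_http("127.0.0.1", port)
    print(status, "intercepted" if intercepted_by_squid(hdrs) else "direct")
```

Against a real remote host, replace the local stand-in with the phone or IIS address; a Squid status line or any of the listed headers means the transparent proxy on the gateway, not the device, answered.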