New Member
Posts: 23
Registered: 11-21-2013

Edge Router VPN ipsec vpn with static ip

I have set up a VPN tunnel with no issues using the tutorials floating around, using a DDNS address to connect when the IP address is dynamic.

My issue is setting up the same VPN tunnel using a static IP with a DDNS address.

Is there anything specific that has to be configured other than the static IP placed in the config?

I'm at a loss.

Emerging Member
Posts: 44
Registered: 05-20-2014
Kudos: 12
Solutions: 2

Re: Edge Router VPN ipsec vpn with static ip

mkcorreia,

If you use DDNS and have been using the domain for the peer, just replace it with the IP.

vpn ipsec site-to-site peer INSERT

INSERT = this.domain.com or IP

New Member
Posts: 23
Registered: 11-21-2013

Re: Edge Router VPN ipsec vpn with static ip

I'm not doing peer-to-peer; I'm using a Windows machine as a client and the ERL as the VPN server for onsite access. Like I said before, if I set up the router with a DHCP address from the ISP the VPN works fine; as soon as I add the static IP to the config, I cannot connect.

Emerging Member
Posts: 44
Registered: 05-20-2014
Kudos: 12
Solutions: 2

Re: Edge Router VPN ipsec vpn with static ip

New Member
Posts: 23
Registered: 11-21-2013

Re: Edge Router VPN ipsec vpn with static ip

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 3 {
            action accept
            description "Remote Management"
            destination {
                port 22,4433
            }
            log disable
            protocol tcp
        }
        rule 4 {
            action accept
            description IKE
            destination {
                port 500
            }
            log disable
            protocol udp
        }
        rule 5 {
            action accept
            description L2TP
            destination {
                port 1701
            }
            log disable
            protocol udp
        }
        rule 6 {
            action accept
            description ESP
            log disable
            protocol 50
        }
        rule 7 {
            action accept
            description NAT-T
            destination {
                port 4500
            }
            log disable
            protocol udp
        }
        rule 8 {
            action drop
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address 
        description WAN
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        address 192.168.0.1/24
        description "Local 1"
        duplex auto
        firewall {
            in {
            }
            local {
            }
        }
        speed auto
    }
    ethernet eth2 {
        description "Local 2"
        duplex auto
        speed auto
    }
    ethernet eth3 {
        duplex auto
        speed auto
    }
    ethernet eth4 {
        duplex auto
        speed auto
    }
    ethernet eth5 {
        duplex auto
        speed auto
    }
    ethernet eth6 {
        duplex auto
        speed auto
    }
    ethernet eth7 {
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface eth1
    rule 1 {
        description SMTP
        forward-to {
            address 
            port 25
        }
        original-port 25
        protocol tcp
    }
    rule 2 {
        description "Peter Temp RDP"
        forward-to {
            address 
            port 5555
        }
        original-port 5555
        protocol tcp
    }
    rule 3 {
        description RTP
        forward-to {
            address 
            port 10000-20000
        }
        original-port 10000-20000
        protocol udp
    }
    rule 4 {
        description L2TP
        forward-to {
            address 
            port 1701
        }
        original-port 1701
        protocol udp
    }
    rule 5 {
        description "Radius  Auth"
        forward-to {
            address 
            port 1812-1813
        }
        original-port 1812-1813
        protocol udp
    }
    rule 6 {
        description DNS-TCP/UDP
        forward-to {
            address 
            port 53
        }
        original-port 53
        protocol tcp_udp
    }
    rule 7 {
        description FTP
        forward-to {
            address 
            port 20
        }
        original-port 20
        protocol tcp
    }
    rule 8 {
        description AV-Edge-5061
        forward-to {
            address 
            port 5061
        }
        original-port 5061
        protocol tcp
    }
    rule 9 {
        description AV-Edge-444
        forward-to {
            address 
            port 444
        }
        original-port 444
        protocol tcp
    }
    rule 10 {
        description AV-Edge-3478
        forward-to {
            address 
            port 3478
        }
        original-port 3478
        protocol tcp
    }
    rule 11 {
        description AV-Edge-Negotiate
        forward-to {
            address 
            port 50000-50999
        }
        original-port 50000-50999
        protocol tcp_udp
    }
    rule 12 {
        description HTTPS
        forward-to {
            address 
            port 443
        }
        original-port 443
        protocol tcp
    }
    rule 13 {
        description RDP
        forward-to {
            address 
            port 3389
        }
        original-port 3389
        protocol tcp
    }
    rule 14 {
        description IAX2
        forward-to {
            address 
            port 4569
        }
        original-port 4569
        protocol udp
    }
    rule 15 {
        description HUDMobile
        forward-to {
            address
            port 4000-4031
        }
        original-port 4000-4031
        protocol udp
    }
    rule 16 {
        description HUD3
        forward-to {
            address 
            port 5222
        }
        original-port 
        protocol tcp
    }
    rule 17 {
        description Remote-Management
        forward-to {
            address 
            port 4433
        }
        original-port 4433
        protocol tcp_udp
    }
    rule 18 {
        description ZIO-202
        forward-to {
            address 
            port 3390
        }
        original-port 3390
        protocol tcp
    }
    wan-interface eth0
}
service {
    dns {
        dynamic {
            interface eth0 {
                service dyndns {
                    host-name 
                    login 
                    password 
                }
            }
        }
        forwarding {
            cache-size 150
            listen-on eth0
            listen-on eth2
        }
    }
    gui {
        https-port 4433
    }
    nat {
        rule 5010 {
            log disable
            outbound-interface eth0
            protocol all
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    upnp {
        listen-on eth1 {
            outbound-interface eth0
        }
    }
}
system {
    gateway-address 1.1.1.1
    host-name ubnt
    login {
        user admin {
            authentication {
                encrypted-password $6$kZGdcoAuYI4hn$9ffdvdAA2LhTwA6GOVSofBlm2DHTifqt0/ratQsk.A3VBjTOYhWXVOa74e9YigLhubLgVEJgy4EakZpQ4SsOA0
                plaintext-password ""
            }
            full-name "Admin"
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}
vpn {
    ipsec {
        ipsec-interfaces {
            interface eth0
        }
        nat-networks {
            allowed-network 0.0.0.0/0 {
            }
        }
        nat-traversal enable
    }
    l2tp {
        remote-access {
            authentication {
                local-users {
                    username  {
                        password 
                    }
                }
                mode local
            }
            client-ip-pool {
                start 192.168.0.211
                stop 192.168.0.215
            }
            dns-servers {
                server-1 8.8.8.8
                server-2 8.8.4.4
            }
            ipsec-settings {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret
                }
                ike-lifetime 3600
            }
            mtu 1492
            outside-address 1.1.1.1
        }
    }
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@3:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.4.1.4648311.140310.1616 */

New Member
Posts: 23
Registered: 11-21-2013

Re: Edge Router VPN ipsec vpn with static ip

Help, anyone!

Established Member
Posts: 1,043
Registered: 02-17-2014
Kudos: 388
Solutions: 40

Re: Edge Router VPN ipsec vpn with static ip

Port-forwarding rule 17 needs to go away, as you are not forwarding router management. This is opened on firewall name WAN_LOCAL and is direct to the router.

service dns forwarding listen-on needs to be changed from eth2 to eth1.

That's all I pick out at a glance.
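The two points in this reply can be checked mechanically against a `show configuration` dump. This is an added example, not code from the thread or from Ubiquiti: a small parser for EdgeOS brace-style config plus an audit that flags a port-forward whose original-port is one of the router's own service ports (the rule 17 / GUI port 4433 case) and a DNS forwarder whose `listen-on` list omits the port-forward `lan-interface`. The sample config below is constructed and cut down from the posted one.

```python
# Constructed sample in EdgeOS "show configuration" syntax, cut down from the
# thread: a port-forward that targets the router's own GUI port and DNS
# forwarding that does not listen on the LAN interface (eth1).
SAMPLE = """\
port-forward {
    lan-interface eth1
    rule 17 {
        original-port 4433
    }
    wan-interface eth0
}
service {
    dns {
        forwarding {
            listen-on eth0
            listen-on eth2
        }
    }
    gui {
        https-port 4433
    }
}
"""

def parse(text):
    """Turn brace-delimited EdgeOS config into nested dicts; leaves become lists."""
    stack = [{}]
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("/*"):      # skip blanks and footer comments
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):                   # "rule 17 {" opens a child node
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        else:                                      # "listen-on eth0" is a leaf
            key, _, val = line.partition(" ")
            stack[-1].setdefault(key, []).append(val.strip().strip('"'))
    return stack[0]

def audit(cfg):
    """Return findings for the two misconfigurations discussed in the reply."""
    findings = []
    svc = cfg.get("service", {})
    own_ports = {svc.get("gui", {}).get("https-port", [None])[0],
                 svc.get("ssh", {}).get("port", [None])[0]} - {None}
    pf = cfg.get("port-forward", {})
    for name, rule in pf.items():                  # only dict children are rules
        if isinstance(rule, dict) and rule.get("original-port", [""])[0] in own_ports:
            findings.append(f"port-forward {name} shadows router service port {rule['original-port'][0]}")
    lan = pf.get("lan-interface", [""])[0]
    listen = svc.get("dns", {}).get("forwarding", {}).get("listen-on", [])
    if lan and lan not in listen:
        findings.append(f"dns forwarding listen-on lacks LAN interface {lan}")
    return findings
```

Run `audit(parse(open("config.boot").read()))` against a real dump; the `/*` footer lines and quoted descriptions are handled, but the ssh port check only fires when `service ssh port` is explicitly set.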

New Member
Posts: 23
Registered: 11-21-2013

Re: Edge Router VPN ipsec vpn with static ip

Thanks, but still no good. Aaarrggghhhh... This is all because of the static IP and accessing the VPN through our DDNS address. I must be missing something, as the same configuration with a DHCP WAN address works fine.

Established Member
Posts: 1,043
Registered: 02-17-2014
Kudos: 388
Solutions: 40

Re: Edge Router VPN ipsec vpn with static ip

Wait. Static WAN address...

DHCP gives the gateway address to the router, but with a static address, you need a static route to the gateway.

Just looked back at your config. You need to give it a static route to 0.0.0.0/0.

New Member
Posts: 23
Registered: 11-21-2013

Re: Edge Router VPN ipsec vpn with static ip

I have a static route to 0.0.0.0/0 from the WAN. Is there an additional route I need to set up?

Established Member
Posts: 1,043
Registered: 02-17-2014
Kudos: 388
Solutions: 40

Re: Edge Router VPN ipsec vpn with static ip

I see this in your config, but I don't see a static route.

vpn {
    ipsec {
        ipsec-interfaces {
            interface eth0
        }
        nat-networks {
            allowed-network 0.0.0.0/0 {
            }
        }
        nat-traversal enable
    }

It should look something like this:

protocols {
    static {
        interface-route 0.0.0.0/0 {
            next-hop-interface eth0 {
            }
        }
    }
}

New Member
Posts: 23
Registered: 11-21-2013

Re: Edge Router VPN ipsec vpn with static ip

So I already have this in the GUI under static routes, where the destination is 0.0.0.0/0 and the next hop is the system gateway interface of eth0, which is my WAN. None of this shows up in the CLI.

In the CLI I added the protocol, but all it did was add a destination 0.0.0.0/0 with no next hop to interface eth0.

Do I need to add an IP address to the next hop? If so, which one: the static IP of the router, the static IP gateway, or the local LAN IP?

Thanks

Established Member
Posts: 1,043
Registered: 02-17-2014
Kudos: 388
Solutions: 40

Re: Edge Router VPN ipsec vpn with static ip

My bad. I just spotted the gateway address of 1.1.1.1. I've been working a lot of hours over the weekend and been pretty groggy. Go ahead and remove the static route that you just put in.

Is 1.1.1.1 a sanitized address? The address doesn't seem right to me. Just for giggles and grins, can you set eth0 back to DHCP and take a snapshot of the dashboard when everything is working? I want to see what DHCP gives you for a gateway address and compare it to what is there now. I really think this is gateway related.

Actually, try to get snapshots of both the static and DHCP dashboards. We can then compare them. You might want to take a snapshot both ways of the routing tab as well.

Emerging Member
Posts: 44
Registered: 05-20-2014
Kudos: 12
Solutions: 2

Re: Edge Router VPN ipsec vpn with static ip

I have two locations:

  • A - Dynamic
  • B - Static

I have had an L2TP set up on my dynamic site for some time. I also have had an IPsec site-to-site working and currently an OpenVPN site-to-site.

I just tried to set up the L2TP server on the static site and am having similar issues. I can connect; however, I am unable to ping local machines or access the internet.

I'm going to test a few things tonight. I'm sure it is something simple.

Emerging Member
Posts: 44
Registered: 05-20-2014
Kudos: 12
Solutions: 2

Re: Edge Router VPN ipsec vpn with static ip

Sorry, my friend. I have been unsuccessful in getting the IPsec/L2TP VPN server to work with a static address. I've included the external and next hops for the static to no avail, as well as trying a few things in protocols and NAT.

I can connect to the VPN but am unable to reach devices local or WAN.

Maybe one of the UBNT team can provide some insight.

In the meantime, consider rebooting your router, exporting the config, and posting it along with the photos that Cowboy referenced.

New Member
Posts: 23
Registered: 11-21-2013

Re: Edge Router VPN ipsec vpn with static ip

OK, I fixed most of my locations with a static IP. Apparently I cannot have an IP in the name server field in the GUI. Once I removed the name server information, all was well and I could connect.

I do have one location that is problematic, but it is probably an issue with the ISP.