Emerging Member
Posts: 66
Registered: ‎10-25-2017
Kudos: 1

Re: IPsec Site-to-Site down after a few minutes

Tunnel was down again. After <restart vpn> and <sudo ipsec restart> on Wachenheim the tunnel wouldn't come up, so my next step was:

ChristianSchmid@ubnt:~$ sudo ipsec up peer-hassloch2.is-very-good.org-tunnel-1
initiating Main Mode IKE_SA peer-hassloch2.is-very-good.org-tunnel-1[5] to 95.89.93.87
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 95.88.58.182[500] to 95.89.93.87[500] (156 bytes)
received packet: from 95.89.93.87[500] to 95.88.58.182[500] (40 bytes)
parsed INFORMATIONAL_V1 request 3890360434 [ N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
establishing connection 'peer-hassloch2.is-very-good.org-tunnel-1' failed

A <restart vpn> on Hassloch did the job. The tunnel started without any other command.

What is the NO_PROPOSAL_CHOSEN error in this context?

Emerging Member
Posts: 66
Registered: ‎10-25-2017
Kudos: 1

Re: IPsec Site-to-Site down after a few minutes

[ Edited ]

Tunnel was down again. The routing on Kabel has changed; I had to delete the static routes. A reboot of router Wachenheim was necessary. Any ideas?

Emerging Member
Posts: 66
Registered: ‎10-25-2017
Kudos: 1

Re: IPsec Site-to-Site down after a few minutes

Tunnel was down again. Please help me to get a permanent working solution.

in  c2f5c0a6,      0 bytes,     0 packets  <<<<< this is always the same situation !!!

restart vpn did the job.

ChristianSchmid@ubnt:~$ show vpn ipsec sa
peer-hassloch2.is-very-good.org-tunnel-1: #10, ESTABLISHED, IKEv1, d8c3d04bd194c47b:4349f3206f7315a7
  local  'wachenheim2.is-very-good.org' @ 95.88.58.182
  remote 'hassloch2.is-very-good.org' @ 95.89.93.87
  AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
  established 22504s ago, reauth in 5666s
  peer-hassloch2.is-very-good.org-tunnel-1: #1, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA1_96/MODP_2048
    installed 951 ago, rekeying in 1908s, expires in 2650s
    in  c2f5c0a6,      0 bytes,     0 packets
    out c410620d,  84796 bytes,   682 packets,     1s ago
    local  192.168.0.0/24
    remote 192.168.60.0/24

Ubiquiti Employee
Posts: 2,299
Registered: ‎05-08-2017
Kudos: 419
Solutions: 345

Re: IPsec Site-to-Site down after a few minutes

Hi @ChristianSchmid,

Can you attach the latest (sanitized) configurations of both routers? Have you tried disabling the load-balancing of local traffic?

configure
set load-balance group G lb-local disable
commit ; save

We can also add an auto-update timer to the VPNs, which is helpful when using dynamic hostnames. The command is:

configure
set vpn ipsec auto-update 300
commit ; save

The last value is in seconds, which can be customized if needed.

Lastly, I recommend also ignoring the DNS servers received on the eth0 interface and only using the eth1 ones. Optionally, you can also define your own custom DNS servers:

configure
set interfaces ethernet eth0 dhcp-options name-server no-update
commit ; save

-Ben


Ben Pin - EdgeMAX Support

Emerging Member
Posts: 66
Registered: ‎10-25-2017
Kudos: 1

Re: IPsec Site-to-Site down after a few minutes

[ Edited ]

Here is my current config:

Wachenheim:

firewall {
    all-ping enable
    broadcast-ping disable
    group {
        network-group PRIVATE_NETS {
            network 192.168.0.0/16
            network 172.16.0.0/12
            network 10.0.0.0/8
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians disable
    modify balance {
        rule 10 {
            action modify
            description "do NOT load balance lan to lan"
            destination {
                group {
                    network-group PRIVATE_NETS
                }
            }
            modify {
                table main
            }
        }
        rule 20 {
            action modify
            description "do NOT load balance destination public address"
            destination {
                group {
                    address-group ADDRv4_eth0
                }
            }
            modify {
                table main
            }
        }
        rule 30 {
            action modify
            description "do NOT load balance destination public address"
            destination {
                group {
                    address-group ADDRv4_eth1
                }
            }
            modify {
                table main
            }
        }
        rule 110 {
            action modify
            modify {
                lb-group G
            }
        }
    }
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 21 {
            action accept
            description "Ping eth0"
            destination {
                group {
                    address-group NETv4_eth0
                }
            }
            log disable
            protocol icmp
        }
        rule 22 {
            action accept
            description "Ping eth1"
            destination {
                group {
                    address-group NETv4_eth1
                }
            }
            log disable
            protocol icmp
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description "Telekom FB"
        dhcp-options {
            default-route no-update
            default-route-distance 210
            name-server update
        }
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        address dhcp
        description "Kabel D"
        dhcp-options {
            default-route update
            default-route-distance 100
            name-server update
        }
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth2 {
        address 192.168.0.1/24
        description LAN
        duplex auto
        firewall {
            in {
                modify balance
            }
        }
        speed auto
    }
    ethernet eth3 {
        disable
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
load-balance {
    group G {
        interface eth0 {
        }
        interface eth1 {
        }
        lb-local enable
        lb-local-metric-change disable
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface eth2
    rule 1 {
        description FTP
        forward-to {
            address 192.168.0.3
            port 21
        }
        original-port 21
        protocol tcp
    }
    rule 2 {
        description "FTP Passive"
        forward-to {
            address 192.168.0.3
            port 50000-51000
        }
        original-port 50000-51000
        protocol tcp
    }
    wan-interface eth1
}
protocols {
    static {
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN {
            authoritative enable
            subnet 192.168.0.0/24 {
                default-router 192.168.0.1
                dns-server 192.168.0.1
                lease 86400
                start 192.168.0.38 {
                    stop 192.168.0.243
                }
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    dns {
        dynamic {
            interface eth1 {
                service dyndns {
                    host-name wachenheim2.is-very-good.org
                    login xxxxxxx
                    password ****************
                }
            }
        }
        forwarding {
            cache-size 150
            listen-on eth2
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5000 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
        rule 5002 {
            description "masquerade for WAN 2"
            outbound-interface eth1
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    conntrack {
        expect-table-size 4096
        hash-size 4096
        table-size 32768
        tcp {
            half-open-connections 512
            loose enable
            max-retrans 3
        }
    }
    host-name ubnt
    login {
        user ChristianSchmid {
            authentication {
                encrypted-password ****************
            }
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        hwnat disable
        ipsec enable
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}
vpn {
    ipsec {
        auto-firewall-nat-exclude enable
        esp-group FOO0 {
            compression disable
            lifetime 3600
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes128
                hash sha1
            }
        }
        ike-group FOO0 {
            dead-peer-detection {
                action restart
                interval 30
                timeout 120
            }
            ikev2-reauth no
            key-exchange ikev1
            lifetime 28800
            proposal 1 {
                dh-group 14
                encryption aes128
                hash sha1
            }
        }
        ipsec-interfaces {
            interface eth1
        }
        site-to-site {
            peer hassloch2.is-very-good.org {
                authentication {
                    id @wachenheim2.is-very-good.org
                    mode pre-shared-secret
                    pre-shared-secret ****************
                    remote-id @hassloch2.is-very-good.org
                }
                connection-type initiate
                description Hassloch
                dhcp-interface eth1
                ike-group FOO0
                ikev2-reauth inherit
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group FOO0
                    local {
                        prefix 192.168.0.0/24
                    }
                    remote {
                        prefix 192.168.60.0/24
                    }
                }
            }
        }
    }
}

Hassloch:

firewall {
    all-ping enable
    broadcast-ping disable
    group {
        network-group PRIVATE_NETS {
            network 192.168.0.0/16
            network 172.16.0.0/12
            network 10.0.0.0/8
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians disable
    modify balance {
        rule 10 {
            action modify
            description "do NOT load balance lan to lan"
            destination {
                group {
                    network-group PRIVATE_NETS
                }
            }
            modify {
                table main
            }
        }
        rule 20 {
            action modify
            description "do NOT load balance destination public address"
            destination {
                group {
                    address-group ADDRv4_eth0
                }
            }
            modify {
                table main
            }
        }
        rule 30 {
            action modify
            description "do NOT load balance destination public address"
            destination {
                group {
                    address-group ADDRv4_eth1
                }
            }
            modify {
                table main
            }
        }
        rule 40 {
            action modify
            destination {
                address 217.91.144.122/32
            }
            modify {
                lb-group A
            }
        }
        rule 50 {
            action modify
            destination {
                address 95.0.0.0/8
            }
            modify {
                lb-group B
            }
        }
        rule 110 {
            action modify
            modify {
                lb-group G
            }
        }
    }
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 21 {
            action accept
            description "Allow Ping eth0"
            destination {
                group {
                    address-group NETv4_eth0
                }
            }
            icmp {
                type 8
            }
            log disable
            protocol icmp
        }
        rule 22 {
            action accept
            description "Allow Ping eth1"
            destination {
                group {
                    address-group NETv4_eth1
                }
            }
            icmp {
                type 8
            }
            log disable
            protocol icmp
        }
        rule 30 {
            action accept
            description PPTP
            destination {
                port 1723
            }
            protocol tcp
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description "Telekom Gate"
        dhcp-options {
            default-route no-update
            default-route-distance 210
            name-server update
        }
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        address dhcp
        description "Kabel D"
        dhcp-options {
            default-route update
            default-route-distance 100
            name-server update
        }
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth2 {
        disable
        duplex auto
        speed auto
    }
    ethernet eth3 {
        address 192.168.60.1/24
        description LAN
        duplex auto
        firewall {
            in {
                modify balance
            }
        }
        speed auto
    }
    loopback lo {
    }
}
load-balance {
    group A {
        interface eth0 {
        }
        lb-local enable
        lb-local-metric-change disable
    }
    group B {
        interface eth1 {
        }
        lb-local enable
        lb-local-metric-change disable
    }
    group G {
        interface eth0 {
        }
        interface eth1 {
        }
        lb-local enable
        lb-local-metric-change disable
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface eth3
    rule 1 {
        description "HTTPS Server"
        forward-to {
            address 192.168.60.4
            port 443
        }
        original-port 443
        protocol tcp
    }
    wan-interface eth0
}
protocols {
    static {
    }
}
service {
    dns {
        dynamic {
            interface eth1 {
                service dyndns {
                    host-name hassloch2.is-very-good.org
                    login xxxxxx
                    password ****************
                }
            }
        }
        forwarding {
            cache-size 150
            listen-on eth3
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5000 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
        rule 5002 {
            description "masquerade for WAN 2"
            outbound-interface eth1
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    unms {
        disable
    }
}
system {
    conntrack {
        expect-table-size 4096
        hash-size 4096
        table-size 32768
        tcp {
            half-open-connections 512
            loose enable
            max-retrans 3
        }
    }
    host-name ubnt-h
    login {
        user ChristianSchmid {
            authentication {
                encrypted-password ****************
            }
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        hwnat disable
        ipsec enable
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}
vpn {
    ipsec {
        auto-firewall-nat-exclude enable
        esp-group FOO0 {
            compression disable
            lifetime 3600
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes128
                hash sha1
            }
        }
        ike-group FOO0 {
            dead-peer-detection {
                action restart
                interval 30
                timeout 120
            }
            ikev2-reauth no
            key-exchange ikev1
            lifetime 28800
            proposal 1 {
                dh-group 14
                encryption aes128
                hash sha1
            }
        }
        ipsec-interfaces {
            interface eth1
        }
        site-to-site {
            peer wachenheim2.is-very-good.org {
                authentication {
                    id @hassloch2.is-very-good.org
                    mode pre-shared-secret
                    pre-shared-secret ****************
                    remote-id @wachenheim2.is-very-good.org
                }
                connection-type initiate
                description Wachenheim
                dhcp-interface eth1
                ike-group FOO0
                ikev2-reauth inherit
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group FOO0
                    local {
                        prefix 192.168.60.0/24
                    }
                    remote {
                        prefix 192.168.0.0/24
                    }
                }
            }
        }
    }
    pptp {
        remote-access {
            authentication {
                local-users {
                    username xxxxxx {
                        password ****************
                    }
                }
                mode local
            }
            client-ip-pool {
                start 192.168.60.240
                stop 192.168.60.244
            }
            dhcp-interface eth1
            dns-servers {
                server-1 192.168.60.1
                server-2 8.8.8.8
            }
            mtu 1492
        }
    }
}

I believe the main problem is that the router does not notice that the tunnel is not working. <show vpn ipsec status> always shows an open tunnel, but the packets are not increasing:

ChristianSchmid@ubnt:~$ show vpn ipsec sa
peer-hassloch2.is-very-good.org-tunnel-1: #10, ESTABLISHED, IKEv1, d8c3d04bd194c47b:4349f3206f7315a7
  local  'wachenheim2.is-very-good.org' @ 95.88.58.182
  remote 'hassloch2.is-very-good.org' @ 95.89.93.87
  AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
  established 22504s ago, reauth in 5666s
  peer-hassloch2.is-very-good.org-tunnel-1: #1, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA1_96/MODP_2048
    installed 951 ago, rekeying in 1908s, expires in 2650s
    in  c2f5c0a6,      0 bytes,     0 packets
    out c410620d,  84796 bytes,   682 packets,     1s ago
    local  192.168.0.0/24
    remote 192.168.60.0/24

    in  c2f5c0a6,      0 bytes,     0 packets  <<<<<<

The only way to get the tunnel up again is <restart vpn> on the site with the 0-packets...

Emerging Member
Posts: 66
Registered: ‎10-25-2017
Kudos: 1

Re: IPsec Site-to-Site down after a few minutes

Tunnel is down again:

Wachenheim

show vpn ipsec sa

peer-hassloch2.is-very-good.org-tunnel-1: #6, ESTABLISHED, IKEv1, e65fb308ef82bf87:117b7d50af49a6a1
  local  'wachenheim2.is-very-good.org' @ 95.88.58.182
  remote 'hassloch2.is-very-good.org' @ 95.89.93.87
  AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
  established 6599s ago, reauth in 21166s
  peer-hassloch2.is-very-good.org-tunnel-1: #1, REKEYING, TUNNEL, ESP:AES_CBC-128/HMAC_SHA1_96/MODP_2048
    installed 3077 ago, rekeying in -538s, expires in 523s
    in  ce684ec8, 1384865 bytes,  3773 packets,   548s ago
    out c8747f8f, 484507 bytes,  3462 packets,     1s ago
    local  192.168.0.0/24
    remote 192.168.60.0/24
  peer-hassloch2.is-very-good.org-tunnel-1: #1, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA1_96/MODP_2048
    installed 538 ago, rekeying in 2355s, expires in 3063s
    in  c959bdbd,      0 bytes,     0 packets
    out c971aacd,  59331 bytes,   435 packets,     1s ago
    local  192.168.0.0/24
    remote 192.168.60.0/24

show vpn ipsec status
IPSec Process Running PID: 16798

1 Active IPsec Tunnels

IPsec Interfaces :
        eth1    (95.88.58.182)

restart vpn does not bring the tunnel up...

sudo ipsec up peer-hassloch2.is-very-good.org-tunnel-1

does the job.

Emerging Member
Posts: 66
Registered: ‎10-25-2017
Kudos: 1

Re: IPsec Site-to-Site down after a few minutes

[ Edited ]

Tunnel is down again. restart vpn does not work...

ChristianSchmid@ubnt:~$ sudo ipsec up peer-hassloch2.is-very-good.org-tunnel-1
initiating Main Mode IKE_SA peer-hassloch2.is-very-good.org-tunnel-1[2] to 95.89.93.87
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 95.88.58.182[500] to 95.89.93.87[500] (156 bytes)
received packet: from 95.89.93.87[500] to 95.88.58.182[500] (40 bytes)
parsed INFORMATIONAL_V1 request 3316812273 [ N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
establishing connection 'peer-hassloch2.is-very-good.org-tunnel-1' failed
ChristianSchmid@ubnt:~$ sudo ipsec up peer-hassloch2.is-very-good.org-tunnel-1
initiating Main Mode IKE_SA peer-hassloch2.is-very-good.org-tunnel-1[3] to 95.89.93.87
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 95.88.58.182[500] to 95.89.93.87[500] (156 bytes)
received packet: from 95.89.93.87[500] to 95.88.58.182[500] (40 bytes)
parsed INFORMATIONAL_V1 request 2335129644 [ N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
establishing connection 'peer-hassloch2.is-very-good.org-tunnel-1' failed

sudo ipsec up peer-wachenheim2.is-very-good.org-tunnel-1 on the other site worked...

Our old and poorly performing RV042G did this job with LB and VPN for years with no changes in the config...

Emerging Member
Posts: 66
Registered: ‎10-25-2017
Kudos: 1

Re: IPsec Site-to-Site down after a few minutes

Tunnel is down again, again the 0-packets hell. restart vpn did the job; why can't the ER detect this dead peer?????

ChristianSchmid@ubnt:~$ show vpn ipsec status
IPSec Process Running PID: 21899

1 Active IPsec Tunnels

IPsec Interfaces :
        eth1    (95.88.58.182)
ChristianSchmid@ubnt:~$ show vpn ipsec sa
peer-hassloch2.is-very-good.org-tunnel-1: #4, ESTABLISHED, IKEv1, 27174fe71012ce09:376b1790f0ca9baf
  local  'wachenheim2.is-very-good.org' @ 95.88.58.182
  remote 'hassloch2.is-very-good.org' @ 95.89.93.87
  AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
  established 11394s ago, reauth in 16353s
  peer-hassloch2.is-very-good.org-tunnel-1: #1, REKEYING, TUNNEL, ESP:AES_CBC-128/HMAC_SHA1_96/MODP_2048
    installed 3570 ago, rekeying in -833s, expires in 31s
    in  cdc87d3c,      0 bytes,     0 packets
    out c8907e8c, 253250 bytes,  1981 packets,     1s ago
    local  192.168.0.0/24
    remote 192.168.60.0/24
  peer-hassloch2.is-very-good.org-tunnel-1: #1, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA1_96/MODP_2048
    installed 867 ago, rekeying in 1783s, expires in 2734s
    in  ca931b15,      0 bytes,     0 packets
    out c34f9d8f,  77188 bytes,   621 packets,     1s ago
    local  192.168.0.0/24
    remote 192.168.60.0/24

Veteran Member
Posts: 7,226
Registered: ‎03-24-2016
Kudos: 1860
Solutions: 822

Re: IPsec Site-to-Site down after a few minutes

On Wachenheim, go for lb-local disable, as others before me also noticed.
Now locally generated packets, like your VPN tunnel, will use the main routing table and thus use eth1, as it has the best (lowest) distance.

Moreover, on the LB group, add a transition script that flushes the NAT table after an interface up/down event.
IPsec traffic also hits the masquerade rules, and a NAT translation, once made, will never cease to exist after a failback event.
Same goes for Hassloch.

Ubiquiti Employee
Posts: 2,299
Registered: ‎05-08-2017
Kudos: 419
Solutions: 345

Re: IPsec Site-to-Site down after a few minutes

The A and B load-balance groups on Hassloch may also be tripping you up here. I recommend trying to remove these groups and the corresponding rules in the balance policy.

Please see my previous post on how to disable lb-local and for adding the VPN auto-update timer.

-Ben


Ben Pin - EdgeMAX Support

Emerging Member
Posts: 66
Registered: ‎10-25-2017
Kudos: 1

Re: IPsec Site-to-Site down after a few minutes

I've updated the config on both sites with

set load-balance group G lb-local disable
set vpn ipsec auto-update 300

Should I set system name-server with these commands?

set interfaces ethernet eth0 dhcp-options name-server no-update
set interfaces ethernet eth1 dhcp-options name-server no-update
set system name-server 8.8.8.8

Ubiquiti Employee
Posts: 2,299
Registered: ‎05-08-2017
Kudos: 419
Solutions: 345

Re: IPsec Site-to-Site down after a few minutes


should I set system name-server with these commands?

set interfaces ethernet eth0 dhcp-options name-server no-update
set interfaces ethernet eth1 dhcp-options name-server no-update
set system name-server 8.8.8.8

That is correct. You can verify the name servers that the system is currently using with the show dns forwarding nameservers command.

-Ben


Ben Pin - EdgeMAX Support

Emerging Member
Posts: 66
Registered: ‎10-25-2017
Kudos: 1

Re: IPsec Site-to-Site down after a few minutes

[ Edited ]

I've tested the system name-server settings with our office ER and lost my internet connection...

After a reboot of the ER the connection is running again.

I will update the ER on Wachenheim and Hassloch outside normal business hours.

Emerging Member
Posts: 66
Registered: ‎10-25-2017
Kudos: 1

Re: IPsec Site-to-Site down after a few minutes

Now the tunnel is up and running stably!

Here is my last config:

Wachenheim

ChristianSchmid@ubnt:~$ show configuration
firewall {
    all-ping enable
    broadcast-ping disable
    group {
        network-group PRIVATE_NETS {
            network 192.168.0.0/16
            network 172.16.0.0/12
            network 10.0.0.0/8
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians disable
    modify balance {
        rule 10 {
            action modify
            description "do NOT load balance lan to lan"
            destination {
                group {
                    network-group PRIVATE_NETS
                }
            }
            modify {
                table main
            }
        }
        rule 20 {
            action modify
            description "do NOT load balance destination public address"
            destination {
                group {
                    address-group ADDRv4_eth0
                }
            }
            modify {
                table main
            }
        }
        rule 30 {
            action modify
            description "do NOT load balance destination public address"
            destination {
                group {
                    address-group ADDRv4_eth1
                }
            }
            modify {
                table main
            }
        }
        rule 110 {
            action modify
            modify {
                lb-group G
            }
        }
    }
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 21 {
            action accept
            description "Ping eth0"
            destination {
                group {
                    address-group NETv4_eth0
                }
            }
            log disable
            protocol icmp
        }
        rule 22 {
            action accept
            description "Ping eth1"
            destination {
                group {
                    address-group NETv4_eth1
                }
            }
            log disable
            protocol icmp
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description "Telekom FB"
        dhcp-options {
            default-route no-update
            default-route-distance 210
            name-server no-update
        }
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        address dhcp
        description "Kabel D"
        dhcp-options {
            default-route update
            default-route-distance 100
            name-server no-update
        }
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth2 {
        address 192.168.0.1/24
        description LAN
        duplex auto
        firewall {
            in {
                modify balance
            }
        }
        speed auto
    }
    ethernet eth3 {
        disable
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
load-balance {
    group G {
        interface eth0 {
        }
        interface eth1 {
        }
        lb-local disable
        lb-local-metric-change disable
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface eth2
    rule 1 {
        description FTP
        forward-to {
            address 192.168.0.3
            port 21
        }
        original-port 21
        protocol tcp
    }
    rule 2 {
        description "FTP Passive"
        forward-to {
            address 192.168.0.3
            port 50000-51000
        }
        original-port 50000-51000
        protocol tcp
    }
    wan-interface eth1
}
protocols {
    static {
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN {
            authoritative enable
            subnet 192.168.0.0/24 {
                default-router 192.168.0.1
                dns-server 192.168.0.1
                lease 86400
                start 192.168.0.38 {
                    stop 192.168.0.243
                }
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    dns {
        dynamic {
            interface eth1 {
                service dyndns {
                    host-name wachenheim2.is-very-good.org
                    login XXXXXX
                    password ****************
                }
            }
        }
        forwarding {
            cache-size 150
            listen-on eth2
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5000 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
        rule 5002 {
            description "masquerade for WAN 2"
            outbound-interface eth1
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    conntrack {
        expect-table-size 4096
        hash-size 4096
        table-size 32768
        tcp {
            half-open-connections 512
            loose enable
            max-retrans 3
        }
    }
    host-name ubnt
    login {
        user ChristianSchmid {
            authentication {
                encrypted-password ****************
            }
            level admin
        }
    }
    name-server 8.8.8.8
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        hwnat disable
        ipsec enable
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}
vpn {
    ipsec {
        auto-update 300
        auto-firewall-nat-exclude enable
        esp-group FOO0 {
            compression disable
            lifetime 3600
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes128
                hash sha1
            }
        }
        ike-group FOO0 {
            dead-peer-detection {
                action restart
                interval 30
                timeout 120
            }
            ikev2-reauth no
            key-exchange ikev1
            lifetime 28800
            proposal 1 {
                dh-group 14
                encryption aes128
                hash sha1
            }
        }
        ipsec-interfaces {
            interface eth1
        }
        site-to-site {
            peer hassloch2.is-very-good.org {
                authentication {
                    id @wachenheim2.is-very-good.org
                    mode pre-shared-secret
                    pre-shared-secret ****************
                    remote-id @hassloch2.is-very-good.org
                }
                connection-type initiate
                description Hassloch
                dhcp-interface eth1
                ike-group FOO0
                ikev2-reauth inherit
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group FOO0
                    local {
                        prefix 192.168.0.0/24
                    }
                    remote {
                        prefix 192.168.60.0/24
                    }
                }
            }
        }
    }
}

Hassloch
ChristianSchmid@ubnt-h:~$ show configuration
firewall {
    all-ping enable
    broadcast-ping disable
    group {
        network-group PRIVATE_NETS {
            network 192.168.0.0/16
            network 172.16.0.0/12
            network 10.0.0.0/8
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians disable
    modify balance {
        rule 10 {
            action modify
            description "do NOT load balance lan to lan"
            destination {
                group {
                    network-group PRIVATE_NETS
                }
            }
            modify {
                table main
            }
        }
        rule 20 {
            action modify
            description "do NOT load balance destination public address"
            destination {
                group {
                    address-group ADDRv4_eth0
                }
            }
            modify {
                table main
            }
        }
        rule 30 {
            action modify
            description "do NOT load balance destination public address"
            destination {
                group {
                    address-group ADDRv4_eth1
                }
            }
            modify {
                table main
            }
        }
        rule 40 {
            action modify
            destination {
                address 217.91.144.122/32
            }
            modify {
                lb-group A
            }
        }
        rule 50 {
            action modify
            destination {
                address 95.0.0.0/8
            }
            modify {
                lb-group B
            }
        }
        rule 110 {
            action modify
            modify {
                lb-group G
            }
        }
    }
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 21 {
            action accept
            description "Allow Ping eth0"
            destination {
                group {
                    address-group NETv4_eth0
                }
            }
            icmp {
                type 8
            }
            log disable
            protocol icmp
        }
        rule 22 {
            action accept
            description "Allow Ping eth1"
            destination {
                group {
                    address-group NETv4_eth1
                }
            }
            icmp {
                type 8
            }
            log disable
            protocol icmp
        }
        rule 30 {
            action accept
            description PPTP
            destination {
                port 1723
            }
            protocol tcp
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description "Telekom Gate"
        dhcp-options {
            default-route no-update
            default-route-distance 210
            name-server no-update
        }
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        address dhcp
        description "Kabel D"
        dhcp-options {
            default-route update
            default-route-distance 100
            name-server no-update
        }
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth2 {
        disable
        duplex auto
        speed auto
    }
    ethernet eth3 {
        address 192.168.60.1/24
        description LAN
        duplex auto
        firewall {
            in {
                modify balance
            }
        }
        speed auto
    }
    loopback lo {
    }
}
load-balance {
    group A {
        interface eth0 {
        }
        lb-local enable
        lb-local-metric-change disable
    }
    group B {
        interface eth1 {
        }
        lb-local enable
        lb-local-metric-change disable
    }
    group G {
        interface eth0 {
        }
        interface eth1 {
        }
        lb-local disable
        lb-local-metric-change disable
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface eth3
    rule 1 {
        description "HTTPS Server"
        forward-to {
            address 192.168.60.4
            port 443
        }
        original-port 443
        protocol tcp
    }
    wan-interface eth0
}
protocols {
    static {
    }
}
service {
    dns {
        dynamic {
            interface eth1 {
                service dyndns {
                    host-name hassloch2.is-very-good.org
                    login xxxxxxx
                    password ****************
                }
            }
        }
        forwarding {
            cache-size 150
            listen-on eth3
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5000 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
        rule 5002 {
            description "masquerade for WAN 2"
            outbound-interface eth1
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    unms {
        disable
    }
}
system {
    conntrack {
        expect-table-size 4096
        hash-size 4096
        table-size 32768
        tcp {
            half-open-connections 512
            loose enable
            max-retrans 3
        }
    }
    host-name ubnt-h
    login {
        user ChristianSchmid {
            authentication {
                encrypted-password ****************
            }
            level admin
        }
    }
    name-server 8.8.8.8
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        hwnat disable
        ipsec enable
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}
vpn {
    ipsec {
        auto-update 300
        auto-firewall-nat-exclude enable
        esp-group FOO0 {
            compression disable
            lifetime 3600
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes128
                hash sha1
            }
        }
        ike-group FOO0 {
            dead-peer-detection {
                action restart
                interval 30
                timeout 120
            }
            ikev2-reauth no
            key-exchange ikev1
            lifetime 28800
            proposal 1 {
                dh-group 14
                encryption aes128
                hash sha1
            }
        }
        ipsec-interfaces {
            interface eth1
        }
        site-to-site {
            peer wachenheim2.is-very-good.org {
                authentication {
                    id @hassloch2.is-very-good.org
                    mode pre-shared-secret
                    pre-shared-secret ****************
                    remote-id @wachenheim2.is-very-good.org
                }
                connection-type initiate
                description Wachenheim
                dhcp-interface eth1
                ike-group FOO0
                ikev2-reauth inherit
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group FOO0
                    local {
                        prefix 192.168.60.0/24
                    }
                    remote {
                        prefix 192.168.0.0/24
                    }
                }
            }
        }
    }
    pptp {
        remote-access {
            authentication {
                local-users {
                    username BennyFath {
                        password ****************
                    }
                    username annette {
                        password ****************
                    }
                    username jvolkmer {
                        password ****************
                    }
                    username schmid {
                        password ****************
                    }
                }
                mode local
            }
            client-ip-pool {
                start 192.168.60.240
                stop 192.168.60.244
            }
            dhcp-interface eth1
            dns-servers {
                server-1 192.168.60.1
                server-2 8.8.8.8
            }
            mtu 1492
        }
    }
}

My last changes:

set load-balance group G lb-local disable

set vpn ipsec auto-update 300

set interfaces ethernet eth0 dhcp-options name-server no-update
set interfaces ethernet eth1 dhcp-options name-server no-update
set system name-server 8.8.8.8

Could someone please explain the set load-balance group G lb-local disable setting?

Thanks for your help!

 

Christian

Emerging Member
Posts: 440
Registered: ‎09-13-2018
Kudos: 69
Solutions: 26

Re: IPsec Site-to-Site down after a few minutes


@ChristianSchmid wrote:

Could someone please explain the set load-balance group G lb-local disable setting?

Ben Pin did in https://community.ubnt.com/t5/EdgeRouter/IPsec-Site-to-Site-down-after-a-few-minutes/m-p/2577829/hig...

Have you tried disabling the load-balancing of local traffic?

configure
set load-balance group G lb-local disable
commit ; save

On the EdgeRouter, when you see "local", it normally means the router itself. Disabling load balancing of local traffic affects traffic generated by the router itself, for example the VPN traffic, DynDNS update traffic, etc. The choice of route is then controlled by the main routing table: length of subnet mask, administrative distance or metric.

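An added check to go with the reply above; this is example code written for this page, not code from the thread, from EdgeOS or from strongSwan. The point of `lb-local disable` is that the router's own IKE/ESP packets must leave from the address the peer expects (here the `dhcp-interface eth1` address, not the other WAN masqueraded by the NAT rules), and a DynDNS peer name must still resolve to the address the remote side is actually using. The script parses the text that `show vpn ipsec sa` prints (the layout is strongSwan's SA listing) and reports, per peer, whether the IKE_SA is ESTABLISHED, whether the CHILD_SA is INSTALLED, whether the local and remote addresses are the expected ones, and whether an installed CHILD_SA has sent traffic but received none. The sample output is constructed with RFC 5737 documentation addresses; the expected addresses passed to `check_tunnel` and the `vyatta-op-cmd-wrapper` path used for the optional live run are assumptions.

```python
"""Health check for an EdgeOS (strongSwan) site-to-site IPsec tunnel.

Added example for this thread, not EdgeOS or strongSwan code. Parses the
`show vpn ipsec sa` listing and flags the states a practitioner would
otherwise catch only by hand before running `restart vpn`.
"""
import re
import subprocess
import sys
from dataclasses import dataclass

# Constructed sample in the layout EdgeOS prints. Peer names follow the
# thread; the addresses are RFC 5737 documentation ranges, not real ones.
SAMPLE = """\
peer-hassloch2.is-very-good.org-tunnel-1: #10, ESTABLISHED, IKEv1, d8c3d04bd194c47b:4349f3206f7315a7
  local  'wachenheim2.is-very-good.org' @ 198.51.100.182
  remote 'hassloch2.is-very-good.org' @ 203.0.113.87
  AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
  established 22504s ago, reauth in 5666s
  peer-hassloch2.is-very-good.org-tunnel-1: #1, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA1_96/MODP_2048
    installed 951s ago, rekeying in 1908s, expires in 2650s
    in  c2f5c0a6,      0 bytes,     0 packets
    out c9e1a2b3,  48120 bytes,   402 packets
    local  192.168.0.0/24
    remote 192.168.60.0/24
"""

# IKE_SA header starts in column 0; CHILD_SA header and counters are indented.
IKE_RE = re.compile(r"^(?P<name>\S+): #(?P<id>\d+), (?P<state>[A-Z_]+), IKEv(?P<ver>[12])")
ADDR_RE = re.compile(r"^\s+(?P<side>local|remote)\s+'(?P<ident>[^']*)' @ (?P<addr>[\d.]+)")
CHILD_RE = re.compile(r"^\s+(?P<name>\S+): #(?P<id>\d+), (?P<state>[A-Z_]+), (?P<mode>TUNNEL|TRANSPORT)")
COUNT_RE = re.compile(r"^\s+(?P<dir>in|out)\s+[0-9a-f]+,\s+(?P<bytes>\d+) bytes,\s+(?P<pkts>\d+) packets")


@dataclass
class Tunnel:
    peer: str
    ike_state: str = "MISSING"
    local_addr: str = ""
    remote_addr: str = ""
    child_state: str = "MISSING"
    in_packets: int = 0
    out_packets: int = 0


def parse_sa_output(text):
    """Return {peer_name: Tunnel} for every IKE_SA in the listing."""
    tunnels, current = {}, None
    for line in text.splitlines():
        m = IKE_RE.match(line)
        if m:
            current = Tunnel(peer=m["name"], ike_state=m["state"])
            tunnels[m["name"]] = current
            continue
        if current is None:
            continue  # text before the first IKE_SA header
        m = ADDR_RE.match(line)
        if m:
            setattr(current, f"{m['side']}_addr", m["addr"])
            continue
        m = CHILD_RE.match(line)
        if m:
            current.child_state = m["state"]
            continue
        m = COUNT_RE.match(line)
        if m:
            setattr(current, f"{m['dir']}_packets", int(m["pkts"]))
    return tunnels


def check_tunnel(tunnels, peer, expect_local, expect_remote):
    """Return a list of problems for one peer; an empty list means healthy."""
    t = tunnels.get(peer)
    if t is None:
        return ["no IKE_SA for peer"]
    problems = []
    if t.ike_state != "ESTABLISHED":
        problems.append(f"IKE_SA state {t.ike_state}")
    if t.child_state != "INSTALLED":
        problems.append(f"CHILD_SA state {t.child_state}")
    if t.local_addr != expect_local:
        # Local address on the wrong WAN: router-originated traffic was policy-routed.
        problems.append(f"local address {t.local_addr}, expected {expect_local} (wrong WAN?)")
    if t.remote_addr != expect_remote:
        # Peer moved but the SA still points at the old address (DynDNS lag).
        problems.append(f"remote address {t.remote_addr}, expected {expect_remote} (stale DynDNS?)")
    if t.child_state == "INSTALLED" and t.in_packets == 0 and t.out_packets > 0:
        problems.append("CHILD_SA installed but nothing received (one-way, restart vpn candidate)")
    return problems


if __name__ == "__main__":
    if "--live" in sys.argv:
        # Assumed path of the EdgeOS operational-command wrapper.
        text = subprocess.run(["/opt/vyatta/bin/vyatta-op-cmd-wrapper", "show", "vpn", "ipsec", "sa"],
                              capture_output=True, text=True, check=False).stdout
    else:
        text = SAMPLE
    sas = parse_sa_output(text)
    for name in sas:
        print(name, check_tunnel(sas, name, "198.51.100.182", "203.0.113.87") or "OK")
```

Run it without arguments to see the constructed sample evaluated; on the router, `python3 check.py --live` from a cron job gives a condition on which to trigger `restart vpn` instead of waiting for users to notice that the tunnel carries traffic in one direction only.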