Established Member
Posts: 2,341
Registered: 05-30-2012
Kudos: 784
Solutions: 30

Upgraded to 1.5 lost VPN configuration

Hi!

When I upgraded to v1.5 firmware (from v1.41) my VPN configuration was reset. Both IKE and ESP settings were changed.

Instead of esp-group ESP0 and ike-group IKE0, they were renamed to esp-group FOO0 and ike-group FOO0.

:-(

 

Established Member
Posts: 2,341
Registered: 05-30-2012
Kudos: 784
Solutions: 30

Re: Upgraded to 1.5 lost VPN configuration

I managed to get my tunnel up and running again. But it's like I have only one-way access (maybe traffic from my network is NATted?), and that is traffic from my network (and the EdgeMax Lite) to the other network, not from the other network to me (from the other network I can only ping the EdgeMax Lite, not other devices on the network behind it).

vpn {
    ipsec {
        auto-firewall-nat-exclude enable
        esp-group FOO0 {
            lifetime 28800
            pfs disable
            proposal 1 {
                encryption aes256
                hash sha1
            }
        }
        ike-group FOO0 {
            proposal 1 {
                dh-group 2
                encryption 3des
                hash sha1
            }
        }
        ipsec-interfaces {
            interface eth0
        }
        nat-networks {
            allowed-network 0.0.0.0/0 {
            }
        }
        nat-traversal enable
        site-to-site {
            peer vpn.xxx.tld {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                connection-type initiate
                ike-group FOO0
                local-ip X.X.X.X
                tunnel 1 {
                    esp-group FOO0
                    local {
                        subnet 192.168.14.0/24
                    }
                    remote {
                        subnet 10.0.0.0/24
                    }
                }
                tunnel 2 {
                    esp-group FOO0
                    local {
                        subnet 192.168.14.0/24
                    }
                    remote {
                        subnet 10.2.0.0/24
                    }
                }
            }
        }
    }
}

And firewall:

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established and related"
            log disable
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid"
            log disable
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            state {
                invalid enable
            }
        }
        rule 21 {
            action accept
            description "Allow ICMP"
            log disable
            protocol icmp
            state {
                established enable
                invalid disable
                new enable
                related enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}

Any help appreciated.
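As an added example (not part of the thread, nor Ubiquiti's code): a small Python check for the renamed-group problem the thread opens with, parsing a config dump in the brace format shown above and reporting any esp-group or ike-group reference that no longer resolves. The sample config and the peer name vpn.example.invalid are constructed.

```python
# Added example (not from the thread): find esp-/ike-group references in an
# EdgeOS-style config dump that no longer resolve, e.g. after ESP0 -> FOO0.

# Constructed sample: groups renamed to FOO0, tunnel 1 still says ESP0.
SAMPLE = """vpn {
    ipsec {
        esp-group FOO0 {
            lifetime 28800
        }
        ike-group FOO0 {
            lifetime 28800
        }
        site-to-site {
            peer vpn.example.invalid {
                ike-group FOO0
                tunnel 1 {
                    esp-group ESP0
                }
            }
        }
    }
}"""

def parse(text):
    # Brace format -> nested dicts: 'key value' leaves, 'name X {' children.
    root = {}
    stack = [root]
    for line in filter(None, map(str.strip, text.splitlines())):
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            stack[-1][line[:-1].strip()] = child = {}
            stack.append(child)
        else:
            key, _, value = line.partition(" ")
            stack[-1][key] = value
    return root

def dangling_groups(cfg):
    # One message per group reference with no matching block under vpn ipsec.
    ipsec = cfg["vpn"]["ipsec"]
    problems = []
    for peer_key, peer in ipsec.get("site-to-site", {}).items():
        refs = [(peer_key, "ike-group", peer.get("ike-group"))]
        refs += [(f"{peer_key} {t}", "esp-group", tun.get("esp-group"))
                 for t, tun in peer.items() if t.startswith("tunnel ")]
        for where, kind, name in refs:
            if name and f"{kind} {name}" not in ipsec:
                problems.append(f"{where}: {kind} {name} undefined")
    return problems
```

Run `dangling_groups(parse(open("config.boot").read()))` against a saved dump to get an empty list when every tunnel's groups exist.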

 

Previous Employee
Posts: 13,551
Registered: 06-10-2011
Kudos: 5465
Solutions: 1656
Contributions: 2

Re: Upgraded to 1.5 lost VPN configuration

Did you use the VPN configuration page in the Web UI to change some settings? Those names are used by the Web UI page for the configuration right now. This is a current implementation limitation for the Web UI page, i.e., it is not designed for "mixed" CLI and Web UI usage.

Established Member
Posts: 2,341
Registered: 05-30-2012
Kudos: 784
Solutions: 30

Re: Upgraded to 1.5 lost VPN configuration


@UBNT-ancheng wrote:

Did you use the VPN configuration page in the Web UI to change some settings?


I was definitely looking at the page showing VPN settings. I don't know if I clicked anything. Maybe apply?

Any idea why my tunnel only works from the EdgeMax Lite to the other end, not vice versa?

Established Member
Posts: 2,341
Registered: 05-30-2012
Kudos: 784
Solutions: 30

Re: Upgraded to 1.5 lost VPN configuration


@UBNT-ancheng wrote:

This is a current implementation limitation for the Web UI page, i.e., it is not designed for "mixed" CLI and Web UI usage.


@UBNT-ancheng Shouldn't a warning pop up then?

Previous Employee
Posts: 13,551
Registered: 06-10-2011
Kudos: 5465
Solutions: 1656
Contributions: 2

Re: Upgraded to 1.5 lost VPN configuration


@jjonsson wrote:

Shouldn't a warning pop up then?


Yeah we have discussed this before and may add something for that.

For the tunnel issue, could you clarify if the configs were working before and only stopped working after some parts got changed by the Web UI? If so, could you try first restoring to the previous configs and see if they still work correctly?

Established Member
Posts: 2,341
Registered: 05-30-2012
Kudos: 784
Solutions: 30

Re: Upgraded to 1.5 lost VPN configuration

@UBNT-ancheng wrote:

For the tunnel issue, could you clarify if the configs were working before and only stopped working after some parts got changed by the Web UI? If so, could you try first restoring to the previous configs and see if they still work correctly?


The tunnels were working fine before the upgrade. Traffic both ways was no problem.

nat-networks {
    allowed-network 0.0.0.0/0 {
    }
}
nat-traversal enable

Aren't these commands doing NAT in the tunnel? (I'm not 100% sure what they do.)

I want the tunnel to carry traffic from both sides' LAN interfaces, without doing NAT.

It's working from my side (EdgeMax) to the other side: I can ping and connect to all devices. The other side is a WatchGuard unit. Since I can ping the EdgeMax LAN interface from the other side (LAN on the WatchGuard), but not the devices behind it, I'm assuming some kind of NAT is in action?

Previous Employee
Posts: 13,551
Registered: 06-10-2011
Kudos: 5465
Solutions: 1656
Contributions: 2

Re: Upgraded to 1.5 lost VPN configuration

Those commands are for the "NAT-traversal" mechanism, but they do not actually do any NAT themselves. Do you still have the original configs that were working before? If so it might be easier to try those first.

Established Member
Posts: 2,341
Registered: 05-30-2012
Kudos: 784
Solutions: 30

Re: Upgraded to 1.5 lost VPN configuration


@UBNT-ancheng wrote:

Do you still have the original configs that were working before? If so it might be easier to try those first.


Unfortunately not. I learned one lesson: do a config backup before upgrading. :-)
