New Member (Posts: 35, Registered: 12-22-2015, Kudos: 1)

Route-based VPN connects but no traffic other than ping

Hi,

Previously I used a policy-based VPN (IPsec), set up via the GUI between two EdgeMax routers.

Today I deleted these peers and created a route-based VPN between the same peers.

I did it as UBNT describes here: https://help.ubnt.com/hc/en-us/articles/115011377588-EdgeRouter-Route-Based-Site-to-Site-IPsec-VPN

The VPN comes up and I can ping the other network from my EdgeMax router. Traceroute shows the "right" trace.

If I try to SSH to a computer on the other network, it times out.

If I ping from a PC on one side to the EdgeMax on the other side, it works.

If I ping from a PC on one side to a PC on the other side, it times out.

So do I need to create some additional firewall rules?

With the policy-based VPN I didn't have to create them manually, but the route-based VPN is created manually via the CLI.

So which policies do I need?

Regards, Mark

SuperUser (Posts: 8,180, Registered: 01-05-2012, Kudos: 2169, Solutions: 1074)

Without seeing the configs, everything could be ...
Cheers,
jonatha

New Member (Posts: 35, Registered: 12-22-2015, Kudos: 1)

Here is the config from the Left Side:

set vpn ipsec auto-firewall-nat-exclude enable
set vpn ipsec ike-group FOO0 lifetime 28800
set vpn ipsec ike-group FOO0 proposal 1 dh-group 14
set vpn ipsec ike-group FOO0 proposal 1 encryption aes128
set vpn ipsec ike-group FOO0 proposal 1 hash sha1
set vpn ipsec esp-group FOO0 lifetime 3600
set vpn ipsec esp-group FOO0 pfs enable
set vpn ipsec esp-group FOO0 proposal 1 encryption aes128
set vpn ipsec esp-group FOO0 proposal 1 hash sha1

set vpn ipsec site-to-site peer x.x.x.x authentication mode pre-shared-secret
set vpn ipsec site-to-site peer x.x.x.x authentication pre-shared-secret mySecret
set vpn ipsec site-to-site peer x.x.x.x description Right
set vpn ipsec site-to-site peer x.x.x.x local-address x.x.x.x

set vpn ipsec site-to-site peer x.x.x.x ike-group FOO0
set vpn ipsec site-to-site peer x.x.x.x vti bind vti0
set vpn ipsec site-to-site peer x.x.x.x vti esp-group FOO0

set vpn ipsec site-to-site peer x.x.x.x authentication id x.x.x.x
set interfaces vti vti0 address 10.255.12.1/30
set protocols static interface-route y.y.y.0/24 next-hop-interface vti0
commit; save; exit;

The Right Side:

set vpn ipsec auto-firewall-nat-exclude enable
set vpn ipsec ike-group FOO0 lifetime 28800
set vpn ipsec ike-group FOO0 proposal 1 dh-group 14
set vpn ipsec ike-group FOO0 proposal 1 encryption aes128
set vpn ipsec ike-group FOO0 proposal 1 hash sha1
set vpn ipsec esp-group FOO0 lifetime 3600
set vpn ipsec esp-group FOO0 pfs enable
set vpn ipsec esp-group FOO0 proposal 1 encryption aes128
set vpn ipsec esp-group FOO0 proposal 1 hash sha1

set vpn ipsec site-to-site peer x.x.x.x authentication mode pre-shared-secret
set vpn ipsec site-to-site peer x.x.x.x authentication pre-shared-secret IbkmHIr.
set vpn ipsec site-to-site peer x.x.x.x description Left
set vpn ipsec site-to-site peer x.x.x.x local-address x.x.x.x
set vpn ipsec site-to-site peer x.x.x.x ike-group FOO0
set vpn ipsec site-to-site peer x.x.x.x vti bind vti0
set vpn ipsec site-to-site peer x.x.x.x vti esp-group FOO0
set interfaces vti vti0 address 10.255.12.2/30
set protocols static interface-route x.x.x.0/24 next-hop-interface vti0

I hope this will help.

Mark

Member (Posts: 148, Registered: 02-23-2012, Kudos: 74, Solutions: 4)

What did you actually type in for the static routes?

Edit: I can see that you said traceroute works, so it's not that. Can you packet capture on one side and do your ping?

Veteran Member (Posts: 7,610, Registered: 03-24-2016, Kudos: 1979, Solutions: 871)

You should post your firewall config (or better, the entire config).

Play around with tcpdump while connecting via SSH. Maybe the remote host has an internal firewall or lacks a route.

Ubiquiti Employee (Posts: 2,644, Registered: 05-08-2017, Kudos: 463, Solutions: 384)

Hi @mgosx,

It sounds like there is a problem with the TCP traffic over the VPN. Can you try lowering the TCP MSS value for the VTI interfaces on both routers?

The commands are:

configure
set firewall options mss-clamp interface-type vti
set firewall options mss-clamp mss 1350
commit ; save

Ben

Ben Pin | Ubiquiti Support

New Member (Posts: 35, Registered: 12-22-2015, Kudos: 1)

Thanks for the hints,

I will test it this weekend.

On Wednesday I was under time pressure. That is how I could have made a configuration error.

To get it running by Thursday morning I went back to my policy-based VPN.

But I will try it this weekend.

Best regards

Mark

New Member (Posts: 35, Registered: 12-22-2015, Kudos: 1)

Finally I found the error.

Site A uses an IP subnet which was not in the private network group of Site B.

That way Site A could reach Site B and the routing was fine.

But Site B always routed the traffic via the default route to the internet.

After putting network A into the private network group of Site B, everything works fine.

Best Regards, Mark
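The root cause reported above (the remote LAN missing from the network group that the other site's firewall/NAT rules depend on) is exactly the kind of mismatch worth checking mechanically before committing a route-based VPN on both routers. What follows is an added example, not code from this thread or from Ubiquiti: it parses the `set ...` lines of the two configs and flags the remote LAN not being routed out of vti0, VTI addresses that do not share one /30, IKE/ESP proposals that differ between the sides, and the remote LAN missing from a firewall network group. It goes slightly beyond the thread's single case by checking both directions at once. The subnets, peer addresses, sample configs and the group name PRIVATE_NETS are constructed for the example; EdgeOS itself does not perform these checks.

```python
"""Consistency checker for an EdgeOS route-based (VTI) site-to-site VPN.

Added example, not code from the forum posts or from Ubiquiti.  It parses
the `set ...` lines of both routers and reports the mismatches discussed
in the thread.  Subnets, peer addresses and the network-group name
PRIVATE_NETS below are constructed, not taken from the posted configs.
"""
import ipaddress

LAN_A = "192.168.10.0/24"   # constructed
LAN_B = "192.168.20.0/24"   # constructed
GROUP = "PRIVATE_NETS"      # assumed name of the "private network group"

# Constructed sample: site B's network group lacks LAN_A, as in the thread.
SITE_A = f"""
set vpn ipsec ike-group FOO0 proposal 1 dh-group 14
set vpn ipsec ike-group FOO0 proposal 1 encryption aes128
set vpn ipsec ike-group FOO0 proposal 1 hash sha1
set vpn ipsec esp-group FOO0 proposal 1 encryption aes128
set vpn ipsec esp-group FOO0 proposal 1 hash sha1
set interfaces vti vti0 address 10.255.12.1/30
set protocols static interface-route {LAN_B} next-hop-interface vti0
set firewall group network-group {GROUP} network {LAN_A}
set firewall group network-group {GROUP} network {LAN_B}
"""
SITE_B = f"""
set vpn ipsec ike-group FOO0 proposal 1 dh-group 14
set vpn ipsec ike-group FOO0 proposal 1 encryption aes128
set vpn ipsec ike-group FOO0 proposal 1 hash sha1
set vpn ipsec esp-group FOO0 proposal 1 encryption aes128
set vpn ipsec esp-group FOO0 proposal 1 hash sha1
set interfaces vti vti0 address 10.255.12.2/30
set protocols static interface-route {LAN_A} next-hop-interface vti0
set firewall group network-group {GROUP} network {LAN_B}
"""
# The fix Mark applied: add site A's LAN to site B's group.
SITE_B_FIXED = SITE_B + f"set firewall group network-group {GROUP} network {LAN_A}\n"


def parse_set_lines(text):
    """Tokenize every `set ...` line, dropping the leading `set`."""
    return [line.split()[1:] for line in text.splitlines()
            if line.strip().startswith("set ")]


def lookup(cfg, *prefix):
    """Tokens following `prefix` for every entry that starts with it."""
    n = len(prefix)
    return [toks[n:] for toks in cfg if toks[:n] == list(prefix)]


def vti_network(cfg, vti="vti0"):
    """The /30 (or whatever prefix) the VTI address belongs to, or None."""
    addrs = lookup(cfg, "interfaces", "vti", vti, "address")
    return ipaddress.ip_interface(addrs[0][0]).network if addrs else None


def routes_via(cfg, vti="vti0"):
    """Prefixes statically routed out of `vti` via an interface-route."""
    return {ipaddress.ip_network(r[0])
            for r in lookup(cfg, "protocols", "static", "interface-route")
            if r[1:3] == ["next-hop-interface", vti]}


def group_members(cfg, group):
    """Networks listed in firewall network-group `group`."""
    return {ipaddress.ip_network(r[0]) for r in
            lookup(cfg, "firewall", "group", "network-group", group, "network")}


def proposals(cfg, kind):
    """(group, proposal no., attribute) -> value for 'ike-group'/'esp-group'."""
    return {(r[0], r[2], r[3]): r[4] for r in lookup(cfg, "vpn", "ipsec", kind)
            if len(r) == 5 and r[1] == "proposal"}


def covered(net, members):
    """True if `net` equals or lies inside any member of the group."""
    return any(net == m or net.subnet_of(m) for m in members)


def check_side(name, cfg, remote_lan, group):
    """Checks on one router's view of the *other* site's LAN."""
    remote = ipaddress.ip_network(remote_lan)
    findings = []
    if remote not in routes_via(cfg):
        findings.append(f"{name}: no interface-route for {remote} via vti0")
    if not covered(remote, group_members(cfg, group)):
        findings.append(f"{name}: {remote} missing from network-group {group}")
    return findings


def check_pair(site_a, lan_a, site_b, lan_b, group=GROUP):
    """Return a list of findings; an empty list means the pair is consistent."""
    a, b = parse_set_lines(site_a), parse_set_lines(site_b)
    findings = check_side("A", a, lan_b, group) + check_side("B", b, lan_a, group)
    if vti_network(a) is None or vti_network(a) != vti_network(b):
        findings.append("VTI addresses are not in one /30 on both sides")
    for kind in ("ike-group", "esp-group"):
        if proposals(a, kind) != proposals(b, kind):
            findings.append(f"{kind} proposals differ between the sides")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", SITE_B), ("after the fix", SITE_B_FIXED)):
        print(label, check_pair(SITE_A, LAN_A, cfg, LAN_B) or ["OK"])
```

Run it against `show configuration commands` output from each router (pasted in place of the constructed strings) and it reports, for the sample, that site B's group lacks 192.168.10.0/24 and nothing once that line is added. The group check only matters where the firewall or NAT rules actually reference that group, which is what the wizard-generated rules in the thread do.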

Ubiquiti Employee (Posts: 2,644, Registered: 05-08-2017, Kudos: 463, Solutions: 384)

Hi Mark,

Thanks for reporting the results back to us. Glad that you were able to get it working.

Ben