01-22-2018 05:28 PM - edited 02-06-2018 07:23 AM
I have been trying to establish a Site-to-Site VPN with mixed results.
So far I managed to have a link working for a few days, but it goes offline each time my ISP changes my external IP (I used a FQDN updated through OVH's Dynhost to adopt the USG). The VPN indicator stays green in the dashboard although I can't connect to any of the device on the other site. I have to delete and configure it in order to have it working again.
Here is my setup :
⎡ WAN1 (PPPoE) - USG4 --- USW48 --- Unifi server 188.8.131.52 on Ubuntu (192.168.0.3/24)
⎜ ⎣ Server (VLAN 116 172.20.116.2/24)
Routes on both USGs (Network 172.20.116.0/24, Distance 15, Type Interface, Interface VPN)
⎣WAN1 (PPPoE) - USG3 --- Switch — Clients (192.168.2.0/24)
Here is a result of a ping from site 1 to site 2 :
PING 192.168.2.2 (192.168.2.2): 56 data bytes
92 bytes from routeura29 (192.168.0.1): Destination Host Unreachable
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 5400 e107 0 0000 3f 01 16eb 192.168.0.100 192.168.2.2
And a traceroute :
traceroute to 192.168.2.2 (192.168.2.2), 64 hops max, 52 byte packets
1 routeura29 (192.168.0.1) 3.255 ms 0.817 ms 0.653 ms
2 routeura29 (192.168.0.1) 0.786 ms !H 2.966 ms !H 0.821 ms !H
Any idea would be greatly appreciated !
02-07-2018 03:18 AM
I'm still having the same problem, I have tried with and without static routes. What am I doing wrong ?
After a reconnection :
PING 192.168.2.2 (192.168.2.2): 56 data bytes 92 bytes from routeura29 (192.168.0.1): Destination Host Unreachable Vr HL TOS Len ID Flg off TTL Pro cks Src Dst 4 5 00 5400 155a 0 0000 3f 01 e298 192.168.0.100 192.168.2.2
traceroute to 192.168.2.2 (192.168.2.2), 64 hops max, 52 byte packets 1 routeura29 (192.168.0.1) 4.517 ms 1.362 ms 2.129 ms 2 routeura29 (192.168.0.1) 0.801 ms !H 1.875 ms !H 0.786 ms !H
After deleting-creating the VPN :
traceroute to 192.168.2.2 (192.168.2.2), 64 hops max, 52 byte packets 1 routeura29 (192.168.0.1) 26.742 ms 3.847 ms 2.594 ms 2 10.255.254.2 (10.255.254.2) 15.376 ms 18.536 ms 12.635 ms 3 192.168.2.2 (192.168.2.2) 18.255 ms 13.247 ms 15.783 ms
Any help/idea/criticism ould be greatly appreciated
02-14-2018 02:14 PM
Right now the VPN keeps dropping every couple of days, randomly or when the ISP changes our IPs or when I try to add another VPN.
I think that my internet connections could be a source of my problems;
Both USG are managing the WAN through PPPoE, and I don’t think that the dynamic IPs are reported correctly to the controller. The dashboard isn’t displaying the WAN IP but the DynDNS is kept updated and I can see it the WAN IP in the USG's status.
Here are the interfaces on the main USG :
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down Interface IP Address S/L Description --------- ---------- --- ----------- eth0 192.168.0.1/24 u/u eth0.116 172.20.116.1/24 u/u eth0.117 172.20.117.1/24 u/u eth0.200 10.200.1.1/20 u/u eth1 - A/D eth2 - u/u eth3 - A/D lo 127.0.0.1/8 u/u ::1/128 pppoe0 184.108.40.206 u/u vti0 10.255.254.1/32 u/u
Here are some informations that may be useful:
show vpn remote-access :
No active remote access VPN sessions
show vpn ipsec sa :
peer-220.127.116.11-tunnel-vti: #2, ESTABLISHED, IKEv1, b4c55089839015d8:7a0677aae23ccf81 local '18.104.22.168' @ 22.214.171.124 remote '126.96.36.199' @ 188.8.131.52 AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048 established 3935s ago, reauth in 23883s peer-184.108.40.206-tunnel-vti: #1, REKEYING, TUNNEL, ESP:AES_CBC-256/HMAC_SHA1_96/MODP_2048 installed 3289 ago, rekeying in -521s, expires in 313s in c394f813, 231840 bytes, 2760 packets, 1s ago out c1b2a7f0, 232092 bytes, 2763 packets, 1s ago local 0.0.0.0/0 remote 0.0.0.0/0 peer-220.127.116.11-tunnel-vti: #1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA1_96/MODP_2048 installed 521 ago, rekeying in 2241s, expires in 3079s in c1fc130a, 43512 bytes, 518 packets, 1s ago out cd158393, 43680 bytes, 520 packets, 1s ago local 0.0.0.0/0 remote 0.0.0.0/0
show ip route :
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF, I - ISIS, B - BGP, > - selected route, * - FIB route S>* 0.0.0.0/0 [1/0] is directly connected, pppoe0 C>* 10.200.0.0/20 is directly connected, eth0.200 C>* 10.255.254.1/32 is directly connected, vti0 C>* 127.0.0.0/8 is directly connected, lo C>* 172.20.116.0/24 is directly connected, eth0.116 C>* 172.20.117.0/24 is directly connected, eth0.117 C>* 192.168.0.0/24 is directly connected, eth0 S>* 192.168.2.0/24 [30/0] is directly connected, vti0 C>* 18.104.22.168/32 is directly connected, pppoe0
Strange... show vpn :
I would like to keep using auto-VPN as my IPs are renewed every couple of days.
02-14-2018 05:07 PM
I've experienced the same issue.
AutoVPN is quite buggy, unfortunately. I used to think that it would be fixed very fast being such an important feature, but it's been more than 6 months since I embarked on Unifi and still no fix in sight.
What I do now is to run all VPN software from x86 Linux virtual machines behind the USG. Since I did that, my problems vanished and I was back with very solid VPN linking our branch offices.