New Member
Posts: 8
Registered: ‎08-01-2018
Kudos: 1
Solutions: 1

Remote vpn users and site-to-site external server

Hey,

 

I am using a USG 4.4.29, on which I have set up an IPsec VPN tunnel to our external server (10.231.13.0/24), which is accessible from our LAN (192.168.101.0/24). Furthermore, I have set up a Remote User L2TP VPN (192.168.102.0/24), which is also connecting and letting me access resources on the LAN. However, I am unable to access the external server from the VPN connection. I have read all the posts with similar setups and tried everything I can think of and can't get it to work. Would appreciate all the help I could get.

 

@UBNT-jaffe You seem to be an expert on the subject, maybe you have some input? 


Ubiquiti Employee
Posts: 1,226
Registered: ‎02-28-2017
Kudos: 366
Solutions: 121

Re: Remote vpn users and site-to-site external server

Hey there! I've done a lot of research in cases like these, which mostly relate to multi-WAN, but it seems you only have a single WAN enabled. The difference in your setup vs. a working setup seems to be a policy-based S2S VPN vs. a route-based VPN. Route-based will use a virtual tunnel interface, or VTI, to route VPN traffic, whereas your policy-based VPN uses the security policy database, or SPD, to route traffic.

It looks like you have the correct phase 2 setup there, with your local prefix being the subnet of your L2TP client pool, so it must not be matching somehow... Can you try changing your S2S to route-based (VTI) and see if that makes a difference? If you used the GUI to configure it, in the VPN advanced options you would check the box that says "enable dynamic routing". Keep in mind this "might" bring your VPN down, so do it during a maintenance period if this is a production site.
Brandon Jaffe | UniFi Routing & Switching | Austin, TX
New Member

Re: Remote vpn users and site-to-site external server

Hey Jaffe, thanks for your reply. Yeah, we are only using one WAN.

 

I actually attempted the dynamic routing option earlier today and it broke the connection to the remote server.

New Member

Re: Remote vpn users and site-to-site external server


Just spoke to the provider of our server solution (10.231.13.0/24); it turns out that they limit the remote access to a single subnet (192.168.101.0/24), meaning that my VPN (192.168.102.0/24) got blocked remotely.

 

I got around this by reducing my LAN to 192.168.101.0/25 and my VPN to 192.168.101.129/25 and added the x.x.x.129/25 to my IPsec tunnel.

 

I am now able to access my remote server!!!! 

 

But for some reason I am now not able to access anything on the LAN from my VPN (which worked fine before??). Any suggestions?

 

 

Ubiquiti Employee

Re: Remote vpn users and site-to-site external server

Ah, makes complete sense. Since it's a policy-based VPN I should have asked you to provide the entire phase 2 config of the remote side, as if they didn't have 192.168.102.0/24 configured as a "remote subnet", it would accept incoming traffic.

Your workaround looks good so long as your main LAN / VPN clients don't exceed 127-128 concurrent clients!

The problem now is most likely that your VPN clients are sending traffic out their default gateway rather than the VPN adapter. What clients are you connecting via L2TP VPN? Do they have "send all traffic via VPN" checked? If not, we'll need to see the client routing table to determine the behavior of the VPN tunnel adapter (specific to the OS).

Just note, 192.168.101.129/25 shouldn't be the "directly connected" route on your VPN client; it should most likely add 192.168.101.0/24 and have an interface route pointing out the L2TP adapter... If it does work like this, your traffic from VPN to LAN should be working.

Also, if you can attempt to send traffic from your VPN client to your LAN, then SSH to the USG and type:

show vpn remote-access
sudo ifconfig l2tp0

And post the results. Thanks!

New Member

Re: Remote vpn users and site-to-site external server


We are a small firm, so we should be nowhere near 128 clients, so we are good there.

 

We are using mainly Windows-based equipment and have checked "Use default gateway on remote network". That should be sufficient to send all traffic across the VPN, right?

 

show vpn remote-access 

User       Time      Proto Iface   Remote IP       TX pkt/byte   RX pkt/byte
---------- --------- ----- -----   --------------- ------ ------ ------ ------
nphk       00h29m10s L2TP  l2tp0   192.168.101.129  8.1K   3.1M  12.5K   1.9M

sudo ifconfig l2tp

l2tp0     Link encap:Point-to-Point Protocol
          inet addr:10.255.255.0  P-t-P:192.168.101.129  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1400  Metric:1
          RX packets:7236 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4253 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:1085463 (1.0 MiB)  TX bytes:1596371 (1.5 MiB)

route print (Win10 machine)

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0        10.2.24.1        10.2.25.1   4270
          0.0.0.0          0.0.0.0         On-link   192.168.101.129     26
       5.57.49.77  255.255.255.255        10.2.24.1        10.2.25.1   4271
        10.2.24.0    255.255.252.0         On-link         10.2.25.1   4526
        10.2.25.1  255.255.255.255         On-link         10.2.25.1   4526
      10.2.27.255  255.255.255.255         On-link         10.2.25.1   4526
        127.0.0.0        255.0.0.0         On-link         127.0.0.1   4556
        127.0.0.1  255.255.255.255         On-link         127.0.0.1   4556
  127.255.255.255  255.255.255.255         On-link         127.0.0.1   4556
  192.168.101.129  255.255.255.255         On-link   192.168.101.129    281
        224.0.0.0        240.0.0.0         On-link         127.0.0.1   4556
        224.0.0.0        240.0.0.0         On-link         10.2.25.1   4526
        224.0.0.0        240.0.0.0         On-link   192.168.101.129     26
  255.255.255.255  255.255.255.255         On-link         127.0.0.1   4556
  255.255.255.255  255.255.255.255         On-link         10.2.25.1   4526
  255.255.255.255  255.255.255.255         On-link   192.168.101.129    281
===========================================================================
Persistent Routes:
  None

I tried "route add 192.168.101.0/24 192.168.101.1 -p", didn't solve the problem.

 

But using Advanced IP Scanner I noticed that I am actually able to ping some machines on the LAN (???). I attached the IP scan results of 192.168.101.1-254 connected to the LAN and to the VPN.

 

[Attachments: IP_LAN.png (scan from the LAN), IP_VPN.png (scan from the VPN)]

New Member

Re: Remote vpn users and site-to-site external server


Well, my reply got marked as spam and removed.

 

Anyway, it turned out that there were only some machines that I couldn't ping (I always use our printer to test). These were the machines that had a static IP configured, meaning that there was a subnet mask conflict after I changed from /24 to /25 on the LAN that prevented the pings. These are now corrected and everything is working as expected.

 

Now my only problem is that I can't ping my USG (192.168.101.1) from the remote network (10.231.13.0/24), which is hosting my RADIUS server (192.168.101.2) to authenticate my VPN users. I can ping the USG from LAN and VPN.

 

EDIT: I can ping all other 192.168.101.x IP addresses from the 10.231.13.0/24.
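Two symptoms in the last few posts come down to the same question of which route a host picks. On the Windows client, the route print above has no 192.168.101.0/24 entry at all; LAN traffic still goes out the L2TP adapter because Windows chooses the longest matching prefix and, between the two 0.0.0.0/0 entries, the one with the lower metric (26, the VPN adapter). On the LAN, a host that still carries a /24 mask treats 192.168.101.129 as on-link and ARPs for it instead of handing the reply to the USG, which is the "subnet mask conflict" described above. The code below is an added example, not from this thread or from Ubiquiti: the route rows are a constructed subset of the posted route print, and host_sends_on_link assumes a plain host with no extra static routes.

```python
import ipaddress
import re

# Constructed sample: the relevant rows of the Windows "route print" output
# posted above (loopback, multicast and broadcast rows left out).
ROUTE_PRINT = """\
          0.0.0.0          0.0.0.0        10.2.24.1        10.2.25.1   4270
          0.0.0.0          0.0.0.0         On-link   192.168.101.129     26
       5.57.49.77  255.255.255.255        10.2.24.1        10.2.25.1   4271
        10.2.24.0    255.255.252.0         On-link         10.2.25.1   4526
        10.2.25.1  255.255.255.255         On-link         10.2.25.1   4526
  192.168.101.129  255.255.255.255         On-link   192.168.101.129    281
"""

# destination, netmask, gateway (or "On-link"), interface address, metric
ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_route_print(text):
    """Return [(network, gateway, interface, metric)] from route print rows.

    Header and separator lines do not end in a numeric metric, so the
    regex skips them without any special casing."""
    routes = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        dest, mask, gw, iface, metric = m.groups()
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, iface, int(metric)))
    return routes


def egress_interface(routes, dst):
    """Interface address Windows would send to dst from: longest prefix wins,
    ties are broken by the lowest metric. Returns None if nothing matches."""
    d = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface, metric in routes:
        if d not in net:
            continue
        if best is None or (net.prefixlen, -metric) > (best[0].prefixlen, -best[3]):
            best = (net, gw, iface, metric)
    return None if best is None else best[2]


def host_sends_on_link(host_ip, prefixlen, dst):
    """True if a LAN host with this mask would ARP for dst directly (and never
    hand the packet to the USG). A /24 host on the renumbered LAN does this
    for VPN clients in 192.168.101.128/25; a /25 host does not."""
    iface = ipaddress.ip_interface(f"{host_ip}/{prefixlen}")
    return ipaddress.ip_address(dst) in iface.network


ROUTES = parse_route_print(ROUTE_PRINT)

if __name__ == "__main__":
    for dst in ("192.168.101.50", "8.8.8.8", "5.57.49.77", "10.2.24.9"):
        print(f"{dst:>16} -> {egress_interface(ROUTES, dst)}")
    for mask in (24, 25):
        print(f"LAN host /{mask} answers 192.168.101.129 on-link:",
              host_sends_on_link("192.168.101.10", mask, "192.168.101.129"))
```

The 5.57.49.77/32 row is the one that keeps the tunnel alive once "Use default gateway on remote network" is on: the VPN endpoint itself stays pinned to the physical NIC, everything else falls to the 0.0.0.0/0 entry on the L2TP adapter.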

New Member

Re: Remote vpn users and site-to-site external server

To whom it may concern:

 

The problem was solved by adding the VPN subnet to the IPsec tunnel, as described by @UBNT-jaffe in a previous post (thank you!).

 

The following firewall rules were added to allow communication across the network and to set up the USG with a RADIUS server on the 10.231.13.0/24 network.

 

{
        "firewall": {
                "name": {
                        "LAN_IN": {
                                "default-action": "accept",
                                "description": "packets from intranet",
                                "rule": {
                                        "6002": {
                                                "action": "accept",
                                                "description": "accounting defined network 10.231.13.0/24",
                                                "source": {
                                                        "address": "10.231.13.0/24"
                                                }
                                        },
                                        "6003": {
                                                "action": "accept",
                                                "description": "accounting defined network 192.168.101.128/25",
                                                "source": {
                                                        "address": "192.168.101.128/25"
                                                }
                                        }
                                }
                        },
                        "LAN_OUT": {
                                "default-action": "accept",
                                "description": "packets forward to intranet",
                                "rule": {
                                        "6002": {
                                                "action": "accept",
                                                "description": "accounting defined network 10.231.13.0/24",
                                                "destination": {
                                                        "address": "10.231.13.0/24"
                                                }
                                        },
                                        "6003": {
                                                "action": "accept",
                                                "description": "accounting defined network 192.168.101.128/25",
                                                "destination": {
                                                        "address": "192.168.101.128/25"
                                                }
                                        }
                                }
                        },
                        "WAN_LOCAL": {
                                "default-action": "drop",
                                "description": "packets from internet to gateway",
                                "rule": {
                                        "2000": {
                                                "action": "accept",
                                                "description": "Allow VPN",
                                                "destination": {
                                                        "address": "192.168.101.0/24"
                                                },
                                                "ipsec": {
                                                        "match-ipsec": "''"
                                                },
                                                "protocol": "all",
                                                "source": {
                                                        "address": "10.231.13.0/24"
                                                }
                                        }
                                }
                        }
                }
        },
        "vpn": {
                "ipsec": {
                        "site-to-site": {
                                "peer": {
                                        "94.18.238.196": {
                                                "tunnel": {
                                                        "1": {
                                                                "allow-nat-networks": "disable",
                                                                "allow-public-networks": "disable",
                                                                "esp-group": "ESP_94.18.238.196",
                                                                "local": {
                                                                        "prefix": "192.168.101.128/25"
                                                                },
                                                                "remote": {
                                                                        "prefix": "10.231.13.0/24"
                                                                }
                                                        }
                                                }
                                        }
                                }
                        }
                }
        }
}

 

Ubiquiti Employee

Re: Remote vpn users and site-to-site external server

@NielsPHK It's interesting that you needed that WAN_LOCAL rule in place; with policy-based VPNs, the "auto firewall nat exclude enable" setting you'll see in your USG config (show vpn ipsec) does a lot of underlying things in iptables that accept traffic (accepts UDP 500/4500, ESP, and all of your phase 2 subnets).

It's interesting that you have only the following subnet defined:

"local": {
        "prefix": "192.168.101.128/25"
},
"remote": {
        "prefix": "10.231.13.0/24"
}
However, I'm guessing this is your config.gateway.json, and your default config has 192.168.101.0/25 defined as a local prefix; this is because your USG LAN address is 192.168.101.1, and that IP has to fall in the phase 2 subnets in order to be allowed in iptables.

New Member

Re: Remote vpn users and site-to-site external server

@UBNT-jaffe I completely agree; although I have suspected the firewall as the source of my problems many times, it has never turned out to be the culprit. The USG has been excellent about automatically defining these. I found the solution in an older thread where UBNT-stig had given examples to solve the issue.

 

Yeah, you are right, this is just my config.gateway.json; my full config has 192.168.101.0/25 defined as well.

 

"site-to-site": {
        "peer": {
                "94.18.238.196": {
                        "authentication": {
                                "mode": "pre-shared-secret",
                                "pre-shared-secret": "X"
                        },
                        "connection-type": "initiate",
                        "ike-group": "IKE_94.18.238.196",
                        "local-address": "5.57.49.77",
                        "tunnel": {
                                "0": {
                                        "esp-group": "ESP_94.18.238.196",
                                        "local": {
                                                "prefix": "192.168.101.0/25"
                                        },
                                        "remote": {
                                                "prefix": "10.231.13.0/24"
                                        }
                                },
                                "1": {
                                        "allow-nat-networks": "disable",
                                        "allow-public-networks": "disable",
                                        "esp-group": "ESP_94.18.238.196",
                                        "local": {
                                                "prefix": "192.168.101.128/25"
                                        },
                                        "remote": {
                                                "prefix": "10.231.13.0/24"
                                        }
                                }
                        }
                }
        }
}

 

I have attached the full config if anyone is interested in my setup.

 

Thanks so much for the help! Greatly appreciated! 
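The whole thread reduces to one property of policy-based IPsec: a packet is only encrypted into the tunnel if its source and destination fall inside one tunnel's local/remote prefix pair (the SPD entry), and the far end applies the same test in reverse. That explains each stage in turn: the original L2TP pool had an SPD entry locally but was outside the provider's permitted 192.168.101.0/24; the config.gateway.json fragment alone covers the new 192.168.101.128/25 pool but not the USG's own LAN address 192.168.101.1, which is why tunnel 0 for 192.168.101.0/25 has to exist for RADIUS traffic from the USG; and the full two-tunnel config covers both. The check below is an added example, not code from the thread or from Ubiquiti. The site_config helper builds configs in the shape the posted JSON uses; the three configs are constructed stand-ins for those stages (the first one reconstructed from the description of a tunnel per LAN and per L2TP pool); and modelling the provider's restriction as a Phase 2 selector on their side is an assumption, since their configuration is not shown anywhere in the thread.

```python
import ipaddress


def site_config(tunnels, remote="10.231.13.0/24", peer="94.18.238.196"):
    """Build the vpn/ipsec/site-to-site subtree in the shape config.gateway.json uses.

    tunnels maps a tunnel id ("0", "1", ...) to its local prefix; every tunnel
    here points at the same remote prefix, as in the thread. IKE/ESP groups and
    the pre-shared secret are left out because the selector check ignores them."""
    return {"vpn": {"ipsec": {"site-to-site": {"peer": {peer: {"tunnel": {
        tid: {"local": {"prefix": local}, "remote": {"prefix": remote}}
        for tid, local in tunnels.items()}}}}}}}


# Constructed stand-ins for the stages of the thread (not the poster's files).
ORIGINAL = site_config({"0": "192.168.101.0/24", "1": "192.168.102.0/24"})
POSTED_FRAGMENT = site_config({"1": "192.168.101.128/25"})
FULL = site_config({"0": "192.168.101.0/25", "1": "192.168.101.128/25"})

# Assumed: the provider enforces "192.168.101.0/24 only" as a Phase 2 selector
# on their side. The thread describes the restriction but not their config.
PEER_ALLOWED_LOCAL = [ipaddress.ip_network("192.168.101.0/24")]


def traffic_selectors(config):
    """Yield (peer, tunnel_id, local_net, remote_net) for each policy-based tunnel."""
    peers = config["vpn"]["ipsec"]["site-to-site"]["peer"]
    for peer, peer_cfg in peers.items():
        for tid, tun in peer_cfg.get("tunnel", {}).items():
            yield (peer, tid,
                   ipaddress.ip_network(tun["local"]["prefix"]),
                   ipaddress.ip_network(tun["remote"]["prefix"]))


def matching_tunnel(config, src, dst):
    """Return (peer, tunnel_id) whose prefixes cover src -> dst, or None.

    A policy-based tunnel only protects packets that match an SPD entry; a
    packet from an address outside every local prefix is routed in the clear
    (out the WAN here, where it can never reach 10.231.13.0/24)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for peer, tid, local, remote in traffic_selectors(config):
        if s in local and d in remote:
            return peer, tid
    return None


def check_flow(config, src, dst, peer_allowed=PEER_ALLOWED_LOCAL):
    """Classify a flow the way the troubleshooting in the thread did, step by step.
    The status strings are this example's own, not USG output."""
    hit = matching_tunnel(config, src, dst)
    if hit is None:
        return "no local SPD entry"          # never enters the tunnel
    if not any(ipaddress.ip_address(src) in n for n in peer_allowed):
        return "rejected by peer selector"   # encrypted, but dropped at the far end
    return f"ok via tunnel {hit[1]}"


if __name__ == "__main__":
    flows = [
        ("192.168.102.10", "10.231.13.5"),   # old L2TP pool client
        ("192.168.101.129", "10.231.13.5"),  # renumbered L2TP client
        ("192.168.101.1", "10.231.13.2"),    # USG LAN address talking to the remote network
    ]
    for name, cfg in (("original", ORIGINAL), ("posted fragment", POSTED_FRAGMENT), ("full", FULL)):
        for src, dst in flows:
            print(f"{name:16} {src:>16} -> {dst:<13} {check_flow(cfg, src, dst)}")
```

Running it prints the three stages side by side; the useful habit it encodes is to test every source the USG itself will use (its LAN address for RADIUS, the L2TP pool, the LAN) against the selectors before blaming the firewall, which is the conclusion the thread reached the hard way.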
