OPNsense Forum

Archive => 17.1 Legacy Series => Topic started by: lordwarlock on May 02, 2017, 12:58:35 pm

Title: IPSec VPN Problems
Post by: lordwarlock on May 02, 2017, 12:58:35 pm
Hello,

I still have problems with an IPSec Site-2-Site tunnel:

The setup:

Windows Server A <- LAN Connection -> OPN-Sense <-IPsec Tunnel-> ZyXEL USG Firewall <- LAN Connection -> Windows Server B

The description of the problem:
The Windows servers can ping each other.
When I copy files from Server A to Server B over SMB, the copy jobs abort.
When I copy files from Server A initiated by Server B, the copy job works.

Can anyone help me?
Title: Re: IPSec VPN Problems
Post by: pbolduc on May 10, 2017, 11:27:52 pm
Do you happen to have Multi-WAN ports\HA load balancing configured at Site A on the OPNsense box?

When you ping between both servers, try doing a ping test to check for packet fragmentation through the VPN.

Example from Site 1: ping server2 -l 1500
Example from Site 2: ping server1 -l 1500

Inspect the MTU on the WAN port of each router to see what it is set at. In the examples above I used 1500 bytes. The default MTU of the OPNsense WAN port is 1500 bytes. Ensure you're not getting packet fragmentation through the VPN tunnel during your ping tests.

I am going to assume each side of the VPN has a different subnet:
Example Site 1: 192.168.1.X  /24
Example Site 2: 192.168.2.X /24

If it happens to be a restrictive firewall policy through the IPSec tunnel to the Zyxel, the network ports I normally pass for File & Printer Sharing are: TCP/UDP: 135,137,138,139,445.
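
An added example, not part of the post above: a PowerShell script that carries the fragmentation test further by setting the Don't Fragment flag and binary-searching for the largest ICMP payload that crosses the tunnel in one piece. The host name `server2` is the placeholder from the post; the starting bounds and timeout are assumptions.

```powershell
# Added example: find the largest unfragmented ICMP payload to a host across the VPN.
param(
    [string]$Target    = 'server2',  # placeholder host name from the post
    [int]$Low          = 500,        # assumed to be small enough to pass any tunnel
    [int]$High         = 1472,       # 1500-byte MTU - 20 (IPv4 header) - 8 (ICMP header)
    [int]$TimeoutMs    = 2000
)

function Test-DfPayload {
    param([string]$HostName, [int]$Size, [int]$TimeoutMs)
    $ping    = New-Object System.Net.NetworkInformation.Ping
    $options = New-Object System.Net.NetworkInformation.PingOptions(64, $true)  # TTL 64, DontFragment = true
    $buffer  = New-Object byte[] $Size
    try {
        # Returns the IPStatus name, e.g. Success, TimedOut, PacketTooBig
        return $ping.Send($HostName, $TimeoutMs, $buffer, $options).Status.ToString()
    } catch {
        return 'Error'   # name resolution failure or local send error
    } finally {
        $ping.Dispose()
    }
}

$status = Test-DfPayload $Target $Low $TimeoutMs
if ($status -ne 'Success') {
    "Baseline payload of $Low bytes failed ($status); fix basic reachability first."
    return
}

$lastFailure = $null
while ($Low -lt $High) {
    # Round up so the loop always makes progress
    $mid    = [int][math]::Ceiling(($Low + $High) / 2)
    $status = Test-DfPayload $Target $mid $TimeoutMs
    if ($status -eq 'Success') { $Low = $mid }
    else { $High = $mid - 1; $lastFailure = $status }
}

"Largest unfragmented ICMP payload to ${Target}: $Low bytes (IPv4 packet of $($Low + 28) bytes)"
if ($lastFailure -eq 'TimedOut') {
    # No ICMP error came back for the oversized probes
    "Larger probes timed out with no ICMP error returned; large TCP segments may be dropped the same way."
} elseif ($lastFailure) {
    "Larger probes failed with status: $lastFailure"
}
```

Run it from each server against the other and compare the two results; a lower value in one direction, or timeouts instead of an ICMP error, narrows down which side of the tunnel is dropping large packets.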
Title: Re: IPSec VPN Problems
Post by: Arakangel Michael on May 11, 2017, 04:30:03 am
If that directionality always holds, and is reproducible, I would suspect the stateful firewall rules, or security services on the Zyxel.

You can also check the rekey intervals for Phase 1 / Phase 2 proposals on both sides. Some vendors implement rekeying for amount of data sent (Cisco), as well as time (which is standard). I haven't used Zyxel so I don't know.

I would try telnetting to an open port on either box, from either box, and see if the session stays open. You may have to install this in Windows: Start > Run > appwiz.cpl > 'Turn Windows features on or off' > (Scroll down) Check 'Telnet Client' > 'OK' button
RDP works very well for telnetting: 'telnet <server a> 3389' (assuming it's open on the firewall in the server), and allowed from system properties (sysdm.cpl) under the 'Remote' tab.
Try a very small file, try an encrypted file (that can't be inspected).
SMB requires multiple ports.
You can also try FTP.

Typically I will install a Filezilla FTP server, and use a limited user account (removing it even from the 'users' group), and limiting that 'user' to Guest status, and granting 'logon as a service' rights (gpedit.msc), and whatever folder access (NTFS permissions) that it needs.

I always liked Filezilla, but more recent versions tend to have junkware as well.

Lastly you can also try after rebooting both firewalls (after the tunnel just came up).