OPNsense Forum

Archive => 17.1 Legacy Series => Topic started by: lordwarlock on May 02, 2017, 12:58:35 pm

Title: IPSec VPN Problems
Post by: lordwarlock on May 02, 2017, 12:58:35 pm
Hello,

i got still Problems with a IPSec Site-2-Site Tunnel:

the Setup:

Windows Server A <- LAN Connection -> OPN-Sense <-IPsec Tunnel-> ZyXEL USG Firewall <- LAN Connection -> Windows Server B

The description of the problem:
The Windows Servers can Ping each others.
when i copy Files from Server A to Server B over SMB, the Copy-Jobs aboards
when i copy Files from Server A initiated by Server B, the Copy-Job works

can anyone help me?
Title: Re: IPSec VPN Problems
Post by: pbolduc on May 10, 2017, 11:27:52 pm
Do you happen to have Multi-WAN ports\HA load balancing configured at Site A on the OPNSense box?

When you ping between both servers, try doing a ping test to test for packet fragmentation through the VPN

Example from Site 1: ping server2 -l 1500
Example from Site 2: ping server1 -l 1500

Inspect your MTU on your WAN port of each router to see what your MTU is set at. In the examples above I used 1500 bytes. The default MTU of OPNSense WAN port is 1500 bytes. Ensure you're not getting packet fragmentation through the VPN tunnel during your ping tests.

I am going to assume each side of the VPN has a different subnet:
Example Site 1: 192.168.1.X  /24
Example Site 2: 192.168.2.X /24

If it happens to be a restrictive firewall policy through the IPSec tunnel to the Zyxel, the network ports I normally pass for File & Printer Sharing are: TCP/UDP: 135,137,138,139,445.
Title: Re: IPSec VPN Problems
Post by: With Wings on May 11, 2017, 04:30:03 am
If that directionality always holds, and is reproducible I would suspect the stateful firewall rules, or security services on the Zyxel.

You can also check the rekey intervals for Phase 1 / Phase 2 proposals on both sides. Some vendors implement rekeying for amount of data sent (Cisco), as well as time (which is standard). I haven't used Zyxel so I don't know.

I would try telneting to an open port on either box, from either box, and see if the session stays open. You may have to install this in windows: Start > Run > appwiz.cpl > 'Turn windows features on or off' > (Scroll down) Check 'Telnet Client' > 'OK' button
RDP works very well for telneting: 'telnet <server a> 3389' (assuming its open on the firewall in the server), and allowed from system properties (sysdm.cpl) under the 'Remote' tab.
Try a very small file, try an encrypted file (that can't be inspected).
SMB requires multiple ports
You can also try FTP

Typically I will install a Filezilla FTP server, and use a limited user account (removing it even from the 'users' group), and limiting that 'user' to Guest status, and granting 'logon as a service' rights (gpedit.msc), and whatever folder access (NTFS permissions) that it needs.

I always liked Filezilla, but more recent versions tend to have junkware as well.

Lastly you can also try after rebooting both firewalls (after the tunnel just came up).