[SOLVED] Multi-WAN Broke IPSec VPN

Started by Adam.P, January 14, 2019, 05:00:01 PM

Sorry it took so long to follow up on this. I don't see anything abnormal in the IPsec logs. I'm not sure how to read the packet captures, but here's a packet capture taken from the ipsec interface.

https://ufile.io/5ro7v

Please let me know if that's helpful or if there's any other info I can provide to get to the bottom of this. I'm stumped! Thanks in advance!


Maybe that packet capture wasn't too helpful. These might be better. Again, I don't know what I'm looking at in wireshark... any help is greatly appreciated!

(1) is where I pinged the gateway on the 120.0 subnet, which did not reply. Then I pinged the gateway on the 121.0 subnet, which did reply.

(2) is where I was attempting to browse to the gateway's web interface on the 120.0 subnet, then the 121.0 subnet.

https://ufile.io/px5r3
https://ufile.io/t6bem


Hello there,

The problem, for me at least, is that I don't have a similar network to test this configuration on, so I can't offer much help. Anyway, if you aren't getting any help here, try raising a Github issue instead.

Regards

I asked for Ipsec logs. If you can reach one of them it's only a small issue.

Screenshot Ipsec connection status

Quote from: mimugmail on February 02, 2019, 07:35:50 AM
I asked for Ipsec logs. If you can reach one of them it's only a small issue.

Screenshot Ipsec connection status

Here's the IPsec connection status page:
https://imgur.com/a/99sGa8c

Here is part of the ipsec logs:
https://ufile.io/c2wcr

I hope it's something super simple and stupid that I missed. Users in the 120.0 location can browse to the server shares in the 20.0 location, so connectivity is working one way. Thanks!

When you ping from 20 to 120 .. does the counter go up in ipsec status page?

Quote from: mimugmail on February 02, 2019, 10:42:20 PM
When you ping from 20 to 120 .. does the counter go up in ipsec status page?

It goes up a little whenever I refresh without pinging anything. I tried to tell if there was a difference while pinging, but it seemed the same... maybe the keep-alive is sending that traffic over the tunnel?

Screenshot where both counters are non zero plz


Go to console and type:

tcpdump -n -i enc0 net 10.128.120.0/24

Then restart the ping and post the output

February 04, 2019, 03:08:46 PM #26 Last Edit: February 04, 2019, 03:21:17 PM by Adam.P
Quote from: mimugmail on February 03, 2019, 07:11:24 AM
Go to console and type:

tcpdump -n -i enc0 net 10.128.120.0/24

Then restart the ping and post the output

Here's the output:

~ # tcpdump -n -i enc0 net 10.128.120.0/24
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enc0, link-type ENC (OpenBSD encapsulated IP), capture size 262144 bytes
09:06:47.724605 (authentic,confidential): SPI 0xcc3a2824: IP 10.128.120.194.53652 > 10.128.20.32.161:  GetRequest(63)  .1.3.6.1.2.1.25.3.2.1.5.1 .1.3.6.1.2.1.25.3.5.1.1.1 .1.3.6.1.2.1.25.3.5.1.2.1
09:06:50.178783 (authentic,confidential): SPI 0xce0c18d7: IP 10.128.20.10 > 10.128.120.1: ICMP echo request, id 1, seq 534, length 40
09:06:54.931364 (authentic,confidential): SPI 0xce0c18d7: IP 10.128.20.10 > 10.128.120.1: ICMP echo request, id 1, seq 535, length 40
09:06:59.931996 (authentic,confidential): SPI 0xce0c18d7: IP 10.128.20.10 > 10.128.120.1: ICMP echo request, id 1, seq 536, length 40
09:07:04.928269 (authentic,confidential): SPI 0xce0c18d7: IP 10.128.20.10 > 10.128.120.1: ICMP echo request, id 1, seq 537, length 40

And here's the output with the verbose switch:
https://ufile.io/yqgwn

There's some other traffic in there before the ping packets...

This looks good, then problem is on other side ...

Quote from: mimugmail on February 04, 2019, 05:13:55 PM
This looks good, then problem is on other side ...

Since I cannot connect to the 120.0 subnet without getting on a computer in that location, I have scheduled some time with a user tomorrow morning. Any suggestions of what specifically I should look for/at?

Again, connections work one-way. Users on the 120.0 subnet can browse to the server shares on the 20.0 network. It seems like connections initiated from the 120.0 subnet can be routed back, but something is wrong where connections initiated from the 20.0 subnet are not routed to the VPN correctly.

Come to think of it, I don't see any reason why I shouldn't just enable WAN access to the router while I'm troubleshooting tomorrow. But again, I'd love some suggestions of what to look for. It's a very basic setup in that location. Single WAN with static IP, single LAN, no port forwards or anything... just a single ipsec vpn.

When packets from 20 to 120 are entering the enc0 device, the firewall is good. If 120 can reach 20, everything is good. But when 20 can't access 120 and packets are going to enc0, you'll see something in the ipsec log or dropped packets.
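The diagnostic mimugmail describes above (echo requests entering enc0 but no replies coming back means the problem is on the far side) can be checked mechanically rather than by eye. The following Python script is an added example, not code from the thread or from OPNsense: it parses tcpdump lines in the enc0 format shown in the thread, pairs each ICMP echo request with its reply by (src, dst, id, seq), and reports which requests went unanswered and which SPI carried traffic in each direction. The sample input is constructed: the request lines mirror the ones posted above, the single reply line and its SPI are invented to show what a pairing looks like, and the SNMP line is there to show that non-ICMP traffic is ignored.

```python
import re
from collections import Counter

# Line shape assumed from the thread's enc0 capture (assumption, not a tcpdump spec):
# "<time> (authentic,confidential): SPI 0x..: IP <src> > <dst>: ICMP echo <request|reply>, id N, seq M, length L"
ICMP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) \((?P<flags>[^)]*)\): SPI (?P<spi>0x[0-9a-fA-F]+): "
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+), length (?P<len>\d+)$"
)

# Constructed sample capture: three requests from the 20.0 side, one constructed
# reply from 10.128.120.1 (SPI invented), and an SNMP line that is not ICMP.
SAMPLE = """\
09:06:47.724605 (authentic,confidential): SPI 0xcc3a2824: IP 10.128.120.194.53652 > 10.128.20.32.161:  GetRequest(63)  .1.3.6.1.2.1.25.3.2.1.5.1
09:06:50.178783 (authentic,confidential): SPI 0xce0c18d7: IP 10.128.20.10 > 10.128.120.1: ICMP echo request, id 1, seq 534, length 40
09:06:54.931364 (authentic,confidential): SPI 0xce0c18d7: IP 10.128.20.10 > 10.128.120.1: ICMP echo request, id 1, seq 535, length 40
09:06:54.932100 (authentic,confidential): SPI 0xcc3a2824: IP 10.128.120.1 > 10.128.20.10: ICMP echo reply, id 1, seq 535, length 40
09:06:59.931996 (authentic,confidential): SPI 0xce0c18d7: IP 10.128.20.10 > 10.128.120.1: ICMP echo request, id 1, seq 536, length 40
"""


def parse_icmp(lines):
    """Yield one dict per ICMP echo line; silently skip anything else (SNMP, TCP, ...)."""
    for line in lines:
        m = ICMP_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["id"] = int(rec["id"])
            rec["seq"] = int(rec["seq"])
            yield rec


def unanswered_echoes(lines):
    """Return (answered, unanswered): sorted lists of (src, dst, id, seq) request keys.

    A reply travels dst -> src relative to its request, so reply keys are
    flipped before matching against the request keys.
    """
    requests = set()
    replies = set()
    for p in parse_icmp(lines):
        if p["kind"] == "request":
            requests.add((p["src"], p["dst"], p["id"], p["seq"]))
        else:
            replies.add((p["dst"], p["src"], p["id"], p["seq"]))
    answered = sorted(requests & replies)
    unanswered = sorted(requests - replies)
    return answered, unanswered


def spis_by_direction(lines):
    """Count ICMP packets per (src, dst, spi), showing which SA carried each direction."""
    counts = Counter()
    for p in parse_icmp(lines):
        counts[(p["src"], p["dst"], p["spi"])] += 1
    return counts


def summarize(lines):
    """One-line verdict in the spirit of the thread: requests leaving enc0 with no replies
    points at the far side (its routing or firewall), not at the local tunnel."""
    answered, unanswered = unanswered_echoes(lines)
    if not answered and not unanswered:
        return "no ICMP echo traffic seen on enc0"
    if not answered:
        return f"{len(unanswered)} echo requests entered enc0, none answered: look at the remote side"
    return f"{len(answered)} answered, {len(unanswered)} unanswered"


if __name__ == "__main__":
    lines = SAMPLE.splitlines()
    print(summarize(lines))
    for key in unanswered_echoes(lines)[1]:
        print("unanswered:", key)
    for (src, dst, spi), n in sorted(spis_by_direction(lines).items()):
        print(f"{src} -> {dst} via SPI {spi}: {n} packet(s)")
```

Feed it a real capture with `tcpdump -n -i enc0 icmp` piped into the script (reading `sys.stdin` instead of `SAMPLE`); if every request is unanswered while the counts show only the outbound SPI carrying traffic, the local firewall and SA are doing their job and the investigation moves to the other gateway.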