Topic: IPSec VPN Problems (Read 5304 times)
lordwarlock (Newbie, Posts: 11, Karma: 0)
IPSec VPN Problems « on: May 02, 2017, 12:58:35 pm »
Hello,
I still have problems with an IPsec site-to-site tunnel.
The setup:
Windows Server A <- LAN connection -> OPNsense <- IPsec tunnel -> ZyXEL USG firewall <- LAN connection -> Windows Server B
The description of the problem:
The Windows servers can ping each other.
When I copy files from Server A to Server B over SMB, the copy job aborts.
When I copy files from Server A initiated by Server B, the copy job works.
Can anyone help me?
pbolduc (Newbie, Posts: 42, Karma: 4)
Re: IPSec VPN Problems « Reply #1 on: May 10, 2017, 11:27:52 pm »
Do you happen to have Multi-WAN ports / HA load balancing configured at Site A on the OPNsense box?
When you ping between both servers, try doing a ping test to check for packet fragmentation through the VPN.
Example from Site 1: ping server2 -l 1500
Example from Site 2: ping server1 -l 1500
Inspect the MTU on the WAN port of each router to see what it is set to. In the examples above I used 1500 bytes. The default MTU of the OPNsense WAN port is 1500 bytes. Ensure you're not getting packet fragmentation through the VPN tunnel during your ping tests.
I am going to assume each side of the VPN has a different subnet:
Example Site 1: 192.168.1.X /24
Example Site 2: 192.168.2.X /24
If it happens to be a restrictive firewall policy through the IPsec tunnel to the Zyxel, the network ports I normally pass for File & Printer Sharing are: TCP/UDP 135, 137, 138, 139, 445.
« Last Edit: May 11, 2017, 06:09:06 pm by pbolduc »
Arakangel Michael (Newbie, Posts: 25, Karma: 1)
Re: IPSec VPN Problems « Reply #2 on: May 11, 2017, 04:30:03 am »
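The fragmentation check pbolduc describes, worked through as an added example (this is not code from the thread, from OPNsense or from Zyxel): instead of one fixed-size ping it sets the Don't-Fragment bit and binary-searches the largest ICMP payload that still gets a reply, then converts that payload size into the path MTU and a TCP MSS value. With DF set, a 1500-byte payload can never fit a 1500-byte MTU, because ping adds a 20-byte IPv4 header and an 8-byte ICMP header, so the largest passing payload on a clean 1500-byte path is 1472; a smaller result shows how much the tunnel (or a WAN hop in between) takes off. The ping flags are the real ones for Windows, Linux iputils and FreeBSD ping; treating a non-zero exit status as "did not fit" and the simulated link used for offline runs are assumptions made for this example.

```python
"""Probe the path MTU through a site-to-site tunnel with DF-bit pings.

Added example for this thread, not code from OPNsense or from the posters.
Assumptions: `ping` exits 0 only when a reply arrived, and the probed host
answers ICMP echo at all.
"""
import platform
import subprocess
import sys
from typing import Callable

IP_HEADER = 20    # IPv4 header without options
ICMP_HEADER = 8   # ICMP echo header; `ping -s` / `-l` size only the payload
TCP_HEADER = 20   # TCP header without options

Probe = Callable[[int], bool]


def ping_df_command(host: str, payload: int) -> list[str]:
    """Build the OS-specific one-shot ping with the Don't-Fragment bit set."""
    system = platform.system()
    if system == "Windows":
        return ["ping", "-n", "1", "-f", "-l", str(payload), host]
    if system == "Linux":
        return ["ping", "-c", "1", "-M", "do", "-s", str(payload), host]
    # FreeBSD (the shell on the OPNsense box itself) and other BSDs
    return ["ping", "-c", "1", "-D", "-s", str(payload), host]


def real_probe(host: str) -> Probe:
    """Probe that really sends a DF ping; non-zero exit is read as 'did not fit'
    (assumption: the ping implementations above all behave this way)."""
    def probe(payload: int) -> bool:
        result = subprocess.run(ping_df_command(host, payload),
                                stdout=subprocess.DEVNULL,
                                stderr=subprocess.DEVNULL)
        return result.returncode == 0
    return probe


def simulated_tunnel(path_mtu_bytes: int) -> Probe:
    """Constructed stand-in for a real link so the search can run offline."""
    def probe(payload: int) -> bool:
        return payload + ICMP_HEADER + IP_HEADER <= path_mtu_bytes
    return probe


def find_max_payload(probe: Probe, low: int = 0, high: int = 1472) -> int:
    """Binary-search the largest ICMP payload that passes with DF set.

    Returns -1 when even `low` fails (tunnel down or ICMP filtered), so the
    caller can tell 'no path at all' apart from 'very small MTU'.
    """
    if not probe(low):
        return -1
    while low < high:
        mid = (low + high + 1) // 2
        if probe(mid):
            low = mid
        else:
            high = mid - 1
    return low


def path_mtu(max_payload: int) -> int:
    """Convert the largest passing payload back into an on-the-wire MTU."""
    return max_payload + ICMP_HEADER + IP_HEADER


def suggested_tcp_mss(mtu: int) -> int:
    """MSS that keeps a full IPv4/TCP segment within the discovered MTU."""
    return mtu - IP_HEADER - TCP_HEADER


if __name__ == "__main__":
    # Usage: python mtu_probe.py <remote-server-ip>
    target = sys.argv[1]
    payload = find_max_payload(real_probe(target))
    if payload < 0:
        print(f"no DF ping to {target} got through at all")
    else:
        mtu = path_mtu(payload)
        print(f"path MTU to {target}: {mtu} bytes; largest DF payload {payload}; "
              f"suggested TCP MSS {suggested_tcp_mss(mtu)}")
```

Run it from each server against the other, as in pbolduc's two examples, and compare the two results: an asymmetric answer points at one direction's path, which matches the one-way SMB failure the thread describes, and the MSS value is what you would clamp to on the firewall if the tunnel turns out to be narrower than the LAN.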
If that directionality always holds and is reproducible, I would suspect the stateful firewall rules or security services on the Zyxel.
You can also check the rekey intervals for the Phase 1 / Phase 2 proposals on both sides. Some vendors implement rekeying by amount of data sent (Cisco) as well as by time (which is standard). I haven't used Zyxel, so I don't know.
I would try telnetting to an open port on either box, from either box, and see if the session stays open. You may have to install this in Windows: Start > Run > appwiz.cpl > 'Turn Windows features on or off' > (scroll down) check 'Telnet Client' > 'OK' button.
RDP works very well for telnetting: 'telnet <server a> 3389' (assuming it's open on the firewall on the server) and allowed from System Properties (sysdm.cpl) under the 'Remote' tab.
Try a very small file; try an encrypted file (that can't be inspected).
SMB requires multiple ports.
You can also try FTP.
Typically I will install a FileZilla FTP server and use a limited user account (removing it even from the 'Users' group), limiting that 'user' to Guest status, granting 'Log on as a service' rights (gpedit.msc), and whatever folder access (NTFS permissions) it needs.
I always liked FileZilla, but more recent versions tend to have junkware as well.
Lastly, you can also try after rebooting both firewalls (right after the tunnel has come up).