VPN communication through ERX to different subnet
-
I've just setup a site to site VPN from my ERX to an Azure LAN. Communication is working properly. However, I need to be able to also remotely connect to the Azure LAN from a remote VPN client through the ERX LAN. In other words, when a user connects to the ERX LAN from home, I need them to be able to access local ERX LAN resources (working) as well as browse to the machines in the Azure LAN.(Not working)
Details:
- Site to site VPN connection between an ERX LAN (10.0.0.0/24) and Azure LAN.(172.16.2.0/28)
- IPSEC server on the ERX handing out client IPs of 10.0.1.1 to 10.0.1.10
As a client, when remotely connecting to the ERX VPN server, I can successfully ping everything on the local ERX LAN. (10.0.0.0/24)
However, when pinging to the Azure LAN(172.16.2.0/28) from the remote client, no traffic is passing.What is the best way to set up the ERX to allow this traffic to pass from the remote client, through the ERX, to the Azure LAN via the IPSEC tunnel?
-
You have to tell Azure where to route packets for 10.0.1.0/24
As far as it is concerned that subnet is not part of the VPN.
-
So your ERL to Azure VPN will have two subnets.
-
So I should add another config line like this in the ERX?
set vpn ipsec site-to-site peer AZURE IP tunnel 100 local prefix 10.0.1.0/24 ?Current one is: set vpn ipsec site-to-site peer AZURE IP tunnel 100 local prefix 10.0.0.0/24
-
@fuznutz04 said in VPN communication through ERX to different subnet:
So I should add another config line like this in the ERX?
set vpn ipsec site-to-site peer AZURE IP tunnel 100 local prefix 10.0.1.0/24 ?Current one is: set vpn ipsec site-to-site peer AZURE IP tunnel 100 local prefix 10.0.0.0/24
New tunnel.
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX tunnel 1 allow-nat-networks disable set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX tunnel 1 allow-public-networks disable set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX tunnel 1 esp-group FOO3 set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX tunnel 1 local prefix 10.254.103.0/24 set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX tunnel 1 remote prefix 10.201.1.0/24 set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX tunnel 2 allow-nat-networks disable set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX tunnel 2 allow-public-networks disable set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX tunnel 2 esp-group FOO3 set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX tunnel 2 local prefix 10.254.103.0/24 set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX tunnel 2 remote prefix 10.201.5.0/24 -
So in attempting to do that, I seemed to have broken the first tunnel. I reverted back to just my old config by deleting the additional tunnel commands and restarting vpn services. The tunnel appears to be up, but no no traffic is flowing. I have this lingering feeling that a reboot of the ERX would fix it, but cant restart it at the moment.
-
@fuznutz04
Linux ubnt 3.10.20-UBNT #1 SMP Fri Jul 29 16:51:50 PDT 2016 mips64 Welcome to EdgeOS Last login: Mon Aug 29 11:34:35 2016 from dt-jared jbusch@jared:~$ sudo ipsec restart Stopping strongSwan IPsec... Starting strongSwan 5.2.2 IPsec [starter]... jbusch@jared:~$ -
did you add the route to Azure that JB mentioned?
-
@JaredBusch Unfortunately, that didn't work. But now I have another command for the toolbox. so thanks!
Additionally, after a reboot, the tunnel comes back up, but still not pinging. So basically, I broke the existing tunnel and although the tunnel comes up, no communication.
The below is the exact configuration that I backed up right before I started making changes today.
set vpn ipsec auto-firewall-nat-exclude enable set vpn ipsec disable-uniqreqids set vpn ipsec esp-group esp-azure compression disable set vpn ipsec esp-group esp-azure lifetime 3600 set vpn ipsec esp-group esp-azure mode tunnel set vpn ipsec esp-group esp-azure pfs disable set vpn ipsec esp-group esp-azure proposal 1 encryption aes256 set vpn ipsec esp-group esp-azure proposal 1 hash sha1 set vpn ipsec ike-group ike-azure ikev2-reauth no set vpn ipsec ike-group ike-azure key-exchange ikev2 set vpn ipsec ike-group ike-azure lifetime 28800 set vpn ipsec ike-group ike-azure proposal 1 dh-group 2 set vpn ipsec ike-group ike-azure proposal 1 encryption aes256 set vpn ipsec ike-group ike-azure proposal 1 hash sha1 set vpn ipsec ipsec-interfaces interface eth0 set vpn ipsec nat-networks allowed-network 0.0.0.0/0 set vpn ipsec nat-traversal enable set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx authentication mode pre-shared-secret set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx authentication pre-shared-secret blahblah set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx connection-type initiate set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx default-esp-group esp-azure set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx ike-group ike-azure set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx ikev2-reauth inherit set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx local-address xxx.xxx.xxx.xxx set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx tunnel 100 allow-nat-networks disable set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx tunnel 100 allow-public-networks disable set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx tunnel 100 esp-group esp-azure set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx tunnel 100 local prefix 10.0.0.0/24 set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx tunnel 100 protocol all set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx tunnel 100 remote prefix 172.16.2.0/24My local net is 10.0.0.0/24
My server in Azure is on the 172.16.2.0/24 network. -
Can you show us the route commands both in Azure and the ERX?
-
@Dashrender I didnt' setup any specific routes in Azure previously. I just started playing with Azure not long ago, so I'm not even sure where to show any existing routes. As far as the ERX routes, if I do a "show IP route table all", one of the routes pertains to my Azure network:
show ip route table all 172.16.2.0/28 via PUBLIC.IP dev eth0 table 220 proto static src 10.0.0.1 default via PUBLIC.IP dev eth0 proto zebra -
Progress... So deleting the entire tunnel from the ERX completely, as well as removing the gateway/public IP from Azure, and then re-creating a new one, with a new IP, solved the issue. As soon as the tunnel was created, traffic started flowing. Feels like something was either "stuck" on the ERX with the old config, or it was something on the Azure side.
In any case, now I'll attempt to create another tunnel to solve the original problem in the OP.
-
How do you tell Azure to send traffic destined for the other side of the VPN to the gateway in question?
-
There are no specific "rules" that I set in Azure for traffic flow. I can tell you how I set it up though. I'll outline it below but plan on doing a write up guide here on the site for others.
Basic step:
- Created a local Vnet for your on premise network. This is where you supply your public IP of your on premise device (in my case, the ERX) as well as the local network prefix. (in my case, 10.0.0.0/24)
- Created a Vnet in Azure with address space of 172.16.0.0/16
- Created a Subnet within that Vnet for my servers with an address space of 172.16.2.0/24
- Created a "Gateway Subnet" within the Vnet. This is required for the next step, and the name must not be changed.
- Create a Virtual Network Gateway. Type is VPN, and choose Route Based. Choose to create a new public IP. This step takes nearly an hour.
- Once completed, you go into that Virtual Network Gateway and create an IPSEC connection to your local Vnet from step 1.
- Then on your ERX, you configure it using the config below:
set vpn ipsec auto-firewall-nat-exclude enable set vpn ipsec disable-uniqreqids set vpn ipsec esp-group esp-azure compression disable set vpn ipsec esp-group esp-azure lifetime 3600 set vpn ipsec esp-group esp-azure mode tunnel set vpn ipsec esp-group esp-azure pfs disable set vpn ipsec esp-group esp-azure proposal 1 encryption aes256 set vpn ipsec esp-group esp-azure proposal 1 hash sha1 set vpn ipsec ike-group ike-azure ikev2-reauth no set vpn ipsec ike-group ike-azure key-exchange ikev2 set vpn ipsec ike-group ike-azure lifetime 28800 set vpn ipsec ike-group ike-azure proposal 1 dh-group 2 set vpn ipsec ike-group ike-azure proposal 1 encryption aes256 set vpn ipsec ike-group ike-azure proposal 1 hash sha1 set vpn ipsec ipsec-interfaces interface eth0 set vpn ipsec nat-networks allowed-network 0.0.0.0/0 set vpn ipsec nat-traversal enable set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx authentication mode pre-shared-secret set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx authentication pre-shared-secret blahblah set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx connection-type initiate set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx default-esp-group esp-azure set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx ike-group ike-azure set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx ikev2-reauth inherit set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx local-address xxx.xxx.xxx.xxx set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx tunnel 100 allow-nat-networks disable set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx tunnel 100 allow-public-networks disable set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx tunnel 100 esp-group esp-azure set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx tunnel 100 local prefix 10.0.0.0/24 set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx tunnel 100 protocol all set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx tunnel 100 remote prefix 172.16.2.0/24- Once the tunnel is up, traffic started flowing without any other config steps other than the firewall rules on the ERX side to allow for IPSEC traffic.
-
@fuznutz04 nothing in that azure Vpn step hints at two networks beyond the Vpn
-
@JaredBusch said in VPN communication through ERX to different subnet:
@fuznutz04 nothing in that azure Vpn step hints at two networks beyond the Vpn
I know, that's still a work in progress.
I just managed to get the original tunnel working again which is what the above configs are for. -
@fuznutz04 said in VPN communication through ERX to different subnet:
There are no specific "rules" that I set in Azure for traffic flow. I can tell you how I set it up though. I'll outline it below but plan on doing a write up guide here on the site for others.
Basic step:
- Created a local Vnet for your on premise network. This is where you supply your public IP of your on premise device (in my case, the ERX) as well as the local network prefix. (in my case, 10.0.0.0/24)
This step is what tells Azure how to get to your network.
-
@Dashrender said in VPN communication through ERX to different subnet:
@fuznutz04 said in VPN communication through ERX to different subnet:
There are no specific "rules" that I set in Azure for traffic flow. I can tell you how I set it up though. I'll outline it below but plan on doing a write up guide here on the site for others.
Basic step:
- Created a local Vnet for your on premise network. This is where you supply your public IP of your on premise device (in my case, the ERX) as well as the local network prefix. (in my case, 10.0.0.0/24)
This step is what tells Azure how to get to your network.
right.. Not driving now so i can actually type.
you need to modify this command to have the two local networks on the ERL side.
then add your second tunnel in the ERL and it should all come back up.
-
Sounds good. I'm going to give this a shot tonight on my ERX at home so I don't bring down the existing tunnel here in the office.
