    UBNT EdgeRouter site to site VPN routes?

    IT Discussion
    • gjacobse

      is there any NAT being done?

      • JaredBusch @Mike Davis

        @Mike-Davis said in UBNT EdgeRouter site to site VPN routes?:

        I have a site to site tunnel between two Ubiquiti EdgeRouters. The tunnel shows that it's up, but I can't ping stuff on the other side. I added interface routes. My tracerts hit the internal interface of the local ER and then die. What else should I check?

        What kind of tunnel? IPSEC site to site?

        Assuming you set this in the GUI, did you click the Show advanced options and then check the firewall checkbox?

        • Mike Davis

          I used the OpenVPN command line example on https://help.ubnt.com/hc/en-us/articles/204949694-EdgeMAX-OpenVPN-Site-to-Site
          I didn't do anything with the firewall. Would you use IPsec over OpenVPN?

          • Mike Davis @Mike Davis

            I just noticed I don't have NAT hairpin enabled on my internal interface. I can't seem to get the syntax right to try that.

            • JaredBusch @Mike Davis

              @Mike-Davis said in UBNT EdgeRouter site to site VPN routes?:

              I used the OpenVPN command line example on https://help.ubnt.com/hc/en-us/articles/204949694-EdgeMAX-OpenVPN-Site-to-Site
              I didn't do anything with the firewall. Would you use IPsec over OpenVPN?

              Ah, if you used OpenVPN, then you need to add static routes. This is easy then.

              • JaredBusch

                You use static routes like this from the command line.

                jbusch@erl:~$ show configuration commands protocols
                set protocols static interface-route 10.254.101.0/24 next-hop-interface vtun101
                set protocols static interface-route 10.254.102.0/24 next-hop-interface vtun102
                set protocols static interface-route 10.254.104.0/24 next-hop-interface vtun104
                set protocols static interface-route 10.254.105.0/24 next-hop-interface vtun105
                set protocols static interface-route 10.254.201.0/24 next-hop-interface vtun101
                set protocols static interface-route 10.254.202.0/24 next-hop-interface vtun102
                set protocols static interface-route 10.254.204.0/24 next-hop-interface vtun104
                set protocols static interface-route 10.254.205.0/24 next-hop-interface vtun105
                jbusch@erl:~$
                • Mike Davis

                  That's what I thought, and I have: (the local side is 192.168.1.254/24 and the far side is 192.168.2.253/23)
                  protocols {
                      static {
                          interface-route 192.168.2.0/23 {
                              next-hop-interface vtun0 {
                                  description "route to other side"
                                  distance 1
                              }
                          }
                      }
                  }

                  • Mike Davis

                    My interfaces look like this on both sides:
                    [screenshot: PAL-interfaces.png]
                    in that both have traffic on the Tx side of the tunnel, but nothing on the receive.

                    • JaredBusch @Mike Davis

                      @Mike-Davis said in UBNT EdgeRouter site to site VPN routes?:

                      That's what I thought, and I have: (the local side is 192.168.1.254/24 and the far side is 192.168.2.253/23)

                      protocols {
                          static {
                              interface-route 192.168.2.0/23 {
                                  next-hop-interface vtun0 {
                                      description "route to other side"
                                      distance 1
                                  }
                              }
                          }
                      }

                      You did not specify, but I assume that you have the opposite on the other side?

                      • JaredBusch

                        What does your OpenVPN config look like on both sides?

                        jbusch@erl# show interfaces openvpn vtun101
                         description "Globe Bldg to Someone"
                         local-address 10.254.254.253 {
                         }
                         local-port 1195
                         mode site-to-site
                         openvpn-option --comp-lzo
                         remote-address 10.254.254.254
                         remote-host somesubdomain.mooo.com
                         remote-port 1195
                         shared-secret-key-file /config/auth/my_secret_file_is_here
                        [edit]
                        jbusch@erl#
                        • Mike Davis

                          vtun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
                              link/none
                              inet 10.99.99.1 peer xx.101.158.218/32 scope global vtun0
                                 valid_lft forever preferred_lft forever
                          
                              RX:  bytes    packets     errors    dropped    overrun      mcast
                                       0          0          0          0          0          0
                              TX:  bytes    packets     errors    dropped    carrier collisions
                             6418847      27196          0          0          0          0
                          • JaredBusch

                            WTF is it with people not posting what is f***[moderated] asked for today?

                            • art_of_shred

                              vtun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
                                  link/none
                                  inet 10.99.99.2 peer 10.99.99.1/32 scope global vtun0
                                     valid_lft forever preferred_lft forever
                              
                                  RX:  bytes    packets     errors    dropped    overrun      mcast
                                           0          0          0          0          0          0
                                  TX:  bytes    packets     errors    dropped    carrier collisions
                                     3231942      44734          0          0          0          0
                              
                              
                              show interfaces openvpn vtun0
                              vtun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
                                  link/none
                                  inet 10.99.99.1 peer x.x.x.218/32 scope global vtun0
                                     valid_lft forever preferred_lft forever
                              
                                  RX:  bytes    packets     errors    dropped    overrun      mcast
                                           0          0          0          0          0          0
                                  TX:  bytes    packets     errors    dropped    carrier collisions
                                     6962847      28715          0          0          0          0
                              • art_of_shred

                                I see one of the peers is using another IP... but I don't know how to change that.

                                • art_of_shred

                                  Ok, so the x.x.x.218 IP is the WAN IP of the opposite router, instead of using the OpenVPN IP.

                                  • JaredBusch

                                    #if not in config already 
                                    configure
                                    
                                    #then remove all the stuff.
                                    delete interfaces openvpn vtun0
                                    delete protocols static interface-route 192.168.1.0/24
                                    delete protocols static interface-route 192.168.2.0/23
                                    
                                    #recreate it
                                    set interfaces openvpn vtun0 local-address 10.99.99.1 
                                    set interfaces openvpn vtun0 local-port 1194
                                    set interfaces openvpn vtun0 mode site-to-site
                                    set interfaces openvpn vtun0 openvpn-option --float
                                    set interfaces openvpn vtun0 openvpn-option "--ping 10"
                                    set interfaces openvpn vtun0 openvpn-option "--ping-restart 20"
                                    set interfaces openvpn vtun0 openvpn-option --ping-timer-rem
                                    set interfaces openvpn vtun0 openvpn-option --persist-tun
                                    set interfaces openvpn vtun0 openvpn-option --persist-key
                                    set interfaces openvpn vtun0 openvpn-option "--user nobody"
                                    set interfaces openvpn vtun0 openvpn-option "--group nogroup"
                                    set interfaces openvpn vtun0 remote-address 10.99.99.2
                                    set interfaces openvpn vtun0 remote-host x.x.x.218
                                    set interfaces openvpn vtun0 remote-port 1194
                                    set interfaces openvpn vtun0 shared-secret-key-file /config/auth/secret
                                    set protocols static interface-route 192.168.1.0/24 next-hop-interface vtun0
                                    commit
                                    
                                    #if works
                                    save
                                    exit
                                    
                                    #other side
                                    
                                    #if not in config already 
                                    configure
                                    
                                    #then remove all the stuff.
                                    delete interfaces openvpn vtun0
                                    delete protocols static interface-route 192.168.1.0/24
                                    delete protocols static interface-route 192.168.2.0/23
                                    
                                    #recreate it
                                    set interfaces openvpn vtun0 local-address 10.99.99.2
                                    set interfaces openvpn vtun0 local-port 1194
                                    set interfaces openvpn vtun0 mode site-to-site
                                    set interfaces openvpn vtun0 openvpn-option --float
                                    set interfaces openvpn vtun0 openvpn-option "--ping 10"
                                    set interfaces openvpn vtun0 openvpn-option "--ping-restart 20"
                                    set interfaces openvpn vtun0 openvpn-option --ping-timer-rem
                                    set interfaces openvpn vtun0 openvpn-option --persist-tun
                                    set interfaces openvpn vtun0 openvpn-option --persist-key
                                    set interfaces openvpn vtun0 openvpn-option "--user nobody"
                                    set interfaces openvpn vtun0 openvpn-option "--group nogroup"
                                    set interfaces openvpn vtun0 remote-address 10.99.99.1
                                    set interfaces openvpn vtun0 remote-host x.x.x.51
                                    set interfaces openvpn vtun0 remote-port 1194
                                    set interfaces openvpn vtun0 shared-secret-key-file /config/auth/secret
                                    set protocols static interface-route 192.168.2.0/23 next-hop-interface vtun0
                                    
                                    commit
                                    
                                    #if works
                                    save
                                    exit
                                    
                                    • JaredBusch

                                      If I got the static routing protocols backwards, just reverse them. They should point to the LAN on the opposite router.

                                      That is the last line prior to each commit.

                                      • art_of_shred

                                        Ok, so it all looks good. What would be the best test?

                                        • art_of_shred

                                          I can't ping LAN IP's on the opposite side...

                                          • JaredBusch @art_of_shred

                                            @art_of_shred said in UBNT EdgeRouter site to site VPN routes?:

                                            I can't ping LAN IP's on the opposite side...

                                            Well if the tunnel is up, you should.

                                            I intentionally deleted the OpenVPN interfaces just to make sure there were no firewall policies hanging around on them.

                                            So start with the basics: is the tunnel actually up and able to pass traffic?

                                            From router 1, ping the IP on the other end of the OpenVPN tunnel.

                                            ping 10.99.99.1 or ping 10.99.99.2, whichever is on the opposite side.

                                            Nothing but the routers will be able to use these addresses. They are only for pinning up the OpenVPN tunnel.

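As a troubleshooting aid for the symptoms this thread walks through (TX counting up while RX stays at 0 on both ends, the peer field showing the far router's WAN address instead of its OpenVPN address, and an interface-route that may point at the wrong LAN), here is an added Python example that is not from the thread or from Ubiquiti. It parses a constructed `show interfaces openvpn vtun0` dump and applies the checks the posts describe; the 203.0.113.218 address and the `expected_remote` argument are assumptions standing in for the redacted values.

```python
import re
import ipaddress

# Constructed sample, modelled on the first "show interfaces openvpn vtun0" dump
# in the thread: the peer field shows the far router's WAN address (a documentation
# address stands in for it here) rather than its OpenVPN address, and RX never moves.
SIDE_DUMP = """vtun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet 10.99.99.1 peer 203.0.113.218/32 scope global vtun0
       valid_lft forever preferred_lft forever

    RX:  bytes    packets     errors    dropped    overrun      mcast
             0          0          0          0          0          0
    TX:  bytes    packets     errors    dropped    carrier collisions
       6962847      28715          0          0          0          0
"""

INET_RE = re.compile(r"^\s*inet (\S+) peer ([^/\s]+)/\d+", re.M)
# A counter header line ("RX:" or "TX:") followed by its row of numbers.
COUNTER_RE = r"{}:[^\n]*\n\s*(\d+)\s+(\d+)"


def parse_vtun(dump):
    """Pull local/peer addresses and packet counters out of a vtun dump."""
    inet = INET_RE.search(dump)
    rx = re.search(COUNTER_RE.format("RX"), dump)
    tx = re.search(COUNTER_RE.format("TX"), dump)
    if not (inet and rx and tx):
        raise ValueError("not a vtun interface dump")
    return {"local": inet.group(1), "peer": inet.group(2),
            "rx_packets": int(rx.group(2)), "tx_packets": int(tx.group(2))}


def diagnose(dump, expected_remote):
    """Findings for one side; expected_remote is that side's remote-address."""
    st = parse_vtun(dump)
    findings = []
    if st["peer"] != expected_remote:
        findings.append("peer-mismatch")  # peer is not the configured remote-address
    if st["tx_packets"] > 0 and st["rx_packets"] == 0:
        findings.append("one-way")        # we transmit, nothing ever arrives back
    return findings


def route_points_across(local_lan_cidr, route_prefix):
    """The interface-route over vtun0 must cover the far LAN, never our own."""
    local = ipaddress.ip_interface(local_lan_cidr).network
    route = ipaddress.ip_network(route_prefix, strict=False)
    return not route.overlaps(local)


if __name__ == "__main__":
    print(diagnose(SIDE_DUMP, "10.99.99.2"))                          # ['peer-mismatch', 'one-way']
    print(route_points_across("192.168.1.254/24", "192.168.1.0/24"))  # False: route is backwards
    print(route_points_across("192.168.1.254/24", "192.168.2.0/23"))  # True
```

Run the same two checks against the dump from the other router: if both sides report "one-way", nothing is reaching either end and the tunnel itself, not the routes, is the first thing to fix.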