• 0 Votes, 5 Posts, 3k Views, JaredBusch

    @Romo said in Unifi USG VPN from Behind NAT Firewall:

    Also add the changes to a config.gateway.json file in the controller so changes made directly on the USG don't get deleted on the next provision.

    One reason I hate these units.
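    An added example, not from the thread or from Ubiquiti: a small Python helper that merges a hand-made USG override into the controller's config.gateway.json and re-parses the result before it is deployed, so a typo does not reach the gateway. The key names in the fragment (an EdgeOS-style vpn ipsec nat-traversal setting) and the existing firewall rule are constructed assumptions for illustration, not the poster's configuration.

```python
"""Added example (not from the MangoLassi thread): merge a USG override
fragment into config.gateway.json and verify the result parses.

Assumptions (not stated in the thread): the controller's file follows the
USG/EdgeOS "show configuration" JSON tree, and the fragment below, which
enables IPsec NAT traversal, is a hypothetical illustration of the kind of
hand-made change that would otherwise be lost on the next provision."""
import json
from copy import deepcopy

# Constructed: what the controller might already carry in config.gateway.json.
EXISTING = {
    "firewall": {"name": {"WAN_IN": {"rule": {"1": {"action": "accept"}}}}}
}

# Constructed hypothetical override made by hand on the USG, to be persisted.
FRAGMENT = {
    "vpn": {"ipsec": {"nat-traversal": "enable"}},
    "firewall": {"name": {"WAN_IN": {"rule": {"2": {"action": "drop"}}}}},
}


def deep_merge(base, override):
    """Return a new dict where nested dicts are merged key by key and leaf
    values in `override` replace those in `base`. A plain dict.update would
    clobber the whole "firewall" subtree and silently drop rule 1."""
    result = deepcopy(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(result.get(key), dict):
            result[key] = deep_merge(result[key], value)
        else:
            result[key] = deepcopy(value)
    return result


def render_gateway_json(base, override):
    """Merge and serialise. The json.loads round-trip catches data that
    cannot be represented as JSON before it is written to the controller."""
    merged = deep_merge(base, override)
    text = json.dumps(merged, indent=2, sort_keys=True)
    json.loads(text)
    return text


def load_and_check(text):
    """Parse a config.gateway.json body and reject anything that is not a
    top-level object; a malformed file causes provisioning failures."""
    data = json.loads(text)
    if not isinstance(data, dict):
        raise ValueError("config.gateway.json must be a JSON object")
    return data


if __name__ == "__main__":
    print(render_gateway_json(EXISTING, FRAGMENT))
```

    Run it and paste the printed object into the controller's config.gateway.json (the path depends on the controller install); the merge keeps the existing WAN_IN rule 1 alongside the new rule 2.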

  • 1 Vote, 9 Posts, 848 Views, wrx7m

    @Romo said in Smb transfer through IPSec/L2TP VPN get's terminated.:

    @wrx7m Probably a lot less since during that time nothing else would be running. While currently the whole office was working regularly.

    Can you manually run the morning job to see what happens?

  • What makes people want IPSEC at line speed

    IT Discussion, 1 Vote, 20 Posts, 1k Views, Donahue

    @Dashrender said in What makes people want IPSEC at line speed:

    You're 10 miles apart, any chance for a site to site wireless link?

    OK so making them split between some things local and some remote - why not move them 100% remote? Give the users a full RDS desktop, and have them completely stop using their local system?

    1 Gb connection for CAD is still going to be an issue in my mind - I don't really see this solution being better, but who knows, you might get lucky.

    What is your end goal for backups? If it's to continue taking tapes to the bank, why not just pick up two tapes/drives, whatever, one from each site and deliver them to the bank instead of copying over the WAN?

    No wireless without large towers, unfortunately. I looked into it before settling on what we did, but I didn't want to try and deal with renting space on someone else's tower. It was getting intimidating and that plan would probably have been more than I could have pulled off.

    I am not sure a full RDS desktop would work under the CAD load, and I know it is not allowed under Autodesk licensing without getting Citrix involved.

    In theory, the 1gbps WAN should be similar to the 1gbps LAN, at least that was my thought. I realize now that latency may still be an issue, but it has only been in place for maybe 2 months. Time will tell if that is the long term solution.

    For backups, I have been and currently am doing everything from my location, which is now the HQ. I am backing up roughly 600GB onto a 1TB external SSD via USB 3. I've got somewhere between 6-8TB of total data that I would like to back up, but I had neither the space nor the time to get all of that onto a single device that I could take offsite. This forced me to have to choose what to back up, because of a lack of anyone higher than me who could/would give me a solid business policy to follow. I don't like being responsible for deciding what does and what doesn't make it into these offsite backups. One problem I am running into is that the person giving me the requirement for offsite backups (the CEO) has no clue what there even is to back up in the first place, because no one here (with a few possible exceptions) can even understand this stuff. I had a conversation just yesterday with him about wanting some direction on how long he wanted to retain backups, and whether he wanted that retention done onsite or offsite. He couldn't really give me an answer; he just wants the "drawings" to be backed up "forever". In the end, I basically talked him into officially telling me to do what I had planned on doing in the first place, just so that we had "officially" talked about it. That is probably off topic though.

    Current: Like I said, we are currently backing up 600GB worth of files to a single USB SSD that I rotate out on a weekly basis. Before the IPsec was in place, it took ~150 hours to complete, which, since they were weekly backups, took basically the entire week. Now they are completing in ~50 hours, but I am still pulling individual files across the WAN.

    My plan at this point is to move everything over to a single new host at my HQ. This host will be running local SSDs, see https://mangolassi.it/topic/18201/large-or-small-raid-5-with-ssd. I've got two existing hosts (I picked one up along the way) that will be repurposed once the new host is in place. One will become a Veeam host (it will be getting new storage), and the other will become an empty host used only for restores. All three hosts will be on a new 10G network, and the Veeam host will be getting a tape drive (most likely, see https://mangolassi.it/topic/18209/adding-tape-drive). By using LTO-7 tapes, I can back up literally everything I have, and take those offsite. I am going to be backing up to disk on the Veeam host, and then copying those to tape. I am also going to be copying my backups across to my branch site. With the new setup, I should be able to do the offsite copy job in a matter of hours. So, I will have 4 copies of the data: 1 production, 2 onsite backups, and 1 offsite backup. I will also be able to run everything from Veeam instead of trying to mix that with individual files.

    I still need to decide on how much storage to give said Veeam host, but it seems challenging to determine how much each backup requires in the way of storage space, especially since I am deduping mine now using Windows Server.

  • 2 Votes, 17 Posts, 5k Views, JaredBusch

    @gjacobse said in Help troubleshooting L2TP over IPSEC VPN connections.:

    Jeeze... that is a sad state, to think that we have been fighting this for that long...

    @JaredBusch @scottalanmiller
    Can a cron be set to restart the ipsec every 24 hours?

    Yes.
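    An added example, not from the thread: instead of a blind restart from cron, a Python script that cron runs every few minutes and that restarts IPsec only when strongSwan reports no established SA, so a healthy tunnel is not torn down needlessly. It assumes a strongSwan-based gateway (ipsec statusall, ipsec restart); the status text it parses is constructed sample output in strongSwan's format, not captured from the poster's router, and the script path in the crontab lines below is hypothetical.

```python
"""Added example (not from the thread): cron-driven IPsec watchdog.

Assumptions: the gateway uses strongSwan, so `ipsec statusall` prints a
"Security Associations (N up, M connecting)" summary line, and a restart is
`ipsec restart`. Adjust RESTART_CMD for your platform (for example an
EdgeOS op-mode wrapper); both commands are assumptions, not from the thread."""
import re
import subprocess
import sys

STATUS_CMD = ["ipsec", "statusall"]
RESTART_CMD = ["ipsec", "restart"]

SA_LINE = re.compile(r"Security Associations \((\d+) up, (\d+) connecting\)")

# Constructed sample output in strongSwan's format, used with --demo.
SAMPLE_UP = """Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0):
Security Associations (1 up, 0 connecting):
  peer-203.0.113.5[1]: ESTABLISHED 3 hours ago, 198.51.100.2...203.0.113.5
"""
SAMPLE_DOWN = """Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0):
Security Associations (0 up, 1 connecting):
  peer-203.0.113.5[2]: CONNECTING, 198.51.100.2...203.0.113.5
"""


def count_established(status_text):
    """Return the number of established SAs in the summary line, or None if
    the line is missing (daemon not running, or a different IKE stack)."""
    m = SA_LINE.search(status_text)
    return int(m.group(1)) if m else None


def needs_restart(status_text, expected_min=1):
    """True when fewer than expected_min SAs are up. A missing summary line
    is treated as down rather than silently ignored."""
    n = count_established(status_text)
    return n is None or n < expected_min


def check_and_restart(run=subprocess.run):
    """Entry point for cron. `run` is injectable so the decision logic can be
    exercised without a real daemon. Returns True if a restart was issued."""
    status = run(STATUS_CMD, capture_output=True, text=True).stdout
    if needs_restart(status):
        run(RESTART_CMD, check=False)
        return True
    return False


if __name__ == "__main__":
    if "--demo" in sys.argv:
        print("up sample needs restart:", needs_restart(SAMPLE_UP))
        print("down sample needs restart:", needs_restart(SAMPLE_DOWN))
    else:
        check_and_restart()
```

    Crontab entries (paths are assumptions): "*/5 * * * * /usr/local/sbin/ipsec_watch.py" for the conditional watchdog, or "0 4 * * * /usr/sbin/ipsec restart" for the plain once-a-day restart the question asks about. Run with --demo to see the decision on the two constructed samples.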

  • 1 Vote, 26 Posts, 6k Views, JaredBusch

    @Dashrender said in Considering a New VPN:

    @JaredBusch said in Considering a New VPN:

    @scottalanmiller said in Considering a New VPN:

    @JaredBusch said in Considering a New VPN:

    @scottalanmiller said in Considering a New VPN:

    @JaredBusch said in Considering a New VPN:

    @scottalanmiller said in Considering a New VPN:

    @Carnival-Boy said in Considering a New VPN:

    Yeah, I need hub and spoke really. But that's not too difficult to setup on ZeroTier is it?

    ZeroTier doesn't offer hub and spoke at all. It's pure SDN / mesh.

    This is not true, ZeroTier has gateway functionality.
    https://www.zerotier.com/community/topic/5/bridging-ethernet-to-zerotier-virtual-networks-on-linux

    I was leaving that out for simplicity as he's not going to build custom Linux systems for this.

    Why? Because a single VM setup as a gateway means that ZT now meets all needs also.

    No different than replacing a router, etc.

    I've not used it, does it require you to change your IP range or can you keep what you have?

    The biggest recommendation is to make it inclusive of your LAN subnet to make life easier. I've not had the time to set it up on my lab yet.

    I use ZT in a number of places, but not using the gateway anywhere yet.

    Right, so being inclusive means that you did follow Scott's recommendation, only that you bent ZT to the current setup, instead of making a whole new IP setup with this in mind.

    Did that solve all of the Windows DNS issues?

    I have no idea WTF you are talking about. You are implying and inferring things that are not being discussed here.

  • Ubiquiti EdgeRouter Pro (ERPro-8) IPsec performance

    Solved IT Discussion, 0 Votes, 4 Posts, 5k Views, Donahue

    @scottalanmiller for the sake of this thread, the link shows both ERL and ERPro

  • Pfsense to Meraki Site-Site Ipsec VPN

    IT Discussion, 1 Vote, 6 Posts, 4k Views, J

    @Dashrender said in Pfsense to Meraki Site-Site Ipsec VPN:

    At what size network do you normally turn on BGP?

    Pretty much any time you have multiple routers & subnets. BGP is to routing what DHCP is to IP addressing (kinda). With static routes every device has to be set up manually with every network, which is insane. With BGP and autonomous system numbers it's automated and less likely to have mistakes.

  • 12 Votes, 12 Posts, 15k Views, jt1001001

    Old post but just had to do this for an implementation we are rolling out. Thanks!

  • Cisco vs Pfsense preformance for VPN

    IT Discussion, 2 Votes, 27 Posts, 10k Views, S

    @Dashrender you can find an OVA on vyos.net

  • 3 Votes, 6 Posts, 2k Views, JaredBusch

    For comparison here is a session going over OpenVPN to another site with an 80/5 cable modem service.

    Maxing under 8 Mbit on average.

    C:\iperf3>iperf3 -c 10.202.10.49 -p 9676 -F office2013.iso -t 120 -P 4
    - - - - - - - - - - - - - - - - - - - - - - - - -
    [  4] 113.01-114.01 sec   128 KBytes  1.05 Mbits/sec
    [  7] 113.01-114.01 sec   384 KBytes  3.15 Mbits/sec
    [ 10] 113.01-114.01 sec   256 KBytes  2.10 Mbits/sec
    [ 13] 113.01-114.01 sec   128 KBytes  1.05 Mbits/sec
    [SUM] 113.01-114.01 sec   896 KBytes  7.35 Mbits/sec
    - - - - - - - - - - - - - - - - - - - - - - - - -
    [  4] 114.01-115.00 sec   256 KBytes  2.10 Mbits/sec
    [  7] 114.01-115.00 sec   384 KBytes  3.15 Mbits/sec
    [ 10] 114.01-115.00 sec   256 KBytes  2.10 Mbits/sec
    [ 13] 114.01-115.00 sec   256 KBytes  2.10 Mbits/sec
    [SUM] 114.01-115.00 sec  1.12 MBytes  9.45 Mbits/sec
    - - - - - - - - - - - - - - - - - - - - - - - - -
    [  4] 115.00-116.00 sec   256 KBytes  2.10 Mbits/sec
    [  7] 115.00-116.00 sec   512 KBytes  4.20 Mbits/sec
    [ 10] 115.00-116.00 sec   128 KBytes  1.05 Mbits/sec
    [ 13] 115.00-116.00 sec  0.00 Bytes   0.00 bits/sec
    [SUM] 115.00-116.00 sec   896 KBytes  7.35 Mbits/sec
    - - - - - - - - - - - - - - - - - - - - - - - - -
    [  4] 116.00-117.00 sec   256 KBytes  2.10 Mbits/sec
    [  7] 116.00-117.00 sec   384 KBytes  3.15 Mbits/sec
    [ 10] 116.00-117.00 sec  0.00 Bytes   0.00 bits/sec
    [ 13] 116.00-117.00 sec  0.00 Bytes   0.00 bits/sec
    [SUM] 116.00-117.00 sec   640 KBytes  5.25 Mbits/sec
    - - - - - - - - - - - - - - - - - - - - - - - - -
    [  4] 117.00-118.01 sec   256 KBytes  2.07 Mbits/sec
    [  7] 117.00-118.01 sec   384 KBytes  3.10 Mbits/sec
    [ 10] 117.00-118.01 sec   128 KBytes  1.03 Mbits/sec
    [ 13] 117.00-118.01 sec   128 KBytes  1.03 Mbits/sec
    [SUM] 117.00-118.01 sec   896 KBytes  7.24 Mbits/sec
    - - - - - - - - - - - - - - - - - - - - - - - - -
    [  4] 118.01-119.01 sec   384 KBytes  3.15 Mbits/sec
    [  7] 118.01-119.01 sec   384 KBytes  3.15 Mbits/sec
    [ 10] 118.01-119.01 sec   128 KBytes  1.05 Mbits/sec
    [ 13] 118.01-119.01 sec   128 KBytes  1.05 Mbits/sec
    [SUM] 118.01-119.01 sec  1.00 MBytes  8.40 Mbits/sec
    - - - - - - - - - - - - - - - - - - - - - - - - -
    [  4] 119.01-120.01 sec   384 KBytes  3.15 Mbits/sec
    [  7] 119.01-120.01 sec   128 KBytes  1.05 Mbits/sec
    [ 10] 119.01-120.01 sec   128 KBytes  1.05 Mbits/sec
    [ 13] 119.01-120.01 sec   256 KBytes  2.10 Mbits/sec
    [SUM] 119.01-120.01 sec   896 KBytes  7.35 Mbits/sec
    - - - - - - - - - - - - - - - - - - - - - - - - -
    [ ID] Interval           Transfer     Bandwidth
    [  4]   0.00-120.01 sec  27.5 MBytes  1.92 Mbits/sec                  sender
            Sent 27.5 MByte / 1.39 GByte (1%) of office2013.iso
    [  4]   0.00-120.01 sec  27.3 MBytes  1.91 Mbits/sec                  receiver
    [  7]   0.00-120.01 sec  30.1 MBytes  2.11 Mbits/sec                  sender
            Sent 30.1 MByte / 1.39 GByte (2%) of office2013.iso
    [  7]   0.00-120.01 sec  30.0 MBytes  2.09 Mbits/sec                  receiver
    [ 10]   0.00-120.01 sec  25.6 MBytes  1.79 Mbits/sec                  sender
            Sent 25.6 MByte / 1.39 GByte (1%) of office2013.iso
    [ 10]   0.00-120.01 sec  25.5 MBytes  1.78 Mbits/sec                  receiver
    [ 13]   0.00-120.01 sec  25.1 MBytes  1.76 Mbits/sec                  sender
            Sent 25.1 MByte / 1.39 GByte (1%) of office2013.iso
    [ 13]   0.00-120.01 sec  24.9 MBytes  1.74 Mbits/sec                  receiver
    [SUM]   0.00-120.01 sec   108 MBytes  7.58 Mbits/sec                  sender
    [SUM]   0.00-120.01 sec   108 MBytes  7.53 Mbits/sec                  receiver

    iperf Done.
  • 1 Vote, 3 Posts, 2k Views, J

    This is all I did to get mine working on windows 10 http://itthatshouldjustwork.blogspot.com/2015/07/cisco-64-bit-vpn-client-on-windows-10.html

    There is not an up to date client; Cisco VPN is EOL'd. It was replaced with Cisco AnyConnect.

  • Comparison of VPN Security

    News, 1 Vote, 23 Posts, 8k Views, RojoLoco

    We recently had to set up an L2TP tunnel for our apple devices, since the last iOS 10 update took PPTP out of the picture. It was a huge PITA too, because I didn't figure out for a while that the secondary tunnel wouldn't let me reuse existing user accounts in our Watchguard.... that was some fun trial and error. And the WG how-tos never specified anything about needing different user accounts. It sucks to do all the steps right and then get login errors... makes ya feel like an amateur.

  • TP Link TL-R600VPN vpn capacity

    IT Discussion, 0 Votes, 10 Posts, 3k Views, JaredBusch

    @Hubtech said:

    @scottalanmiller said:

    @Hubtech said:

    this is for a $300 device, and a company that only has 7 tunnels (and won't hit 20 for a couple years).

    Have you looked at the Ubiquiti EdgeRouter Lite instead? Only $99 and I would expect it to handle way more than 20 IPsec tunnels.

    I mentioned the edge router 8 up there. I've never messed with one so i was looking for hands on from somebody.

    I have 10 (may be one more, I lost track) of the Ubiquiti EdgeMax LITE (ERL) in production. I only use OpenVPN tunnels at the moment because they are easier to work with and I am not approaching the bandwidth limit of OpenVPN on the hardware (~10-14mbps encrypted). Not a single site I have an ERL installed at has a pipe that can push out more than 10mbps, so I will never have a problem with this for now. I do have one IPSEC tunnel up to a home user that I have not sent a new router yet and it has no issues either.

    The ERL I have at my home office has a tunnel to every single one of the remote ERL at my clients and it never blinks.

    Using IPSEC you can get throughput in the 100+mbps range with the ERL. The difference between IPSEC and OpenVPN is that the IPSEC encryption can be offloaded to hardware while the OpenVPN encryption all has to be done on the processor.