UBNT EdgeRouter site to site VPN routes?
- 
 I have a site to site tunnel between two Ubiquiti EdgeRouters. The tunnel shows that it's up, but I can't ping stuff on the other side. I added interface routes. My tracerts hit the internal interface of the local ER and then die. What else should I check? 
- 
 is there any NAT being done? 
- 
 @Mike-Davis said in UBNT EdgeRouter site to site VPN routes?: I have a site to site tunnel between to Ubiquiti EdgeRouters. The tunnel shows that it's up, but I can't ping stuff on the other side. I added interface routes. My tracerts hit the internal interface of the local ER and then die. What else should I check?
 What kind of tunnel? IPSEC site to site? Assuming you set this in the GUI, did you click the Show advanced options and then check the firewall checkbox?
  
- 
 I used the OpenVPN command line example on https://help.ubnt.com/hc/en-us/articles/204949694-EdgeMAX-OpenVPN-Site-to-Site 
 I didn't do anything with the firewall. Would you use IPsec over OpenVPN?
- 
 I just noticed I don't have NAT hairpin enabled on my internal interface. I can't seem to get the syntax right to try that. 
- 
 @Mike-Davis said in UBNT EdgeRouter site to site VPN routes?: I used the OpenVPN command line example on https://help.ubnt.com/hc/en-us/articles/204949694-EdgeMAX-OpenVPN-Site-to-Site 
 I didn't do anything with the firewall. Would you use IPsec over OpenVPN?
 Ah, if you used OpenVPN, then you need to add static routes. This is easy then. 
- 
 You use static routes like this from the command line.
 jbusch@erl:~$ show configuration commands protocols
 set protocols static interface-route 10.254.101.0/24 next-hop-interface vtun101
 set protocols static interface-route 10.254.102.0/24 next-hop-interface vtun102
 set protocols static interface-route 10.254.104.0/24 next-hop-interface vtun104
 set protocols static interface-route 10.254.105.0/24 next-hop-interface vtun105
 set protocols static interface-route 10.254.201.0/24 next-hop-interface vtun101
 set protocols static interface-route 10.254.202.0/24 next-hop-interface vtun102
 set protocols static interface-route 10.254.204.0/24 next-hop-interface vtun104
 set protocols static interface-route 10.254.205.0/24 next-hop-interface vtun105
 jbusch@erl:~$
- 
 That's what I thought, and I have: (the local side is 192.168.1.254/24 and the far side is 192.168.2.253/23) 
 protocols {
     static {
         interface-route 192.168.2.0/23 {
             next-hop-interface vtun0 {
                 description "route to other side"
                 distance 1
             }
         }
     }
 }
- 
 My interfaces look like this on both sides: 
  
 in that both have traffic on the Tx side of the tunnel, but nothing on the receive.
- 
 @Mike-Davis said in UBNT EdgeRouter site to site VPN routes?: That's what I thought, and I have: (the local side is 192.168.1.254/24 and the far side is 192.168.2.253/23) protocols { static { interface-route 192.168.2.0/23 { next-hop-interface vtun0 { description "route to other side" distance 1 } } } }
 You did not specify, but I assume that you have the opposite on the other side? 
- 
 What does your OpenVPN config look like on both sides?
 jbusch@erl# show interfaces openvpn vtun101
  description "Globe Bldg to Someone"
  local-address 10.254.254.253 {
  }
  local-port 1195
  mode site-to-site
  openvpn-option --comp-lzo
  remote-address 10.254.254.254
  remote-host somesubdomain.mooo.com
  remote-port 1195
  shared-secret-key-file /config/auth/my_secret_file_is_here
 [edit]
 jbusch@erl#
- 
 vtun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
     link/none
     inet 10.99.99.1 peer xx.101.158.218/32 scope global vtun0
        valid_lft forever preferred_lft forever
     RX:  bytes  packets  errors  dropped  overrun  mcast
              0        0       0        0        0      0
     TX:  bytes  packets  errors  dropped  carrier  collisions
        6418847    27196       0        0        0           0
- 
 WTF is it with people not posting what is f***[moderated] asked for today? 
- 
 vtun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
     link/none
     inet 10.99.99.2 peer 10.99.99.1/32 scope global vtun0
        valid_lft forever preferred_lft forever
     RX:  bytes  packets  errors  dropped  overrun  mcast
              0        0       0        0        0      0
     TX:  bytes  packets  errors  dropped  carrier  collisions
        3231942    44734       0        0        0           0
 show interfaces openvpn vtun0
 vtun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
     link/none
     inet 10.99.99.1 peer x.x.x.218/32 scope global vtun0
        valid_lft forever preferred_lft forever
     RX:  bytes  packets  errors  dropped  overrun  mcast
              0        0       0        0        0      0
     TX:  bytes  packets  errors  dropped  carrier  collisions
        6962847    28715       0        0        0           0
- 
 I see one of the peers is using another IP... but I don't know how to change that. 
- 
 Ok, so the x.x.x.218 IP is the WAN IP of the opposite router, instead of using the OpenVPN IP. 
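The two `show interfaces` outputs above carry enough to spot both faults by machine: one router's `peer` is the far end's WAN address rather than its tunnel address, and both sides show TX bytes with RX stuck at zero. The script below is an added example written for this thread, not code from Ubiquiti or from any poster; the sample outputs are constructed from the redacted values quoted in the thread (the "fixed" pair and its small RX counters are invented to show what a healthy tunnel reports).

```python
"""Diagnose an EdgeOS OpenVPN site-to-site tunnel from 'show interfaces' output.

Added example for this thread; not Ubiquiti's or the posters' code. It parses
the vtun0 block from each router, then checks that each side's peer address is
the other side's tunnel address and that traffic flows in both directions.
"""
import re
from dataclasses import dataclass


@dataclass
class TunStats:
    name: str
    local: str      # 'inet' address of the tunnel interface
    peer: str       # 'peer' address, prefix length stripped
    rx_bytes: int
    tx_bytes: int


def parse_show_interface(text):
    """Extract name, addresses and byte counters from one 'show interfaces' block.

    The regexes use \\s+ between fields so they tolerate both the multi-line
    layout and the single-line paste seen in the thread.
    """
    m_name = re.search(r"^\s*(\w+):\s*<", text, re.M)
    m_addr = re.search(r"inet\s+(\S+)\s+peer\s+([^\s/]+)", text)
    m_rx = re.search(r"RX:\s+bytes\s+packets\s+errors\s+dropped\s+overrun\s+mcast\s+(\d+)\s+(\d+)", text)
    m_tx = re.search(r"TX:\s+bytes\s+packets\s+errors\s+dropped\s+carrier\s+collisions\s+(\d+)\s+(\d+)", text)
    if not all((m_name, m_addr, m_rx, m_tx)):
        raise ValueError("unrecognised 'show interfaces' output")
    return TunStats(m_name.group(1), m_addr.group(1), m_addr.group(2),
                    int(m_rx.group(1)), int(m_tx.group(1)))


def diagnose(a_text, b_text):
    """Return a list of findings for a pair of tunnel endpoints (empty = healthy)."""
    a, b = parse_show_interface(a_text), parse_show_interface(b_text)
    findings = []
    for label, this, other in (("A", a, b), ("B", b, a)):
        if this.peer != other.local:
            findings.append(
                f"{label}: peer {this.peer} is not the other side's tunnel address "
                f"{other.local}; remote-address is probably set to the WAN IP")
        if this.tx_bytes > 0 and this.rx_bytes == 0:
            findings.append(
                f"{label}: sent {this.tx_bytes} bytes but received nothing; one-way tunnel")
    return findings


# Constructed samples, values taken from the thread's redacted outputs.
SHOW_A = """\
vtun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet 10.99.99.1 peer x.x.x.218/32 scope global vtun0
       valid_lft forever preferred_lft forever
    RX:  bytes  packets  errors  dropped  overrun  mcast
             0        0       0        0        0      0
    TX:  bytes  packets  errors  dropped  carrier  collisions
       6962847    28715       0        0        0           0
"""
SHOW_B = """\
vtun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet 10.99.99.2 peer 10.99.99.1/32 scope global vtun0
       valid_lft forever preferred_lft forever
    RX:  bytes  packets  errors  dropped  overrun  mcast
             0        0       0        0        0      0
    TX:  bytes  packets  errors  dropped  carrier  collisions
       3231942    44734       0        0        0           0
"""
# Invented "after the fix" pair: correct peer on A, non-zero RX on both sides.
SHOW_A_FIXED = SHOW_A.replace("peer x.x.x.218/32", "peer 10.99.99.2/32").replace(
    "             0        0       0", "         91234      412       0")
SHOW_B_FIXED = SHOW_B.replace(
    "             0        0       0", "         88012      398       0")

if __name__ == "__main__":
    for line in diagnose(SHOW_A, SHOW_B) or ["tunnel looks healthy"]:
        print(line)
    print(diagnose(SHOW_A_FIXED, SHOW_B_FIXED) or ["tunnel looks healthy"])
```

Run it against the real output of `show interfaces openvpn vtun0` from each router; an empty findings list means the peer addresses mirror each other and both counters are moving, which is the state the thread is trying to reach.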
- 
 #if not in config already
 configure
 #then remove all the stuff.
 delete interfaces openvpn vtun0
 delete protocols static interface-route 192.168.1.0/24
 delete protocols static interface-route 192.168.2.0/23
 #recreate it
 set interfaces openvpn vtun0 local-address 10.99.99.1
 set interfaces openvpn vtun0 local-port 1194
 set interfaces openvpn vtun0 mode site-to-site
 set interfaces openvpn vtun0 openvpn-option --float
 set interfaces openvpn vtun0 openvpn-option "--ping 10"
 set interfaces openvpn vtun0 openvpn-option "--ping-restart 20"
 set interfaces openvpn vtun0 openvpn-option --ping-timer-rem
 set interfaces openvpn vtun0 openvpn-option --persist-tun
 set interfaces openvpn vtun0 openvpn-option --persist-key
 set interfaces openvpn vtun0 openvpn-option "--user nobody"
 set interfaces openvpn vtun0 openvpn-option "--group nogroup"
 set interfaces openvpn vtun0 remote-address 10.99.99.2
 set interfaces openvpn vtun0 remote-host x.x.x.218
 set interfaces openvpn vtun0 remote-port 1194
 set interfaces openvpn vtun0 shared-secret-key-file /config/auth/secret
 set protocols static interface-route 192.168.1.0/24 next-hop-interface vtun0
 commit
 #if works
 save
 exit
 
 #other side
 #if not in config already
 configure
 #then remove all the stuff.
 delete interfaces openvpn vtun0
 delete protocols static interface-route 192.168.1.0/24
 delete protocols static interface-route 192.168.2.0/23
 #recreate it
 set interfaces openvpn vtun0 local-address 10.99.99.2
 set interfaces openvpn vtun0 local-port 1194
 set interfaces openvpn vtun0 mode site-to-site
 set interfaces openvpn vtun0 openvpn-option --float
 set interfaces openvpn vtun0 openvpn-option "--ping 10"
 set interfaces openvpn vtun0 openvpn-option "--ping-restart 20"
 set interfaces openvpn vtun0 openvpn-option --ping-timer-rem
 set interfaces openvpn vtun0 openvpn-option --persist-tun
 set interfaces openvpn vtun0 openvpn-option --persist-key
 set interfaces openvpn vtun0 openvpn-option "--user nobody"
 set interfaces openvpn vtun0 openvpn-option "--group nogroup"
 set interfaces openvpn vtun0 remote-address 10.99.99.1
 set interfaces openvpn vtun0 remote-host x.x.x.51
 set interfaces openvpn vtun0 remote-port 1194
 set interfaces openvpn vtun0 shared-secret-key-file /config/auth/secret
 set protocols static interface-route 192.168.2.0/23 next-hop-interface vtun0
 commit
 #if works
 save
 exit
- 
 If I got the static routing protocols backwards, just reverse them. They should point to the LAN on the opposite router. That is the last line prior to each commit.
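The two command blocks above, and the earlier static-route post, have to mirror each other exactly: each router's `local-address` must be the other's `remote-address`, `remote-address` must be the far end's tunnel address and never its WAN `remote-host`, and the `interface-route` on each side must cover the opposite LAN (192.168.2.0/23 from the 192.168.1.0/24 side and vice versa). The checker below is an added example written for this thread, not Ubiquiti's or any poster's code; the sample blocks are constructed from the thread's own values, with the routes in the orientation the post above says they should have, and `x.x.x.218` / `x.x.x.51` are the thread's redacted WAN addresses, compared only as strings.

```python
"""Cross-check a pair of EdgeOS OpenVPN site-to-site 'set' blocks for symmetry.

Added example for this thread; not Ubiquiti's or the posters' code. It reads
the 'set interfaces openvpn ...' and 'set protocols static interface-route ...'
lines for both routers and reports the mistakes the thread ran into.
"""
import ipaddress
import shlex


def parse_side(text):
    """Collect openvpn interface settings and interface-routes from 'set' lines."""
    side = {"openvpn": {}, "routes": []}
    for line in text.splitlines():
        tokens = shlex.split(line.strip())
        if len(tokens) < 2 or tokens[0] != "set":
            continue  # comments, configure/commit/save, blank lines
        if tokens[1:3] == ["interfaces", "openvpn"] and len(tokens) >= 5:
            iface = side["openvpn"].setdefault(tokens[3], {"openvpn-option": []})
            key, value = tokens[4], " ".join(tokens[5:])
            if key == "openvpn-option":
                iface["openvpn-option"].append(value)
            else:
                iface[key] = value
        elif tokens[1:4] == ["protocols", "static", "interface-route"] and len(tokens) >= 7:
            # set protocols static interface-route <prefix> next-hop-interface <vtun>
            side["routes"].append((tokens[4], tokens[6]))
    return side


def check_pair(a_text, b_text, a_lan, b_lan, vtun="vtun0"):
    """Return a list of problems for the A/B pair (empty list means consistent)."""
    a, b = parse_side(a_text), parse_side(b_text)
    oa, ob = a["openvpn"].get(vtun, {}), b["openvpn"].get(vtun, {})
    problems = []
    # Tunnel endpoint addresses and ports must mirror each other.
    for x_name, x, y_name, y in (("A", oa, "B", ob), ("B", ob, "A", oa)):
        if x.get("local-address") != y.get("remote-address"):
            problems.append(f"{x_name} local-address {x.get('local-address')} is not "
                            f"{y_name} remote-address {y.get('remote-address')}")
        if x.get("local-port") != y.get("remote-port"):
            problems.append(f"{x_name} local-port {x.get('local-port')} is not "
                            f"{y_name} remote-port {y.get('remote-port')}")
        # The symptom from the thread: peer shows the WAN IP instead of the tunnel IP.
        if x.get("remote-address") and x.get("remote-address") == x.get("remote-host"):
            problems.append(f"{x_name}: remote-address equals remote-host {x['remote-host']} "
                            "(the peer's WAN address); it should be the far tunnel address")
        if "shared-secret-key-file" not in x:
            problems.append(f"{x_name}: no shared-secret-key-file configured")
    # Each side's route over the tunnel must reach the far LAN, not its own.
    for name, side, own_lan, far_lan in (("A", a, a_lan, b_lan), ("B", b, b_lan, a_lan)):
        own, far = ipaddress.ip_network(own_lan), ipaddress.ip_network(far_lan)
        routes = [ipaddress.ip_network(p) for p, nh in side["routes"] if nh == vtun]
        if not routes:
            problems.append(f"{name}: no interface-route via {vtun}")
        for net in routes:
            if net.overlaps(own):
                problems.append(f"{name}: route {net} via {vtun} covers its own LAN {own}")
            elif not net.overlaps(far):
                problems.append(f"{name}: route {net} via {vtun} does not reach far LAN {far}")
    return problems


# Constructed sample blocks built from the thread's values (WAN IPs are redacted
# placeholders from the thread). Side A is the 192.168.1.0/24 site.
SIDE_A = """\
configure
set interfaces openvpn vtun0 local-address 10.99.99.1
set interfaces openvpn vtun0 local-port 1194
set interfaces openvpn vtun0 mode site-to-site
set interfaces openvpn vtun0 openvpn-option --float
set interfaces openvpn vtun0 openvpn-option "--ping 10"
set interfaces openvpn vtun0 remote-address 10.99.99.2
set interfaces openvpn vtun0 remote-host x.x.x.218
set interfaces openvpn vtun0 remote-port 1194
set interfaces openvpn vtun0 shared-secret-key-file /config/auth/secret
set protocols static interface-route 192.168.2.0/23 next-hop-interface vtun0
commit
"""
SIDE_B = """\
configure
set interfaces openvpn vtun0 local-address 10.99.99.2
set interfaces openvpn vtun0 local-port 1194
set interfaces openvpn vtun0 mode site-to-site
set interfaces openvpn vtun0 remote-address 10.99.99.1
set interfaces openvpn vtun0 remote-host x.x.x.51
set interfaces openvpn vtun0 remote-port 1194
set interfaces openvpn vtun0 shared-secret-key-file /config/auth/secret
set protocols static interface-route 192.168.1.0/24 next-hop-interface vtun0
commit
"""
# The original poster's fault, reproduced: remote-address set to the WAN IP.
SIDE_A_WAN_PEER = SIDE_A.replace("remote-address 10.99.99.2", "remote-address x.x.x.218")

if __name__ == "__main__":
    print(check_pair(SIDE_A, SIDE_B, "192.168.1.0/24", "192.168.2.0/23") or "consistent")
    print(check_pair(SIDE_A_WAN_PEER, SIDE_B, "192.168.1.0/24", "192.168.2.0/23"))
```

Feed it the `show configuration commands` output from each router (only the `set` lines are read) together with each site's LAN prefix; swapping the two route lines, as the post above allows for, is reported as a route that covers the router's own LAN.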
- 
 Ok, so it all looks good. What would be the best test? 
- 
 I can't ping LAN IP's on the opposite side... 