Channel: EdgeRouter topics

Urgent - VPN Issue


Good Afternoon.

I have a Site-to-Site VPN between an ER-PoE5 and an ER-Pro8, both on 1.9.0, that is giving me fits. This is in a production environment and I'm beating my head against a wall a little bit, and hoping for some help. The VPN will not establish, and when I do "show vpn log" it just repeats "xx.xx.xx.xx is initiating a Main Mode IKE_SA" on the Pro8 side, and on the PoE5 side, "peer-xx.xx.xx.xx-tunnel-1[4] initiating Main Mode IKE_SA peer-xx.xx.xx.xx-tunnel-1[4] to xx.xx.xx.xx".

Sanitized configs coming momentarily. Any initial help, debugging or troubleshooting would be most appreciated. I have deleted, recreated, rebooted, etc.

 


IPSec PSK Site-to-Site | Raspberry Pi to EdgeRouter


I'm writing this in the hopes that it will assist someone else, or just as a reminder to me down the road.

 

I have been fiddling around the last four days trying to get a site-to-site VPN set up between my home network and another family member's home. I convinced them to upgrade their router to a DD-WRT based router about three years ago, before I really knew about Ubiquiti hardware. Upgrading them to an EdgeRouter-Lite, while likely to simplify things and still a possibility in the near future, would have taken me longer than using a Raspberry Pi I had lying around.

 

IPSec is something that I have had zero experience with up until now, and I wanted to learn something new. While I have never set up OpenVPN in a site-to-site configuration, I have used it in the past as a client-server setup on my EdgeRouter.

 

Here is the hardware on each side:

 

Home

Ubiquiti EdgeRouter ER-8

Cable Internet 120/20

 

Family

Buffalo Airstation AC1750

Cable Internet 60/20

Raspberry Pi running Raspbian Jessie Lite

 

Network Topology

 

EdgeRouter   ----   Internet   ----   AC1750   ----   RPi
10.10.1.1                             10.0.1.1        10.0.1.10

 

EdgeRouter Setup

Setting up the EdgeRouter was rather simple. Filled in the following under VPN | IPSec Site-to-Site:

Peer: 0.0.0.0

Description: House-to-House

Local IP: any

Pre-shared secret: MyPassword

Local Subnet: 10.10.1.0/24

Remote Subnet: 172.20.10.0/28

 

Setting up the Raspberry Pi

I loaded a fresh image of Raspbian Jessie Lite (2016-09-23). I then updated and installed strongswan.

 

sudo apt-get update
sudo apt-get upgrade
sudo apt-get install -t jessie strongswan
sudo apt-get install -t jessie libcharon-extra-plugins

 

Next step is to edit the /etc/ipsec.conf file so that the following are the only uncommented lines:

 

config setup
       charondebug="cfg 2, dmn 2, ike 2, net 2"

conn %default
       ikelifetime=28800s
       keylife=3600s
       rekeymargin=540s
       keyingtries=%forever
       authby=secret
       keyexchange=ikev1
       compress=no

conn House-To-House
       left=172.20.10.3
       leftsubnet=172.20.10.0/28
       rightid=%any
       rightallowany=yes
       right=www.myhouse.ca
       rightsubnet=10.10.1.0/24
       auto=start
       ike=aes128-sha1-modp2048!
       esp=aes128-sha1-modp2048!

Note: If you intend on using a fully qualified domain name in place of an IP address for either left or right, you need to have the corresponding rightid or leftid set to %any, otherwise it will generate errors. I use FQDNs for both sides, but have left it like this to assist those setting up a network with simple IP addresses.

 

Now, add the following to your /etc/ipsec.secrets file

 

172.20.10.3 www.myhouse.ca : PSK "MyPassword"

 

Enable packet forwarding by uncommenting the following line in /etc/sysctl.conf:

 

net.ipv4.ip_forward=1

 

Either reboot the system or run the following command to update the packet forwarding setting now:

 

sudo sysctl -w net.ipv4.ip_forward=1

 

Everything should now be ready to go. Run the following to reload the configuration files, bring up the tunnel and check the status of the connection:

 

sudo ipsec reload
sudo ipsec up House-To-House
sudo ipsec statusall

The final command should have a Security Associations section. If you see (1 up, 0 connecting) then you've got a successful tunnel from the Raspberry Pi to the EdgeRouter!

 

While I am limited by the 20 Mbit/s upload speed on both connections, I was able to saturate the link transferring files through the tunnel using scp. This will more than accommodate my use case.

 

Some notes on debugging:

Peer: 0.0.0.0 or any

While the houses are close together geographically, it was still a 20 minute drive between them, and as such driving back and forth to test different setups was not feasible. I tethered a Raspberry Pi to my cell phone in order to test on two separate networks from a single location. Everything I had read indicated to put "any" in the peer box to allow for a dynamic or unknown address. I just came across a UBNT member who had posted that 1.9.0 fixed a bug which allowed "any" in the past, and it should actually be 0.0.0.0, which cleared up my issue of INVALID_KE_PAYLOAD.

 

Diagnosing Errors

/var/log/syslog on the Raspberry Pi was not very descriptive when errors arose. I was much more successful with an ssh session into the EdgeRouter and running sudo swanctl --log.

 

Testing Connections

Initially I was trying to get everything up and running locally. I had simulated the family home network that would be the opposite endpoint by replicating the subnet and DHCP server on a separate EdgeRouter interface. This got me nowhere, as the IPSec system reacts completely differently to internal connections than it does to external connection attempts. If you don't have enough hardware to replicate two external and separate networks, tethering the Raspberry Pi endpoint to your phone is the cheapest/easiest solution.
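An added example (not part of the post above) that parses a strongSwan ipsec.conf like the one in the walkthrough and checks it against the EdgeRouter's Local/Remote Subnet fields, including the note about FQDN endpoints needing the matching leftid/rightid=%any. The sample configuration is constructed from the post; the function names are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed sample mirroring the Raspberry Pi ipsec.conf from the post.
SAMPLE_IPSEC_CONF = """\
config setup
       charondebug="cfg 2, dmn 2, ike 2, net 2"

conn %default
       ikelifetime=28800s
       keylife=3600s
       rekeymargin=540s
       keyingtries=%forever
       authby=secret
       keyexchange=ikev1
       compress=no

conn House-To-House
       left=172.20.10.3
       leftsubnet=172.20.10.0/28
       rightid=%any
       rightallowany=yes
       right=www.myhouse.ca
       rightsubnet=10.10.1.0/24
       auto=start
       ike=aes128-sha1-modp2048!
       esp=aes128-sha1-modp2048!
"""


def parse_ipsec_conf(text):
    """Parse ipsec.conf into {conn_name: {key: value}}.

    Section headers ('conn NAME', 'config setup') start in column 0 and
    key=value lines are indented.  Values from 'conn %default' are folded
    into every other conn, which is how strongSwan applies them.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments / trailing blanks
        if not line.strip():
            continue
        if not line[0].isspace():              # section header
            kind, _, name = line.partition(" ")
            current = f"{kind} {name.strip()}"
            sections[current] = {}
            continue
        if current is None:                    # key=value before any header
            continue
        key, _, value = line.strip().partition("=")
        sections[current][key.strip()] = value.strip()
    defaults = sections.get("conn %default", {})
    return {name[5:]: {**defaults, **opts}
            for name, opts in sections.items()
            if name.startswith("conn ") and name != "conn %default"}


def is_ip(value):
    try:
        ip_address(value)
        return True
    except ValueError:
        return False


def check_conn(opts, er_local_subnet, er_remote_subnet):
    """Return a list of problems, or [] when the conn mirrors the EdgeRouter.

    er_local_subnet / er_remote_subnet are the EdgeRouter's Local Subnet and
    Remote Subnet fields; on the Pi they appear swapped (rightsubnet/leftsubnet).
    """
    problems = []
    # Post's note: an FQDN in left/right needs the matching leftid/rightid=%any.
    for side in ("left", "right"):
        peer = opts.get(side, "")
        if peer and not is_ip(peer) and opts.get(side + "id") != "%any":
            problems.append(f"{side}={peer} is an FQDN but {side}id is not %any")
    if ip_network(opts.get("leftsubnet", "0.0.0.0/0"), strict=False) != ip_network(er_remote_subnet):
        problems.append("leftsubnet does not match the EdgeRouter's Remote Subnet")
    if ip_network(opts.get("rightsubnet", "0.0.0.0/0"), strict=False) != ip_network(er_local_subnet):
        problems.append("rightsubnet does not match the EdgeRouter's Local Subnet")
    if opts.get("authby") != "secret":
        problems.append("authby must be 'secret' to use the EdgeRouter pre-shared key")
    if opts.get("keyexchange") != "ikev1":
        problems.append("keyexchange differs from the post's ikev1 setting")
    return problems


if __name__ == "__main__":
    for name, opts in parse_ipsec_conf(SAMPLE_IPSEC_CONF).items():
        print(name, check_conn(opts, "10.10.1.0/24", "172.20.10.0/28") or "OK")
```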

Port Forwarding for multiple WAN IPs on Single Interface


Hello. I am in a bit of a conundrum with setting up an Edgerouter X unit running EdgeOS 1.9.0 for our company.

 

We have two public IP addresses 208.x.x.26 and 201.x.x.27 that I configured on eth1. Both public IP addresses are routing to the same subnet on eth2-eth4 which is 10.x.x.0.

 

Any traffic using the .26 IP works fine, things like standard internet access and port forwarding to our ticketing system and WSUS setup. We provide monitoring services to our clients that try to contact our servers on the .27 address due to it being a whitelisted IP for SMTP traffic. The problem is, anything trying to use that .27 address fails to communicate, and I am lost as to why. I can ping the address both inside and outside the network.

 

I attempted to use NAT/firewall rules as shown here on the UBNT forums without any success.

 

I appreciate any help with this, as getting this .27 traffic flowing is the only hiccup I am experiencing with this setup.

New Office Install with ER-POE and ES-Lite


Ubiquiti products and managed devices are new to me. My plan is to follow "EdgeMAX – InterVLAN Walkthrough with ERLite-3 using Sample Enterprise Topology" and the associated article for the EdgeSwitch, just using one switch instead of two. We also have 2 AP-Lites and a Cloud Key.

 

I have a couple questions at this point:

 

1. I went with the ER-POE so that I could run the APs and Cloud Key from it. Can I still feed the VLANs to the APs if they are connected to the router?

 

2. If not, I can use the injectors that came with the APs and connect them to the switch per the guide. If this must be done, can the Cloud Key stay on the router? It runs at 48v and I don't currently have an injector for it.

 

3. I think I read in these forums that having the switch perform DHCP is preferable, with the router providing internet and firewall.  Is this true and if so, how does it affect my plan?

 

Thanks!

EdgeOS v1.9.0 Firewall Rule using Deep Packet Inspection, OpenVPN not blocked


Hi Guys,

I set a rule on the firewall using DPI to block OpenVPN etc.

As per the list below, OpenVPN is in the category which I blocked.


 /usr/sbin/ubnt-dpi-util show-cat-apps Bypass-Proxies-and-Tunnels
Applications in category [Bypass-Proxies-and-Tunnels]
openvpn

kproxy

[…]

 

I noticed that OpenVPN won't connect at first, but after some attempts it pushes through.

 
Part of OpenVPN log:
Tunnel Options:V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client

Any idea how to solve this?

 

Thank you !

 

commit-archive to server with scponly shell


When a user is configured with the scponly shell:

 

This works:

 

scp /home/ubnt/test.txt user@remoteip:/path/to/dir/

This doesn't work:

 

set system config-management commit-archive location scp://<user>:<password>@remoteip:/path/to/dir/

How can I restrict the SCP user that I'm putting on my routers to only have access to SCP? 

[EdgeRouter Lite 1.9] Slow speeds after a few days of uptime


This has been going on for quite some time now. I will notice that speeds start out at 250Mbps when the router is freshly booted, but after a few hours or days of usage the speed comes to a crawl of about 20-30 Mbps. I

  • Directly connecting my PC to the modem resolves the sluggishness
  • I noticed this issue on version 1.8 as well. I was hoping an update to 1.9 would resolve it, but as you can see, it has not.
  • I've verified my switch is working, along with the PC being used to test this (speed tested between two computers in the same network)
  • I've tried directly connecting my PC to an unused ERL port (eth2, contains no vlan/virtual interfaces) and it still is giving me the slow speeds
  • I've verified ipv4 forwarding and vlan offloading is enabled
  • I've tried temporarily disabling all of the firewall rules but it doesn't help
  • Rebooting the router brings back speeds
  • top and free show memory levels and CPU usage as being normal
  • ALSO, I've noticed that the host validation for ssh login is SERIOUSLY slow when this happens. I know disabling the host validation solves this, but it is correlated with the slow internet speeds I'm experiencing. At fresh boot, the host validation time is pretty fast
  • I also notice running tcpdump is noticeably slower after the ERL has been running for a few days as opposed to a few hours after a fresh reboot.

Offload Status:

 


IP offload module : loaded
IPv4
forwarding: enabled
vlan : enabled
pppoe : disabled
gre : disabled
IPv6
forwarding: disabled
vlan : disabled
pppoe : disabled

IPSec offload module: loaded

Traffic Analysis :
export : disabled
dpi : disabled

 

 

Router config:

 

firewall {
    all-ping enable
    broadcast-ping disable
    group {
        network-group Trusted {
            description Trusted
            network 172.16.0.0/27
            network 10.0.3.0/24
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians disable
    name WAN_IN {
        default-action drop
        rule 2 {
            action accept
            description "Accept Valid"
            log disable
            protocol all
            state {
                established enable
                related enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description ""
        enable-default-log
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description "Time Warner Cable"
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        duplex auto
        speed auto
        vif 10 {
            address 10.0.0.254/24
            description "Management Net"
            mtu 1500
        }
        vif 40 {
            address 10.0.2.254/24
        }
        vif 50 {
            address 10.0.3.254/24
        }
        vif 90 {
            address 172.16.0.30/27
        }
    }
    ethernet eth2 {
        address 10.100.100.1/24
        description DMZ
        duplex auto
        mtu 9000
        speed auto
    }
    loopback lo {
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name Home {
            authoritative disable
            subnet 10.0.2.0/24 {
                default-router 10.0.2.254
                dns-server 172.16.0.21
                dns-server 8.8.8.8
                lease 300
                start 10.0.2.100 {
                    stop 10.0.2.254
                }
            }
        }
        shared-network-name Management {
            authoritative disable
            subnet 10.0.0.0/24 {
                default-router 10.0.0.254
                dns-server 172.16.0.21
                dns-server 8.8.8.8
                lease 86400
                start 10.0.0.100 {
                    stop 10.0.0.200
                }
                unifi-controller 172.16.0.29
            }
        }
        shared-network-name Trusted {
            authoritative disable
            subnet 10.0.3.0/24 {
                default-router 10.0.3.99
                dns-server 172.16.0.21
                dns-server 8.8.8.8
                lease 300
                start 10.0.3.100 {
                    stop 10.0.3.253
                }
                unifi-controller 172.16.0.29
            }
        }
        shared-network-name vm_net {
            authoritative disable
            subnet 172.16.0.0/27 {
                default-router 172.16.0.15
                dns-server 172.16.0.21
                dns-server 8.8.8.8
                lease 86400
                start 172.16.0.1 {
                    stop 172.16.0.19
                }
            }
        }
    }
    gui {
        https-port 443
    }
    nat {
        rule 5000 {
            description "WAN NAT"
            log disable
            outbound-interface eth0
            protocol all
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    domain-search {
    }
    host-name ubnt
    ipv6 {
        disable
        disable-forwarding
    }
    login {
        user admin {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
            level admin
        }
    }
    name-server 8.8.8.8
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        ipv4 {
            forwarding enable
            vlan enable
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone America/Chicago
    traffic-analysis {
        dpi disable
        export disable
    }
}

EdgeRouter X Port Forwarding issues


I started with setting up my ERX with the "Basic" wizard for my home. Then I went to play Xbox/PS4 and they both show my NAT type as being strict. I have tried port forwarding to my knowledge, but neither works. Is there a way to port forward all ports on both TCP and UDP?
EdgeRouter Lite 1.9.0 user issue


I just got an EdgeRouter and upgraded to 1.9.0; on first boot, I upgraded the firmware to v1.9.0 and ran the Basic Wizard. It prompts for user management, so I chose to create a new user and password. It locked me out and I had to reset it.

 

Tried once again, changing password only for ubnt username. Created a new user and again, "invalid password". 

 

Don't know if there's an issue with my hardware only, or there's an issue with firmware 1.9.0; is anyone else having these issues?

 

Thanks in advance.

VyOS - Perl API


Hi,

I want to execute a VyOS command (set system host-name krajuskar) in a Perl script using the Perl API. Can you please guide me on how to use the Perl API to execute a VyOS command? I read the Perl API documentation but did not get any idea how to do that.

 

Please help me.

ER-Lite OpenVPN Client Dual WAN


Hi,

 

I did configure an ERL with Dual WAN and an OpenVPN client connection to a VyOS server. WAN Failover for Internet traffic is working well. OpenVPN also works well when only one WAN port is connected. Otherwise I am losing at least 50% of packets. How can I configure WAN Failover for the OpenVPN client?

 

I would also be willing to pay for it if someone could configure it for me.

 

Thank you

 

Basic EdgeRouter ER-X-SFP test bed setup issue


I'm totally in love with my new ER-X-SFP. It's so cute! But oh, that amazing power behind that cuteness. It's such an incredible piece of high class engineering and innovation at such a fantastic price. I'll love it even more so once I can get it to work. LOL.

 

I have a cable modem, which goes to a new dual-band wireless router (R1), and that goes to my old single-band wireless router R2, which has several switches connected to it and serves the majority of my home network for the time being. I was planning on doing the 3 dumb routers scenario to get a DMZ, and unfortunately had bought the new router before I saw the Ubiquiti Lite.

 

Cable <==> WAN--| R1 |--LAN (.2.1/24) <---> WAN (.2.10/24)--| R2 |--LAN (.0.1/24)
                                          |
                                          |----> WAN eth0 (.2.101/24) -| ER-X-SFP |- LAN (1.1) -- eth1 (.1.2)

 

I have both the old R2 router and the EdgeMax connected to the LAN side of the new router R1.

 

R2 WAN has a static IP of 192.168.2.10 and the LAN side is .0.1. All the rest of my devices are currently on the 192.168.0/24 subnet with a handful of DHCP reservations.

 

The ER-X-SFP WAN is 192.168.2.101 and switch0 (eth1 & eth2) is .1.1 so my connection to it is .1.2

 

I have a question about the initial setup. Networking noob that I am, I'd rather do my initial setup and testing behind my existing wireless router R1. I immediately updated it to EdgeOS 1.9.0, and ran the Basic Setup Wizard. So it has some basic routes, Firewall/NAT rules and such. I think I can do this testing behind R1 since stuff connected to R2 works just fine and has Internet access.

 

So far, so good. I'm connected to the EdgeMAX and I can see lots of bits flowing: Tx and Rx numbers for eth0 (pseudo internet), eth1 and switch0. I just don't know what they are or why. LOL.

 

I have the other ports configured, mostly following the SOHO example, with a few exceptions. Two ports eth1/eth2 are on switch0, one port will be for a DMZ, and one will be the PoE port for my new UniFi UAP-AC-LR. It's currently on my "new" router, using the included PoE injector, and it works great.

 

Under Basic Settings for the System, I have the System Gateway set to .2.1, the LAN side of R1. There's one static route to R1's LAN port, and 3 "connected" routes. I set up DHCP rules for each subnet: LAN, DMZ and WAP. There are WAN_IN and WAN_LOCAL Firewall/NAT rulesets, each with two rules, although I'm not clear on who does what to whom, or exactly what "local" means. I think it's whatever's on switch0? Am I missing a WAN_OUT?

 

This machine has two nics, one going to R2, that gives me "real" internet connectivity, and one private that goes to the ER-X-SFP.

 

Using the EdgeMAX / private NIC only, Windows tells me I don't have Internet connectivity. I can't ping eth0 as 192.168.2.101. I get "PING: transmit failed. General failure.". So of course, I can't ping the router's LAN port at 2.1 or get out into the big bad world.

 

I'm obviously missing a step but I don't know what it is. Or I have something configured incorrectly. So I'm hoping someone here can figure out what stupid mistake I made and why this awesome little box has no Internet connectivity.

 

Any assistance is greatly appreciated.

 

Thanks,

Mark

Need a little advice. I'd like to give one IP or MAC on the LAN priority over everything else


Currently living with the in-laws while our house is renovated. I've managed to get my fancy network stuff set up, but I'd love to be able to ensure that my father-in-law's Mac mini (which they use to stream their TV) never falters while I'm hammering their network with my stuff.

 

I had a crack before, using the Shaper example here, but it didn't seem to do anything:

 

simonk83@ubnt# show traffic-policy 
 shaper shaper1 {
     bandwidth 5Mbit
     class 2 {
         bandwidth 4Mbit
         match client2 {
             ip {
                 source {
                     address 192.168.1.143/24
                 }
             }
         }
     }
     default {
         bandwidth 1Mbit
     }
 }

They're on ADSL and not all that close to the exchange, so the downstream maxes out at about 600KB/s. I'm trying to give the Mac mini most of that (while it's running) and reserve the rest for everything else (my stuff, basically).

 

I tested it by running the traffic analysis (which actually showed zero traffic coming through for that IP, when it was showing as normal before I added the policy, so I obviously stuffed something up), and then started downloading a file, which immediately caused the TV stream to buffer. Not working.

 

Just hoping to get some pointers as to the best way to get this happening?  I basically just want to give this IP address absolute priority (if it's active, otherwise I can go nuts).

 

I did actually try the smart queue, and while it resulted in great pings while I was downloading stuff, it didn't do anything to help other devices claw back bandwidth, and the TV streaming still halts and buffers.

2WAN + 2LAN with each LAN on different subnet


For complex ISP reasons, I want to set up one EdgeRouter X to replace two ISP routers (each with a MAC-address-based static IP allocated from the same ISP) with VoIP functions.

I need to set the MAC addresses for the old routers at eth0 and eth4 (which I know how to do from the command line using config) and then set eth0 as WAN1 connected to eth1 as the LAN side, plus eth4 as WAN2 connected to eth3 as the LAN side. eth1 and eth3 will be on different subnets. I see how to use the Wizard to set two WAN ports, but I cannot see how to then tie LAN eth1 (with subnet IP 192.68.7.1/24) to WAN1, and LAN eth3 (with subnet 192.168.2.1/24) to WAN2. eth3 will be off. Can this be done from the CLI on the EdgeRouter X? If it can, would somebody who knows how to do this point me to some useful Ubiquiti documents or even post the CLI code to achieve what I need (forever in your debt).

I am running Firmware 1.90.

There is no need for Fail Over between WAN1 and WAN2.

Thanks.

EdgeRouter X with UniFi AC for small office (internal/guest wifi isolation using VLANs)


Hi,

 

We are considering using Ubiquiti equipment for a few small office setups (5 - 10 people) and still have completely separate guest (IP in 10.0.0.x range) and internal (part of the internal network, IP in 192.168.0.x range) wireless access.

 

Can the below configuration be achieved only with the ER-X router and UAP-AC-LR access point? Or is it necessary to use a switch with VLAN support?

 


Access websites from servers on the same DMZ net


I have problems accessing our websites located on the DMZ from the DMZ; from the outside it works fine.

We have 5 public IPs on the WAN interface, 4 of them are NATed to internal servers.

 

We have 4 servers on the 192.168.2.0/24 net; these have websites on them, and for test purposes we need to access the websites from the same network.

 

I got good information before here about Hairpin NAT and LAN to DMZ access.

"Hairpin is only required when traffic enters and leaves the same interface"

So I turned on hairpin NAT for the DMZ interface, but there was no difference.

Redirect public ip


Hi, and sorry for my English. I'm from Chile.

 
My public IP is for example:

152.231.88.100 / 29

I have 5 IP available. (1 for the router)

I get 4 IP to distribute, but not for all customers.

Eth1: Internet (152.231.88.101)
Eth0: LAN (10.10.10.0)
Eth2: LAN2 (public ip distribute 4 remaining)


Any idea how to divide the 4 public IPs over eth2?

Regards and thank you.

authorize Avaya RTP ports


How can we set up the router correctly to authorize the Avaya RTP ports for VoIP (Avaya RTP)?

Port range to be authorized: 46750-50750
Protocol: UDP

Please advise.

Help with configuration with double routing in Edgemax 8 Pro


Current situation uses 2 routers, I would like to replace them both with one Edgemax 8 Pro.

 

Current configuration router 1:

 

WAN: Point-to-Point IP connection with a /30 subnet (xxx.xxx.xxx.106/30 to xxx.xxx.xxx.105)
LAN: /29 subnet of real IPs (yyy.yyy.yyy.10) (Range = yyy.yyy.yyy.8-15)

 

Current configuration router 2:


WAN: yyy.yyy.yyy.11, gateway yyy.yyy.yyy.9
LAN: 192.168.1.254/24


I configured the EdgeRouter with the load balance wizard, to have a fallback internet connection on eth1.
I configured eth0 with the IP of router 2: yyy.yyy.yyy.10

 

Is it possible to bridge eth4 and eth5, configure them with the IP of router 1 (xxx.xxx.xxx.106/30 to xxx.xxx.xxx.105), connect the fiber WAN connection to eth4, and patch eth5 to eth0?
And use a routing table or policy to route all traffic from eth0 through br0?

 

Any suggestions to route the traffic through a Point-to-Point connection in the same router?

 

I am trying a lot of different configurations, so please don't scream "Post config!" ;-)

log monitor


Hi,

 

Maybe this log is easy to read for some of you. But on my side I have this message every 20s...

 

Ubiquited kernel: [WANtoLOCAL-default-D]IN=eth0 OUT= MAC= src=MY_HOME_IP DST=255.255.255.255 LEN=140 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=47691 DPT=45657 LEN=120

 

Can someone explain if there is a problem?

 

NB: I'm using a VPN connection
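An added example (not from the post above) that decodes EdgeOS kernel firewall log lines of the form shown in the post, `[RULESET-RULE-ACTION]KEY=VALUE ...`, and counts repeating drops per source so one chatty sender every 20s can be told apart from scattered probes. The log lines are constructed (MY_HOME_IP is kept as the poster's placeholder; the other addresses are documentation ranges), and the function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the format from the post: first two lines mirror the
# poster's repeating entry, the third is a made-up unsolicited TCP probe.
SAMPLE_LOG = """\
Oct  3 10:00:00 ubnt kernel: [WANtoLOCAL-default-D]IN=eth0 OUT= MAC= SRC=MY_HOME_IP DST=255.255.255.255 LEN=140 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=47691 DPT=45657 LEN=120
Oct  3 10:00:20 ubnt kernel: [WANtoLOCAL-default-D]IN=eth0 OUT= MAC= SRC=MY_HOME_IP DST=255.255.255.255 LEN=140 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=47691 DPT=45657 LEN=120
Oct  3 10:00:31 ubnt kernel: [WANtoLOCAL-default-D]IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.9 LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=54321 PROTO=TCP SPT=44312 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
"""

TAG_RE = re.compile(r"\[(?P<tag>[^\]]+)\]\s*(?P<fields>.*)$")


def parse_firewall_line(line):
    """Split '[RULESET-RULE-ACTION]KEY=VALUE ...' into a dict, or None.

    ACTION is A (accept) or D (drop).  Valueless flags such as DF or SYN
    become True.  LEN appears twice (IP total length, then the UDP/TCP
    length), so the second copy is kept as L4_LEN instead of overwriting.
    Keys are upper-cased so a line rendered as 'src=' still parses.
    """
    m = TAG_RE.search(line)
    if not m:
        return None
    parts = m.group("tag").rsplit("-", 2)
    if len(parts) != 3:
        return None
    entry = {"ruleset": parts[0], "rule": parts[1], "action": parts[2]}
    for tok in m.group("fields").split():
        key, sep, val = tok.partition("=")
        key = key.upper()
        if not sep:
            entry[key] = True
        elif key in entry:
            entry["L4_" + key] = val
        else:
            entry[key] = val
    return entry


def describe(entry):
    """Plain-language triage notes for one logged packet."""
    notes = []
    if entry.get("DST") == "255.255.255.255":
        notes.append(f"limited broadcast arriving on {entry.get('IN')}: such packets "
                     "are never routed, so the sender is on that directly attached link")
    if entry["rule"] == "default" and entry["action"] == "D":
        notes.append(f"no rule in {entry['ruleset']} matched; dropped by default-action")
    if entry.get("PROTO") == "TCP" and entry.get("SYN") is True:
        notes.append(f"unsolicited TCP SYN to port {entry.get('DPT')} from {entry.get('SRC')}")
    return notes


def summarize(log_text):
    """Count dropped packets per (SRC, PROTO, DPT) over many lines."""
    counts = Counter()
    for line in log_text.splitlines():
        e = parse_firewall_line(line)
        if e and e["action"] == "D":
            counts[(e.get("SRC"), e.get("PROTO"), e.get("DPT"))] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(n, key)
```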
