
Site to Site IPSec issues between different versions

Greetings,

We have quite a few VPNs up and running successfully between different customers across a private wireless network on EdgeRouters and cross-platform. The issue we are running into now is between two EdgeRouters.

* Existing working site to site IPSec VPN between a core router and a remote site.

* Both routers are EdgeRouter Lite running v1.7.

* The configuration is to encapsulate all traffic across the VPN (remote prefix 0.0.0.0/0)

* Since all traffic is passed across the VPN, there is no NAT configured at all.

* DHCP relay is configured to forward local DHCP requests to a server across the VPN


We added the configuration into the core router for a VPN from a new second remote site and basically copied the exact configuration (changing IPs, etc.) into the new remote router.  The new router was running v1.8.0.  The second VPN is ESP and IKE group FOO1 on both the core and new remote router.  As soon as the VPN comes up:

* Local workstations at the new remote site can no longer ping that router's LAN interface

* The router can no longer ping anything on the local LAN

* For testing, we temporarily deleted the VPN configuration from the remote router, and the router can ping the local LAN and vice versa.

With the VPN up and running,

* show vpn ipsec sa shows no inbound packets

* A workstation on the local LAN cannot ping anything across the VPN

* A local workstation successfully gets a DHCP address from across the VPN, although no other traffic passes.

* Upgrading to v1.8.5 results in the same issues

* Downgrading to v1.7, all traffic successfully passes through the VPN, except that DHCP relay no longer works.

* All firewall configuration was removed with no change.


Did something change with IPSec VPN between v1.7 and v1.8 so that we need to change the configurations?  Following is the configuration of the remote site:


firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        duplex auto
        speed auto
        vif 52 {
            address 10.253.12.53/31
            description wxsaruba
            mtu 1500
        }
    }
    ethernet eth1 {
        duplex auto
        speed auto
    }
    ethernet eth2 {
        duplex auto
        speed auto
        vif 520 {
            address 172.16.220.1/25
            description saba-data
        }
        vif 521 {
            address 172.16.220.129/25
            description saba-voice
        }
    }
    loopback lo {
    }
}
protocols {
    static {
        route 0.0.0.0/0 {
            next-hop 10.253.12.52 {
                distance 1
            }
        }
    }
}
service {
    dhcp-relay {
        interface eth2.520
        interface eth2.521
        interface eth0.52
        server 172.16.21.5
        server 172.16.21.6
    }
    gui {
        https-port 443
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    domain-name wxsaruba.net
    host-name uber3-saba-playa
    login {
        user XXXXXXXX {
        }
    }
    name-server 186.148.216.14
    ntp {
        server 186.148.218.1 {
        }
    }
    offload {
        ipsec enable
        ipv4 {
            forwarding enable
        }
        ipv6 {
            forwarding disable
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone America/La_Paz
}
vpn {
    ipsec {
        esp-group FOO1 {
            compression disable
            lifetime 3600
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes128
                hash sha1
            }
        }
        ike-group FOO1 {
            dead-peer-detection {
                action restart
                interval 15
                timeout 120
            }
            ikev2-reauth no
            key-exchange ikev1
            lifetime 28800
            proposal 1 {
                dh-group 14
                encryption aes128
                hash sha1
            }
        }
        ipsec-interfaces {
            interface eth0.52
        }
        site-to-site {
            peer 10.253.52.33 {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                connection-type initiate
                ike-group FOO1
                ikev2-reauth inherit
                local-address 10.253.12.53
                tunnel 1 {
                    esp-group FOO1
                    local {
                        prefix 172.16.220.0/24
                    }
                    remote {
                        prefix 0.0.0.0/0
                    }
                }
            }
        }
    }
}
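One check worth running on a configuration like the one posted, added here as an example and not part of the original post or of EdgeOS: parse the brace-delimited config and flag any locally attached prefix that lies inside a tunnel's remote selector while also overlapping its local selector. With a remote prefix of 0.0.0.0/0 both conditions hold for the router's own LAN subnets, so its replies to LAN hosts are candidates for the IPsec policy rather than plain local delivery. That this is what produces the "router cannot ping its own LAN" symptom above is an assumption the example makes, not a confirmed diagnosis. The sample configuration is constructed from the posted one, trimmed to the parts the check needs, and the function names are this example's own.

```python
"""Flag IPsec traffic selectors that swallow the router's own LAN prefixes.

Added example for this thread; not EdgeOS code and not the poster's tooling.
It parses the brace-delimited EdgeOS/Vyatta config format and reports locally
attached prefixes that a site-to-site tunnel's outbound policy would match.
"""
import ipaddress

# Constructed sample, trimmed from the configuration in the post above.
SAMPLE_CONFIG = """
interfaces {
    ethernet eth0 {
        vif 52 {
            address 10.253.12.53/31
        }
    }
    ethernet eth2 {
        vif 520 {
            address 172.16.220.1/25
        }
        vif 521 {
            address 172.16.220.129/25
        }
    }
}
vpn {
    ipsec {
        site-to-site {
            peer 10.253.52.33 {
                local-address 10.253.12.53
                tunnel 1 {
                    local {
                        prefix 172.16.220.0/24
                    }
                    remote {
                        prefix 0.0.0.0/0
                    }
                }
            }
        }
    }
}
"""


def parse_edgeos(text):
    """Parse EdgeOS 'show configuration' output into nested dicts.

    Block headers ("ethernet eth0 {") become dict keys; leaves ("address x")
    become lists of values because many leaves (interface, server) repeat.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced braces in configuration")
            stack.pop()
        elif line.endswith("{"):
            child = stack[-1].setdefault(line[:-1].strip(), {})
            stack.append(child)
        else:
            key, _, value = line.partition(" ")
            stack[-1].setdefault(key, []).append(value)
    if len(stack) != 1:
        raise ValueError("unbalanced braces in configuration")
    return root


def attached_prefixes(cfg):
    """Collect the networks of every 'address a.b.c.d/n' under interfaces."""
    nets = []

    def walk(node):
        for key, val in node.items():
            if isinstance(val, dict):
                walk(val)
            elif key == "address":
                for addr in val:
                    try:
                        nets.append(ipaddress.ip_interface(addr).network)
                    except ValueError:
                        pass  # keywords such as 'dhcp' are not prefixes

    walk(cfg.get("interfaces", {}))
    return nets


def tunnel_selectors(cfg):
    """Yield (peer, tunnel_id, local_net, remote_net) per site-to-site tunnel."""
    s2s = cfg.get("vpn", {}).get("ipsec", {}).get("site-to-site", {})
    for peer_key, peer in s2s.items():
        if not peer_key.startswith("peer "):
            continue
        for tun_key, tun in peer.items():
            if not (tun_key.startswith("tunnel ") and isinstance(tun, dict)):
                continue
            local = ipaddress.ip_network(tun["local"]["prefix"][0])
            remote = ipaddress.ip_network(tun["remote"]["prefix"][0])
            yield peer_key.split()[1], tun_key.split()[1], local, remote


def find_selector_overlaps(cfg):
    """Return findings for attached prefixes a tunnel policy would match.

    The outbound policy catches a packet whose source is in the local
    selector and whose destination is in the remote selector.  A directly
    attached prefix that satisfies both (0.0.0.0/0 guarantees this for any
    LAN inside the local selector) means the router's own replies to LAN
    hosts are candidates for encapsulation instead of local delivery.
    """
    findings = []
    nets = attached_prefixes(cfg)
    for peer, tun, local, remote in tunnel_selectors(cfg):
        for net in nets:
            if not (net.version == remote.version == local.version):
                continue
            if net.subnet_of(remote) and net.overlaps(local):
                findings.append({"peer": peer, "tunnel": tun, "attached": str(net),
                                 "local": str(local), "remote": str(remote)})
    return findings


if __name__ == "__main__":
    for f in find_selector_overlaps(parse_edgeos(SAMPLE_CONFIG)):
        print("peer {peer} tunnel {tunnel}: attached {attached} lies inside "
              "remote {remote} and overlaps local {local}".format(**f))
```

On the sample the transit prefix 10.253.12.52/31 is inside 0.0.0.0/0 but outside the local selector, so it is not reported; both LAN /25s are. Narrowing the remote selector to the far-side prefixes the site actually needs clears the findings, at the cost of no longer carrying all traffic over the tunnel.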

