I have been trying to get an IPSec VPN to work between an ER-L and an Adtran 3448. I have a dual-WAN setup with two load-balancing groups: one that points subnet 172.168.0.0/24 to WAN 1 with WAN 2 as failover only, and one that points subnet 172.16.20.0/24 to WAN 2 with WAN 1 as failover only. The whole thing works great. Now I'm trying to set up a VPN between this router and another. I do not have a static IP on the ER-L end, but the IP never changes with the ISP. Either way it's only a temporary setup to test a deployment at a site that will have dual-WAN static IPs. So I programmed everything as if eth0 had a static IP, with the exception of the automatically generated static routes for DHCP.
The link comes up and I can ping the far end 192.168.125.0/24 ONLY with /bin/ping -I eth1, and ONLY after I manually add a static route to the table pointing 192.168.125.0/24 at interface eth0. VTI might be an option down the road if we replace all of the routers in every site with EdgeRouters and route through OSPF, but for now it has to be set up manually.
Local subnets are 172.16.0.0/24, 172.16.20.0/24
Remote subnet is 192.168.125.0/24
Here is my config:
/* EdgeOS (Vyatta-style) configuration dump, re-indented for readability. */
/* Review comments are in block comments; tokens are otherwise unchanged. */
firewall {
    all-ping enable
    broadcast-ping disable
    group {
        /* NOTE(review): 192.168.225.0/24 is not the IPsec remote prefix (192.168.125.0/24) */
        /* nor either OpenVPN subnet below — confirm which network this group is meant to name. */
        address-group VPN_NET {
            address 192.168.225.0/24
            description ""
        }
        /* Includes the IPsec remote prefix, so the modify rules below keep that traffic in table main. */
        network-group LAN_NETS {
            description ""
            network 172.16.0.0/24
            network 172.16.20.0/24
            network 192.168.125.0/24
        }
        network-group VOIP_NET {
            description ""
            network 172.16.20.0/24
        }
        /* Not referenced by any rule in this config; telnet is a plaintext management protocol. */
        port-group ROUTER_ACCESS {
            port ssh
            port https
            port telnet
        }
    }
    ipv6-name IPV6_WAN_IN {
        default-action drop
        rule 1 {
            action accept
            description "Allow established sessions"
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action accept
            description "Allow ICMPv6"
            protocol icmpv6
        }
    }
    ipv6-name IPV6_WAN_LOCAL {
        default-action drop
        rule 1 {
            action accept
            description "Allow established sessions"
            state {
                established enable
                related enable
            }
        }
        rule 10 {
            action drop
            description "Drop invalid connections"
            state {
                invalid enable
            }
        }
        rule 15 {
            action accept
            protocol icmpv6
        }
        rule 20 {
            action accept
            description "Allow dhcpv6"
            destination {
                port 546
            }
            protocol udp
            source {
                port 547
            }
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    /* Applied to eth1 in: LAN_NETS destinations (including the IPsec remote prefix) bypass load balancing. */
    modify Failover {
        rule 10 {
            action modify
            destination {
                group {
                    network-group LAN_NETS
                }
            }
            modify {
                table main
            }
        }
        rule 20 {
            action modify
            modify {
                lb-group Failover
            }
        }
    }
    /* NOTE(review): not attached to any interface in this config (eth1 vif 20 only */
    /* has VOIP_OUT on out), so 172.16.20.0/24 is not steered to WAN2 here — confirm. */
    modify Wan2Primary {
        enable-default-log
        rule 10 {
            action modify
            destination {
                group {
                    network-group LAN_NETS
                }
            }
            modify {
                table main
            }
        }
        rule 20 {
            action modify
            modify {
                lb-group Wan2Primary
            }
        }
    }
    name VOIP_OUT {
        default-action accept
        description ""
        /* NOTE(review): address-group VOIP_ALLOW is not defined in the group section above. */
        rule 1 {
            action accept
            description "Allow IP"
            destination {
                group {
                }
            }
            log disable
            protocol all
            source {
                group {
                    address-group VOIP_ALLOW
                }
            }
        }
        rule 2 {
            action drop
            description "Block VPN"
            destination {
            }
            log disable
            protocol all
            source {
                address 192.168.225.0/24
            }
        }
    }
    name WAN_IN {
        default-action drop
        description "packets from Internet to LAN & WLAN"
        enable-default-log
        rule 1 {
            action accept
            description "allow established sessions"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 2 {
            action drop
            description "drop invalid state"
            log disable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "packets from Internet to the router"
        enable-default-log
        rule 10 {
            action accept
            description "allow established session to the router"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        /* Rules 20/30 open PPTP from any source; no PPTP server is configured in this dump, */
        /* and PPTP's authentication/encryption is considered broken — likely safe to remove. */
        rule 20 {
            action accept
            description "Allow PPTP"
            destination {
                port 1723
            }
            log disable
            protocol tcp_udp
        }
        rule 30 {
            action accept
            description "Allow GRE for PPTP VPN"
            log disable
            protocol gre
        }
        rule 40 {
            action accept
            description "Allow Ping"
            log disable
            protocol icmp
            source {
                address 20.20.20.20
            }
        }
        /* No destination port: this admits all UDP from 20.20.20.20 to the router, not only SNMP (161). */
        rule 50 {
            action accept
            description "Allow SNMP"
            log disable
            protocol udp
            source {
                address 20.20.20.20
            }
        }
        /* Empty source {} means any address; IKE/L2TP/NAT-T are open to the whole Internet. */
        rule 60 {
            action accept
            description "Allow IKE"
            destination {
                port 500
            }
            log disable
            protocol udp
            source {
            }
        }
        rule 70 {
            action accept
            description "Allow L2TP"
            destination {
                port 1701
            }
            log enable
            protocol udp
            source {
            }
        }
        rule 80 {
            action accept
            description "Allow ESP"
            log disable
            protocol esp
        }
        rule 90 {
            action accept
            description "Allow NAT-T"
            destination {
                port 4500
            }
            log disable
            protocol udp
            source {
            }
        }
        rule 100 {
            action accept
            description OpenVPN
            destination {
                port 1194
            }
            log disable
            protocol udp
        }
        rule 110 {
            action drop
            description "drop invalid state"
            log enable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
        rule 111 {
            action accept
            description "OpenVPN 2"
            destination {
                port 1192
            }
            log disable
            protocol udp
        }
    }
    name vtun1_OUT {
        default-action accept
        description ""
        rule 1 {
            action accept
            description "Allow VoIP"
            log disable
            protocol all
            source {
                address 172.16.20.0/24
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    /* Reverse-path filtering is off; on a dual-WAN box this is sometimes needed, but it also */
    /* removes anti-spoofing on the WAN interfaces — confirm it is intentional. */
    source-validation disable
    syn-cookies enable
}
interfaces {
    /* DHCP-addressed, yet the IPsec peer below uses a fixed local-address (see vpn section). */
    ethernet eth0 {
        address dhcp
        description WAN
        duplex auto
        firewall {
            in {
                ipv6-name IPV6_WAN_IN
                name WAN_IN
            }
            local {
                ipv6-name IPV6_WAN_LOCAL
                name WAN_LOCAL
            }
        }
        ipv6 {
            dup-addr-detect-transmits 1
        }
        speed auto
        traffic-policy {
            out UpStream
        }
    }
    ethernet eth1 {
        address 172.16.0.1/24
        description LAN
        duplex auto
        firewall {
            in {
                modify Failover
            }
            local {
            }
        }
        speed auto
        traffic-policy {
            out Downstream
        }
        vif 20 {
            address 172.16.20.1/24
            description VOIP_VLAN
            firewall {
                out {
                    name VOIP_OUT
                }
            }
            mtu 1500
        }
    }
    /* WAN2 has no IPv6 firewall attached, unlike eth0. */
    ethernet eth2 {
        address dhcp
        description WAN2
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
        traffic-policy {
            out UpStream2
        }
    }
    loopback lo {
    }
    openvpn vtun0 {
        hash sha256
        mode server
        openvpn-option --comp-lzo
        openvpn-option "--link-mtu 1500"
        openvpn-option "--cipher AES-256-CBC"
        server {
            client client1 {
                ip 192.168.226.2
                push-route 172.16.20.0/24
                push-route 172.16.0.0/24
            }
            name-server 172.16.0.1
            subnet 192.168.226.0/24
        }
        tls {
            ca-cert-file /config/auth/openvpn/CA.crt
            cert-file /config/auth/openvpn/server.crt
            crl-file /config/auth/openvpn/CA_crl.pem
            /* NOTE(review): file name suggests 1024-bit DH parameters — confirm; 2048-bit or larger is recommended. */
            dh-file /config/auth/openvpn/dh1024.pem
            key-file /config/auth/openvpn/server.key
        }
    }
    openvpn vtun1 {
        firewall {
            out {
                name vtun1_OUT
            }
        }
        hash sha256
        local-port 1192
        mode server
        openvpn-option --comp-lzo
        openvpn-option "--link-mtu 1500"
        openvpn-option "--cipher AES-256-CBC"
        server {
            client client2 {
                ip 192.168.227.2
                push-route 192.168.125.0/24
            }
            client client3 {
                ip 192.168.227.3
            }
            name-server 172.16.0.1
            /* Full-tunnel: all client traffic is routed through this router. */
            push-route 0.0.0.0/0
            push-route 172.16.20.0/24
            subnet 192.168.227.0/24
        }
        tls {
            ca-cert-file /config/auth/openvpn/CA.crt
            cert-file /config/auth/openvpn/server.crt
            crl-file /config/auth/openvpn/CA_crl.pem
            dh-file /config/auth/openvpn/dh1024.pem
            key-file /config/auth/openvpn/server.key
        }
    }
}
load-balance {
    group Failover {
        interface eth0 {
            route-test {
                count {
                    failure 4
                    success 30
                }
                initial-delay 20
                interval 2
                type {
                    ping {
                        target 8.8.4.4
                    }
                }
            }
        }
        interface eth2 {
            failover-only
            route-test {
                count {
                    failure 4
                    success 30
                }
                initial-delay 20
                interval 2
                type {
                    ping {
                        target 8.8.4.4
                    }
                }
            }
        }
        lb-local enable
    }
    group Wan2Primary {
        interface eth0 {
            failover-only
            route-test {
                count {
                    failure 4
                    success 30
                }
                initial-delay 20
                interval 2
                type {
                    ping {
                        target 8.8.4.4
                    }
                }
            }
        }
        interface eth2 {
            route-test {
                count {
                    failure 4
                    success 30
                }
                initial-delay 5
                interval 2
                type {
                    ping {
                        target 8.8.4.4
                    }
                }
            }
        }
        lb-local disable
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface eth1
    wan-interface eth0
}
protocols {
    static {
        interface-route 0.0.0.0/0 {
            next-hop-interface eth0 {
                distance 1
            }
        }
        /* The manually added route that makes the IPsec remote subnet reachable (see post text). */
        interface-route 192.168.125.0/24 {
            next-hop-interface eth0 {
            }
        }
        /* NOTE(review): 192.168.1.254 is not in any subnet configured above — presumably an ISP gateway; confirm. */
        route 0.0.0.0/0 {
            next-hop 192.168.1.254 {
                distance 90
            }
        }
    }
}
service {
    dns {
        forwarding {
            cache-size 150
            listen-on eth1
            listen-on eth1.20
            name-server 8.8.8.8
        }
    }
    /* Plain HTTP on 80 and legacy TLS ciphers are enabled for the management GUI. */
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5000 {
            description "masquerade for WAN"
            log disable
            outbound-interface eth0
            protocol all
            type masquerade
        }
        rule 5001 {
            description "masquerade for WAN 2"
            log enable
            outbound-interface eth2
            protocol all
            type masquerade
        }
    }
    /* "public" is the well-known default community string; reachable from the WAN via WAN_LOCAL rule 50. */
    snmp {
        community public {
            authorization ro
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    /* UPnP lets LAN and VoIP-VLAN hosts open inbound ports on eth0 without firewall review. */
    upnp {
        listen-on eth1 {
            outbound-interface eth0
        }
        listen-on eth1.20 {
            outbound-interface eth0
        }
    }
}
system {
    conntrack {
        expect-table-size 4096
        hash-size 4096
        modules {
            sip {
                disable
            }
        }
        table-size 32768
        tcp {
            half-open-connections 512
            loose enable
            max-retrans 3
        }
    }
    host-name CTS
    name-server 8.8.8.8
    name-server 8.8.4.4
    name-server 2001:4860:4860::8888
    name-server 2001:4860:4860::8844
    ntp {
        server 0.ubnt.pool.ntp.org {
            noselect
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        hwnat disable
        ipsec enable
        ipv4 {
            forwarding enable
        }
        ipv6 {
            forwarding disable
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone America/New_York
    traffic-analysis {
        dpi enable
        export enable
    }
}
vpn {
    ipsec {
        auto-firewall-nat-exclude enable
        /* AES-128/SHA-1 with IKEv1 and DH group 2 (1024-bit MODP) is weak by current guidance; */
        /* prefer IKEv2, DH group 14+ and SHA-256 if the Adtran peer supports them. */
        esp-group FOO0 {
            compression disable
            lifetime 3600
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes128
                hash sha1
            }
        }
        ike-group FOO0 {
            dead-peer-detection {
                action restart
                interval 30
                timeout 120
            }
            ikev2-reauth no
            key-exchange ikev1
            lifetime 28800
            proposal 1 {
                dh-group 2
                encryption aes128
                hash sha1
            }
        }
        site-to-site {
            peer 20.20.20.1 {
                authentication {
                    id 30.30.30.1
                    mode pre-shared-secret
                    /* Secret redacted in the post. */
                    pre-shared-secret **psk**
                }
                connection-type initiate
                ike-group FOO0
                ikev2-reauth inherit
                /* Fixed address on a DHCP interface (eth0); intentional per the post, but the tunnel */
                /* will fail to match if the lease ever changes. */
                local-address 30.30.30.1
                /* Only 172.16.0.0/24 is a local prefix here; 172.16.20.0/24 (VoIP VLAN) is also */
                /* local per the post, so it needs its own tunnel entry to traverse the IPsec link. */
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group FOO0
                    local {
                        prefix 172.16.0.0/24
                    }
                    remote {
                        prefix 192.168.125.0/24
                    }
                }
            }
        }
    }
}