Hi, I have a 'fun' question. I have been banging my head against this problem for the last few days, and now I realize I really need to ask the forum for a brief pointer.
- I have a client site with 2 x ERLite units that were deployed approx. 6 months ago, with the then-current 1.8 firmware. They were updated to 1.8.5 a few months back and were running fine.
- At time of deployment, I set up, with relative ease and joy, a straightforward site-to-site IPsec VPN using the built-in web GUI. Each site has a Dyn-based dynamic DNS public WAN IP address. The ERLite is doing the Dyn updates and this all seems fine.
- Last week it stopped working. It might have been due to someone changing the Dyn password behind my back and breaking DynDNS, but I believe the actual IPs change very infrequently (if ever?), so I'm not 100% sure that is related. Regardless, I changed the Dyn admin IP back to what it was before, so that the Dyn updater client would 'start working again' with the config already in place on my 2 x ERLite units.
- So: DynDNS is fine. But now the site-to-site VPN tunnel was just not working.
- I did a firmware update to the latest (1.9.x) two nights ago since I like to keep things current, and hoped that a reboot of the ERLite units would maybe help kick a clean start on the VPN tunnels and things might start working again. No joy.
- Current status: I have removed and replaced the IPsec config a few times, and manually scrubbed the config via CLI to be relatively confident it is gone. At one point I tried throwing on a site-to-site config with OpenVPN and had issues with that as well.
- So I'm back to ... trying to just get IPsec operating.
- And I wonder if people can tell me where, for example, I can see *errors* logged? I have been using a mix of commands I found in forum posts, such as:
ONCE I GOT:

    root@office-firewall:/var/log# show vpn ipsec sa
    peer-CLIENTSITE.dnsalias.org-tunnel-1: #6, CONNECTING, IKEv1, cc50ef50defb8a23:8e38fd7e6929218c
      local  '%any' @ 24.202.251.14
      remote '%any' @ 24.202.249.150
      AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
      queued: QUICK_MODE
      active: ISAKMP_VENDOR MAIN_MODE ISAKMP_NATD
    root@office-firewall:/var/log#

but more typically this command shows me NOTHING.

and also, for example:

    root@office-firewall:/var/log# show vpn debug peer @CLIENTSITENAME.dnsalias.org
    VPN ipsec not configured

or `show vpn log` gives me tons of stuff such as:

    .....
    Dec 13 07:40:34 13[IKE] <peer-CLIENTSITENAME.dnsalias.org-tunnel-1|4> initiating Main Mode IKE_SA peer-CLIENTSITENAME.dnsalias.org-tunnel-1[4] to 24.202.249.150
    Dec 13 07:42:57 08[IKE] <5> 24.202.249.150 is initiating a Main Mode IKE_SA
    Dec 13 07:43:20 09[KNL] creating acquire job for policy 192.168.10.58/32[udp/56069] === 10.10.96.31/32[udp/snmp] with reqid {1}
    Dec 13 07:43:20 10[IKE] <peer-CLIENTSITENAME.dnsalias.org-tunnel-1|6> initiating Main Mode IKE_SA peer-CLIENTSITENAME.dnsalias.org-tunnel-1[6] to 24.202.249.150
    root@office-firewall:/var/log#

OR

    systems@brewery:~$ show vpn ipsec status
    IPSec Process Running PID: 17482
    0 Active IPsec Tunnels
    IPsec Interfaces :
    systems@brewery:~$
So, it looks like the VPN is trying to initiate, but failing.

From forum post hints this morning, I found one thing that suggested I change, at both sites via CLI, from INITIATE to RESPOND, i.e.,

    set vpn ipsec site-to-site peer CLIENTSITENAME.dnsalias.org connection-type respond

which I've done. And this appears to have changed nothing.
So, at the end of the day I guess I'm wondering:
- Has anyone else seen this, where a good solid site-to-site VPN setup has stopped working, and refuses to start working?
- Any hints on where to see error messages in more detail?
- Any hints on maybe known issues with more recent (1.8.5 and 1.9) firmware, where things used to work better on 1.8.0? (Although strictly speaking, for me 1.8.5 was perfectly solid for months...)
Sigh. I'm just really frustrated, banging my head against this for hours and getting nowhere.
Thanks for any help or pointers.
Tim Chipman
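The `show vpn log` lines quoted in the post are strongSwan's charon log format (`<thread>[<subsystem>] <connection|ike-sa-id> message`). The question of whether a tunnel is "trying to initiate, but failing" can be answered from those lines alone: repeated `initiating Main Mode IKE_SA` entries followed by retransmits and no `established` entry mean the peer never answers, whereas an error notify such as `NO_PROPOSAL_CHOSEN` means it answered and rejected the proposal. The script below is an added example, not part of Tim's post and not an EdgeOS or strongSwan tool: it parses log lines of that shape and gives a per-connection verdict. The sample lines are constructed, modelled on the post's output, with placeholder hostnames and addresses; the `retransmit`, `giving up after N retransmits`, `established between` and notify-error strings are standard strongSwan messages assumed here rather than taken from the post.

```python
"""Summarise strongSwan (charon) IKE log lines, as printed by EdgeOS `show vpn log`,
into a per-connection verdict: established, rejected, no_response, or stuck.

Added example, not part of the original forum post. SAMPLE_LOG is constructed,
modelled on the lines quoted in the post; names and addresses are placeholders.
"""
import re
from collections import defaultdict

# "Dec 13 07:40:34 13[IKE] <peer-NAME-tunnel-1|4> message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<thread>\d+)\[(?P<subsys>[A-Z]+)\] "
    r"(?:<(?P<ctx>[^>]*)> )?"
    r"(?P<msg>.*)$"
)

# Message classes, tested in order; first match wins. Strings are the
# standard strongSwan wording (assumed, not quoted from the post).
CLASSES = [
    ("established", re.compile(r"IKE_SA .* established between")),
    ("local_initiate", re.compile(r"^initiating Main Mode IKE_SA")),
    ("remote_initiate", re.compile(r"is initiating a Main Mode IKE_SA")),
    ("retransmit", re.compile(r"retransmit \d+ of request")),
    ("gave_up", re.compile(r"giving up after \d+ retransmits")),
    ("error", re.compile(r"NO_PROPOSAL_CHOSEN|AUTHENTICATION_FAILED|"
                         r"INVALID_ID_INFORMATION|received .* error notify")),
    ("acquire", re.compile(r"creating acquire job")),
]

SAMPLE_LOG = [  # constructed sample, modelled on the post
    "Dec 13 07:40:34 13[IKE] <peer-CLIENTSITE.example.org-tunnel-1|4> initiating Main Mode IKE_SA peer-CLIENTSITE.example.org-tunnel-1[4] to 203.0.113.20",
    "Dec 13 07:40:38 13[IKE] <peer-CLIENTSITE.example.org-tunnel-1|4> retransmit 1 of request with message ID 0",
    "Dec 13 07:40:45 14[IKE] <peer-CLIENTSITE.example.org-tunnel-1|4> retransmit 2 of request with message ID 0",
    "Dec 13 07:42:57 08[IKE] <5> 203.0.113.20 is initiating a Main Mode IKE_SA",
    "Dec 13 07:43:20 09[KNL] creating acquire job for policy 192.168.10.58/32[udp/56069] === 10.10.96.31/32[udp/snmp] with reqid {1}",
    "Dec 13 07:43:20 10[IKE] <peer-CLIENTSITE.example.org-tunnel-1|6> initiating Main Mode IKE_SA peer-CLIENTSITE.example.org-tunnel-1[6] to 203.0.113.20",
    "Dec 13 07:44:30 11[IKE] <peer-CLIENTSITE.example.org-tunnel-1|4> giving up after 5 retransmits",
]


def parse_line(line):
    """Return (timestamp, subsystem, connection_or_None, class, message), or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ctx = m.group("ctx")
    # "<peer-X-tunnel-1|4>" is bound to a connection; "<5>" is an IKE_SA with no
    # connection yet (typically the responder side of an incoming request).
    conn = ctx.split("|")[0] if ctx and "|" in ctx else None
    msg = m.group("msg")
    cls = next((name for name, rx in CLASSES if rx.search(msg)), "other")
    return (m.group("ts"), m.group("subsys"), conn, cls, msg)


def summarise(lines):
    """Count message classes per connection and attach a verdict.

    Lines without a connection context (responder-side "<5>" entries and KNL
    acquire jobs) are filed under "(global)".
    """
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:
            _, _, conn, cls, _ = parsed
            counts[conn or "(global)"][cls] += 1
    result = {}
    for conn, c in counts.items():
        attempts = c["local_initiate"]
        if conn == "(global)":
            verdict = "n/a"
        elif c["established"] > 0:
            verdict = "established"
        elif c["error"] > 0:
            verdict = "rejected"            # peer answered with an error notify
        elif c["gave_up"] > 0 or (attempts > 0 and c["retransmit"] > 0):
            verdict = "no_response"         # we send, nothing comes back: check that
                                            # UDP 500/4500 reach the peer and that the
                                            # DDNS name still resolves to its WAN address
        elif attempts > 0:
            verdict = "stuck_in_main_mode"  # initiations but no reply and no error seen
        else:
            verdict = "idle"
        result[conn] = dict(c, verdict=verdict)
    return result


if __name__ == "__main__":
    for conn, summary in summarise(SAMPLE_LOG).items():
        print(conn, summary["verdict"], dict(summary))
```

Feed it the real output (`show vpn log | cat > /tmp/vpn.log` on the router, then run the script over that file) and look first at the verdict: `no_response` with the remote also showing up as `is initiating` means both sides send but neither sees the other's replies, which points at the path between the WAN addresses rather than at the IPsec proposal.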