
Re: IPSec VPN not working 1.9.0 - any tips for debugging?


BranoB wrote:

Post your entire updated config, let's review.


Here you go. Thanks again for your help with this.

 

 /* Firewall rule sets; the WAN_IN, WAN_LOCAL, WANv6_IN and WANv6_LOCAL sets are attached to pppoe0 under interfaces */
 firewall {
     all-ping enable
     broadcast-ping disable
     /* IPv6 traffic forwarded from the WAN towards the LAN; default drop with logging */
     ipv6-name WANv6_IN {
         default-action drop
         description "WAN inbound traffic forwarded to LAN"
         enable-default-log
         rule 10 {
             action accept
             description "Allow established/related sessions"
             state {
                 established enable
                 related enable
             }
         }
         rule 20 {
             action drop
             description "Drop invalid state"
             state {
                 invalid enable
             }
         }
         /* Rules 201-205 admit only the listed ICMPv6 types; any other ICMPv6 falls through to the default drop */
         rule 201 {
             action accept
             description "icmpv6 destination-unreachable"
             icmpv6 {
                 type destination-unreachable
             }
             protocol ipv6-icmp
         }
         rule 202 {
             action accept
             description "icmpv6 packet-too-big"
             icmpv6 {
                 type packet-too-big
             }
             protocol ipv6-icmp
         }
         rule 203 {
             action accept
             description "icmpv6 time-exceeded"
             icmpv6 {
                 type time-exceeded
             }
             protocol ipv6-icmp
         }
         rule 204 {
             action accept
             description "icmpv6 parameter-problem"
             icmpv6 {
                 type parameter-problem
             }
             protocol ipv6-icmp
         }
         rule 205 {
             action accept
             description "icmpv6 echo-request"
             icmpv6 {
                 type echo-request
             }
             protocol ipv6-icmp
         }
     }
     /* IPv6 traffic addressed to the router itself; default drop with logging */
     ipv6-name WANv6_LOCAL {
         default-action drop
         description "WAN inbound traffic to the router"
         enable-default-log
         rule 10 {
             action accept
             description "Allow established/related sessions"
             state {
                 established enable
                 related enable
             }
         }
         rule 20 {
             action drop
             description "Drop invalid state"
             state {
                 invalid enable
             }
         }
         /* Accepts every ICMPv6 type to the router, broader than the per-type rules used in WANv6_IN */
         rule 30 {
             action accept
             description "Allow IPv6 icmp"
             protocol ipv6-icmp
         }
         /* DHCPv6 server replies: UDP from server port 547 to client port 546, needed for the dhcpv6-pd request on pppoe0 */
         rule 40 {
             action accept
             description "allow dhcpv6"
             destination {
                 port 546
             }
             protocol udp
             source {
                 port 547
             }
         }
     }
     ipv6-receive-redirects disable
     ipv6-src-route disable
     ip-src-route disable
     log-martians enable
     /* IPv4 WAN -> LAN forwarded traffic; only return traffic of existing sessions is accepted, no port-forwards are defined */
     name WAN_IN {
         default-action drop
         description "WAN to internal"
         rule 10 {
             action accept
             description "Allow established/related"
             state {
                 established enable
                 related enable
             }
         }
         rule 20 {
             action drop
             description "Drop invalid state"
             state {
                 invalid enable
             }
         }
     }
     /* IPv4 traffic addressed to the router; default drop, so gui (80/443) and ssh (22) under service are not reachable from the WAN */
     name WAN_LOCAL {
         default-action drop
         description "WAN to router"
         rule 10 {
             action accept
             description "Allow established/related"
             state {
                 established enable
                 related enable
             }
         }
         rule 20 {
             action drop
             description "Drop invalid state"
             state {
                 invalid enable
             }
         }
         /* Rules 21-24 open the L2TP/IPsec server to any source address: IKE udp/500, L2TP udp/1701, ESP, NAT-T udp/4500; each hit is logged, which is what to watch while debugging */
         rule 21 {
             action accept
             description "Allow IKE for Remote VPN Server"
             destination {
                 port 500
             }
             log enable
             protocol udp
         }
         /* NOTE(review): udp/1701 is accepted whether or not it arrives inside the IPsec tunnel; restricting this rule to IPsec-protected traffic would tighten the exposure - confirm against the firewall rule options available in this release */
         rule 22 {
             action accept
             description "Allow L2TP for Remote VPN Server"
             destination {
                 port 1701
             }
             log enable
             protocol udp
         }
         /* protocol 50 is ESP by IP protocol number */
         rule 23 {
             action accept
             description "Allow ESP for Remote VPN Server"
             log enable
             protocol 50
         }
         rule 24 {
             action accept
             description "Allow NAT-T for Remote VPN Server"
             destination {
                 port 4500
             }
             log enable
             protocol udp
         }
     }
     options {
         /* TCP MSS clamped to 1382 on every interface; presumably sized for the 1342 L2TP mtu under vpn (1342 + 40 bytes of IP/TCP header) - confirm */
         mss-clamp {
             interface-type all
             mss 1382
         }
     }
     receive-redirects disable
     /* NOTE(review): ICMP redirects are still sent while receiving them is disabled; confirm this asymmetry is intended */
     send-redirects enable
     source-validation disable
     syn-cookies enable
 }
 /* Physical ports, the PPPoE WAN session and the LAN switch */
 interfaces {
     /* WAN uplink; the firewall attachments and IPv6 settings live on the PPPoE session (pppoe0), not on eth0 itself */
     ethernet eth0 {
         description WAN
         duplex auto
         pppoe 0 {
             default-route auto
             /* Requests a delegated prefix from the ISP and assigns prefix-id :0 of it to switch0, advertised to LAN hosts via SLAAC */
             dhcpv6-pd {
                 pd 0 {
                     interface switch0 {
                         host-address ::1
                         prefix-id :0
                         service slaac
                     }
                     /* Only a /64 is requested, and only one prefix-id is assigned from it */
                     prefix-length /64
                 }
                 rapid-commit enable
             }
             /* "in" covers traffic forwarded through the router, "local" covers traffic addressed to the router (see the rule-set descriptions under firewall) */
             firewall {
                 in {
                     ipv6-name WANv6_IN
                     name WAN_IN
                 }
                 local {
                     ipv6-name WANv6_LOCAL
                     name WAN_LOCAL
                 }
             }
             ipv6 {
                 address {
                     autoconf
                 }
                 dup-addr-detect-transmits 1
                 enable {
                 }
             }
             /* 1492 leaves room for the PPPoE header inside a 1500-byte Ethernet frame */
             mtu 1492
             name-server auto
             /* PPPoE credentials redacted by the poster */
             password xxx
             user-id xxx
         }
         speed auto
     }
     ethernet eth1 {
         description Local
         duplex auto
         speed auto
     }
     ethernet eth2 {
         duplex auto
         poe {
             output off
         }
         speed auto
     }
     ethernet eth3 {
         description Local
         duplex auto
         speed auto
     }
     /* Powers the access point over PoE (24v) */
     ethernet eth4 {
         description WLAN
         duplex auto
         poe {
             output 24v
         }
         speed auto
     }
     /* NOTE(review): eth5 has no address and is not a switch0 member, so nothing plugged in here gets LAN connectivity - verify this is intended */
     ethernet eth5 {
         description TV
         duplex auto
         speed auto
     }
     loopback lo {
     }
     /* LAN: eth1-eth4 bridged as switch0 with the router at 10.0.0.1/24; the DHCP server, DNS forwarder and UPnP under service all bind to this interface */
     switch switch0 {
         address 10.0.0.1/24
         description LAN
         mtu 1500
         switch-port {
             interface eth1 {
             }
             interface eth2 {
             }
             interface eth3 {
             }
             interface eth4 {
             }
             vlan-aware disable
         }
     }
 }
 /* Static routing: IPv6 default route out of the PPPoE session (the IPv4 default comes from default-route auto on pppoe0) */
 protocols {
     static {
         interface-route6 ::/0 {
             next-hop-interface pppoe0 {
             }
         }
     }
 }
 /* Services offered on the LAN and the outbound NAT */
 service {
     /* LAN DHCP: dynamic range .38-.200; the L2TP client-ip-pool under vpn uses .201-.220 of the same /24, which stays outside this range */
     dhcp-server {
         disabled false
         hostfile-update disable
         shared-network-name LAN {
             authoritative enable
             subnet 10.0.0.0/24 {
                 default-router 10.0.0.1
                 /* LAN clients resolve through the router's own forwarder (dns forwarding below) */
                 dns-server 10.0.0.1
                 lease 86400
                 start 10.0.0.38 {
                     stop 10.0.0.200
                 }
                 /* Fixed leases sit below the dynamic range */
                 static-mapping Lounge-TV {
                     ip-address 10.0.0.30
                     mac-address ac:9b:0a:f6:70:e7
                 }
                 static-mapping Unifi-AP {
                     ip-address 10.0.0.20
                     mac-address 44:d9:e7:f2:aa:fe
                 }
                 /* DHCP option handed to UniFi devices; the controller address here is a public (non-RFC1918) address */
                 unifi-controller 90.155.76.33
             }
         }
         use-dnsmasq disable
     }
     /* Caching DNS forwarder that answers on the LAN only; it lists no upstream of its own, so it presumably uses the system name-server entries - confirm */
     dns {
         forwarding {
             cache-size 150
             listen-on switch0
         }
     }
     /* Web UI with a custom certificate; not reachable from the WAN because WAN_LOCAL has no rule for 80/443 and defaults to drop */
     gui {
         ca-file /config/auth/ca-cert.pem
         cert-file /config/auth/cert.pem
         http-port 80
         https-port 443
         older-ciphers disable
     }
     /* Source NAT for LAN -> internet over the PPPoE session; vpn ipsec auto-firewall-nat-exclude presumably keeps tunnelled traffic out of this rule - confirm */
     nat {
         rule 5010 {
             description "masquerade for WAN"
             outbound-interface pppoe0
             type masquerade
         }
     }
     /* Key-only SSH (password login disabled); WAN_LOCAL default drop keeps it LAN-only */
     ssh {
         disable-password-authentication
         port 22
         protocol-version v2
     }
     /* NOTE(review): UPnP lets any LAN host request inbound port mappings on pppoe0 without a firewall rule; disable it if no LAN application needs it */
     upnp {
         listen-on switch0 {
             outbound-interface pppoe0
         }
     }
 }
 /* Host identity, local accounts, resolvers, time and logging */
 system {
     domain-name xxx.xxx
     host-name xxx
     login {
         user xxx {
             authentication {
                 /* NOTE(review): this SHA-512 crypt hash ($6$) was posted publicly even though the username was redacted; rotate the password and redact hashes in future posts */
                 encrypted-password $6$E9CFaCH5yhRnt47$jwmYDQYGXSx8bgGN8m2fL7VUrW6.mDP3pdVT2.We1x.m7C8dXqqkR.VEibQhwiCjAP2.r2wcZAB.QTTdi9GcH0
             }
             level admin
         }
     }
     /* Resolvers used by the router itself (IPv4 and IPv6 pairs) */
     name-server 217.169.20.20
     name-server 217.169.20.21
     name-server 2001:8b0::2020
     name-server 2001:8b0::2021
     ntp {
         server 0.uk.pool.ntp.org {
         }
         server 1.uk.pool.ntp.org {
         }
         server 2.uk.pool.ntp.org {
         }
         server 3.uk.pool.ntp.org {
         }
     }
     /* All facilities at notice, protocols at debug; the VPN daemons' messages presumably land in the protocols facility, which is where to look for the IPsec negotiation - confirm */
     syslog {
         global {
             facility all {
                 level notice
             }
             facility protocols {
                 level debug
             }
         }
     }
     time-zone Europe/London
     /* Deep packet inspection with nightly signature updates at 02:00 */
     traffic-analysis {
         dpi enable
         export enable
         signature-update {
             update-hour 2
         }
     }
 }
 /* L2TP over IPsec remote-access server terminating on the PPPoE session */
 vpn {
     /* Site-wide IPsec settings; the explicit WAN_LOCAL rules 21-24 under firewall cover the same ports the auto-exclude would */
     ipsec {
         auto-firewall-nat-exclude enable
         /* IKE/ESP terminate on pppoe0, the same interface the WAN firewall sets are attached to */
         ipsec-interfaces {
             interface pppoe0
         }
         /* Clients behind NAT are accepted from any source network; together with nat-traversal this is what makes udp/4500 (rule 24) relevant */
         nat-networks {
             allowed-network 0.0.0.0/0 {
             }
         }
         nat-traversal enable
     }
     l2tp {
         remote-access {
             /* Local user database; the credentials shown are placeholders inserted by the poster */
             authentication {
                 local-users {
                     username myUser {
                         password myPassword
                     }
                 }
                 mode local
             }
             /* Addresses handed to VPN clients: inside the LAN /24 but above the DHCP range (.38-.200). NOTE(review): if clients connect but cannot reach LAN hosts, moving the pool to a subnet outside 10.0.0.0/24 is the usual way to rule out the overlap - confirm */
             client-ip-pool {
                 start 10.0.0.201
                 stop 10.0.0.220
             }
             /* VPN clients resolve via public resolvers rather than the router's forwarder on 10.0.0.1 */
             dns-servers {
                 server-1 8.8.8.8
                 server-2 8.8.4.4
             }
             ipsec-settings {
                 /* Shared PSK for all clients; value is a placeholder inserted by the poster */
                 authentication {
                     mode pre-shared-secret
                     pre-shared-secret myPreSharedKey
                 }
                 ike-lifetime 3600
             }
             /* Tunnel MTU; presumably paired with the 1382 mss-clamp under firewall options (1342 + 40) - confirm */
             mtu 1342
             /* 0.0.0.0 presumably means "whatever address pppoe0 currently holds", needed because the PPPoE address is dynamic - confirm */
             outside-address 0.0.0.0
         }
     }
 }
