Problem with VPN BONDING


This topic contains 1 reply, has 0 voices, and was last updated by  airgamboyz 11 years, 4 months ago.

  • #40737

    airgamboyz
    Member

    Hi!!
    First of all, congratulations for your great work. MAGNIFICO!!!

    I’m trying to link (unsuccessfully) two sites, site A and site B, with a bond of two VPNs using a Zeroshell box (beta 5) at each end.

    Each site has two ADSL routers with their respective fixed public IP addresses.

    –> ADSL_A1 w.w.w.w
    “ZEROSHELL A” !
    –> ADSL_A2 x.x.x.x

    –> ADSL_B1 y.y.y.y
    “ZEROSHELL B” !
    –> ADSL_B2 z.z.z.z

    Each Zeroshell box has two NICs. NIC_A1 and NIC_B1 are in the subnet of their respective private LANs while NIC_A2 and NIC_B2 point to respective DMZs (I want to bridge DMZ of site A with DMZ of site B, so they are configured in the same subnet):

    NIC_A1: 192.168.1.96
    NIC_A2: 10.200.12.11

    NIC_B1: 192.168.10.96
    NIC_B2: 10.200.12.13

    I also set up static routes in both Zeroshell boxes so that they send packets to the public IP address of the counterpart through the correct ADSL router.

    At this moment there’s neither NAT nor CaptivePortal between NICs. I only use the “internal” NICs for gaining access to the “Zeroshell Web Portal” when, because of configuration changes, I lose ping to the “external” NIC. (I’m doing tests with a PC located in the DMZ, and when I lose connection I go to another PC located in the private LAN.)

    The private IP addresses of the ADSL routers are in the DMZ subnet:

    ADSL_A1: 10.200.12.112 (Default gateway for DMZ Site A)
    ADSL_A2: 100.200.12.113

    ADSL_B1: 10.200.12.132 (Default gateway for DMZ site B)
    ADSL_B2: 10.200.12.133

    Everything WORKS FINE IF I ONLY USE ONE ADSL at each site with ONLY ONE VPN TUNNEL. My setup is:

    1* Make “LAN to LAN – Client Mode VPN” at Site A (connecting to UDP port 1234 of IP public address y.y.y.y) and “LAN to LAN – Server Mode VPN” at Site B listening to port 1234. (All other options are left as they come by default).
    I also made the necessary “port forwarding” in the ADSL_B1 router mapping UDP Port 1234 to internal IP 10.200.12.13 (“Zeroshell B” external NIC).

    2* I get the VPN caption in green color at Zeroshell A and B, showing they are OK.

    3* Zeroshell A and Zeroshell B: Make bridge of “External NIC” and VPN tunnel interface. Reboot each machine.

    4* After rebooting (by the way, is it correct that I need to reboot every time I change something in order to get the changes working, or am I doing something wrong? Sometimes I need to reboot two or three times.) I’m able to ping from a PC located in site A’s DMZ to another PC located in site B’s DMZ and vice versa. GREAT!!

    5* If I make the same configuration but using the ADSL_A2 and ADSL_B2 routers for the VPN tunnel, using UDP port 1235 instead of 1234, and connecting to z.z.z.z instead of y.y.y.y, it also works fine. Ergo my static routes at both Zeroshell boxes and the port forwarding rules in the ADSL_B2 router are OK. GREAT TOO!!

    ***** Now I want to try the bonding and here is when my headache starts:

    1* Starting over again from scratch, I create two VPN tunnels (just the same way as above but the two tunnels at the same time). I also create the static routes and the port forwarding rules.

    2* I get the two VPNs “LAN to LAN Client” definitions of site A connected (green captions). Both VPNs share the same X.509 certificate (created by default at definition of Zeroshell-A database). Is this correct?

    3* I get the two VPNs “LAN to LAN Server” definitions of site B connected (green captions). Both VPNs share the same X.509 certificate (created by default at definition of Zeroshell-B database). Is this correct?

    4* I make bond of both VPNs of site A. Type: “Fail tolerance and load balancing”. Primary: VPN through ADSL_A1 and ADSL_B1.

    5* At site A: I don’t assign any IP to VPN interfaces. I don’t assign any IP to “Bond interface”. Is this correct?

    6* I make bond of both VPNs of site B. Type: “Fail tolerance and load balancing”. Primary: VPN through ADSL_A1 and ADSL_B1.

    7* At site B: I don’t assign any IP to VPN interfaces. I don’t assign any IP to “Bond interface”. Is this correct?

    8*. After that, I never again get the VPN connections at either Zeroshell box showing the “Connected” status.

    9*. I’ve read in this forum that the bond caption is not yet programmed to show the status. So, thinking that perhaps the VPNs are connected although the captions are not showing it (something not programmed yet), I decide to continue.

    10*. Create bridge of “external NIC” with “Bond interface” at site A. Reboot.

    11*. Site A: Assign to the “Bridge interface” the same IP address that the “External NIC” had: 10.200.12.11. Reboot.

    12*. Create bridge of “external NIC” with “Bond interface” at site B. Reboot.

    13*. Site B: Assign to the “Bridge interface” the same IP address that the “External NIC” had: 10.200.12.13. Reboot.

    14*. Impossible to ping from DMZ computer of Site A to DMZ computer of Site B (bonding is not working).

    15*. Also, impossible to ping from the DMZ computer of Site A to the IP address of the “Zeroshell A” bridge interface. I’ve lost all connection. The Zeroshell box is now isolated!!
    (Connection was lost after creating the “bridge”. After creating the “bond”, I still had ping within the DMZ of site A.)

    16*. At site B occurs exactly the same.

    Please, has anyone been able to get this “bonding stuff” working correctly? What am I doing wrong?
    Thanks in advance for any suggestion.

    Juan Lobon
    MADRID (SPAIN)
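    Step 9 above notes that the bond caption did not show status in this version. On a Linux-based box the bonding driver writes its own report to /proc/net/bonding/<bond>, and the following added example (not from this thread or from ZeroShell) parses that report to tell which enslaved tunnel interfaces actually carry link. The interface names VPN00/VPN01 and the sample text are constructed for illustration.

```python
"""Check bond link state from a Linux bonding driver report.

Added example, not from the thread or ZeroShell. Interface names and the
sample report text below are constructed; feed the real text of
/proc/net/bonding/bond0 to bond_health() on a live box.
"""

# Constructed sample in the driver's layout; VPN00/VPN01 are assumed names for
# the two tunnel interfaces the bond is built from.
SAMPLE_BOND_STATUS = """\
Bonding Mode: load balancing (round-robin)
MII Status: up

Slave Interface: VPN00
MII Status: up
Link Failure Count: 0

Slave Interface: VPN01
MII Status: down
Link Failure Count: 3
"""


def parse_bond_status(text):
    """Return (header dict, list of per-slave dicts) from the report text."""
    header, slaves, current = {}, [], None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # blank line: no key/value pair
        key, value = key.strip(), value.strip()
        if key == "Slave Interface":  # starts a new per-slave section
            current = {"name": value}
            slaves.append(current)
        elif current is None:
            header[key] = value  # lines before the first slave describe the bond
        else:
            current[key] = value
    return header, slaves


def bond_health(text):
    """Summarise link state; 'redundant' means at least two slaves are up."""
    header, slaves = parse_bond_status(text)
    down = [s["name"] for s in slaves if s.get("MII Status") != "up"]
    return {
        "mode": header.get("Bonding Mode"),
        "bond_up": header.get("MII Status") == "up",
        "down_slaves": down,
        "redundant": len(slaves) - len(down) >= 2,
    }
```

    A bond whose header says “up” while one slave is down still passes traffic, but it has lost its fail-over path; that is the condition the GUI caption of this version would not reveal.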

    #45762

    imported_fulvio
    Participant

    Very strange, your configuration appears correct, but I am not able to reproduce the problem. Let me know if you solved it.

    Fulvio

    #45763

    airgamboyz
    Member

    Thanks for your answer Fulvio.

    Well, finally I got it working. There was a very strange hardware problem with one NIC. I changed it and everything started working.

    However, it is not perfect (I’m still on beta5. I’ll post my results here after trying with beta6). Quite often, after a restart of one box, I have to restart the same box (not the other) two or three more times in order to get it working.
    This is not an Internet-related problem because, when it occurs, I’m not able to ping the Zeroshell box even from the same LAN.

    By the way, I write my conclusions for my other questions:

    * It is not necessary to have more than one certificate at each Zeroshell box.

    * It is not necessary to assign IP configuration to the VPN tunnels before making the bond.

    * It is not necessary to assign IP configuration to the bond before making the bridge.

    Kind regards.

    Juan Lobon
    MADRID (SPAIN)
