How to set edge and core?

[whiskeyjack]

Hi all,

We have a two sites connected by an IPSec VPN tunnel. I have enabled the UDP encapsulation on both sides as I am not sure if the Palo Alto and pfSense allow IPComp so I am assuming they don't.

Both sides are running 1.3.4 and one site is a VM and they other an appliance.

I don't see how to set them as Core and Edge as it was before in the GUI. We don't see the peer in the "peer status" tab and no optimization although traffic is flowing between the devices.

How do we set this so they can "see" each other?

Kind regards,

[ahenning]

Hi,

Edge/Core has been replaced with Compression & Deduplication Optimization levels to be configurable for speed or best reduction rates.

The UDPEncap is not ideal since it introduces additional overhead, but should still work. pfSense is normally fine with the proto 108 and TCP Option 76, but not sure whether the Palo Alto needs additional config. The UDPEncap will only 'kick-in' once the peers detect each other.

Hence getting them to peer would be the first step. Is it possible that the lan0/wan0 is reversed on either end? When UDPEncap is enabled the 'peer detected on lan0' messages are not triggered. If the cabling is correct and no bypass rules are in place, the only other reason they would not peer is if there is no TCP traffic flowing across the vpn to trigger the peering or if either firewall is dropping UDP dst port 4050 traffic. The debug log can be viewed to see if they perhaps did peer but timed out recently. Also the VERBOSE=true will enable a few more debug logs related to peering.

And if one side is another Expand 4930 remember to set jumper JP3

[whiskeyjack]

Hi Antonie,

The jumper is set,  I just noticed the time on my box is severely skewed (set to Jan 2003!) which is probably also contributing to things not behaving correctly. I am going to rebuild it and try again - I have disabled UDPEncap and will try with default settings in the morning.

I notice verbose debug options in /etc/wanos/wanos.conf is reset after a reboot or service reset - is this normal?

[ahenning]

Yes, it is normal for /etc/ but /tce/etc/ should persist during reboots and service resets. Time should not affect optimization though.

Its perhaps a good idea to bump the RAM to 2GB since it might start to complain when the datastore is full. I have about 20x 4930's locally if you ever need quick low cost appliances. Else the Wanos-200 is also a good choice.

[whiskeyjack]

Hi Antonie,

Do I need to enable multisite in this scenario?

I see the peers connect and time out periodically and we will do some proper testing with traffic over the VPN to see if they peer properly.

[ahenning]

If just the two sites, then no need to enabled additional multisite configs. The default rule basically says all traffic will be from the single peer.

Additional MulitSite subnets only become necessary when there are three or more wanos devices.

The timeout is ok if it is due to a lack of traffic on the network. The detection is very quick, basically before the TCP session between the two end systems is established.

[whiskeyjack]

Hi,

Not all the traffic from both sites is going over the VPN, its a test VPN for Wanos. I have upgraded both sides to 1.4.1 and we are still not seeing the sites "up" in the peer status tab.

We have tried copying some files across and have not seen much optimization - the debug logs show them going active and idle but there is no timestamp to see when this happens.

I am sure this should work as a test scenario - or will it perform better if the devices see all the traffic?

We are just verifying if the palo alto does allow the proto 108 and TCP Option 76 through.

[ahenning]

Edit: peer time out can be set in the UI.