Author Topic: Peer Status down over IPSec VPN

rhunton

  • Member
  • ***
  • Posts: 2
Peer Status down over IPSec VPN
« on: November 12, 2014, 02:41:28 PM »
Afternoon,
I currently have two subnets I'm trying to implement WanOS over. They are 192.168.1.0/24 and 192.168.2.0/24.

I have installed VMware ESXi 5.5 on two HP MicroServers and installed a dual-port network card into each of them; they are both running 6 GB RAM.

I've assigned LAN0 one network card and WAN0 a separate network card; the management kernel is on the third network card.
This is identical on both servers.

All Standard vSwitches have the promiscuous mode set.

Every time I attempt to view Peer Status it just says down.

I did notice last night, after reading some of the forum posts, that my MTU was set wrong: WanOS was set to 1500 and the maximum my broadband supports is 1442. I am using PPPoE authentication to connect to my broadband supplier, so I have dropped this to 1400 on both routers; this should account for the additional header that PPPoE requires.

I can ping the remote networks fine. When I traceroute from a client on the network I get the following:
192.168.1.108 - My PC
192.168.1.1 - My Router
* * * *
I get 14 of these
* * * *
192.168.2.1

My next step is to bring the remote server to my house and build a test network to see if I can get the peer status up.

Is there anything obvious that I'm missing??

Cheers

Rob

ahenning

  • Team Wanos
  • Administrator
  • Full Member
  • *****
  • Posts: 629
Re: Peer Status down over IPSec VPN
« Reply #1 on: November 12, 2014, 03:58:30 PM »
Hi Rob,

ICMP is passed through untouched, but TCP traffic should trigger the peers to come online. If there is continuous traffic they will stay online. If there is no more traffic they will time out after 60 seconds, indicating that the peer might be down. The peers will be re-established before the first TCP handshake is complete.

If they are not coming online at all, then it is something else. For the peers to detect each other, TCP Option 76 is used. It happens that some firewall and NAT devices strip the TCP options. To see if the options are arriving from the remote-end subnets, we can troubleshoot this with:
tcpdump -i wan0 | grep mss
If they arrive, the peer should be up.

It is also possible that one of the appliances has lan0/wan0 swapped, in which case some 'peer detected on lan0' messages would be logged.

The MTU at 1400 could potentially create a problem depending on the interface it's configured on. Wanos will reduce the MSS to 1320 for optimized traffic to provide sufficient headroom for high-overhead VPN scenarios. It's rarely needed to adjust MTU settings.

Rule of thumb, if traffic is flowing fine before installing Wanos, then after install it should be exactly the same.

As a last resort, if the TCP options are stripped and there is no way to resolve it, the encapsulation can be set to GRE or UDP in the GUI on both ends.

Edit: You don't perhaps have any bypass rules configured?
« Last Edit: February 23, 2015, 10:09:37 PM by ahenning »
CCIE RS, CCIE SP, Mnet&sys

Note: Forum posts may be outdated. Please see the latest documentation at wanos.co/docs

rhunton

  • Member
  • ***
  • Posts: 2
Re: Peer Status down over IPSec VPN
« Reply #2 on: January 05, 2015, 04:19:07 PM »
Hello Ahenning,
I got everything working in the end, I'm glad to say.
I removed all rules, double-checked all the cabling and then accessed a file share; within a couple of seconds the peers came up.
I've done a bit of testing and so far so good. I'm beginning to think my boxes aren't quite quick enough for my 12 Mb and 18 Mb uploads, or I need to drop optimization to low and give the servers a chance to reply.

My next steps are to remove VMware and buy 2 x 120 GB SSD drives and deploy the appliance image directly onto them, giving them the following spec:
  • Processor: 1 x AMD Turion II Neo N54L / 2.2 GHz (Dual-Core)
  • 8 GB RAM
  • 120 GB SSD

Would you estimate that the above spec would be fast enough for the uploads I've quoted?

One thing I was going to ask, now that I'm almost up and running fully: is there a way to set the correct time automatically? I can use the time command to do it, but on reboot it defaults back. Ideally NTP would be a very useful option.

ahenning

  • Team Wanos
  • Administrator
  • Full Member
  • *****
  • Posts: 629
Re: Peer Status down over IPSec VPN
« Reply #3 on: January 05, 2015, 04:39:50 PM »
Hi Rob,

Setting the time in the GUI has been added in 1.5.0, which might become 2.0.0 before release. From the CLI, running 'sudo hwclock --systohc' will sync the hardware clock. This should work if Wanos is running directly on the appliance, but as a VM on ESXi it would be best to set the time on the host.

The RAM and SSD will be ample. The question will be whether the CPU is going to make it. Since it's a point-to-point link, the 2 cores will be sufficient. Compared to the D525, the peak throughput should be close to double. If both sides have SSDs, on 'high' I estimate the peak WAN throughput will be about 20 Mbps and on the LAN side max 40-50 Mbps.
CCIE RS, CCIE SP, Mnet&sys