
Edgerouter x vpn tunnel not going up

I have a client setup with multiple Edgerouters in an IPsec Site to Site configuration. I've set up a Policy based IPsec site to site configuration using this guide here. However, sometimes they just refuse to connect, with no real reason as to why. Edgerouters use StrongSwan for their VPN, so some of its troubleshooting information should be useful to us. Below are some troubleshooting steps I go through whenever an issue pops up.

Reboot Often!

For some strange reason, rebooting both sides sometimes can easily fix the issue. Also, rebooting often after configuration changes is a good idea, as the commands to restart the VPNs seem either to not work or to take a long time. I can't tell you how many times I've sat and waited for a tunnel to come up after a config change, only to give up and reboot for it to magically work.

Check open ports

Even though you have the open ports box ticked, it is a good idea to check if the ports are open for IPsec. They are UDP 5(these might just be for l2tp). You will also want to allow any ESP traffic through the firewall. You can test this with the nmap command "nmap $IP_OR_FQDN -Pn -sU -p $port", changing the variables to suit your setup. If they are not open, make sure to add those rules manually.

There are a few ways to check the config on the Edgerouter devices. One is through the GUI in the vpn – ipsec site to site tab. I recommend this first, but it does not tell you everything. You want to go to the config tree and check the contents of the ipsec tab. You can also manually delete it from the config and reconfigure it again.

There are some CLI commands that are useful for checking the configuration too. They are:

See the IPsec Site to Site routing policy: show vpn ipsec policy

Sometimes removing the VPN from the config tree, rebooting, then setting up the VPN again gets it to connect again. However, the issue causing it is not fixed. Downloading the backup file and looking at the config.boot is also very helpful. Check the logs section and the Other things section for some hints on what could be causing it.

A security setting you should change that won't affect performance too much is the DH group: change it to 16. This makes the key size 4096 bits vs 2048 bits. If your connection is not too high speed, change the encryption to AES-256 as it's a bit harder to hack.

See HERE and for throughput expectations.

Firmware 2.x and above, you need to login to the CLI and run the below commands configure
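The DH group 16 and AES-256 advice can be checked offline against a downloaded config.boot. The Python script below is an added example, not code from the original post: the sample configuration and the group name FOO0 are constructed, and the function name audit_ipsec is hypothetical.

```python
# Constructed sample of the "vpn" section of an EdgeOS config.boot (not from the post).
SAMPLE_CONFIG = """\
vpn {
    ipsec {
        esp-group FOO0 {
            proposal 1 {
                encryption aes128
                hash sha1
            }
        }
        ike-group FOO0 {
            proposal 1 {
                dh-group 14
                encryption aes256
                hash sha1
            }
            proposal 2 {
                dh-group 16
                encryption aes256
                hash sha256
            }
        }
    }
}
"""

def audit_ipsec(config_text, want_dh="16", want_enc="aes256"):
    """Return (location, finding) for each IKE/ESP proposal that differs from the post's advice."""
    findings, stack = [], []          # stack holds the names of the open { } blocks
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.endswith("{"):
            stack.append(line[:-1].strip())
        elif line == "}":
            if stack:
                stack.pop()
        elif (line and len(stack) >= 2 and stack[-1].startswith("proposal ")
              and stack[-2].split()[0] in ("ike-group", "esp-group")):
            key, _, value = line.partition(" ")
            where = " / ".join(stack[-2:])
            if key == "dh-group" and value != want_dh:
                findings.append((where, f"dh-group {value} (post recommends {want_dh})"))
            elif key == "encryption" and value != want_enc:
                findings.append((where, f"encryption {value} (post recommends {want_enc})"))
    return findings

if __name__ == "__main__":
    for where, finding in audit_ipsec(SAMPLE_CONFIG):
        print(f"{where}: {finding}")
```

Both ends of a site to site tunnel need a matching proposal, so run the check on the config.boot from each router before changing either side.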














