Site to Site VPN using Layer-3 switch issues

Retinaquester2
Posts: 11
Joined: Sun Jun 03, 2018 11:53 am

Site to Site VPN using Layer-3 switch issues

Post by Retinaquester2 » Sun Jun 03, 2018 12:12 pm

Recently I installed SoftEther VPN to connect two sites.

I am trying to get 2 LANs with different IP ranges to play nicely together,
if possible only with switching. My SIP hard-phone, for example, doesn't support VPN,
so I need to provide a bridge, and other solutions have failed because NAT
causes audio to stop (unhandy with a phone).
If there are no obvious mistakes, please give me some pointers where to look/start troubleshooting.

Setup is for 3 sites (but for this I will connect only one; the other is just repeating the steps).

Overview
Headquarters: SoftEther VPN Server.
System: Windows 2012 Server installed on VMware ESXi 5.5 with promiscuous mode enabled.
Network ip Range: 192.168.2.0/24 Subnet: 255.255.255.0
Server IP: 192.168.2.3

VPN-Home-Site: SoftEther Bridge.
System: Windows 10 64Bit
Network: ip Range: 192.168.1.0/24 Subnet: 255.255.255.0
IP: 192.168.1.94

I worked through the basic setup and used 10.6_Build_a_LAN-to-LAN_VPN_(Using_L3_IP_Routing)
as manual, to apply the setup to our sites.

Server setup:
Created port forwards to it.
Created 2 Virtual Hubs: VPN-Headquartes-Site and VPN-Home-Site.
Created Local-Bridge (VPN-Headquarters-Site to 192.168.2.0/24 LAN).

Setup Layer-3-Switch:
2 Virtual Devices.
192.168.2.29 Connected to the VPN-HeadQuartes Hub
192.168.1.254 Connected to the VPN-Home-Site Hub

Created Static route (on the server only, because the headquarters router has no Static route options)
Route add 192.168.1.0 MASK 255.255.255.0 192.168.2.29

Setup: Client:
Created Virtual HUB (BRIDGE) and Bridged it to 192.168.1.0/24 LAN
Cascade the HUB (BRIDGE) to the HQserver and connection is ONLINE (established).
Created Static route in the router:
route 192.168.2.0
subnet 255.255.225.0
Gateway 192.168.1.254

So what works...
- Connection with SoftEther Client (not bridge) to the Headquarters works fine.
Access to the whole network, but only for a single PC.
(So port forwards look OK.)
- I tried to cascade my home network directly on the VPN-Headquarters HUB, creating a Layer-2 connection.
This also worked great. It resulted in a packet-flood warning because the two DHCPs started to issue IPs
on either site (RTFM). So after some packet filtering was applied I could for the first time use a SIP
phone to connect from home to the office PBX. (SIP phones hate NAT.)
- I could at home also put a PC on the IP range of the office and access the headquarters LAN.

But the Layer-3 switch is a problem. I can not ping any PC (not even the server) via the VPN.
I can however, from home, reach the Layer-3 switch virtual device (so ping 192.168.1.254 works).
When I tracert from home (192.168.1.0/24) to the server IP 192.168.2.3 I see the first hop router,
the next hop being the switch 192.168.1.254, and then no next hop.
Server side same story: tracert stops at the Layer-3 switch.
The switch is enabled, and I restarted the Windows 2012 virtual machine several times to be sure.

Ideas? Or things I can test to see where the problem is?
If logs are needed I can add those too. Thanks.

Attachments:
Layer-3.png (Layer-3 switch settings)
LAN-topology.jpg (LAN topology)

Retinaquester2
Posts: 11
Joined: Sun Jun 03, 2018 11:53 am

Re: Site to Site VPN using Layer-3 switch issues

Post by Retinaquester2 » Tue Jun 05, 2018 11:07 am

Hello, again.

I noticed many people checked this topic, but it's a lot of text.
I have looked into the logs and found some relevant info.
Be aware that time-wise the virtual Server HQ did not exactly match the client,
so there are some time differences in the logs.

Please check the attached log.

Can someone shed some light on this?
Why is all the IP data stripped/missing?
ClientIP=0.0.0.0 YourIP=0.0.0.0 ServerIP=0.0.0.0 RelayIP=0.0.0.0,-

It seems that the packets come through. However, the client VPN computers
try to request an IP address from a DHCP server, and that is not the idea.
I would like to L3-switch the network.
The last 2 entries server-side are about the L3 switch. As you can see it's operational,
but it seems to be handling DNS query packets only, and it's handling them awkwardly.
It's sending data to 192.168.1.254, which is the virtual device for my home-site network...

Please speak your thoughts as well.
If you have an idea where to start I am grateful too.

Anyone? Thanks

Attachments:
Packet-Log.txt

brad9785
Posts: 2
Joined: Thu Jun 07, 2018 2:25 am

Re: Site to Site VPN using Layer-3 switch issues

Post by brad9785 » Thu Jun 07, 2018 2:30 am

I think this is something I'm trying to do as well, except I have a VPS because I'm behind a strict NAT and can't get a public IP.

qupfer
Posts: 200
Joined: Wed Jul 10, 2013 2:07 pm

Re: Site to Site VPN using Layer-3 switch issues

Post by qupfer » Thu Jun 07, 2018 6:06 am

Retinaquester2 wrote:

> Why is all the IP data stripped/missing?
> ClientIP=0.0.0.0 YourIP=0.0.0.0 ServerIP=0.0.0.0 RelayIP=0.0.0.0,-
It's not stripped/missing. It's just a DHCP request; there is no assigned IP yet, so it's broadcast.

I would think you just miss the routing entries in your local gateways, so your clients do not know that the other networks are "behind" the corresponding virtual device on the server side.
Please verify you took care of the part "10.6.7 LAN-to-LAN VPN Connection", because your packet log shows only broadcast packets and SoftEther-related DNS queries.

Retinaquester2
Posts: 11
Joined: Sun Jun 03, 2018 11:53 am

Re: Site to Site VPN using Layer-3 switch issues

Post by Retinaquester2 » Fri Jun 08, 2018 7:36 am

Thanks for reaching out,

I have looked at the same section, again and again.
You put the finger on the sore spot. That is the only part of the
manual that I can not apply to the letter.

Our HQ office has a router without a static route option.
(I never knew that existed, and they call it a business router,
with no option of bridging. So replacing the router doesn't work.)

So I put the routes in the VPN server myself, and I am no expert on routing.

(Server itself sits in the 192.168.2.0/24)
Route add 192.168.1.0 Mask 255.255.255.0 192.168.2.29 <-- Home-Site
Route add 192.168.0.0 Mask 255.255.255.0 192.168.2.29 <-- Branch-Office

Both routers (Home and Branch-Office) do support static routing,
so the routes have been put in there.

See screenshot: what happens from Home-Site when I run a tracert:
I can reach all the virtual devices in the L3 switch,
but nothing beyond the switch.

At this point, every PC in all networks can access all 3 L3 virtual devices.
Why not talk to each other then? It feels so close :-)

Attachments:
Untitled.png

Retinaquester2
Posts: 11
Joined: Sun Jun 03, 2018 11:53 am

Re: Site to Site VPN using Layer-3 switch issues

Post by Retinaquester2 » Sat Jun 09, 2018 10:09 pm

Hi again,

I got it working!!!... Well, partially.
The culprit was the firewall of the Windows 2012 Server.
I assumed that the firewall only acted like a perimeter defence, and once
data is on the LAN the firewall would not intervene. Yet it did. So after I cleared
192.168.0.1/24 and 192.168.0.0/24, packets started flowing.

So from Home-Site I can reach every device on HQ with static routes set.
Strangely enough, the other way around, from HQ I can only get to the router.
I have now cleared both the firewall on the router and on the VPN bridge, but no dice yet.

Oh, and there is a mistake in an image on the
A._Examples_of_Building_VPN_Networks/10.6_Build_a_LAN-to-LAN_VPN_(Using_L3_IP_Routing) page.
See attached image.

Attachments:
10-6-1.png

Retinaquester2
Posts: 11
Joined: Sun Jun 03, 2018 11:53 am

Re: Site to Site VPN using Layer-3 switch issues

Post by Retinaquester2 » Thu Jun 21, 2018 7:56 pm

Hello Again :-)

By now I have been working with this great tool for a while
and I am looking for a permanent low-power way to connect to my HQ.

The options are:
Synology NAS
Raspberry Pi
Synology Router

The Synology NAS has been tried by others. However, it's very technical to do
(needs to compile from source etc.).
That leaves the Raspberry Pi: very well documented and available binaries.

However, the Synology Router is basically the designated device for this.
Installing SE VPN server/bridge on it probably poses the same problems as
the NAS. However, it has a built-in package for site-to-site LAN with IPsec.

So I tried/guessed the settings, and it does connect to the server,
but the router never states connected. Has anybody had success with this,
or knows what settings have the best chances of success? See screenshots.

Home Network 192.168.1.0/24
HQ Network 192.168.2.0/24

(Look for my LAN topology in the first post.)

Attachments:
Screen-21.jpg
Screen-11.jpg

centeredki69
Posts: 14
Joined: Wed Sep 18, 2013 1:49 pm

Re: Site to Site VPN using Layer-3 switch issues

Post by centeredki69 » Thu Jun 21, 2018 9:03 pm

Did you ever get your originally posted issue to work? All 3 locations communicating with each other?

Retinaquester2
Posts: 11
Joined: Sun Jun 03, 2018 11:53 am

Re: Site to Site VPN using Layer-3 switch issues

Post by Retinaquester2 » Thu Jun 21, 2018 10:15 pm

Hi,

Yes, 3 sites talk to each other without using NAT, so only L3 switched.
(So accessing from the branch office via the main HQ server to my house Synology NAS works.)

However, one point in the L3-switched VPN tutorial I could not get to work.
I added static routes both on the Synology Router and on a Zyxel router to their respective L3 virtual device.
This did not solve it.

- I still needed to add static routes to the individual machines to get them to talk.
- On the main SE server (in my case Windows 2012 R1 64bit on VMware ESXi)
I needed to explicitly add 192.168.1.0/24 and 192.168.0.0/24 as allowed in the Windows Firewall.

Other than that, it has been up and running for a few weeks now, and it feels reliable.
So now I would like to have a bridge not on my quad-core power-guzzling PC, but something more
subtle. :-)
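
An added example (not code from this thread or from SoftEther) that models the routing point qupfer raised and the per-host static routes this post ended up with: forward and return paths are looked up hop by hop, which shows why a reply from an HQ host whose only gateway is a router without static routes never comes back. The L3 device addresses (192.168.1.254, 192.168.2.29) and the server's route are taken from the thread; the host names, 192.168.1.10, 192.168.2.50 and the ISP-side address 203.0.113.1 are constructed.

```python
import ipaddress

# Constructed topology modelled on the thread (not from the original post): name -> (addresses, routes).
# A route is (prefix, next_hop); next_hop None means the prefix is directly connected.
# 203.0.113.1 stands in for the ISP side of each router and is owned by no modelled node.
NODES = {
    "home_pc":     (["192.168.1.10"], [("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.1.1")]),
    "home_router": (["192.168.1.1"],  [("192.168.1.0/24", None), ("192.168.2.0/24", "192.168.1.254"),
                                       ("0.0.0.0/0", "203.0.113.1")]),   # static route to the L3 device
    "l3_switch":   (["192.168.1.254", "192.168.2.29"],
                    [("192.168.1.0/24", None), ("192.168.2.0/24", None)]),
    "hq_server":   (["192.168.2.3"],  [("192.168.2.0/24", None), ("192.168.1.0/24", "192.168.2.29"),
                                       ("0.0.0.0/0", "192.168.2.1")]),   # the 'route add' from the thread
    "hq_pc":       (["192.168.2.50"], [("192.168.2.0/24", None), ("0.0.0.0/0", "192.168.2.1")]),
    "hq_router":   (["192.168.2.1"],  [("192.168.2.0/24", None), ("0.0.0.0/0", "203.0.113.1")]),
}

def owner(ip):
    """Name of the node that holds this address, or None if it is outside the model."""
    return next((n for n, (addrs, _) in NODES.items() if ip in addrs), None)

def lookup(routes, dst):
    """Longest-prefix match; returns (network, next_hop) or None when no route matches."""
    best = None
    for prefix, nh in routes:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best

def trace(src, dst, max_hops=8):
    """Follow the forwarding decision hop by hop; ends with 'delivered' or 'dropped@<node>'."""
    node = owner(src)
    path = [node]
    for _ in range(max_hops):
        addrs, routes = NODES[node]
        if dst in addrs:
            return path + ["delivered"]
        r = lookup(routes, dst)
        # Directly connected: hand to the host itself; otherwise hand to the next-hop router.
        nxt = None if r is None else owner(dst if r[1] is None else r[1])
        if nxt is None:  # no route, or the next hop (e.g. the ISP) is outside the modelled LANs
            return path + [f"dropped@{node}"]
        node, path = nxt, path + [nxt]
    return path + ["loop"]

def add_route(node, prefix, next_hop):
    """The fix the thread ended up with: a per-host static route towards the L3 switch interface."""
    NODES[node][1].append((prefix, next_hop))
```

Running trace("192.168.2.50", "192.168.1.10") before and after add_route("hq_pc", "192.168.1.0/24", "192.168.2.29") shows the asymmetric reachability described above: the ping from home arrives, but the reply leaves through the HQ router and is lost until the host itself knows the route.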
