Site to Site VPN using Layer-3 switch issues

Retinaquester2
Posts: 14
Joined: Sun Jun 03, 2018 11:53 am

Site to Site VPN using Layer-3 switch issues

Post by Retinaquester2 » Sun Jun 03, 2018 12:12 pm

Recently I installed SoftEther VPN to connect two sites.

I am trying to get 2 LANs with different IP ranges to play nicely together,
if possible only with switching. My SIP hard-phone for example doesn't support VPN,
so I need to provide a bridge, and other solutions have failed because NAT
causes audio to stop. (Unhandy with a phone.)
If there are no obvious mistakes, please give me some pointers where to look/start troubleshooting.

Setup is for 3 sites (But for this I will connect only one, the other is just repeating steps)

Overview
Headquarters: SoftEther VPN Server.
System: Windows 2012 Server installed on VMware ESXi 5.5 (with Promiscuous mode enabled).
Network ip Range: 192.168.2.0/24 Subnet: 255.255.255.0
Server IP: 192.168.2.3

VPN-Home-Site: SoftEther Bridge.
System: Windows 10 64Bit
Network: ip Range: 192.168.1.0/24 Subnet: 255.255.255.0
IP: 192.168.1.94

I worked through the basic setup and used 10.6_Build_a_LAN-to-LAN_VPN_(Using_L3_IP_Routing)
as manual, to apply the setup to our sites.

Server setup:
Created port forwards to it.
Created 2 Virtual Hubs: VPN-Headquarters-Site and VPN-Home-Site.
Created Local-Bridge (VPN-Headquarters-Site to 192.168.2.0/24 LAN).

Setup Layer-3-Switch:
2 Virtual Devices.
192.168.2.29 Connected to the VPN-Headquarters Hub
192.168.1.254 Connected to the VPN-Home-Site Hub

Created Static route (on the server only, because the headquarters router has no Static route options)
Route add 192.168.1.0 MASK 255.255.255.0 192.168.2.29

Setup: Client:
Created Virtual HUB (BRIDGE) and Bridged it to 192.168.1.0/24 LAN
Cascade the HUB (BRIDGE) to the HQserver and connection is ONLINE (established).
Created Static route in the router:
route 192.168.2.0
subnet 255.255.225.0
Gateway 192.168.1.254

So what works...
- Connection with SoftEther Client (not bridge) to the Headquarters works fine.
Access to whole network but only for a single PC.
(So portforwards look OK)
- I tried to Cascade my home network directly on the VPN-Headquarters HUB, creating a Layer-2 connection.
This also worked great. It resulted in a Packet-Flood warning because the two DHCPs started to issue IPs
on either site (RTFM). So after some packet filtering was applied I could for the first time use a SIP
phone to connect from home to the Office-PBX. (SIP phones hate NAT.)
- I could at home also put a PC on the IP range of the office and access the headquarters LAN.

But the Layer 3 switch is a problem. I cannot ping any PC (not even the server via the VPN).
I can however from home reach the Layer-3 Switch virtual device (so ping 192.168.1.254 works).
When I tracert from home (192.168.1.0/24) to the server IP 192.168.2.3 I see the first hop router,
the next hop being the switch 192.168.1.254 and then no next hop.
Server side same story, tracert stops at the Layer-3-Switch.
Switch is enabled, and I restarted the Windows 2012 Virtual Machine several times to be sure.

Ideas? Or things I can test to see where the problem is?
If Logs are needed I can add those too. Thanks.

Retinaquester2
Posts: 14
Joined: Sun Jun 03, 2018 11:53 am

Re: Site to Site VPN using Layer-3 switch issues

Post by Retinaquester2 » Tue Jun 05, 2018 11:07 am

Hello, again.

I noticed many people checked this topic, but it's a lot of text.
I have looked into the logs and found some relevant info.
Be aware that time-wise the virtual Server HQ did not exactly match the client,
so there are some time differences in the logs.

Please check the attached Log

Can someone shed some light on this?
Why is all the IP data stripped/missing?
ClientIP=0.0.0.0 YourIP=0.0.0.0 ServerIP=0.0.0.0 RelayIP=0.0.0.0,-

It seems that the packets come through. However the client VPN computers
try to request an IP address from a DHCP server, and that is not the idea.
I would like to L3-switch the network.
Last 2 entries server-side are about the L3 switch. As you can see it's operational.
But it seems to be handling DNS-Query packets only, and it's handling them awkwardly.
It's sending data to 192.168.1.254 which is the Virtual device for my home-site network...

Please speak your thoughts as well.
If you have an idea where to start I am grateful too.

Anyone? Thanks

brad9785
Posts: 2
Joined: Thu Jun 07, 2018 2:25 am

Re: Site to Site VPN using Layer-3 switch issues

Post by brad9785 » Thu Jun 07, 2018 2:30 am

I think this is something I'm trying to do as well, except I have a VPS because I'm behind a strict NAT and can't get a public IP.

qupfer
Posts: 202
Joined: Wed Jul 10, 2013 2:07 pm

Re: Site to Site VPN using Layer-3 switch issues

Post by qupfer » Thu Jun 07, 2018 6:06 am

Retinaquester2 wrote:

> Why is all the IP data stripped/missing?
> ClientIP=0.0.0.0 YourIP=0.0.0.0 ServerIP=0.0.0.0 RelayIP=0.0.0.0,-
It's not stripped/missing. It's just a DHCP Request, there is no assigned IP yet. So it's broadcast.

I would think you just miss the routing entries in your local gateways. So your clients did not know that the other networks are "behind" the corresponding virtual device on server side.
Please verify you took care of the part "10.6.7 LAN-to-LAN VPN Connection", because your packet log shows only broadcast packets and SoftEther related DNS queries.

Retinaquester2
Posts: 14
Joined: Sun Jun 03, 2018 11:53 am

Re: Site to Site VPN using Layer-3 switch issues

Post by Retinaquester2 » Fri Jun 08, 2018 7:36 am

Thanks for reaching out,

I have looked at the same section, again and again.
You put the finger on the sore spot. That is the only part of the
manual that I cannot apply to the letter.

Our HQ-office has a router without static route option.
(I never knew that existed, and they call it a business router,
with no option of bridging. So replacing the router doesn't work.)

So I put in the VPN server the routes myself, and I am no expert on routing.

(Server itself sits in the 192.168.2.0/24)
Route add 192.168.1.0 Mask 255.255.255.0 192.168.2.29 <-- Home-Site
Route add 192.168.0.0 Mask 255.255.255.0 192.168.2.29 <-- Branch-Office

Both routers (Home and Branch-Office) do support Static routing,
so they have been put in there.

See screenshot: what happens from Home-Site when I run a tracert:
I can reach all the Virtual devices in the L3-Switch,
but nothing beyond the switch.

At this point, every PC in all networks can access all 3 L3-VirtualDevices.
Why not talk to each other then? It feels so close :-)

Retinaquester2
Posts: 14
Joined: Sun Jun 03, 2018 11:53 am

Re: Site to Site VPN using Layer-3 switch issues

Post by Retinaquester2 » Sat Jun 09, 2018 10:09 pm

Hi again,

I got it working!!!... Well partially.
The culprit was the Firewall of the Windows 2012 Server.
I assumed that the Firewall only acted like a perimeter defence, and once
data is on the LAN the firewall would not intervene. Yet it did. So after I cleared
192.168.0.1/24 and 192.168.0.0/24, packets started flowing.

So from Home-Site I can reach every device on HQ with static routes set.
Strangely enough, the other way around from HQ I can only get to the router.
I now cleared both the Firewall on the router and on the VPN-Bridge, but no dice. Yet.

Oh and there is a mistake in an image on the
A._Examples_of_Building_VPN_Networks/10.6_Build_a_LAN-to-LAN_VPN_(Using_L3_IP_Routing)
See attached image.
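Putting the static routes from the first post and the firewall finding above together, as an added example that is not from the original posts: a PowerShell snippet for the HQ SoftEther host that adds the routes towards the L3 switch device and scoped Windows Firewall allow rules for the two remote subnets (instead of switching the firewall off), then checks the result. The addresses are the ones given in the thread; the rule names and the check target are assumptions.

```powershell
# Added example (not from the thread): prepare the HQ SoftEther host (Windows Server 2012,
# 192.168.2.3) so that traffic from the remote sites gets in and out via the L3 switch.
# Assumed from the thread: HQ LAN 192.168.2.0/24, L3-switch virtual device on the HQ hub
# 192.168.2.29, Home-Site 192.168.1.0/24, Branch-Office 192.168.0.0/24.
# Run in an elevated PowerShell prompt.

$L3SwitchHqDevice = '192.168.2.29'
$RemoteSubnets    = @('192.168.1.0/24', '192.168.0.0/24')

# Interface index of the HQ LAN NIC (the one SoftEther's local bridge is attached to).
$HqLanIfIndex = (Get-NetIPAddress -IPAddress '192.168.2.3' -AddressFamily IPv4).InterfaceIndex

foreach ($Subnet in $RemoteSubnets) {
    # Static route: send remote-site traffic to the L3 switch's HQ-side address.
    if (-not (Get-NetRoute -DestinationPrefix $Subnet -ErrorAction SilentlyContinue)) {
        New-NetRoute -DestinationPrefix $Subnet -NextHop $L3SwitchHqDevice `
                     -InterfaceIndex $HqLanIfIndex | Out-Null
    }

    # Windows Firewall treats the remote subnets as non-local and drops their inbound packets.
    # Allow them with a rule scoped to exactly that subnet instead of disabling the firewall.
    $RuleName = "SoftEther L3 - allow inbound from $Subnet"   # assumed name
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Profile Any `
                            -RemoteAddress $Subnet -Action Allow | Out-Null
    }
}

# Verify: each remote subnet must show the L3 switch device as its next hop ...
Get-NetRoute -AddressFamily IPv4 |
    Where-Object { $RemoteSubnets -contains $_.DestinationPrefix } |
    Format-Table DestinationPrefix, NextHop, InterfaceIndex

# ... and a trace to the Home-Site bridge host must now pass the L3 switch
# (192.168.2.29 then 192.168.1.254) instead of stopping at it.
tracert -d 192.168.1.94
```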

Retinaquester2
Posts: 14
Joined: Sun Jun 03, 2018 11:53 am

Re: Site to Site VPN using Layer-3 switch issues

Post by Retinaquester2 » Thu Jun 21, 2018 7:56 pm

Hello Again :-)

By now I have been working with this great tool for a while
and I am looking for a permanent low-power way to connect to my HQ.

The Options are:
Synology NAS
Raspberry Pi
Synology Router

The Synology NAS has been tried by others. However it's very technical to do.
(needs to compile from source etc..)
That leaves the Raspberry Pi, very well documented and with available binaries.

However the Synology Router is basically the designated device for this.
Installing SE VPN server/bridge on it probably poses the same problems as
the NAS. However it has a built-in package for Site-To-Site LAN with IPSEC.

So I tried/guessed to set the settings, and it does connect to the server.
But the Router never states connected. Has anybody had success with this?
Or knows what settings have best chances of success? See screenshots.

Home Network 192.168.1.0/24
HQ Network 192.168.2.0/24

(Look for my Lan topology in the first post)

centeredki69
Posts: 329
Joined: Wed Sep 18, 2013 1:49 pm

Re: Site to Site VPN using Layer-3 switch issues

Post by centeredki69 » Thu Jun 21, 2018 9:03 pm

Did you ever get your original posted issue to work? All 3 locations communicating with each other.

Retinaquester2
Posts: 14
Joined: Sun Jun 03, 2018 11:53 am

Re: Site to Site VPN using Layer-3 switch issues

Post by Retinaquester2 » Thu Jun 21, 2018 10:15 pm

Hi,

Yes 3 sites talk to each other, Without using NAT. So only L3 switched.
(So accessing from Branch office via main HQ server to my house Synology NAS works)

However One point at the L3 switched VPN tutorial I could not get to work.
I added both on the Synology Router and a Zyxel router static routes to their respective L3 virtual device.
This did not solve it.

- I still needed to add Static routes to the individual machines to get them to talk.
- On the main SE Server (in my case, Windows 2012 R1 64bit on VMware ESXi) I
needed to explicitly add 192.168.1.0/24 and 192.168.0.0/24 to pass on Windows Firewall.

Other than that, it has been up and running for a few weeks now, and it feels reliable.
So now I would like to have a bridge not on my quadcore power-guzzling PC, but something more
subtle. :-)

centeredki69
Posts: 329
Joined: Wed Sep 18, 2013 1:49 pm

Re: Site to Site VPN using Layer-3 switch issues

Post by centeredki69 » Fri Jun 22, 2018 12:20 am

On your original post you never mentioned that you created a "local bridge" at the remote locations (Home-Site).
However you did create one at the server location. A "local bridge" is needed at all sites, I believe. I thought this might be the cause of the issues you were having.
The graphic on the L-3 tutorial doesn't label them, but just has green arrows. The L-2 tutorial does label them but with blue arrows.

I have used the L-2 cascade bridge set up with "local bridge" for many years connecting 3 locations. I of course had to use the same IP address range at all locations. I set the DHCP servers at each location to only issue a set range of IP addresses and made sure none of the ranges overlapped with the other locations. I then filtered out the DHCP protocol in SoftEther so no DHCP packets would broadcast through the cascade connections. The L-3 setup that you are using is more complicated.

As far as the power issue, I bought 2 Qotom-Mini fan-less PCs with 4 NIC cards on Amazon. They use a low power laptop-like power supply and are silent.
I run Server 2016 on one with the SoftEther server software on it. The other one I use as a pfSense router/firewall.

I do like the Synology NAS boxes. They are good for many different applications other than just being a NAS.

Retinaquester2
Posts: 14
Joined: Sun Jun 03, 2018 11:53 am

Re: Site to Site VPN using Layer-3 switch issues

Post by Retinaquester2 » Sun Jul 01, 2018 8:34 pm

Thanks for the responses.

Well for now I finished my setup. The Synology Router is not willing to connect to the SoftEther VPN server
with its Site-to-Site VPN Plus package. The fun part is that SoftEther server sees the connection in the LOG and gives free way.
It correctly identifies the setup Phase 1 and Phase 2 settings. Also the encryption is correct. But after some time it says
"Remote site disconnected" in the log.

The Synology router keeps displaying status "Connecting".

So I tested with the uploads and got a 4,3 Mb/s file transfer speed from our office. (Has a 50 mbit upload connection.)
That means SE is utilizing 70% - 75% of our maximum upload. I consider that very good.

Today I dusted off an old Raspberry Pi 1, overclocked to 1 GHz single core. And transfer speed dropped to 1,44 Mb/s
(1 floppy disk per second ;-) for the oldies here).
For now it's good enough. It means roughly 10 mbit transfer speed and that means no problems with RDP and SIP hard-phone.
I will keep your advice about a faster alternative.

If this package ever executes on a Synology NAS or Synology router, it will blow their standard VPN and VPN-Plus app out of the water.

Regards

Vreo
Posts: 6
Joined: Fri Mar 15, 2019 1:18 am

Re: Site to Site VPN using Layer-3 switch issues

Post by Vreo » Sun Mar 17, 2019 6:35 pm

Retinaquester2 wrote (Thu Jun 21, 2018 10:15 pm):

> Needed to explicitly add 192.168.1.0/24 and 192.168.0.0/24 to pass on Windows Firewall.

Hi! I am running into your same issue, I can't access PCs on the other side, only the layer 3 IP. I think maybe it is the firewall issue... But I disabled entirely the Windows firewall in both server and bridge client and no success... Any clues?
