[SOLVED] Firmware bug + OpenVPN issue with site to site
[SOLVED] Firmware bug + OpenVPN issue with site to site
Hi all!
I come back to communauty and support!
My config:
I have 2 ER7206 (same model)
LAN1 <-> Main site A [ER7206] <- internet -> remote site B [ER7206] <-> LAN2
Site A is an entry point for users with OpenVPN and admin (PPTP for my old Win7 or L2TP for W10 access)
Users connect to site using OpenVPN client (Win or Android) and can access the whole network (LAN1 and LAN2).
I had to update client conf in order to add route for LAN2 (the default client file is not enough)
=> On previous firmware, everything is OK
I have upgraded the firmware today from ER7206(UN)_V1_1.2.0 Build 20220117 to ER7206(UN)_V1_1.2.3 Build 20221104 and finally to ER7206(UN)_V1_1.3.0 Build 20230322
The good think of this firmware is that the bandwith between LAN1 and LAN2 has been improved : On a fiber link 1G/500M, I have measured a badnwith of 200Mbits and a good latency (<5ms) between the 2 sites (they are in the same city)
I have encoutered the same bugs with the 2 last firmwares!
How to reproduce bug 1?
- Site A or B: setup a L2TP access and enable it
- setup a site-to-site using IPSec between Site A and Site B (what ever the IP)
=> Log: WAN: Phase 2 of IKE negotiation failed Error=18
- disbale L2TP access and site-to-site is established within the minute. You can enable it after, connection is not broken. But in case of power outage, we can let others VPN enabled. It is not good.
Another user encountered the same See here
=> It was working with the previous firmware. I think it is a bug.
How to reproduce bug 2?
The second issue is related to OpenVPN a kind of the last issue See here
- setup a site-to-site using IPSec between Site A and Site B (what ever the IP)
- setup an OpenVPN access on Site A
- connect remotely using OpenVPN to Site A: try to ping GW @ Site B : nothing!
The ping is OK if connected by PPTP or L2TP
With the previous firmware, OpenVPN client need to have a additionnal route to access the other part of network, ie remote network.
For my case:
LAN1
But with the 2 last firmware, the OpenVPN client see only the local network attached to the access point, not the remote
OpenVPN client connection
|
LAN1 <-> Main site A [ER7206] <- internet -> remote site B [ER7206] <-> LAN2
=> Client see LAN1 but not LAN2
A trace route shows that no answer is given by Site A (despite a dedicated route is set: I have set manually the route in order to validate) and route is sent to internet from client
Normally, OpenVPN client must be considered as connected on LAN1 and naturally see all the subnets (local, local routed or remote)
I tried using :
- IP in LAN1 subnet
- IP in classical 10.8.0.0/24
- other subnets
=> Always the same result: LAN1 is reachable, LAN2 is not reachable whatever the OpenVPN client Win / Android
=> The issue is in the new firmware!
Does anyone see the same?
Or do I miss something? And what?
If I can access directly to the routeur by CLI, doc is welcome !
Thanks for reading.
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Hi Team!
After an 1 hour debugging session, Parker found the issue!
Wen enabling L2TP + IPsec, IP sec was unable to synchronize ans establish site to site tunnel. The issue can be avoided by :
- setiing 1 site in responder mode (instead of having both in initiator, but it was working before)
- indentificating sites by a name (choose what you want site1, site2...) instead of IP on both routers
And just restart!
The documentation (1910012780_TL-R605&TL-ER7206(UN)1.0_UG.pdf) did not tell that but it is based on a former release. (p143-144). So, just set these settings and everything will be OK
Many thanks to the support team: kindness, availability and competence!
Regards
- Copy Link
- Report Inappropriate Content
Hello I just built 2 lans with 2 omada routers (ER605). Ipsec tunnel site to site works (clients can ping remote lan clients), but if I create openvpn server on router 1, client can only access lan 1 and not ipsec remote lan 2. I think I have tried all the possible setups concerning openvpn server setup. Any ideas?
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
Hello, I am using Omada Cloud Controller version 5.11.44
Gateways are ER605 v 2.0 using Firmware 2.1.2 Build 20230210 Rel.62992
Thanks, Petteri
- Copy Link
- Report Inappropriate Content
Hello @petterik,
Please upgrade the ER605 firmware version to 2.1.4 Beta firmware which has fixed the bug that VPN Client cannot access the other side through IPsec when the device act as a PPTP/L2TP/OpenVPN Server and also establishes IPsec VPN with other devices. You may follow the post link below for details.
ER605 V2_2.1.4_Build 20230727 Beta Firmware For Trial (Released on Aug 2nd, 2023)
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
Okay, I found it, it is in controller device
Manage Device ->
Custom Upgrade ->
Please choose the firmware file and upgrade the device.
And you provided the link to firmware.
Got to test it now.
Thanks,
Petteri
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 2098
Replies: 17
Voters 0
No one has voted for it yet.