
Author Topic: IPSEC VPN Not working on multiple wan interfaces DFL 800  (Read 9658 times)

chechito

  • Level 3 Member
  • ***
  • Posts: 193
IPSEC VPN Not working on multiple wan interfaces DFL 800
« on: December 02, 2010, 11:05:31 AM »

I have a DFL 800 with the latest firmware.

IPSEC VPN works fine on the wan 1 interface.

Published services work fine on the wan 1 and wan 2 interfaces.

The firewall is manageable via wan 1 and wan 2 OK.

Outbound traffic is split nicely between the wan 1 and wan 2 interfaces according to the policies established in PBR.


My problem is that IPSEC does not work on the wan 2 interface and I don't have any logs on the firewall.

How can I make IPsec VPN work on multiple interfaces???
« Last Edit: December 02, 2010, 12:03:49 PM by chechito »
Logged

silver_surfer30

  • Level 3 Member
  • ***
  • Posts: 107
Re: IPSEC VPN Not working on multiple wan interfaces DFL 800
« Reply #1 on: December 03, 2010, 08:17:21 AM »

I have almost the same issue but with a little difference in the config.
I have 2 internet accesses and am using dynamic outbound load balancing on both internet accesses using the destination algorithm.

The main default route is pppoe1 with the lower metric, and monitoring on both interfaces (pppoe1 and pppoe2).

My issue is that roaming users with the IPsec client cannot access the network via the wan1 interface, only via wan2.

My routing tables are as follows:

main : lan lannet, dmz dmznet, wan wannet all with metric 100
       pppoe1 all-nets metric 95, pppoe all-nets metric 96, both monitored.

pbr : lan lannet, dmz dmznet, wan wannet all with metric 100
      pppoe2 all-nets 95

The routing rule is: forward chain main, return chain pbr, all-services, any all-nets core pppoe2ip

With this configuration I cannot force IPsec roaming users to connect to lannet via pppoe1.

Any idea will be appreciated.
Logged

navi

  • Level 1 Member
  • *
  • Posts: 17
Re: IPSEC VPN Not working on multiple wan interfaces DFL 800
« Reply #2 on: June 21, 2011, 07:05:33 AM »

Hi,

I know that this topic is quite old, but does anybody know the solution for this?

I found a post about this issue on the Clavister forum (Clavister and D-Link have the same/very similar firmware?):

https://forums.clavister.com/viewtopic.php?f=8&t=3934


Did anybody get it working with a DFL?
Logged

chechito

  • Level 3 Member
  • ***
  • Posts: 193
Re: IPSEC VPN Not working on multiple wan interfaces DFL 800
« Reply #3 on: June 21, 2011, 10:05:36 AM »

Same issue here with DFL 800, 210 and 260.

I have to use wan 1 with IPsec and wan 2 with PPTP, but cannot do IPsec on wan 1 and wan 2 at the same time.

The only way to change this was changing the main routing table and rebooting the device; then I can change IPsec to wan 2, but it is unusable on wan 1.
Logged

danilovav

  • Level 4 Member
  • ****
  • Posts: 424
  • Alexandr Danilov
Re: IPSEC VPN Not working on multiple wan interfaces DFL 800
« Reply #4 on: June 22, 2011, 12:00:38 PM »

Really, it's very simple.

First, make static routes for each IPsec remote endpoint through the corresponding WAN interface.
Keep the default route for one of the WANs in the "main" routing table.

Then, make routing table "alt_wan1" with type "only".
Add into it the route all-nets wan1 wan1_gw 100 (gw - if necessary).
Make PBR wan1/all-nets any/all-nets, forward main, return alt_wan1.

Do the same for wan2.

This way, DFL will process incoming connections from each wan interface without a default route in the main table.
Logged
BR, Alexandr Danilov

navter

  • Level 1 Member
  • *
  • Posts: 4
Re: IPSEC VPN Not working on multiple wan interfaces DFL 800
« Reply #5 on: July 13, 2011, 06:24:00 AM »

danilovav: Could you write a little bit more?
Have you tested this?


BTW. Is it possible to have multiple L2TP servers?
First server listening on wan1_ip1 and wan2_ip1,
second listening on wan1_ip2 and wan2_ip2.

I'm asking because I want to have 2 different VPN user groups with different LAN access.
Example: VPNUsers have access to the LAN ftp and www servers, VPNUsers2 access to the mailserver.

I tried to set up:
Interfaces->ipsec->ipsec1:
Local net=wan1_ip1
Interfaces->ipsec->ipsec2:
Local net=wan1_ip2

Interfaces->pptp/l2tp servers->server1:
outer server ip=wan1_ip1
Interfaces->pptp/l2tp servers->server2:
outer server ip=wan1_ip2

But I can connect only to server1 :( (ikesnoop -on -verbose). I can ping both wan1_ip1 and wan1_ip2 from outside.

My wan1 interface is:
interfaces->ethernet->wan1->ip address = wan1_ip1


Navi
« Last Edit: July 13, 2011, 06:25:37 AM by navter »
Logged

danilovav

  • Level 4 Member
  • ****
  • Posts: 424
  • Alexandr Danilov
Re: IPSEC VPN Not working on multiple wan interfaces DFL 800
« Reply #6 on: July 13, 2011, 09:50:07 AM »

>Could you write a little bit more?
What do you want to know more? In fact it's a solution for processing incoming packets from each wan interface separately.

>Have you tested this?
Yes, I use this logic in almost all multi-wan cases.

>Is it possible to have multiple L2TP servers?
Yes, you can specify the listen address on the PPP server and the terminator IP under the user auth rule.

>I'm asking because I want to have 2 different VPN user groups with different LAN access
Your way is possible.
But you can assign an address for each user statically and make IP rules on the basis of user groups (source address).

>But I can connect only to server1
Show Status > Routes
Logged
BR, Alexandr Danilov

navter

  • Level 1 Member
  • *
  • Posts: 4
Re: IPSEC VPN Not working on multiple wan interfaces DFL 800
« Reply #7 on: July 15, 2011, 07:10:24 AM »

Show Status > Routes

Main table:
D    XXX.XXX.199.137   wan1         80
D    XXX.XXX.199.141   dmz         80
   YYY.YYY.165.26   core   (Iface IP)   0
   YYY.YYY.165.27   core   (Iface IP)   0
   YYY.YYY.165.28   VLANDMZWAN2      0
   YYY.YYY.165.29   core   (Iface IP)   0
   XXX.XXX.199.138   core   (Iface IP)   0
   XXX.XXX.199.139   core   (Iface IP)   0
   XXX.XXX.199.142   core   (Iface IP)   0
   192.168.100.10   core   (Iface IP)   0
   10.24.76.10   core   (Iface IP)   0
   127.0.0.1   core   (Iface IP)   0
   XXX.XXX.199.140   dmz         60
   XXX.XXX.199.136/29   switched   80
   192.168.100.0/24   VLanWiFi   100
   10.24.76.0/22   lan         100
   224.0.0.0/4   core   (Iface IP)   0
M    0.0.0.0/0   wan1   XXX.XXX.199.137   80
   0.0.0.0/0   wan2   YYY.YYY.165.25   90

Wan2ReturnTraffic table(ordering First):

0.0.0.0/0   wan2   YYY.YYY.165.25      60

I have routing rule:
ReturnRouteWan2      wan2/all-nets  any/all-nets    all_services   

>I'm asking because I want to have 2 different VPN user groups with different LAN access
>Your way is possible.
>But you can assign an address for each user statically and make IP rules on the basis of user groups (source address).
But I want to have one static user db and a second with RADIUS. So I have to use two separate servers.

>Could you write a little bit more?
>What do you want to know more? In fact it's a solution for processing incoming packets from each wan interface separately.
So in my case there would be 3 routing tables? Main + Returnwan2 (only) + returnwan1 (only)??
Logged

danilovav

  • Level 4 Member
  • ****
  • Posts: 424
  • Alexandr Danilov
Re: IPSEC VPN Not working on multiple wan interfaces DFL 800
« Reply #8 on: July 15, 2011, 11:18:53 AM »

>Show Status > Routes
Between what interfaces do you use transparent mode?

>Wan2ReturnTraffic table (ordering First):
Change to "only".

>I have routing rule:
Forward routing table - main, return alt?

>But I want to have one static user db and a second with RADIUS. So I have to use two separate servers.
Yes, in this case you need to configure additional servers.
As a result, 4 - 2 for each interface.

>So in my case there would be 3 routing tables? Main + Returnwan2 (only) + returnwan1 (only)??
It's the ideal case. But your configuration is also possible.
Logged
BR, Alexandr Danilov
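A small model of the return-path problem this thread is about, combining the routing-table/PBR recipe from Reply #4 with the route dump and the "change to only" advice of Replies #7 and #8. This is an added example in Python, not code from the forum or from the DFL firmware; the addresses are constructed documentation ranges, and the route-selection order (longest prefix, then lowest metric) and the behaviour of a type "only" table are assumptions made for the model.

```python
import ipaddress

# Constructed sample in the layout of the "Show Status > Routes" dump above;
# the public prefixes are documentation ranges, not the poster's real addresses.
MAIN_DUMP = """
M    0.0.0.0/0          wan1       203.0.113.137   80
     0.0.0.0/0          wan2       198.51.100.25   90
     10.24.76.0/22      lan                        100
     192.168.100.0/24   VLanWiFi                   100
     203.0.113.136/29   switched                   80
     203.0.113.138      core   (Iface IP)          0
"""
# Alternate table named Wan2ReturnTraffic in the thread, to be given type "only".
WAN2_RETURN_DUMP = """
     0.0.0.0/0          wan2       198.51.100.25   60
"""

def parse_routes(dump):
    """Parse one routing table dump into (network, iface, gateway, metric)."""
    routes = []
    for line in dump.strip().splitlines():
        parts = line.split()
        if parts[0] in ("M", "D"):        # leading flag column (monitored/dynamic)
            parts = parts[1:]
        if "(Iface" in parts:             # interface's own address: drop the annotation
            parts = [p for p in parts if p not in ("(Iface", "IP)")]
        net, iface, metric = parts[0], parts[1], int(parts[-1])
        gw = parts[2] if len(parts) == 4 else None
        routes.append((ipaddress.ip_network(net), iface, gw, metric))
    return routes

def lookup(routes, dst):
    """Longest-prefix match; lower metric breaks ties among equal prefixes
    (assumed here; the thread does not spell out the selection order)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, iface, gw, metric in routes:
        if addr in net and (best is None or (net.prefixlen, -metric) > best[0]):
            best = ((net.prefixlen, -metric), iface, gw)
    return (best[1], best[2]) if best else None

MAIN = parse_routes(MAIN_DUMP)
WAN2_RETURN = parse_routes(WAN2_RETURN_DUMP)

def return_interface(src_iface, dst, main=MAIN, alt=WAN2_RETURN):
    """Routing rule 'wan2/all-nets any/all-nets: forward main, return alt' with
    alt of type 'only': replies to connections that arrived on wan2 consult only
    the alternate table; everything else is routed by main."""
    table = alt if src_iface == "wan2" else main
    return lookup(table, dst)[0]
```

Without the rule, a reply to an IPsec peer that came in on wan2 is sent via wan1 because main's wan1 default route has the lower metric; with the rule, the same reply leaves via wan2.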

navter

  • Level 1 Member
  • *
  • Posts: 4
Re: IPSEC VPN Not working on multiple wan interfaces DFL 800
« Reply #9 on: July 18, 2011, 12:34:46 AM »

>Show Status > Routes
>Between what interfaces do you use transparent mode?
Wan1 and DMZ. I will try later to do the same with wan2 and dmzvlan to provide
full link backup to the servers in the DMZ.

>Forward routing table - main, return alt?
Yes - forward main, return Wan2ReturnTraffic.

>Yes, in this case you need to configure additional servers.
>As a result, 4 - 2 for each interface.
Reasonable.

I will try configuring 3 routing tables and post the results.
Logged

navter

  • Level 1 Member
  • *
  • Posts: 4
Re: IPSEC VPN Not working on multiple wan interfaces DFL 800
« Reply #10 on: July 19, 2011, 01:40:24 AM »

danilovav: are you using a DFL-800 with the latest firmware 2.27.03.25-14780?

Setting up 2 L2TP servers is impossible.

First: the DFL-800 is not listening on the second wan1 public IP address (ARP published, core route) when it's set up as the listen address on the L2TP server.
I'm mapping one port using the second wan1 public IP (SAT+NAT rule), so the DFL is reachable on the second IP from the internet for sure.

Second: when 2 interface->ipsec tunnels are set up (for different L2TP servers) with different PSKs,
the L2TP server is always expecting the PSK from the first in the configured IPsec tunnels list, even if the outer interface of the L2TP server is set up with the second in the configured IPsec tunnels list.
Logged

danilovav

  • Level 4 Member
  • ****
  • Posts: 424
  • Alexandr Danilov
Re: IPSEC VPN Not working on multiple wan interfaces DFL 800
« Reply #11 on: July 19, 2011, 01:10:27 PM »

>are you using a DFL-800 with the latest firmware 2.27.03.25-14780?
Yes.

>Setting up 2 L2TP servers is impossible.
L2TP is possible, but L2TP over IPsec is not possible because IPsec can't be processed through an additional IP.
For that case, use PPTP.
Logged
BR, Alexandr Danilov