
    at cakeis not alie looking for Ubiquiti experience

    • ryanblahnik

      I invited Trevor over here, but is anybody here with experience and a Twitter account just hanging out?

      Tweet from Pott,T: Evil Minion (@cakeis_not_alie), June 2, 2016:
      "Hey Twitter, any of you guys know a lot about Ubiquiti routers? I need help with VPNs"
      https://twitter.com/cakeis_not_alie/status/738432616710299649

      • Dashrender

        What kind of experience are you looking for?
        @JaredBusch is a pretty good resource

        • scottalanmiller

          I use Twitter a lot, what do you want to know?

          • scottalanmiller

            And Trevor has long been here, he has the same handle as his Twitter.

            • ryanblahnik @scottalanmiller

              --

              • ryanblahnik

                Do any non-letter/number characters in titles mess you up on Twitter, or is there a list to avoid?

                • scottalanmiller @ryanblahnik

                  @ryanblahnik said in at cakeis_not_alie looking for Ubiquiti experience:

                  Do any non-letter/number characters in titles mess you up on Twitter, or is there a list to avoid?

                  Oh yeah, if you want to Tweet directly from here, avoid any special chars in the title.

                  • cakeis_not_alie

                    So here is the deal:

                    Executive Level Body purchased two Ubiquiti Edgemax devices. One for his network, one for his office network. He demands that the site-to-site VPN be set up between them.

                    Unit on his end needs to be a NAT router for his home network(s). Unit on this end is only for his VPN access and nothing else.

                    No matter how this is set up, Executive Level Body must be able to use the UI on the routers (both of them) to change IPs of the VPN configuration and/or the shared secret and have it work.

                    No, he cannot use the command line. Any solution which requires ongoing configuration of the devices to use the command line is simply not acceptable for this situation.

                    The units are running EdgeRouter Lite 1.8.0.

                    I have absolutely no idea how to configure these things. I have attached a picture below to show what I have attempted. It is the same on both sides, with the exception of the target external IP (naturally) and the description.

                    I have not made changes to the firewall. There is a tickbox on the router that looks like it will do so, but no firewall rules appear to be created (at least in the UI).

                    Help!

                    [Attached image: Ubiquiti.PNG]

                    • JaredBusch @cakeis_not_alie

                      @cakeis_not_alie said in at cakeis not alie looking for Ubiquiti experience:

                      So here is the deal:

                      Executive Level Body purchased two Ubiquiti Edgemax devices. One for his network, one for his office network. He demands that the site-to-site VPN be set up between them.

                      Unit on his end needs to be a NAT router for his home network(s). Unit on this end is only for his VPN access and nothing else.

                      No matter how this is set up, Executive Level Body must be able to use the UI on the routers (both of them) to change IPs of the VPN configuration and/or the shared secret and have it work.

                      No, he cannot use the command line. Any solution which requires ongoing configuration of the devices to use the command line is simply not acceptable for this situation.

                      The units are running EdgeRouter Lite 1.8.0.

                      I have absolutely no idea how to configure these things. I have attached a picture below to show what I have attempted. It is the same on both sides, with the exception of the target external IP (naturally) and the description.

                      I have not made changes to the firewall. There is a tickbox on the router that looks like it will do so, but no firewall rules appear to be created (at least in the UI).

                      Help!

                      Your problem is the 'any' in the Local IP field.
                      In order to stay out of command line, you need to do this.

                      1. Set up a dynamic DNS entry with some service for the home office side. I use afraid.org for this generally.
                      2. In the config on the office side, the peer will be the dynamic DNS value.
                      3. In the config on the office side, the Local IP will be the static address of the office.
                        [Attached image]
                      4. In the config for the home office side, set the peer to the public IP (or DNS name) of the office.
                      5. In the config for the home office side, set the local IP to the current IP address. Do not use 'any'; it does not work right.
                      6. The user will have to update his local router config whenever his local IP changes.
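
An offline check of the two routers' settings against steps 2 to 5 above, as an added example that is not part of the original post or of Ubiquiti's tooling. The config.boot-style layout, the `local-address` key, the addresses and the hostname are assumptions; `sample`, `peers` and `audit` are hypothetical helper names.

```python
# Constructed config.boot-style excerpt; the addresses, the hostname and the
# "local-address" key (older "local-ip" also accepted) are assumptions.
def sample(peer, local):
    return f"""vpn {{
    ipsec {{
        site-to-site {{
            peer {peer} {{
                authentication {{
                    mode pre-shared-secret
                }}
                local-address {local}
            }}
        }}
    }}
}}"""

def peers(config_text):
    """Map each site-to-site peer to its configured local address (or None)."""
    found, path = {}, []
    for line in map(str.strip, config_text.splitlines()):
        if line.endswith("{"):
            path.append(line[:-1].strip())
            if path[-1].startswith("peer ") and "site-to-site" in path:
                found.setdefault(path[-1].split()[1], None)
        elif line == "}":
            path.pop()
        elif path and path[-1].startswith("peer ") and "site-to-site" in path:
            key, _, value = line.partition(" ")
            if key in ("local-address", "local-ip"):
                found[path[-1].split()[1]] = value.strip()
    return found

def audit(office_cfg, home_cfg, dns):
    """Check both routers against steps 2-5; dns is a hostname -> IP dict."""
    findings = []
    sides = {"office": peers(office_cfg), "home": peers(home_cfg)}
    for side, other in (("office", "home"), ("home", "office")):
        for peer, local in sides[side].items():
            if local in (None, "any"):
                findings.append(f"{side}: Local IP is {local}, enter the real address")
            if dns.get(peer, peer) not in sides[other].values():
                findings.append(f"{side}: peer {peer} does not match the {other} Local IP")
    return findings

OFFICE = sample("home.example.net", "203.0.113.10")
HOME_BAD = sample("203.0.113.10", "any")
DNS = {"home.example.net": "198.51.100.7"}  # constructed stand-in for a DDNS lookup
print(audit(OFFICE, HOME_BAD, DNS))
```
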
                      • JaredBusch

                        Here is a post I had on issues with 1.8 and IPSEC VPN.
                        http://community.ubnt.com/t5/EdgeMAX/ERL-Upgrade-from-1-7-to-1-8-breaks-IPSEC/m-p/1527840#M105476

                        It all revolved around using any; putting the IP in there, it always worked.

                        • JaredBusch

                          If you are willing to revert to firmware 1.7.0 and drop into command line one time for initial VPN setup, then you can use the dynamic DNS name in the Local IP field of the home router also.

                          [Attached image]

                          Once this was set up, it has not been touched since.

                          It does not work on firmware 1.8.0. I have not tested on the new 1.8.5rc1 at this point.

                          • JaredBusch

                            FYI, that is my connection from my condo in Chicago to a client office in St Louis. A live and working IPSEC VPN tunnel that I use daily.

                            C:\Users\sorva>tracert -d 10.202.1.9
                            
                            Tracing route to 10.202.1.9 over a maximum of 30 hops
                            
                              1    <1 ms    <1 ms    <1 ms  10.254.103.1
                              2     *        *        *     Request timed out.
                              3    19 ms    19 ms    19 ms  10.202.1.9
                            
                            Trace complete.
                            
                            C:\Users\sorva>ping 10.202.1.9
                            
                            Pinging 10.202.1.9 with 32 bytes of data:
                            Reply from 10.202.1.9: bytes=32 time=20ms TTL=62
                            Reply from 10.202.1.9: bytes=32 time=19ms TTL=62
                            Reply from 10.202.1.9: bytes=32 time=19ms TTL=62
                            Reply from 10.202.1.9: bytes=32 time=22ms TTL=62
                            
                            Ping statistics for 10.202.1.9:
                                Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
                            Approximate round trip times in milli-seconds:
                                Minimum = 19ms, Maximum = 22ms, Average = 20ms
                            
                            C:\Users\sorva>
                            
                            • cakeis_not_alie

                              Following up on this thread, the above information worked. Removing the "any" and replacing with "the external IP of the box into which you are currently logged in" solved the problem.

                              Roar! It sucks that "any" is in literally every other piece of configuration information about site-to-site VPNs for Ubiquiti! Hats off to Jared Busch for his knowledge of edge cases, and a case of beer owed for my salvation.

                              Cheers to all who helped.

                              • JaredBusch @cakeis_not_alie

                                @cakeis_not_alie said in at cakeis not alie looking for Ubiquiti experience:

                                Following up on this thread, the above information worked. Removing the "any" and replacing with "the external IP of the box into which you are currently logged in" solved the problem.

                                Roar! It sucks that "any" is in literally every other piece of configuration information about site-to-site VPNs for Ubiquiti! Hats off to Jared Busch for his knowledge of edge cases, and a case of beer owed for my salvation.

                                Cheers to all who helped.

                                IMO, firmware 1.8.0 is buggy as shit with IPSEC. There were a lot of posts on their forums about various issues back when it first released.

                                p.s. http://www.beermonthclub.com/join-or-give-a-gift-membership.htm
