@romo Your site-to-site VPN doesn't work either, correct? Are you sure none of the routers is behind a Carrier Grade NAT (CG-NAT)? Are they all public IPs you have on both ends? L2TP doesn't work if its server is behind a NAT.

When you use a policy based VPN you need to start passing some traffic through the tunnel to bring it up. Have you tried pinging a device on the other router's network tunnelled through the VPN?

What's the output of show log | match 'xl2tpd|pppd'?

@romo Have you defined ipsec interfaces with set vpn ipsec ipsec-interfaces interface eth[.]? I don't see it in your VPN config output. Also, If your static IP address gets issued by your ISP via PPPoE, you'll need to change the outside L2TP address to 0.0.0.0.

@romo I don't see ipsec match-ipsec set in your L2TP rule.

Do you also have WAN_IN firewall rules set up?

@romo Could you show your firewall rules in the config output, please?

@jaredbusch Jared, I was talking about @Romo's site-to-site VPN config. He has two tunnels and I suggested to use a route based VPN instead. I also asked if @Romo was using public IPs on both ends or not. Because if he's behind CG-NAT, the current config wouldn't work.

I believe you need to define another ESP and IKE group for the site-to-site Tunnel 2. Also, your remote L2TP pool overlaps with one of the existing interface's IP range. It might overlap with the existing DHCP lease or a static address on your 192.168.4.0/24 network. I would make the remote pool totally different.

Do you have static public IPs on both ends? If yes, I'd do route-based site-to-site VPN with VTI interfaces instead. It stays always on as long as there's network connectivity between the peers. No need to define multiple individual policies either.

@travisdh1 Are there any benefits of configuring your own reverse-proxy if it's running behind CloudFlare that is essentially the one already? I know they offer their own Origin CA certs that you can install on your web servers to encrypt the traffic between CF and your cloud. As long as you're happy to stick with CloudFlare, there will be no need to run cron jobs with certbot renewals every 3 months.

Btw, is there anything agentless and free for Hyper-V or vSphere that can be used for scheduled VM backup? I had hopes for the free Unitrends but now they're shattered after this post.

Edit: Looks like the Unitrends' free offering for VMware is better but it's a topic for a different thread I guess:)

@scottalanmiller said in ZeroTier Virtual Adapter and SQL Express 2012 DB Troubles:

Depends how you look at it. You see them as being cheap. I see them as burning money because it's a big joke to show how much they can throw away. SQL Server is only chosen by the ultra rich with money to flaunt. Companies lacking money do IT well and run lean, companies that laugh in the face of profits because they have so much money that it's all just silly to them select outrageously overpriced products for no reason and run them on old worthless hardware... just because it's funny.

Their DB is relatively small (6 GB) and they're using free SQL Server Express with it, though. The whole thing should've really been open source and web-based, I agree.

Thanks @scottalanmiller and @bbigford. Not sure if they are willing to spend $$$ to do it right, though. OMG this SMB is so cheap, they're running this SQL DB on a 5 y.o. Dell tower server with no RAID and a consumer-grade HDD! They do have an internal IT guy but he has no business IT concepts whatsoever, he's more like an IT hobbyist with web design background.

I keep telling them they're wasting productivity with their disastrous IT. However, the main problem with many small organisations here is they don't see IT as an investment more like an inevitable expense. I believe that now a successful organisation regardless of its size is always built around a reliable and efficient IT infrastructure that serves them as operational backbone.