VPN: hosts in remote LAN unreachable after update 1.2.3 -> 1.2 rolling

I have a working VPN (L2TP over IPsec) with v1.2.3 (roadwarrior -> VPN -> VyOS).

After updating to 1.2-rolling-201911170217 the tunnel comes up, no problem. But I can't reach any hosts in the remote network anymore except VyOS itself.

Hi, did you try to see packets on VyOS remote interfaces? What about traceroute from L2TP client to some host in the remote network?

@mikeboss do you have any NAT rules?

thnx Dmitry!

I did not change the configuration after upgrading from 1.2.3 to VyOS 1.2-rolling-201911170217

roadwarrior -> VPN -> VyOS (192.168.1.1) -> host in remote LAN 192.168.1.150

TRACEROUTE

WORKING (VyOS 1.2.3):
traceroute to 192.168.1.150 (192.168.1.150), 64 hops max, 52 byte packets
1 10.255.255.0 (10.255.255.0) 18.203 ms 18.907 ms 20.145 ms
2 192.168.1.150 (192.168.1.150) 20.244 ms 17.990 ms 19.314 ms

NOT WORKING (VyOS 1.2-rolling-201911170217):
traceroute to 192.168.1.150 (192.168.1.150), 64 hops max, 52 byte packets
1 192.168.1.225 (192.168.1.225) 18.944 ms 19.773 ms 16.481 ms
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *

So far, this is the only NAT rule:
set nat source rule 100 outbound-interface 'eth1'
set nat source rule 100 source address '192.168.1.0/24'
set nat source rule 100 translation address 'masquerade'

VPN configuration:
set vpn ipsec auto-update '30'
set vpn ipsec ipsec-interfaces interface 'eth1'
set vpn ipsec nat-networks allowed-network 10.0.0.0/8
set vpn ipsec nat-networks allowed-network 172.16.0.0/12
set vpn ipsec nat-networks allowed-network 192.168.0.0/16
set vpn ipsec nat-traversal 'enable'
set vpn l2tp remote-access authentication local-users username roadwarrior password 'password'
set vpn l2tp remote-access authentication mode 'local'
set vpn l2tp remote-access authentication require 'mschap-v2'
set vpn l2tp remote-access client-ip-pool start '192.168.1.225'
set vpn l2tp remote-access client-ip-pool stop '192.168.1.238'
set vpn l2tp remote-access dns-servers server-1 '192.168.1.1'
set vpn l2tp remote-access dns-servers server-2 '1.1.1.1'
set vpn l2tp remote-access idle '1800'
set vpn l2tp remote-access ipsec-settings authentication mode 'pre-shared-secret'
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret 'sharedsecret'
set vpn l2tp remote-access ipsec-settings ike-lifetime '3600'
set vpn l2tp remote-access ipsec-settings lifetime '3600'
set vpn l2tp remote-access mtu '1400'
set vpn l2tp remote-access outside-address 'WAN_IP_ADDRESS'

regards,
michael

Seems this behaviour comes with the migration to accel-ppp, which currently doesn't support proxy-arp for the L2TP connection type. As a temporary solution, you can set a different assigned IP address pool:

set vpn l2tp remote-access client-ip-pool start 192.168.2.225
set vpn l2tp remote-access client-ip-pool stop 192.168.2.238

UPD: Or you can also enable proxy-arp on the interface (VyOS (192.168.1.1) -> host in remote LAN):

set interfaces ethernet eth2 ip enable-proxy-arp

THNX Dmitry!

Enabling proxy-arp on the IP of the LAN interface of the VyOS gateway did the trick.

Setting the VPN client pool outside of the LAN's subnet, on the other hand, did not work.

regards,
michael

Hm, if we set the VPN client pool outside of the LAN's subnet, it must work too. I tested it in our LAB.
If you want to know what's wrong with the first method, you need to capture traffic on the interface to 192.168.1.150.
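The root cause in this thread is that the L2TP client pool (192.168.1.225-238) sits inside the LAN subnet behind eth2, so LAN hosts ARP for a client address that only VyOS can answer for; without proxy-arp the reply never comes, and the traceroute dies after the first hop. The following script is an added example, not code from the thread or from VyOS: it reads `set ...` lines of the kind pasted above and reports whether the pool is on-link (proxy-arp required on that interface) or routed (outside every LAN subnet, in which case LAN hosts must route back via VyOS). The eth2 address `192.168.1.1/24` in the sample is an assumption inferred from the post, since the thread never shows the interface configuration; `SAMPLE_CONFIG` is constructed input.

```python
import ipaddress
import re

# Constructed sample config: the thread's L2TP client pool plus an assumed LAN
# address for eth2 (the thread never shows it; 192.168.1.1/24 is inferred from
# the VyOS address in the post and is an assumption).
SAMPLE_CONFIG = """
set interfaces ethernet eth1 address 'dhcp'
set interfaces ethernet eth2 address '192.168.1.1/24'
set vpn l2tp remote-access client-ip-pool start '192.168.1.225'
set vpn l2tp remote-access client-ip-pool stop '192.168.1.238'
"""

# Straight and curly quotes, both of which show up in configs pasted into forums.
QUOTES = "'\u2018\u2019"


def _unquote(value):
    return value.strip(QUOTES)


def parse_interfaces(config_text):
    """Map interface name -> {'networks': [IPv4Network, ...], 'proxy_arp': bool}."""
    addr_re = re.compile(r"^set interfaces ethernet (\S+) address (\S+)$")
    parp_re = re.compile(r"^set interfaces ethernet (\S+) ip enable-proxy-arp$")
    ifaces = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        m = addr_re.match(line)
        if m:
            entry = ifaces.setdefault(m.group(1), {"networks": [], "proxy_arp": False})
            try:
                entry["networks"].append(ipaddress.ip_interface(_unquote(m.group(2))).network)
            except ValueError:
                pass  # keywords such as 'dhcp' carry no static subnet
            continue
        m = parp_re.match(line)
        if m:
            entry = ifaces.setdefault(m.group(1), {"networks": [], "proxy_arp": False})
            entry["proxy_arp"] = True
    return ifaces


def parse_l2tp_pool(config_text):
    """Return (start, stop) of the L2TP client pool, or None if incomplete.
    The '\\s*' tolerates a missing space such as 'stop192.168.2.238'."""
    pool_re = re.compile(r"^set vpn l2tp remote-access client-ip-pool (start|stop)\s*(\S+)$")
    found = {}
    for raw in config_text.splitlines():
        m = pool_re.match(raw.strip())
        if m:
            found[m.group(1)] = ipaddress.ip_address(_unquote(m.group(2)))
    if "start" in found and "stop" in found:
        return found["start"], found["stop"]
    return None


def check_pool_placement(config_text):
    """Classify the pool relative to the configured LAN subnets.
    'on-link'  : an endpoint of the pool lies inside an interface subnet, so
                 LAN hosts will ARP for client addresses (proxy-arp needed).
    'routed'   : the pool is outside every subnet; LAN hosts need a route back.
    'no-pool'  : no complete client-ip-pool in the config."""
    pool = parse_l2tp_pool(config_text)
    if pool is None:
        return {"status": "no-pool"}
    start, stop = pool
    for name, info in parse_interfaces(config_text).items():
        for net in info["networks"]:
            if start in net or stop in net:
                return {"status": "on-link", "interface": name,
                        "network": str(net), "proxy_arp": info["proxy_arp"]}
    return {"status": "routed"}


def advice(result):
    """Turn the classification into the operator-facing explanation."""
    if result["status"] == "on-link" and not result["proxy_arp"]:
        return (f"pool is inside {result['network']} on {result['interface']} with proxy-arp off: "
                f"LAN hosts ARP for client addresses and get no answer; "
                f"run 'set interfaces ethernet {result['interface']} ip enable-proxy-arp' "
                f"or move the pool to its own subnet")
    if result["status"] == "on-link":
        return "pool is on-link and proxy-arp is enabled: VyOS answers ARP for clients"
    if result["status"] == "routed":
        return "pool is outside every LAN subnet: LAN hosts must route it back via VyOS"
    return "no complete L2TP client pool configured"


if __name__ == "__main__":
    result = check_pool_placement(SAMPLE_CONFIG)
    print(result)
    print(advice(result))
```

Run it against a `show configuration commands` dump to see which of the two fixes from the thread applies; for a routed pool the script can only tell you the return path matters, so a capture on the LAN interface (as Dmitry suggests) is still the way to confirm whether the host actually replies.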