Vyos failed to establish remote access vpn after configuring wan load balancing

Hello! I have a problem getting connected to a remote access VPN after I configured WAN load balancing for my two ISP gateways. I need someone to assist me. Thanks!!!

Hello, please draw a network map and provide your configs.

Hello Dmitry, I have configured a LAN with two ISPs using WAN load balancing and one port for remote access VPN.

Here below is my configuration:

For load balancing
set protocols static route 0.0.0.0/0 next-hop 196.29.168.5
set protocols static route 0.0.0.0/0 next-hop 192.168.0.2

set load-balancing wan interface-health eth1 failure-count 2
set load-balancing wan interface-health eth1 nexthop 196.29.168.5
set load-balancing wan interface-health eth1 test 10 type ping
set load-balancing wan interface-health eth1 test 10 target 8.8.8.8
set load-balancing wan interface-health eth1 test 20 type ping
set load-balancing wan interface-health eth1 test 20 target 4.2.2.2

set load-balancing wan interface-health eth2 failure-count 2
set load-balancing wan interface-health eth2 nexthop 192.168.0.2
set load-balancing wan interface-health eth2 test 10 type ping
set load-balancing wan interface-health eth2 test 10 target 8.8.8.8
set load-balancing wan interface-health eth2 test 20 type ping
set load-balancing wan interface-health eth2 test 20 target 4.2.2.2

set load-balancing wan rule 10 failover
set load-balancing wan rule 10 inbound-interface 'eth0'
set load-balancing wan rule 10 interface eth1 weight 10
set load-balancing wan rule 10 interface eth2 weight 1

For VPN
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec nat-traversal enable
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
edit vpn l2tp
set remote-access outside-address 196.29.168.6
set remote-access authentication mode local
set remote-access authentication local-users username bob password 'secret'
set remote-access authentication local-users username tim password 'secret'
set remote-access client-ip-pool start 192.168.1.249
set remote-access client-ip-pool stop 192.168.1.255
set remote-access dns-servers server-1 8.8.8.8
set remote-access ipsec-settings authentication mode pre-shared-secret
set remote-access ipsec-settings authentication pre-shared-secret secret
set remote-access ipsec-settings ike-lifetime 3600

For NAT
set nat source rule 100 outbound-interface eth1
set nat source rule 100 source address 192.168.1.0/24
set nat source rule 100 translation address masquerade

Hello @basfaw, can you also provide the eth0 configuration? You have IPsec configured on eth0.

@basfaw, I think I found the reason. Of course WAN load balancing doesn't work in this case, because on inbound-interface 'eth0' the traffic is encrypted. You need to set the l2tp0 interface, for example:

set load-balancing wan rule 10 inbound-interface 'l2tp0'

Hi @Dmitry, thanks for your response.
My eth0 configuration is set like below:

set interfaces ethernet eth0 address '192.168.1.2/24'
set interfaces ethernet eth0 description 'LAN'

This interface is the link that connects my VyOS to my LAN.

In regards to the setup of the 'l2tp0' interface, please explain it more. How can I set this up?

@basfaw

set load-balancing wan rule 10 inbound-interface l2tp0
or the correct l2tp tunnel number.

Hi @Dmitry
Below I copied the whole configuration of my VyOS:

set interfaces ethernet eth0 address '192.168.1.2/24'
set interfaces ethernet eth0 description 'LAN'

set interfaces ethernet eth1 address '196.29.168.6/30'
set interfaces ethernet eth1 description 'WAN'

set interfaces ethernet eth2 address '192.168.0.1/24'
set interfaces ethernet eth2 description 'WAN'

set load-balancing wan interface-health eth1 failure-count '2'
set load-balancing wan interface-health eth1 nexthop '196.29.168.129'
set load-balancing wan interface-health eth1 test 10 target '8.8.8.8'
set load-balancing wan interface-health eth1 test 10 type 'ping'
set load-balancing wan interface-health eth2 failure-count '2'
set load-balancing wan interface-health eth2 nexthop '192.168.0.2'
set load-balancing wan interface-health eth2 test 10 target '8.8.8.8'
set load-balancing wan interface-health eth2 test 10 type 'ping'

set load-balancing wan rule 10 'failover'
set load-balancing wan rule 10 inbound-interface 'eth0'
set load-balancing wan rule 10 interface eth1 weight '10'
set load-balancing wan rule 10 interface eth2 weight '1'

set nat destination rule 2 description 'IPSEC TUNNELING PORT 500'
set nat destination rule 2 destination port '500'
set nat destination rule 2 inbound-interface 'eth1'
set nat destination rule 2 log 'enable'
set nat destination rule 2 protocol 'tcp_udp'
set nat destination rule 2 translation port '500'

set nat destination rule 3 description 'IPSEC TUNNELING PORT 4500'
set nat destination rule 3 destination port '4500'
set nat destination rule 3 inbound-interface 'eth1'
set nat destination rule 3 log 'enable'
set nat destination rule 3 protocol 'tcp_udp'
set nat destination rule 3 translation port '4500'

set nat destination rule 4 description 'VPN CLIENT TUNNELING PORT 1701'
set nat destination rule 4 destination port '1701'
set nat destination rule 4 inbound-interface 'eth1'
set nat destination rule 4 log 'enable'
set nat destination rule 4 protocol 'tcp_udp'
set nat destination rule 4 translation port '1701'

set nat source rule 100 outbound-interface 'eth1'
set nat source rule 100 source address '192.168.1.0/24'
set nat source rule 100 translation address 'masquerade'

set protocols static route 0.0.0.0/0 next-hop '192.168.0.2'
set protocols static route 0.0.0.0/0 next-hop '196.29.168.5'

set service ssh port '22'

set system gateway-address '196.29.168.5'

set vpn ipsec ipsec-interfaces interface 'eth1'
set vpn ipsec nat-networks allowed-network '0.0.0.0/0'
set vpn ipsec nat-traversal 'enable'
set vpn l2tp remote-access authentication local-users username basfaw password 'secret'
set vpn l2tp remote-access authentication mode 'local'
set vpn l2tp remote-access client-ip-pool start '192.168.1.249'
set vpn l2tp remote-access client-ip-pool stop '192.168.1.254'
set vpn l2tp remote-access description 'CCJVPN'
set vpn l2tp remote-access dns-servers server-1 '196.29.182.242'
set vpn l2tp remote-access dns-servers server-2 '196.29.182.246'
set vpn l2tp remote-access ipsec-settings authentication mode 'pre-shared-secret'
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret 'secret'
set vpn l2tp remote-access ipsec-settings ike-lifetime '3600'
set vpn l2tp remote-access mtu '1500'
set vpn l2tp remote-access outside-address '196.29.168.130'
set vpn l2tp remote-access outside-nexthop '196.29.168.129'

Hi @basfaw,

Did you try to replace

set load-balancing wan rule 10 inbound-interface 'eth0'

to

set load-balancing wan rule 10 inbound-interface 'l2tp0'


You can also create multiple rules, e.g.

set load-balancing wan rule 10 failover
set load-balancing wan rule 10 inbound-interface 'l2tp0'
set load-balancing wan rule 10 interface eth0 weight '10'
set load-balancing wan rule 10 interface eth1 weight '1'
set load-balancing wan rule 10 protocol 'all'
set load-balancing wan rule 20 failover
set load-balancing wan rule 20 inbound-interface 'eth0'
set load-balancing wan rule 20 interface eth0 weight '10'
set load-balancing wan rule 20 interface eth1 weight '1'
set load-balancing wan rule 20 protocol 'all'

@Dmitry
I don't have the interface name l2tp0, and it won't let me change it from eth0 to l2tp0, nor can I create multiple rules.

Which VyOS version are you using?
Look at my lab:

vyos@vyos# run show wan-load-balance 
Interface:  eth0
  Status:  active
  Last Status Change:  Tue Nov 19 08:34:15 2019
  +Test:  ping  Target: 1.1.1.1
    Last Interface Success:  0s 
    Last Interface Failure:  20m38s     
    # Interface Failure(s):  0

Interface:  eth1
  Status:  active
  Last Status Change:  Tue Nov 19 08:30:27 2019
  +Test:  ping  Target: 8.8.8.8
    Last Interface Success:  0s 
    Last Interface Failure:  n/a                
    # Interface Failure(s):  0

[edit]
vyos@vyos# run show wan-load-balance status 
Chain WANLOADBALANCE_PRE (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  569  180K ISP_eth0   all  --  l2tp0  *       0.0.0.0/0            0.0.0.0/0            state NEW
 6857 2270K CONNMARK   all  --  l2tp0  *       0.0.0.0/0            0.0.0.0/0            CONNMARK restore
   41  2460 ISP_eth0   all  --  eth2   *       0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 CONNMARK   all  --  eth2   *       0.0.0.0/0            0.0.0.0/0            CONNMARK restore

@Dmitry

vyos@vyos# run sho version
Version: VyOS 1.1.7
Description: VyOS 1.1.7 (helium)
Copyright: 2016 VyOS maintainers and contributors
Built by: maintainers@vyos.net
Built on: Wed Feb 17 09:57:31 UTC 2016
Build ID: 1602170957-4459750
System type: x86 64-bit
Boot via: image
HW model: HP Compaq Pro 6300 MT
HW S/N: TRF2320BL6
HW UUID: 00577391-28D9-E111-BB9C-AC162D110675
Uptime: 10:57:40 up 11 days, 17:02, 2 users, load average: 0.02, 0.04, 0.05

The WAN load balancing is working perfectly right now... my issue is with the VPN. I am not able to establish the remote access VPN. But when I remove the load balancing, the remote access VPN works fine.

1.1.x is EOL. Try 1.2.3 or the latest rolling.

@Dmitry

Let me try this and get back to you.

By the way @Dmitry
'eth0' is the inside interface. It is not involved in the VPN setup... What could encrypt the traffic on this interface???

I am asking this because you said earlier: "Of course WAN load balance don't work in this case, because on inbound-interface 'eth0' traffic is encrypted. You need set l2tp0 interface as an example."

Sorry, I misunderstood the schema. You have another problem. Did you see any messages in the log when you connect to the router via L2TP?

Sorry @Dmitry, maybe I am the one who made you misunderstand my schema.

Anyway, here below I copied the log:

#show log vpn l2tp
Nov 20 10:49:51 vyos xl2tpd[352]: Connection established to 41.223.160.137, 53103. Local: 40918, Remote: 9237 (ref=0/0). LNS session is 'default'
Nov 20 10:49:54 vyos xl2tpd[352]: Call established with 41.223.160.137, Local: 52832, Remote: 15961, Serial: 1133549651
Nov 20 10:49:54 vyos pppd[28815]: pppd 2.4.4 started by root, uid 0
Nov 20 10:49:54 vyos zebra[2490]: interface ppp0 index 47 <POINTOPOINT,NOARP,MULTICAST> added.
Nov 20 10:49:54 vyos pppd[28815]: Connect: ppp0 <--> /dev/pts/1
Nov 20 10:50:04 vyos zebra[2490]: interface ppp0 mtu changed from 1500 to 1300
Nov 20 10:50:17 vyos pppd[28815]: Unsupported protocol ‘Compression Control Protocol’ (0x80fd) received
Nov 20 10:50:30 vyos pppd[28815]: last message repeated 2 times
Nov 20 10:50:30 vyos zebra[2490]: warning: PtP interface ppp0 with addr 10.255.255.0/32 needs a peer address
Nov 20 10:50:30 vyos zebra[2490]: interface index 47 was renamed from ppp0 to l2tp0
Nov 20 10:50:30 vyos ripd[2492]: interface delete ppp0 index 47 flags 0x1090 metric 1 mtu 1300
Nov 20 10:50:30 vyos ripngd[2494]: interface delete ppp0 index 47 flags 0x1090 metric 1 mtu 1300
Nov 20 10:50:30 vyos pppd[28815]: local IP address 10.255.255.0
Nov 20 10:50:30 vyos pppd[28815]: remote IP address 192.168.1.249
Nov 20 10:50:30 vyos pppd[28815]: local IP address 10.255.255.0
Nov 20 10:50:30 vyos pppd[28815]: remote IP address 192.168.1.249
Nov 20 10:50:52 vyos pppd[28815]: local IP address 10.255.255.0
Nov 20 10:50:52 vyos pppd[28815]: remote IP address 192.168.1.249
Nov 20 10:50:56 vyos pppd[28815]: local IP address 10.255.255.0
Nov 20 10:50:56 vyos pppd[28815]: remote IP address 192.168.1.249
Nov 20 10:50:59 vyos pppd[28815]: local IP address 10.255.255.0
Nov 20 10:50:59 vyos pppd[28815]: remote IP address 192.168.1.249
Nov 20 10:51:24 vyos pppd[28815]: local IP address 10.255.255.0
Nov 20 10:51:24 vyos pppd[28815]: remote IP address 192.168.1.249
Nov 20 10:51:56 vyos xl2tpd[352]: Maximum retries exceeded for tunnel 40918. Closing.
Nov 20 10:51:59 vyos pppd[28815]: Modem hangup
Nov 20 10:51:59 vyos pppd[28815]: Connection terminated: no multilink.
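To make the failure pattern in that log easier to spot on other boxes, here is an added Python helper (not part of this thread or of VyOS) that scans xl2tpd/pppd lines for the sequence seen above: tunnel established, the negotiated address pair announced over and over, then xl2tpd giving up on an unacknowledged control channel. The sample excerpt and the verdict wording are this example's own constructions.

```python
import re
from collections import Counter

# Constructed sample: a trimmed copy of the 'show log vpn l2tp' output posted above.
SAMPLE_LOG = """\
Nov 20 10:49:51 vyos xl2tpd[352]: Connection established to 41.223.160.137, 53103. Local: 40918, Remote: 9237 (ref=0/0). LNS session is 'default'
Nov 20 10:50:30 vyos pppd[28815]: local IP address 10.255.255.0
Nov 20 10:50:30 vyos pppd[28815]: remote IP address 192.168.1.249
Nov 20 10:50:52 vyos pppd[28815]: local IP address 10.255.255.0
Nov 20 10:50:52 vyos pppd[28815]: remote IP address 192.168.1.249
Nov 20 10:51:56 vyos xl2tpd[352]: Maximum retries exceeded for tunnel 40918. Closing.
Nov 20 10:51:59 vyos pppd[28815]: Connection terminated: no multilink.
"""

CONN_RE = re.compile(r"xl2tpd\[\d+\]: Connection established to ([\d.]+), \d+\. Local: (\d+)")
IPCP_RE = re.compile(r"pppd\[(\d+)\]: remote IP address ([\d.]+)")
RETRY_RE = re.compile(r"xl2tpd\[\d+\]: Maximum retries exceeded for tunnel (\d+)")

def analyse_l2tp_log(text):
    """Summarise one remote-access attempt: peer, local tunnel id, how many times
    pppd announced the negotiated address pair (more than once means IPCP never
    settled) and whether xl2tpd gave up because its control messages went unacked."""
    summary = {"peer": None, "tunnel": None, "ipcp_announcements": 0, "timed_out": False}
    per_pppd = Counter()  # pppd pid -> number of address announcements
    for line in text.splitlines():
        m = CONN_RE.search(line)
        if m:
            summary["peer"], summary["tunnel"] = m.group(1), m.group(2)
            continue
        m = IPCP_RE.search(line)
        if m:
            per_pppd[m.group(1)] += 1
            continue
        m = RETRY_RE.search(line)
        if m and m.group(1) == summary["tunnel"]:
            summary["timed_out"] = True
    summary["ipcp_announcements"] = max(per_pppd.values(), default=0)
    return summary

def verdict(summary):
    """Heuristic reading of the summary (this example's assumption, not a VyOS rule)."""
    if summary["peer"] is None:
        return "no L2TP connection attempt seen"
    if summary["timed_out"] and summary["ipcp_announcements"] > 1:
        return ("one-way traffic: the client reached the router but the router's replies "
                "stopped arriving; check which ISP link the VPN responses leave on")
    if summary["timed_out"]:
        return "tunnel opened but timed out before PPP negotiated"
    return "session negotiated"
```

Feed it the output of `show log vpn l2tp` from a failing box; a "one-way traffic" verdict is the cue to compare the ISP link that hosts the outside-address with the one the router's replies actually egress through.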

I tried to reproduce this in my lab, but it works correctly on the latest rolling. I propose to update first, then provide logs if this issue appears.