VERY unreliable layer2 cascade connection, help needed

Post by GfEw » Mon Oct 14, 2019 5:52 am

Hello dear SoftEther expert folks,

I need to use a layer2 cascade connection between vpnserver instances at two distant Linux hosts, as described in chapter 10.5 of the SE manual. Meanwhile, I have read and tried a lot, but still experience problems.

Here's the current layout:

                                                                      
        [host A]                 [NAT router A]                       [NAT router B]            [host B]


                ,--------------  publicIP A:5555  <---(internet)----  publicIP B
                |
                |                                                     192.168.179.1   <~~~~  <wlp2s0>  192.168.179.20
                v  
192.168.2.240:5555 <eth0>  ====  192.168.2.1                                                 <enp0s25> 192.168.2.60
                     :           (DHCP server)                                                 :      
   (vpnserver A) (vhub A)                                                                    (vhub B)  (vpnserver B)
                     '. . . . . . . . . . . . . . . . . (VPN) . . . . . . . . . . . . . . . . .'
                                         
Notes
  • All devices run Linux, so the Windows GUI (VPN manager) is not an option.
  • I consciously use vpnserver (rather than vpnbridge or vpnclient) on both hosts, as future experiments will utilize vpnserver functionality on both sides.
  • The performance penalty of using the same NIC for plain and encapsulated traffic at host A is OK for the time being.
  • The wireless 'router B <~~~~ host B' link is shaky, but stable enough for an IPSEC layer3 VPN test connection (without softether) between router A and host B to work reasonably well.

Current status
Successful tests at host B:

$ sudo dhclient enp0s25       # does receive an IP from the DHCP server
$ sudo arp-scan -I enp0s25 -l # does list devices physically located in lan segment A

Failing tests at host B:

$ arping -I enp0s25 192.168.2.1 # yields only very rare replies (unlike from within lan segment A, where I get 100/100 replies)
$ ping 192.168.2.1              # yields only very rare replies (unlike through the alternative IPSEC Cisco layer3 VPN, where I get 100/100 replies)
$ wget -O- 192.168.2.1          # Connecting to 192.168.2.1:80... failed: No route to host (unlike with the IPSEC, where TCP just works).
# etc.

Apparently, the protocols IP, ICMP and TCP don't reliably pass the VPN link.

The routing table of host B looks fine to me:

Kernel IP routing table # dropped some unrelated lines
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface    MSS   Window irtt
0.0.0.0         192.168.179.1   0.0.0.0         UG    600    0        0 wlp2s0   0     0      0
192.168.2.0     0.0.0.0         255.255.255.0   U     100    0        0 enp0s2   0     0      0
192.168.179.0   0.0.0.0         255.255.255.0   U     600    0        0 wlp2s0   0     0      0

Please, tell me: What am I doing wrong?

I am very grateful for every helpful hint or idea. Thank you!

Re: VERY unreliable layer2 cascade connection, help needed

Post by GfEw » Tue Oct 15, 2019 2:31 am

There are some rare replies to arping and ping (see above)! Like, a couple in a thousand!

Apparently, it's not strictly a configuration but rather a VPN link stability issue!
  • Is SE VPN known to be affected by unstable physical links *so* much more than e.g. IPSEC layer3 VPN?
  • If so, why?
  • Is there anything I can do to improve stability of SoftEther layer 2 cascade connections over less-than-stable physical links?

Re: VERY unreliable layer2 cascade connection, help needed

Post by darkrain » Thu Feb 27, 2020 6:11 am

Need a gateway to connect both internal IP ranges.
