VERY unreliable layer2 cascade connection, help needed
Posted: Mon Oct 14, 2019 5:52 am
Hello dear SoftEther expert folks,

I need to use a layer2 cascade connection between vpnserver instances at two distant Linux hosts, as described in chapter 10.5 of the SE manual. Meanwhile, I have read and tried a lot, but still experience problems.

Here's the current layout:

```
[host A]                   [NAT router A]                    [NAT router B]                 [host B]
  ,-------------------- publicIP A:5555 <---(internet)---- publicIP B
  |
  |                                                       192.168.179.1 <~~~~ <wlp2s0> 192.168.179.20
  v
192.168.2.240:5555 <eth0> ==== 192.168.2.1                                         <enp0s25> 192.168.2.60
  :                          (DHCP server)                                                      :
(vpnserver A)                  (vhub A)                                         (vhub B)   (vpnserver B)
  '. . . . . . . . . . . . . . . . . . . . . . (VPN) . . . . . . . . . . . . . . . . . . . . .'
```

Notes
- All devices run Linux, so the Windows GUI (VPN manager) is not an option.
- I consciously use vpnserver (rather than vpnbridge or vpnclient) on both hosts, as future experiments will utilize vpnserver functionality on both sides.
- The performance penalty of using the same NIC for plain and encapsulated traffic at host A is OK for the time being.
- The wireless 'router B <~~~~ host B' link is shaky, but stable enough for an IPSEC layer3 VPN test connection (without SoftEther) between router A and host B to work reasonably well.

Current status
- I managed to get through 10.5.8 Configuring Cascade Connections, i.e. the cascade connection is established.
- However, I'm struggling at 10.5.9 [...] Performing a Communication Test. Most protocol tests fail.

```
$ sudo dhclient enp0s25         # does receive an IP from the DHCP server
$ sudo arp-scan -I enp0s25 -l   # does list devices physically located in LAN segment A
```

Failing tests at host B: Apparently, the protocols IP, ICMP and TCP don't reliably pass the VPN link.

```
$ arping -I enp0s25 192.168.2.1   # yields only very rare replies (unlike from within LAN segment A, where I get 100/100 replies)
$ ping 192.168.2.1                # yields only very rare replies (unlike through the alternative IPSEC Cisco layer3 VPN, where I get 100/100 replies)
$ wget -O- 192.168.2.1            # Connecting to 192.168.2.1:80... failed: No route to host (unlike with the IPSEC, where TCP just works).
# etc.
```

The routing table of host B looks fine to me:

```
Kernel IP routing table   # dropped some unrelated lines
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface   MSS Window irtt
0.0.0.0         192.168.179.1   0.0.0.0         UG    600    0        0 wlp2s0    0 0      0
192.168.2.0     0.0.0.0         255.255.255.0   U     100    0        0 enp0s2    0 0      0
192.168.179.0   0.0.0.0         255.255.255.0   U     600    0        0 wlp2s0    0 0      0
```

Please, tell me: What am I doing wrong?

I am very grateful for every helpful hint or idea. Thank you!