Connecting 2 Sites / IP-Routes

Post your questions about SoftEther VPN software here. Please answer questions if you can afford.
Post Reply
s25a
Posts: 7
Joined: Sun Aug 21, 2022 12:04 pm

Connecting 2 Sites / IP-Routes

Post by s25a » Sun Aug 21, 2022 1:27 pm

Hi everyone,

I am new to Softether and already manged to get Clients connected to a VPN Server. Pretty straight forward.
Now I want to connect two sites and though reading the Tutorials on the Softether Page I did not managed to get this to work.

I have 2 sites configured.

Site1-LA
VPN Bridge installed on Windows PC
IP: 192.168.3.123
SUBNET: 255.255.255.0
Gateway: 192.168.3.1

Site2-SP
VPN Bridge installed on Windows PC
IP: 192.168.178.124
SUBNET: 255.255.255.0
Gateway: 192.168.178.1

Main-Side with VPN Server
IP: 10.0.35.101
SUBNET: 255.255.255.0
Gateway: 10.0.35.1

Both sides are successfully connected to the VPN Server on the main site. See screenshots attached.

- On each site the Local Bridge setting is done and a cascade connection is setup and working
- On server site all 3 virtual hubs are setup and also Local bridge are setup for the main site.

So far so good.

The subject is that site1-LA has access to site2-2 (and vice versa).
To test this it should be possible to ping the Gate at site2: 192.168.178.1 from PC at site1: 192.168.3.123

To do this - I understood that a Layer3 Switch on the Server is necessary and also routes - however Here I did not find the right settings.
Can someone help me here to setup this properly?

Thanks in Advance

S
You do not have the required permissions to view the files attached to this post.

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: Connecting 2 Sites / IP-Routes

Post by solo » Sun Aug 21, 2022 2:35 pm


s25a
Posts: 7
Joined: Sun Aug 21, 2022 12:04 pm

Re: Connecting 2 Sites / IP-Routes

Post by s25a » Sun Aug 21, 2022 8:31 pm

Hi Solo,

thanks - I already tried these settings without success. Attached is the Screenshot of the Layer 3 Switch.
(At a first step I tried to route the traffic from Main site to site2)

I can ping the own Virtual IP (here from main site the 10.0.35.200) but that's it - the routing does not work (ping to 192.168.178.200)

Any idea where the issue is?

Thanks S
You do not have the required permissions to view the files attached to this post.

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: Connecting 2 Sites / IP-Routes

Post by solo » Mon Aug 22, 2022 12:11 am

Incorrect, change it to:

Site1-LA
Gateway: 192.168.3.1 - on the router add static route:
ip route add 192.168.178.0/24 via 192.168.3.254
- if the router does not support static routes, add persistent static route to every PC which needs to cross-connect:
route -p add 192.168.178.0 mask 255.255.255.0 192.168.3.254

Site2-SP
Gateway: 192.168.178.1 - on the router add static route:
ip route add 192.168.3.0/24 via 192.168.178.254
- if the router does not support static routes, add persistent static route to every PC which needs to cross-connect:
route -p add 192.168.3.0 mask 255.255.255.0 192.168.178.254

"Main-Side" with VPN Server
"Main" L3 switch:
- stop it and delete everything you have entered already
- do not add anything to the routing table
- add virtual interface 192.168.3.254/Site1-LA
- add virtual interface 192.168.178.254/Site2-SP

s25a
Posts: 7
Joined: Sun Aug 21, 2022 12:04 pm

Re: Connecting 2 Sites / IP-Routes

Post by s25a » Mon Aug 22, 2022 8:46 am

Hi Solo,

first of all thank you very much for the detailed information. That seems all very logical for me.
It did work immediately however it is very unstable.

For all who want to do the same thing here is a step-by-step and also the result which shows that almost 50% of the pings are dropped.
To make it easier I have just setup 2 sites
1) Main site with the server and network 10.0.35.0/24
2) branch site Site2-SP with network 192.168.178.0/24

STEP 1: Install VPN-server (latest stable) on Main Site.
- Setup 2 virtual hubs (each for one site) and add virtual IPS to it. See screenshots attached
- Setup a local bridge between network adapter and the virtual hub-Main site
- Setup VPN User for the cascade connection of the bridge that is described in the next STEP
- HInt: VPN-Server side must have a IP and Open Port (in my case 443) so that the bridge can connect to
001.jpg
002.jpg
STEP 2: Install VPN-Bidge (also latest stable) on branch site
- Setup a local bridge between network adapter and the virtual hub bridge
- Setup cascade connection to the VPN Server
- Go Online and connect to VPN Server
br01.jpg
---> Test of connection in reply to this
You do not have the required permissions to view the files attached to this post.

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: Connecting 2 Sites / IP-Routes

Post by solo » Mon Aug 22, 2022 9:23 am

s25a wrote:
Mon Aug 22, 2022 8:46 am
It did work immediately however it is very unstable.
...almost 50% of the pings are dropped.
Hello s25a, stability has nothing to do with L3 switch or routing - simply get better internet connections or control traffic overload there.

s25a
Posts: 7
Joined: Sun Aug 21, 2022 12:04 pm

Re: Connecting 2 Sites / IP-Routes

Post by s25a » Mon Aug 22, 2022 9:24 am

STEP 3: Test connection between sites. (AT a first step only with two computers to reduce complexity)
- PC1 with VPN-Server: Add route to branch with: route add 192.168.178.0 mask 255.255.255.0 10.0.35.200 metric 1
- PC2 with VPN-Bridge: Add route to Main-site with: route add 10.0.35.0 mask 255.255.255.0 192.168.178.200 metric 1
003.jpg
br02.jpg
Result: See screenshot about 50% of the packets are dropped.
2022-08-22 10_25_02.jpg
What is really strange:
When I connect from the branch via the VPN-Client (not the VPN-bridge) there is no single drop o a packet.
So I guess something in my setup is wrong. Any help is appreciated.

Thanks S
You do not have the required permissions to view the files attached to this post.

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: Connecting 2 Sites / IP-Routes

Post by solo » Mon Aug 22, 2022 10:29 am

s25a wrote:
Mon Aug 22, 2022 9:24 am
When I connect from the branch via the VPN-Client (not the VPN-bridge) there is no single drop o a packet.
Did you read above? Note:
- your branch site is on a presumably mobile connection with asymmetric DL/UP
- pings to/from the site are subject to connection quality and other local traffic
- in this particular case, UP-capacity of the branch is critical

s25a
Posts: 7
Joined: Sun Aug 21, 2022 12:04 pm

Re: Connecting 2 Sites / IP-Routes

Post by s25a » Mon Aug 22, 2022 10:36 am

Hi Solo,

thanks again for your help.

The Main- Branch is on Fiber LWL.

I tested two connections for the branch.

1) Mobile connection (5G) (Down about 150Mbit / Up 50 Mbit) Latency about 30ms
2) VDSL100 connection from German Telekom (100Mbit Down /40 UP) no vectoring. Latency about 20ms

With both connection there is no issue when I connect via the VPN-Client from PC to the Main-Branch.
However as soon as I try with the VPN-Bridge (Same PC, same cabling) packets are dropped.

I fully understand that it is up to the internet connection however I think as long as the VPN-Client connection works the site-by-site Bridge connection should also work. Or is that a different type of connection?

Thanks S

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: Connecting 2 Sites / IP-Routes

Post by solo » Mon Aug 22, 2022 11:17 am

Let's try a temporary diagnostic re-configuration.

Firstly, check if main/branch sites have perhaps SecureNAT enabled as this would mess up net in the current context.
If SecureNAT is enabled, disable it and re-test ping.
If SecureNAT is disabled, proceed as follows.
- on the SE server stop/disable L3 switch
- on the PC with SE server install also SE client (yes, you read it correctly)
- delete static route to Site2-SP (because you used "metric 1")
- on the newly installed vNIC set a static IP from the vacant range of Site2-SP, no def gateway
- from the newly installed client make a localhost connection to the Site2-SP's vHUB

You can now ping to/from the sites without L3 - what's the performance?

s25a
Posts: 7
Joined: Sun Aug 21, 2022 12:04 pm

Re: Connecting 2 Sites / IP-Routes

Post by s25a » Tue Aug 23, 2022 5:38 pm

Hi solo,

thanks again and sorry for the late reply.
SecureNAT was not enabled I checked all settings.

I proceed the steps you described and the ping goes to the PC on the branch side. Connection is VDSL.

See screenshot attached. No drops in the last 20 minutes.

Thanks A

EDIT: A ping from the branch to the main site does not work
You do not have the required permissions to view the files attached to this post.

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: Connecting 2 Sites / IP-Routes

Post by solo » Tue Aug 23, 2022 11:45 pm

s25a wrote:
Tue Aug 23, 2022 5:38 pm
A ping from the branch to the main site does not work
Hi s25a, so ping from the branch to the main site, at 192.168.178.190, does not work? Bizarre but irrelevant as now we can compare pings from the main site to the branch, which are perfect via the localhost client and lossy on L3.

But why are you pinging a different target on the Site2-SP network and not using the same internet connection? Note...
L3 switch - 42% loss, ping 192.168.178.124 latency from 43ms to 1008ms
localhost - 0% loss, ping 192.168.178.102 latency 30ms +/-1ms

Clearly we're not comparing apples with apples. Do repeat the test multiple times with L3 on/off and client off/on in identical conditions and if, or when, you are absolutely sure that L3 is to blame then report the issue on https://github.com/SoftEtherVPN/SoftEtherVPN/issues
Later please update us here when you get a solution from the devs.

s25a
Posts: 7
Joined: Sun Aug 21, 2022 12:04 pm

Re: Connecting 2 Sites / IP-Routes

Post by s25a » Wed Aug 24, 2022 12:15 pm

Hi Solo,

thank you for your reply and support.
L3 switch - 42% loss, ping 192.168.178.124 latency from 43ms to 1008ms
localhost - 0% loss, ping 192.168.178.102 latency 30ms +/-1ms
Indeed, a bit confusing. However it is the same PC with a different IP-Address. Both test with same same connection.
But - as recommended I will do some extended testing before reaching out to the devs.

Thanks S

Post Reply