So I've tried to learn how to set up StS IKEv2 in different ways, but I've always hit the (same) wall in whatever way I try to get it to work.
The gist of it is that I cannot ping the remote of either side (I don't mean the public IPs). I have been successful in pinging and remoting to other subnet clients through it, but can never ping the routers' remote tunnel IPs.
I've tried many things like turning the firewall completely off; for NAT I left a general masquerade rule. I tried messing with different source NAT configurations, changing the tunnel IP address interfaces around; I've generally left it on a loopback on the server side and threw it around on the client side, making a loopback bridge on the client as well, and other things.
Yet I never got it fully working. What might be the problem? Is there some checkbox perhaps that messes with IPsec/IKEv2 VPNs?
IPsec policy source and destination addresses are static, and it establishes. Then when I try to make a GRE tunnel it seems to not connect.
With GRE inside IPSec, there can't be any problem; for tunnelled traffic it's simple standard routing.
There is a common problem when you have plain IPSec without GRE and you try to ping anything on the other site from the router. It won't work by default, because the router will not choose its internal address as source, so packets won't match the configured policy and won't be sent to the other site. Usually it's not a problem, because the router doesn't need to access anything on the other site anyway. Possible solutions:
If you just want to ping something, you can manually set the right source address.
You can add a srcnat rule for the router's packets to the other site.
You can add a route to the other site's subnet with pref-src=<router's local address>.
I prefer the last one. It doesn't matter where the route points to; it can be the default gateway, an empty bridge, anything. It's not used anyway, because IPSec steals outgoing packets, encrypts them and then they use the standard default gateway (or another route, if there is one).
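The three workarounds above written out as RouterOS terminal commands, plus the checks that go with them. This is an added illustration, not Sob's or the original poster's config; all addresses and the peer/proposal names are constructed (local LAN 192.168.1.0/24 with the router at 192.168.1.1, remote LAN 192.168.2.0/24 with its router at 192.168.2.1, plain tunnel-mode IPsec without GRE).

```routeros
# Constructed example: local LAN 192.168.1.0/24 (this router is 192.168.1.1),
# remote LAN 192.168.2.0/24 behind the other router (192.168.2.1).
# Static, non-overlapping policy selectors, as in the thread. Peer and
# proposal names are assumed.
/ip ipsec policy
add src-address=192.168.1.0/24 dst-address=192.168.2.0/24 \
    tunnel=yes action=encrypt peer=site-b proposal=site-b

# First check: the policy must show as active and have installed SAs,
# otherwise nothing below matters.
/ip ipsec policy print
/ip ipsec installed-sa print

# A router-originated ping picks the WAN address as source by default, so the
# packet misses the policy selector and leaves via the default route in clear.
# Option 1: set the source address for this ping only.
/ping 192.168.2.1 src-address=192.168.1.1 count=4

# Option 2: srcnat locally generated packets headed to the far site so they
# match the policy. It has to sit above the general masquerade rule.
/ip firewall nat
add chain=srcnat src-address-type=local dst-address=192.168.2.0/24 \
    action=src-nat to-addresses=192.168.1.1 place-before=0 \
    comment="router-originated traffic to site B"

# Option 3 (Sob's preference): a route whose only job is the pref-src.
# The gateway is never actually used, since the policy grabs the packet
# before forwarding; any valid gateway (default GW, an empty bridge) works.
/ip route
add dst-address=192.168.2.0/24 gateway=203.0.113.1 pref-src=192.168.1.1 \
    comment="only supplies the source address for site B"

# Caveat not covered in the thread: a general masquerade rule also rewrites
# LAN-to-LAN tunnel traffic before the policy sees it. Exempt that traffic
# with an accept rule placed first.
/ip firewall nat
add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.2.0/24 \
    action=accept place-before=0 comment="do not NAT site-to-site traffic"
```

After applying option 3, `/ping 192.168.2.1` without an explicit source should now match the policy; `/ip ipsec installed-sa print` shows the SA byte counters increasing if it does.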
And vice versa on the other side.
Not my usual thing, so could this be wrong?
I then pinged 192.168.99.1 with source 192.168.99.2 and vice versa: timeout.
Then I tracerouted 192.168.99.1; it went to the internet.
Added the source and it timed out.
Again, all with the firewall turned off.
Maybe I did not make it clear enough, but if you have GRE, only the first paragraph is relevant. I missed GRE at first and only noticed it after I wrote the explanation about the case without GRE, so I left it as extra info.
To elaborate on why GRE has to work, it's really the simplest thing there could be. You have a GRE interface on one side with 192.168.99.1/? and on another with 192.168.99.2/?. It's the same subnet; it's as if you directly connected two routers using an ethernet cable and gave them these addresses. There's no way it cannot work, unless there's something extra that changes the default behaviour. You should share a little bit more about your config: what extras do you have? Mangle rules for routing, routing rules, …?
Thank you Sob for the routing tip. I tried the others (NAT), but that usually made things work, and it also made me notice this in the routing table far more than I'd have before, VPN or not.
For this problem though, I got it working by resetting the configuration remotely, so I've unfortunately no idea what the actual problem was; whether it was a misconfiguration or a bug, I've no idea.
Also for final clarification, I disabled all of the firewall besides the single general masquerade rule: no filters, no raw, no mangle. And the problem was not GRE but the IKEv2 connection.
I wouldn't disable the whole firewall; some filter rules are good to have. For example, you probably don't want to allow everyone to try to guess your passwords. Or to try to exploit a vulnerability in a service running on the router, if one happens to come up.
Yeah, it was temporary, to eliminate the possibility that the firewall would get in the way; a desperate measure as nothing helped. In the end not even that helped though.