RE: VPC VPN Connectivity Issues

[Jeremy Peterson]

So I'm still tracking this down.  Since the VR can get out to the world and the 
VM's can get to the world I'm still thinking its and issue with VPN clients 
connected to VR may be a ACL issue.

So below is from my mysql queries.

Here is my ACL ID 3 for Corey
SELECT * FROM cloud.network_acl;
3       Corey   8b4c3002-8773-428c-9536-582493b1a7f8    20      Corey   1

So I want to see everything where acl_id=3 and ok they are running some 
websites on the servers port 80 and 443 are open ingress where others are 
specific ip allowed in and then allowing out.
SELECT * FROM cloud.network_acl_item where acl_id=3;
5       0e107538-80ff-4666-b09a-30c54cde9693    3       80      80      Active  
tcp     2015-08-11 12:48:07                     Ingress 1       Allow   1
6       5fea9b0d-5aa5-47cd-a3d8-61ffd5c9f53b    3       443     443     Active  
tcp     2015-08-11 12:48:23                     Ingress 2       Allow   1
17      c7d83d09-f258-424d-9420-f172e5c9b144    3                       Active  
all     2015-08-28 14:14:09                     Egress  3       Allow   1
18      6d2ee38b-d072-4e86-b042-1bc0b8fc83d7    3                       Active  
all     2015-08-28 15:07:06                     Ingress 4       Allow   1
11      bdcfc67b-1e77-436f-93d3-a53fa133722f    3                       Active  
all     2015-08-19 14:41:19                     Ingress 5       Allow   1
19      2038c27e-4339-457c-868b-579ff556608c    3                       Active  
all     2015-08-28 16:21:39                     Egress  6       Allow   1
21      d3890db8-037e-45e7-9dbc-6d75940d74fd    3                       Active  
all     2015-08-28 16:38:44                     Ingress 7       Allow   1
14      c26ea73c-e86d-4987-8dae-fc7b62607578    3                       Active  
all     2015-08-26 18:25:27                     Ingress 8       Allow   1
15      ed568a95-fddb-44a2-b2dc-ba309f2c1e0a    3                       Active  
all     2015-08-27 13:58:20                     Ingress 9       Allow   1

Like I described below 5 &6 allow all ip's to connect to ports 80 & 443.  11 
allows my VPN networking 10.1.2.0/24 ingress.  14 was remote management to the 
servers allowed in. 15 allows my IPSec tunnel ingress. 17 allows all of my ip's 
egress. 18 was to get one of the VPN users into the system without VPN as he 
needed to do some work. 19 and 21 were added to allow VPN clients ingress and 
egress hoping something would stick to the wall
SELECT * FROM cloud.network_acl_item_cidrs;
5       5       0.0.0.0/0
6       6       0.0.0.0/0
11      11      10.1.2.0/24
14      14      #.#.#.#/30
15      15      192.168.71.0/24
17      17      0.0.0.0/0
18      18      #.#.#.#/32
19      19      10.1.2.0/24
21      21      10.1.2.0/24

And still.  When I VPN into the VPC VR and I set the TCP/IP Advanced options to 
Use default gateway on remote network. I cannot route past 10.1.2.1 if I try to 
tracert to the world 8.8.8.8
                
Jeremy

-----Original Message-----
From: Jeremy Peterson [mailto:jpeter...@acentek.net] 
Sent: Tuesday, September 1, 2015 2:19 PM
To: users@cloudstack.apache.org
Subject: Re: VPC VPN Connectivity Issues

So I have yet to see anyone respond to this.

I will be looking more into it tomorrow but if anyone has any suggestions that 
would be great.

Basically since the VPC network CIDR is 192.168.2.0/24 while the VPN network is 
10.1.2.0/24  I am having issues with using a split tunnel setup connecting to 
servers that are on the 192.168.2.0/24 network and then also connecting to a 
Site2Site IPSec tunnel network 192.168.71.0/24.

So I change it to a Full Tunnel and then they cannot route pass the VPC Gateway 
10.1.2.1 but then can ping 192.168.2.X servers and they can ping 192.168.71.X 
clients.

Jeremy
________________________________________
From: Jeremy Peterson <jpeter...@acentek.net>
Sent: Saturday, August 29, 2015 8:43 PM
To: users@cloudstack.apache.org
Subject: RE: VPC VPN Connectivity Issues

I have set firewall rules to allow 192.168.71.0/24 And 10.1.2.0/24. Still no 
Internet without split tunneling over vpn.

Jeremy

Sent from my Verizon Wireless 4G LTE smartphone


-------- Original message --------
From: Jeremy Peterson <jpeter...@acentek.net>
Date: 8/29/2015 10:00 AM (GMT-06:00)
To: users@cloudstack.apache.org
Subject: VPC VPN Connectivity Issues

I am not sure if this was asked or answered but googling has led me no where.


I am running cloudstack 4.5.0,  XenServer 6.5, Advanced networking w/ VLAN 
segmentation.


I have a VPC setup which i am using a IPSec tunnel back to a zywall firewall 
and a monowall firewall.


Monowall                    Cloustack VPC            zywall

192.168.1.0/24            192.168.2.0/24        192.168.71.0/24


Tunnels are setup in vpc for both locations and servers in cloudstack can 
connect to the world and connect to the monowall and zywall networks.


Everything is fine with that but when I have a remote user that needs to VPN 
into the cloudstack VPC is where i am thrown into a whirlwind of questions.


I setup a VPN connection on the VR for the VPC.

I setup username/password.


The user sets up the connection on his Mac OSX and using split tunnel can 
connect to the VPN.


My VPN network is 10.1.2.0/24


He receives a 10.1.2.3 ip address.


He is unable to ping the IPSec Tunnel gateways 192.168.1.1 and 192.168.71.1.


He can get to the world as his default gateway is his router.


I switched to push all traffic over the VPN to remove the split tunnel.


He is able to ping the 10.1.2.1 gateway on the VR


He is able to ping his gateway the VPC router 10.1.2.1.


He is able to ping the VPC network's gateway 192.168.2.1

He is unable to get to the world.  I try to ping google dns 8.8.8.8 and it 
doesnt' get past the VR 10.1.2.1 in traceroutes.

I am looking for help on this as i'm confused.  If I change him back to a split 
tunnel as that would be prefered why is the tunnel not annoucing all networks 
know to the VR.

I was able to recreate this issue on windows 8.1.

?Jeremy