So I'm still tracking this down. Since the VR can get out to the world and the
VMs can get to the world, I'm still thinking it's an issue with VPN clients
connected to the VR; it may be an ACL issue.
So below is from my mysql queries.
Here is my ACL ID 3 for Corey
SELECT * FROM cloud.network_acl;
3 Corey 8b4c3002-8773-428c-9536-582493b1a7f8 20 Corey 1
So I want to see everything where acl_id=3. OK, they are running some
websites on the servers, so ports 80 and 443 are open ingress, while the others are
specific IPs allowed in and then allowing out.
SELECT * FROM cloud.network_acl_item where acl_id=3;
5 0e107538-80ff-4666-b09a-30c54cde9693 3 80 80 Active tcp 2015-08-11 12:48:07 Ingress 1 Allow 1
6 5fea9b0d-5aa5-47cd-a3d8-61ffd5c9f53b 3 443 443 Active tcp 2015-08-11 12:48:23 Ingress 2 Allow 1
17 c7d83d09-f258-424d-9420-f172e5c9b144 3 Active all 2015-08-28 14:14:09 Egress 3 Allow 1
18 6d2ee38b-d072-4e86-b042-1bc0b8fc83d7 3 Active all 2015-08-28 15:07:06 Ingress 4 Allow 1
11 bdcfc67b-1e77-436f-93d3-a53fa133722f 3 Active all 2015-08-19 14:41:19 Ingress 5 Allow 1
19 2038c27e-4339-457c-868b-579ff556608c 3 Active all 2015-08-28 16:21:39 Egress 6 Allow 1
21 d3890db8-037e-45e7-9dbc-6d75940d74fd 3 Active all 2015-08-28 16:38:44 Ingress 7 Allow 1
14 c26ea73c-e86d-4987-8dae-fc7b62607578 3 Active all 2015-08-26 18:25:27 Ingress 8 Allow 1
15 ed568a95-fddb-44a2-b2dc-ba309f2c1e0a 3 Active all 2015-08-27 13:58:20 Ingress 9 Allow 1
Like I described below, 5 & 6 allow all IPs to connect to ports 80 & 443. 11
allows my VPN network 10.1.2.0/24 ingress. 14 was remote management to the
servers allowed in. 15 allows my IPSec tunnel ingress. 17 allows all of my IPs
egress. 18 was to get one of the VPN users into the system without VPN as he
needed to do some work. 19 and 21 were added to allow VPN clients ingress and
egress, hoping something would stick to the wall.
SELECT * FROM cloud.network_acl_item_cidrs;
5 5 0.0.0.0/0
6 6 0.0.0.0/0
11 11 10.1.2.0/24
14 14 #.#.#.#/30
15 15 192.168.71.0/24
17 17 0.0.0.0/0
18 18 #.#.#.#/32
19 19 10.1.2.0/24
21 21 10.1.2.0/24
And still, when I VPN into the VPC VR and set the TCP/IP Advanced options to
"Use default gateway on remote network", I cannot route past 10.1.2.1 if I try to
tracert to the world (8.8.8.8).
Jeremy
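As an added check (example code, not part of the thread or of CloudStack), here is a small first-match evaluator over the ACL 3 items listed above, so you can confirm what that list actually permits for a given flow. It assumes CloudStack custom-ACL semantics of ascending rule number, CIDR = source for Ingress and destination for Egress, and deny when nothing matches; the two masked CIDRs are replaced by labelled placeholders.

```python
# Added example: evaluate the ACL items from the network_acl_item and
# network_acl_item_cidrs output above, first match by ascending rule number.
# Assumptions: unmatched traffic is denied; for Ingress the CIDR is the
# source, for Egress it is the destination; "all" matches any protocol/port.
import ipaddress

# Constructed from the rows above:
# (number, protocol, start_port, end_port, traffic_type, action, cidr).
# The masked #.#.#.# CIDRs from the listing are placeholders here.
ACL_3 = [
    (1, "tcp", 80, 80, "Ingress", "Allow", "0.0.0.0/0"),      # item id 5
    (2, "tcp", 443, 443, "Ingress", "Allow", "0.0.0.0/0"),    # item id 6
    (3, "all", None, None, "Egress", "Allow", "0.0.0.0/0"),   # item id 17
    (4, "all", None, None, "Ingress", "Allow", "203.0.113.9/32"),  # id 18, placeholder
    (5, "all", None, None, "Ingress", "Allow", "10.1.2.0/24"),     # id 11, VPN clients
    (6, "all", None, None, "Egress", "Allow", "10.1.2.0/24"),      # id 19
    (7, "all", None, None, "Ingress", "Allow", "10.1.2.0/24"),     # id 21
    (8, "all", None, None, "Ingress", "Allow", "203.0.113.0/30"),  # id 14, placeholder
    (9, "all", None, None, "Ingress", "Allow", "192.168.71.0/24"), # id 15, IPSec site
]


def evaluate(acl, direction, remote_ip, proto, port):
    """Return (action, rule_number) of the first matching item, or ("Deny", None).

    direction: "Ingress" or "Egress"; remote_ip: the source (Ingress) or
    destination (Egress) address; proto: "tcp", "udp" or "icmp"; port: int or None.
    """
    ip = ipaddress.ip_address(remote_ip)
    for num, rproto, lo, hi, rdir, action, cidr in sorted(acl, key=lambda r: r[0]):
        if rdir != direction:
            continue
        if ip not in ipaddress.ip_network(cidr):
            continue
        if rproto != "all":
            if rproto != proto:
                continue
            if lo is not None and (port is None or not lo <= port <= hi):
                continue
        return action, num
    return "Deny", None


if __name__ == "__main__":
    # A few flows from the thread: public web traffic, unsolicited SSH,
    # a VPN client reaching a server, and a server reaching 8.8.8.8.
    for flow in [("Ingress", "198.51.100.7", "tcp", 443),
                 ("Ingress", "198.51.100.7", "tcp", 22),
                 ("Ingress", "10.1.2.3", "tcp", 22),
                 ("Egress", "8.8.8.8", "icmp", None)]:
        print(flow, "->", evaluate(ACL_3, *flow))
```

Note that a VPC ACL is attached to a tier, so this only tells you what the tier's VMs may send and receive; it says nothing about how the VR forwards or NATs traffic from the VPN client range itself.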
-----Original Message-----
From: Jeremy Peterson [mailto:[email protected]]
Sent: Tuesday, September 1, 2015 2:19 PM
To: [email protected]
Subject: Re: VPC VPN Connectivity Issues
So I have yet to see anyone respond to this.
I will be looking more into it tomorrow but if anyone has any suggestions that
would be great.
Basically since the VPC network CIDR is 192.168.2.0/24 while the VPN network is
10.1.2.0/24 I am having issues with using a split tunnel setup connecting to
servers that are on the 192.168.2.0/24 network and then also connecting to a
Site2Site IPSec tunnel network 192.168.71.0/24.
So I change it to a full tunnel, and then they cannot route past the VPC gateway
10.1.2.1, but they can ping 192.168.2.X servers and they can ping 192.168.71.X
clients.
Jeremy
________________________________________
From: Jeremy Peterson <[email protected]>
Sent: Saturday, August 29, 2015 8:43 PM
To: [email protected]
Subject: RE: VPC VPN Connectivity Issues
I have set firewall rules to allow 192.168.71.0/24 and 10.1.2.0/24. Still no
Internet without split tunneling over VPN.
Jeremy
Sent from my Verizon Wireless 4G LTE smartphone
-------- Original message --------
From: Jeremy Peterson <[email protected]>
Date: 8/29/2015 10:00 AM (GMT-06:00)
To: [email protected]
Subject: VPC VPN Connectivity Issues
I am not sure if this was asked or answered but googling has led me nowhere.
I am running CloudStack 4.5.0, XenServer 6.5, Advanced networking w/ VLAN
segmentation.
I have a VPC set up for which I am using an IPSec tunnel back to a ZyWALL firewall
and a m0n0wall firewall.
m0n0wall          CloudStack VPC    ZyWALL
192.168.1.0/24    192.168.2.0/24    192.168.71.0/24
Tunnels are setup in vpc for both locations and servers in cloudstack can
connect to the world and connect to the monowall and zywall networks.
Everything is fine with that, but when I have a remote user that needs to VPN
into the CloudStack VPC is where I am thrown into a whirlwind of questions.
I setup a VPN connection on the VR for the VPC.
I setup username/password.
The user sets up the connection on his Mac OS X and using split tunnel can
connect to the VPN.
My VPN network is 10.1.2.0/24
He receives a 10.1.2.3 ip address.
He is unable to ping the IPSec Tunnel gateways 192.168.1.1 and 192.168.71.1.
He can get to the world as his default gateway is his router.
I switched to push all traffic over the VPN to remove the split tunnel.
He is able to ping the 10.1.2.1 gateway on the VR
He is able to ping his gateway the VPC router 10.1.2.1.
He is able to ping the VPC network's gateway 192.168.2.1
He is unable to get to the world. I try to ping Google DNS 8.8.8.8 and it
doesn't get past the VR 10.1.2.1 in traceroutes.
I am looking for help on this as I'm confused. If I change him back to a split
tunnel, as that would be preferred, why is the tunnel not announcing all networks
known to the VR?
I was able to recreate this issue on windows 8.1.
Jeremy