File copy problems in only 1 direction through IPSec inter-site VPN

filesipsecsite-to-site-vpn

i've a rather strange problem with 2 sites linked by an IPSec inter-site VPN and file transfert from a site to another.

SYNOPSYS (tl;dr) : File transfert via smb/ftp/whatever through ipsec tunnel between both sites works in a direction and not in the opposite; HALP

Complete version :

I have 2 sites, let's name them LUX and TLS, connected through an intersite VPN. Each site has a 100Mb fiber connection. At both ends are 2 Cisco RV320. I've configured an IPSec VPN between these sites, DH level 2, 3DES/SHA1 encryption.

Both sites can ping each other. I can perfectly join my servers via RDP from TLS to LUX and from LUX to TLS. I can browse the network shares that are in TLS from LUX, idem in the other way.

At this point, everything looks perfect.

Let's get in the tricky part.

If i try to copy a file from TLS to LUX, from a network share located in TLS, i have no problem, the file is copied perfectly. If i try to get a file located on a ftp in TLS from LUX (different machine than the one with the net shares), everything works fine too.

Resumé : file transfert TLS–> LUX everything OK

BUT §§

If i try to copy a file from LUX to the share located in TLS, from any machine from LUX, it fails…
If i try to upload a file to the ftp located in TLS (the same that is working when i download), it fails too.
I wanted to install a new AD DC in TLS as a new site connected to LUX, everything went fine until the moment of retrieving the AD database from LUX to TLS.
I get a recording error when i try to save a document opened in LUX from a share located in TLS too.

I tried to bypass the intersite VPN by connecting through a client-server PPTP VPN from my machine in LUX to a server in TLS, everything wentfine, i was able to copy files from LUX to TLS…

Résumé : file transfert LUX–>TLS NOT OK

I suspect the IPSec VPN to be the problem, i checked the MTU, it's set at 1500 and checked it on http://www.letmecheck.it/mtu-test.php and everything is fine.

May i get your help please cause i have lost almost a day on this problem and i won't have a hair left on my day at the end of this day 😀

Best Answer

I answer myself and hope it'll help someone someday.

Rule n°1 : to check your MTU, this site http://www.letmecheck.it/mtu-test.php ain't worth a good "ping -f 1500 hostip".

Rule n°2 : when performing a test to find the good MTU, remember to ping a host located at the other side of the tunnel and not only a website like google or fb :o

Rule n°3 : always remember the bytes taken by the protocol of encapsulation (here IPSec :o)

Long story short, my problem was a MTU problem on the TLS site, i had to put a value of 1410 to solve the issue.

Related Solutions

IPsec VPN – How to Configure ipsec.conf Files for Site-to-Site VPN

My word, you do have your work cut out. OK; here's a sort of outline primer, because at the moment you've got the fundamentals so wrong that the details don't matter.

Before anything else, the fact that you haven't got static public addresses for each of your internet connections is a problem. IPSec doesn't easily support tunnels in such configurations [1], so you're going to end up editing your ipsec.conf each time either of your addresses changes. OK?

Now, when I asked you if each OpenSWAN endpoint had a public IP address, and you confidently said "yes", it turns out - as I suspected - that you were wrong. Your ifconfig output shows me that one end has the address 192.168.1.78 and the other has the address 10.0.2.15. You also tell me that one end is (currently) behind the public IP address 212.251.112.115 and the other is behind 79.103.7.114. You don't say which is which, so I'll assume 192.168.1.78 is behind 212.251.112.115 and 10.0.2.15 is behind 79.103.7.114. If that's wrong, just reverse the correspondence. I'll also call the former pair left and the latter pair right. It makes no difference which is which, but it'll help us keep our thinking straight, which'd be a really good idea right about now.

You'll need to set up the public routers at both ends to forward UDP/500 and protocols 50 and 51 (just for completeness) to the OpenSWAN endpoints inside each public address. If you can't manage the two protocol punchthroughs, then investigate the doco on NAT traversal and forward UDP/4500 as well.

Firstly, it is a requirement that each end find its own IP address in the config, so that each end can know which of left and right it is when it starts. So left needs to have an ipsec.conf that contains

conn net-to-net  
    authby=secret
    left=192.168.1.78
    leftsubnet=192.168.1.0/24
    leftnexthop=%defaultroute
    right=79.103.7.114
    rightsubnet=10.0.2.0/24

and an ipsec.secrets that says

192.168.1.78 79.103.7.114: PSK "123"

while right must have an ipsec.conf that contains

conn net-to-net  
    authby=secret
    left=212.251.112.115
    leftsubnet=192.168.1.0/24
    right=10.0.2.15
    rightsubnet=10.0.2.0/24 
    rightnexthop=%defaultroute

and an ipsec.secrets that says

10.0.2.15 212.251.112.115: PSK "123"

Each end really needs to know who it really is, whilst it can pretend that it doesn't care that the remote end is behind a NAT. Do you see?

Furthermore, you'll need to config all the clients on each end so that they have a route to the remote RFC1918 network via the local OpenSWAN endpoint. You'll need to check that /proc/sys/net/ipv4/ip_forward is set to 1 on each endpoint. And it would be a really good idea to turn off any firewalling on the two endpoints, at least for now. You may also need to activate some config variables that tell each endpoint not to care that the remote endpoint thinks it has a different IP address from what the local endpoint thinks it has; from memory, these are leftid= and rightid=, but you're going to have to work that out for yourself.

So that's the basics. If you get the fundamental topology and concepts right, the rest is just debugging the details. Good luck with this.

[1] This isn't quite true. The SWAN implementations support opportunistic IPSec encryption, but this requires that you control your reverse DNS at both ends, and I'm guessing that you don't. Again, read the man pages if you want to know more about this.

IPSec Site-to-site VPN speed between Germany and China very poor

The speed/throughput may be some external factor, as EEAA mentions. But in general, when I've needed to provide remote access across long distance links (Chicago-Hong Kong or London-Seoul), RDP was not an option. Latency kills you at those distances...

Do you have the option to use something that's a bit better with high-latency long-distance links? Citrix (of course) and Ericom Blaze (and RDP accelerator) come to mind, as they fare much better in the conditions you describe.

Best Answer

Related Solutions

IPsec VPN – How to Configure ipsec.conf Files for Site-to-Site VPN

IPSec Site-to-site VPN speed between Germany and China very poor

Related Topic