[SOLVED] Firmware bug + OpenVPN issue with site to site
Hi all!
I come back to the community and support!
My config:
I have 2 ER7206 (same model)
LAN1 <-> Main site A [ER7206] <- internet -> remote site B [ER7206] <-> LAN2
Site A is an entry point for users with OpenVPN and admin (PPTP for my old Win7 or L2TP for W10 access)
Users connect to site using OpenVPN client (Win or Android) and can access the whole network (LAN1 and LAN2).
I had to update the client conf in order to add a route for LAN2 (the default client file is not enough)
=> On previous firmware, everything is OK
I have upgraded the firmware today from ER7206(UN)_V1_1.2.0 Build 20220117 to ER7206(UN)_V1_1.2.3 Build 20221104 and finally to ER7206(UN)_V1_1.3.0 Build 20230322
The good thing of this firmware is that the bandwidth between LAN1 and LAN2 has been improved: on a fiber link 1G/500M, I have measured a bandwidth of 200 Mbits and a good latency (<5ms) between the 2 sites (they are in the same city)
I have encountered the same bugs with the 2 last firmwares!
How to reproduce bug 1?
- Site A or B: setup a L2TP access and enable it
- setup a site-to-site using IPSec between Site A and Site B (whatever the IP)
=> Log: WAN: Phase 2 of IKE negotiation failed Error=18
- disable L2TP access and the site-to-site is established within the minute. You can enable it after, the connection is not broken. But in case of a power outage, we can let the other VPNs enabled. It is not good.
Another user encountered the same. See here
=> It was working with the previous firmware. I think it is a bug.
How to reproduce bug 2?
The second issue is related to OpenVPN, a kind of the last issue. See here
- setup a site-to-site using IPSec between Site A and Site B (whatever the IP)
- setup an OpenVPN access on Site A
- connect remotely using OpenVPN to Site A: try to ping the GW @ Site B: nothing!
The ping is OK if connected by PPTP or L2TP
With the previous firmware, the OpenVPN client needs to have an additional route to access the other part of the network, i.e. the remote network.
For my case:
LAN1
But with the 2 last firmwares, the OpenVPN client sees only the local network attached to the access point, not the remote one
OpenVPN client connection
|
LAN1 <-> Main site A [ER7206] <- internet -> remote site B [ER7206] <-> LAN2
=> Client sees LAN1 but not LAN2
A traceroute shows that no answer is given by Site A (despite a dedicated route being set: I have set the route manually in order to validate) and the route is sent to the internet from the client
Normally, the OpenVPN client must be considered as connected on LAN1 and naturally see all the subnets (local, local routed or remote)
I tried using:
- IP in LAN1 subnet
- IP in classical 10.8.0.0/24
- other subnets
=> Always the same result: LAN1 is reachable, LAN2 is not reachable, whatever the OpenVPN client (Win / Android)
=> The issue is in the new firmware!
Does anyone see the same?
Or do I miss something? And what?
If I can access the router directly by CLI, doc is welcome!
Thanks for reading.
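The post explains that the stock OpenVPN client file only reaches LAN1 and that a route for LAN2 had to be added by hand. Below is an added example (not from the post, not TP-Link code) that lints an OpenVPN client file together with what the server pushes and reports which site subnets no route covers; the subnets, host name and config lines are constructed placeholders.

```python
import ipaddress


def parse_routes(config_text: str) -> list[ipaddress.IPv4Network]:
    """Collect the subnets a config routes into the tunnel.

    Handles both the client-side `route NET MASK [gw]` directive and the
    server-side push "route NET MASK" form; `#` / `;` comments are ignored.
    """
    nets = []
    for raw in config_text.splitlines():
        toks = raw.split("#", 1)[0].split(";", 1)[0].replace('"', " ").split()
        if toks[:1] == ["push"]:          # push "route ..." -> route ...
            toks = toks[1:]
        if len(toks) >= 3 and toks[0] == "route":
            nets.append(ipaddress.IPv4Network(f"{toks[1]}/{toks[2]}", strict=False))
    return nets


def missing_routes(client_cfg: str, server_cfg: str, wanted: list[str]) -> list[str]:
    """Return the wanted subnets (CIDR strings) that no route covers.

    The client's effective routes are what the server pushes plus whatever the
    client file adds itself, so both texts are parsed.
    """
    routed = parse_routes(server_cfg) + parse_routes(client_cfg)
    return [w for w in wanted
            if not any(ipaddress.IPv4Network(w).subnet_of(r) for r in routed)]


# Constructed sample configs; the subnets are placeholders, not the poster's real LANs.
SERVER_CFG = """\
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"   # LAN1, the site the client lands on
"""
STOCK_CLIENT = """\
client
dev tun
remote vpn.example.invalid 1194
"""
# The hand-edited client file from the post: one extra route for the remote site (LAN2).
FIXED_CLIENT = STOCK_CLIENT + "route 192.168.2.0 255.255.255.0 vpn_gateway\n"

SITE_SUBNETS = ["192.168.1.0/24", "192.168.2.0/24"]  # LAN1, LAN2

if __name__ == "__main__":
    print("stock client cannot reach:", missing_routes(STOCK_CLIENT, SERVER_CFG, SITE_SUBNETS))
    print("fixed client cannot reach:", missing_routes(FIXED_CLIENT, SERVER_CFG, SITE_SUBNETS))
```

A clean result only proves the client was told about LAN2; whether Site A actually forwards the traffic over the IPSec tunnel is what the traceroute test in the post decides, and that is the part the new firmware appears to break.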