ER8411 FW 1.3.3 & 1.3.6 - ER605v2 FW 2.3.1 - VPN Passthrough on Windows / macOS not working
ER8411 Firmware 1.3.3, 1.3.5 and 1.3.6 & ER605 v2 Firmware 2.3.1 – VPN Passthrough issues
Testing began on a completely factory-reset ER8411 running 1.3.6, with no configuration: not even the initial login user/password set, standalone mode.
Identical testing on an ER605 v2 running 2.3.1 gave the exact same results. Documenting the ER8411 here.
Topology:
Modem <WAN 4> ER8411 <LAN 11> PC
No other devices on network
From the factory-reset state:

IPsec Client-to-Site VPN connected successfully. Connected to a VPN server on an ER7206 at an independent location (not an Omada site), Client-to-Site mode, target IP range 192.168.1.X.

--- Success – can ping and access remote devices and GUIs ---
Now the gateway has its default LAN changed to match my Omada site management VLAN and is adopted to the controller with its proper IP.

VPN is now reconnected. Remote range is still 192.168.1.X.

Ping to the remote gateway 192.168.1.1 is successful

CANNOT load the GUI for it, or for anything else on that network.

All ACLs are disabled, there are no NAT rules.

Disabling IDS/IPS: no change.

Disabling all ER8411 VPNs: no change.

I have attached a Wireshark capture of the VPN connecting and then attempting to load web GUIs of devices over the VPN.
Results replicated on the ER605 v2 FW 2.3.1 as well in an identical scenario.
-ST
Things get more bizarre!
I hooked up my factory-reset 605 running 2.3.1, running it totally in standalone mode.
Default MTU of 1500: all VPNs work to Omada and Draytek gateways (pure IPsec-only VPNs though).
WAN MTU of 1352 (optimal for my ISP, and was broken on the ER8411): all VPNs work properly.
Remote ER605 running 2.3.1, pure IPsec dial-in VPNs: working on all WAN MTUs.
Remote ER605 running 2.3.1, L2TP VPNs: not working with any WAN MTU, at either end.
I think we have 2 issues:
ER605 2.3.1 - broken L2TP VPN MTU size
ER8411 1.3.3/1.3.6 - WAN MTU settings affect VPNs on clients
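The symptom in the first post (ping to the remote gateway works, but no web GUI on that network loads) together with the WAN MTU observations above is consistent with a path-MTU black hole: small ICMP echoes fit inside the tunnel, full-size TCP segments with DF set do not. The script below is an added example, not code from the original thread or from TP-Link/Omada. It measures the largest DF-set packet that crosses a path (binary search over `ping`), computes what an ESP tunnel on a given WAN MTU should allow, and derives the TCP MSS to clamp. The ESP overhead figures (AES-CBC with a 16-byte IV, 96-bit HMAC ICV, optional NAT-T UDP header), the 64-byte slack in `diagnose()`, and the default target 192.168.1.1 are assumptions for the example.

```python
"""Path-MTU probe and IPsec encapsulation arithmetic for tunnel troubleshooting.

Added example, not code from the original thread or from TP-Link/Omada.
find_path_mtu() binary-searches the largest IPv4 packet that crosses a path
with the DF bit set, using a caller-supplied probe so it can run offline;
linux_df_probe() is the real probe for Linux `ping`.
"""
import subprocess
import sys
from typing import Callable, Optional

ICMP_ECHO_OVERHEAD = 28      # 20-byte IPv4 header + 8-byte ICMP echo header
IPV4_TCP_HEADERS = 40        # 20-byte IPv4 + 20-byte TCP, used to derive an MSS


def esp_tunnel_mtu(wan_mtu: int, *, block: int = 16, iv: int = 16,
                   icv: int = 12, nat_t: bool = False) -> int:
    """Largest inner IPv4 packet that fits one ESP tunnel-mode packet on the WAN.

    Defaults assume AES-CBC (16-byte IV, padding to a 16-byte block) with a
    96-bit HMAC ICV; these are assumptions for the example, not values read
    from any Omada device. Layout: outer IP (20) + [UDP/4500 (8) if NAT-T]
    + ESP header (8) + IV + padded(inner + 2-byte trailer) + ICV.
    """
    fixed = 20 + 8 + iv + icv + (8 if nat_t else 0)
    available = wan_mtu - fixed
    padded = available - (available % block)   # inner+trailer must be a block multiple
    return padded - 2                           # 2 trailer bytes: pad-length + next-header


def recommended_tcp_mss(tunnel_mtu: int) -> int:
    """MSS to clamp so a full TCP segment never needs fragmentation in the tunnel."""
    return tunnel_mtu - IPV4_TCP_HEADERS


def find_path_mtu(probe: Callable[[int], bool], lo: int = 576,
                  hi: int = 1500) -> Optional[int]:
    """Binary search for the largest total IP size in [lo, hi] that probe() delivers.

    probe(size) must return True when a DF-set packet of that total IP size
    reaches the peer. Assumes monotonic behaviour (if N passes, N-1 passes).
    Returns None if even `lo` fails, i.e. the path is down rather than narrow.
    """
    if not probe(lo):
        return None
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def linux_df_probe(host: str) -> Callable[[int], bool]:
    """Real probe using Linux ping (-M do sets DF; -s is the ICMP payload size).

    macOS uses `ping -D -s <payload>`, Windows `ping -f -l <payload>`; in all
    three the payload is the total size minus ICMP_ECHO_OVERHEAD.
    """
    def probe(size: int) -> bool:
        payload = size - ICMP_ECHO_OVERHEAD
        result = subprocess.run(
            ["ping", "-c", "1", "-W", "1", "-M", "do", "-s", str(payload), host],
            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
        )
        return result.returncode == 0
    return probe


def diagnose(path_mtu: Optional[int], wan_mtu: int) -> str:
    """Compare the measured path MTU with what the WAN MTU should allow for ESP."""
    if path_mtu is None:
        return "no echo reply even at 576 bytes: routing or tunnel problem, not MTU"
    expected = esp_tunnel_mtu(wan_mtu)
    if path_mtu < expected - 64:   # assumed slack for cipher/NAT-T differences
        return (f"path MTU {path_mtu} is far below the ~{expected} an ESP tunnel on a "
                f"{wan_mtu}-byte WAN allows: clamp TCP MSS to {recommended_tcp_mss(path_mtu)}")
    return f"path MTU {path_mtu} looks normal; clamp MSS to {recommended_tcp_mss(path_mtu)} anyway"


if __name__ == "__main__":
    # Usage: python pmtu.py <remote-lan-host> [wan_mtu]
    # Default target is the remote gateway address from the thread (assumed).
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"
    wan = int(sys.argv[2]) if len(sys.argv) > 2 else 1500
    measured = find_path_mtu(linux_df_probe(target))
    print(diagnose(measured, wan))
```

Run it from the client PC against a host on the far side of the tunnel while the GUI is failing to load. A result well below the computed ESP figure for the configured WAN MTU (1438 for a 1500-byte WAN with AES-CBC, 1294 for a 1352-byte WAN) points at a black hole somewhere on the path; a None result means the tunnel or routing is down, which is a different problem. The default 1500/1352 arithmetic also shows why ICMP keeps working: a 64-byte echo never approaches either limit.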
Well, I'm a little confused here now. I'm behind a UX7 from UniFi, so it, like the ER8411 and ER605, can't connect, but I set up an L2TP server on an ER706W which also has an MTU of 1380, and I can connect to it. I can't connect to the ER707-M2 with an MTU of 1380, so I don't really understand what's going on.
I have disabled SD-WAN and all other VPNs on the routers I'm testing with.
I think I'll wait until you're done with your test :-)
But I think an MTU of 1400 would have been a better choice for the Omada routers' L2TP server.
L2TP to an ER706W

High strangeness indeed!
I think it's safe to say that ER605 2.3.1 has a broken L2TP implementation though, definitely something wrong with it...
ER8411 has a broken WAN MTU implementation, since I don't see the same issue on the ER605....
I'm sure there is something. But for me it's not a problem. I stopped using L2TP many years ago, but it might be good to report our findings to the Omada team.
There is another VPN issue specific to ER605 2.3.1.
It is unreliable in re-establishing a site-to-site IPsec VPN where it is the initiator.
We had an ISP issue today at the main site causing loss of connection for several hours, after which both ER605 v2 based remote sites failed to re-establish their outgoing VPN back to the main site and are now sat in "disconnected" state on the controller and unreachable, as they haven't established the tunnel again. One site I can manage; the other I will have to physically go to to reboot it.
My ER8411 at home re-established its outgoing VPN to the main site just fine.
All my site-to-site VPNs are configured with DPD and a PFS key lifetime, so they should have detected the dead peer and kept trying. Didn't see this behaviour prior to 2.3.1.
Views: 365
Replies: 25