VPN IPSEC site to site issue

Vinam_Oil_Tools · January 25, 2023, 6:57pm

Hi Everyone,
I have Nethserver on 2 site such as: NS1 and NS2 with IPWAN on other site.
I configured VPN site to site using IPSec and It’s working. But, when I try to browsing any folder from NS1 to NS2 (access to share folder from File-server), It’s time out and display error.
I done some step as below:

I can ping any server from 2 site together.
Check on " Traffic between OpenVPN roadwarrior, OpenVPN tunnels and IPSec tunnels" from Firewall setting on 2 site.
Create CIDR and Rule to allow traffic for all vlan on 2 site.
Please help me find out reason why?
Many thanks!

Andy_Wismer · January 25, 2023, 7:12pm

Hi @Vinam_Oil_Tools

And welcome to the NethServer community…

Maybe you just forgot to add in the IPs of the “other” site in the NethServers “Trusted Networks” list. If a host is not on that list, it can’t access any shares…

Just add in the network or the other side into Trusted Networks, eg:

Network: 192.168.32.0
Subnetmask: 255.255.255.0
Comment: Name of other site or place…

My 2 cents
Andy

Vinam_Oil_Tools · January 26, 2023, 12:51am

Hi Andy,
It added into “Trusted Networks” list before.

Andy_Wismer · January 26, 2023, 1:04am

Hi @Vinam_Oil_Tools

Are you using LDAP or AD?

With AD, you probably can’t “browse”, what does work is eg using Windows Explorer to “map” a Network drive. Browsing may work in Win10 if SMB1 is installed…

You must use AD authentification from the “other” side.

AD-DOMAIN-2\Username

if you are connecting from DOMAIN-1…

My 2 cents
Andy

pike · January 26, 2023, 1:46am

And AFAIK there’s no “federation/forest” concept among NSDC/Domains. Or multi-subnet deployed environment.
@Andy_Wismer SMBv1 is not-so-good advice and you know it

Andy_Wismer · January 26, 2023, 2:19am

That’s why I suggest to Map a drive, not to browse…

Vinam_Oil_Tools · January 26, 2023, 6:19am

Hi Andy,
Yes, I want to map a network drive on site2 from site1. I tried to install smb1 on PC site1 and access file-server(Ubuntu server) on site2 but It’s not work. Something wrong?
I have 2 DC such as: DC1, NS1 on site1 and DC2, NS2 on site2.
Thanks!

pike · January 26, 2023, 7:27am

More input needed.
How did you introduce yourself? (username…)

Vinam_Oil_Tools · January 26, 2023, 10:01am

Hi Michael,
I’m Cong from VietNam. Our Company have new site so I need to configure VPN Site to Site. Because, we need to share document from HQ to new Site.
Can you give me some advise.

pike · January 26, 2023, 10:06am

I’m sorry I made not myself understand.

If you’re trying from DC1 user to connect to DC2 share, you should use a DC2 user for connect, because DC2 don’t know “who is” DC1 user.
So as login should be used DC2\DC2User…

Vinam_Oil_Tools · January 26, 2023, 11:23am

Hi Michael,
I’m try to connect to DC2 (with User/Pass Admin Domain) but I can’t mapping network drive as below picture.

Andy_Wismer · January 26, 2023, 1:24pm

Hi

On your screenshot, behind the formost window, but still visible, is the Option:

“Connect using different credentials”

If you don’t use that, you have no chance to connect, as your current credentials from DC1 are unknown on the other side.

The correct form is as shown.

DC2\username

Replace DC2 shown here with the domain name on DC2. Use a valid user/password, or the admin user / password (for DC2!).

→ NethServer’s AD does NOT support any Domain Trusts !!!

My 2 cents
Andy

Vinam_Oil_Tools · January 26, 2023, 2:27pm

Hi Andy,
I try to check on it and type user/password of Admin Domain DC2 but still not working.

pike · January 26, 2023, 2:47pm

Try with NSDC2IP\AD2USer

Vinam_Oil_Tools · January 26, 2023, 3:03pm

Hi Michael,
Still not working, same error

IP DC2: 192.168.x.x
IP DC1: 172.16.x.x
Because I’m new user. So I can’t upload more images.

pike · January 26, 2023, 3:09pm

From 172.16.x.x subnet can you ping 192.168.x.x subnet NSDC Ip address?

Vinam_Oil_Tools · January 27, 2023, 12:59am

Hi Michael,
Yes, I can ping any host on 192.168.x.x subnet. I want to share more picture as below.

Vinam_Oil_Tools · January 28, 2023, 1:57am

Hi All,
I think some rule isn’t correctly. When I try to change some rules as below, I can access some share folder with small file, folder size. With large file or folder size, I still not access.
Btw, I see the VPN traffic show: 0 Byte Sent, 0 byte Receive on yesterday. it show up today.

Andy_Wismer · January 28, 2023, 4:39am

Hi @Vinam_Oil_Tools

This is typically a symptom of wrong MTU set on some Network Interface (NIC). On LAN connections, 1500 is the correct value. Using DSL the value is usually lower, eg 1492 is a common value, but best ask your Provider (On both sides!).

What kiind of Internet do you have? (DSL, Cable, Fiber)
(Please for both sites…)

My 2 cents
Andy

Vinam_Oil_Tools · January 28, 2023, 6:13am

Hi Andy,
I checked on speedguide.net/analyser.php and MTU is difference on 2 sites.
MTU on site1: 1438
MTU on site2: 1492
MTU on LAN: 1500.
I’m using Fiber Cable on 2 site. What should I do for the next step?