Balance 30 to Balance 30 VPN

fluffy12 · September 9, 2015, 7:58am

We’re trying to connect a Balance 30 to a 2nd Balance 30 with a point-to-point link. The link cycles between starting and creating tunnel, but is never successful. Both units show as on-line from InControl2. The first question that comes to mind is if this a supported configuration, since establishing a VPN is supposed to be easy. The units are both running firmware 6.2.2.

Regards,
Fluffy12

TK_Liew · September 9, 2015, 11:39am

Hi,

Please refer here for the SpeedFusion configuration.

Please ensure either site has public IP. ensure no blocking for ports TCP 32015 and UDP 4500 between these 2 sites.

Kat_FM · September 9, 2015, 10:29pm

I’m not fluffy12, but I thought that Balance 30s didn’t support SpeedFusion?

Fluffy12, are you trying to use PepVPN, IPsec VPN, or some other configuration? We’ve had a similar issue in the past, we did have to have static public IPs for both sides of the tunnel using IPsec VPN.

Tim_S · September 10, 2015, 1:08am

The Balance 30 supports PepVPN and at least one side needs a static IP or valid DDNS. Also, make sure that the networks are unique on both ends (they both cannot be 192.168.1.0/24 for example).

fluffy12 · September 10, 2015, 9:33am

We’re trying just PepVPN. We’re to the point where we have one static IP at the remote office and two static IPs plus a DynDNS at the main office. There are indications of some level of communications between the Balance 30s because if one of the remote ids is wrong then the initialization sequence doesn’t make it past “starting”. If we mess with NAT at the WAN level and change it to “IP forwarding” then we don’t get past the “authenticating”. It seems like the “creating tunnels” is timing out/failing, because it then cycles back to “starting”.

We deleted the InControl2 setup and created the links like the referenced document suggested. The behavior was the same - the tunnels didn’t get created.

The main office lines has nothing between the WAN lines and the carrier. The remote office is behind a DSL modem but the PepLink is in a DMZ. No firewall settings are on either PepLink - everything is "allow’. We tried forwarding the two ports (TCP port 32015 and UDP port 4500) to local host (127.0.0.1), but have removed that. Nothing we’ve seen suggests any additional firewall/forwarding changes need to be made for a PepVPN, but it was worth a try.

Regards,
Fluffy12

fluffy12 · September 10, 2015, 9:42am

Just to clarify, both ends have public static IPs or public DynDNS IP. The LANs are 10.10.X.X at the main office and 192.168.20.X at the remote office.

Regular internet traffic is going in/out of the Balance 30 at the main office just fine. No internet traffic goes in/out of the remote office Balance 30 because that traffic gets routed separately. Ping/Trace Route from the Balance 30s between the sites is successful.

There is no information about the connection attempts in the Balance 30 logs.

Regards,
Fluffy12

WeiMing · September 10, 2015, 12:42pm

Hi Fluffy12,

We have a video guide for setting up PepVPN/SpeedFusion, although it was prepared in earlier firmware version.

Just to take note the UI wordings changed for below parameters, others remained the same:

Network > Site-to-Site VPN -> Network > PepVPN / SpeedFusion
Network > Site-to-Site VPN > VPN Settings > Peer Serial Number -> Network PepVPN / SpeedFusion > PepVPN Profile > Remote ID

You may ignore the later portion of the video, where it touches WAN Connection Priority, as this setting only apply to SpeedFusion (not PepVPN).

Hope this will helps.

Alternatively, you may contact the reseller where you purchased the units, so they could help you on this task.

Thanks and regards.

fluffy12 · September 12, 2015, 10:03am

We did the same as the video - basically the same instructions as the link. After making adjustments for the UI changes, we still had the same behavior about the “creating tunnels” never completing. We tried only establishing the link from one side, and only using one of the three WAN connections on the main office side. Still no link gets established successfully.

I guess I have to ask again if a Balance 30 to Balance 30 PepVPN works with firmware 6.2.2. Has anyone actually tried this configuration and had success?

Regards,
Fluffy12

TK_Liew · September 13, 2015, 3:34pm

Hi,

PepVPN between 2 B30 definately will work. Please provide screen shots below:-

Status of WAN interfaces of both units - Navigate to Dashboard.
PepVPN settings of both units - Network > PepVPN > Select PepVPN profile.

fluffy12 · September 14, 2015, 10:40am

Here are the screen shots. We’ve tried various versions of the remote names, but that didn’t change the behavior other than the link negotiation giving up earlier if the names were wrong.

Regards,
Fluffy12

TK_Liew · September 14, 2015, 11:21am

Hi Fluffy12,

This is strange. Your settings are correct.

Can you verify both units configured as Layer 3 PepVPN? You can verify this via Network > PepVPN > Profile (you will not see Layer 2 if both units also configured as Layer 3 PepVPN).

fluffy12 · September 14, 2015, 1:40pm

Indeed, one of the units is set to layer 2. I see no way to change that. Any ideas how to get it back to a layer 3 routing configuration? Incontrol has a setting, but the current config is through local control.

Regards,
Fluffy12

TK_Liew · September 14, 2015, 8:23pm

Hi Fluffy12,

I see. PepVPN can’t establish due to 1 side configured as Layer 2 PepVPN however the other configured as Layer 3 PepVPN. Please follow steps below to disable Layer 2 PepVPN.

Network > LAN > Layer 2 PepVPN Bridging > PepVPN Profiles to Bridge = Choose “-----”.

fluffy12 · September 14, 2015, 10:20pm

Wow! Success! That finally did it. This probably got set via InControl2 at some point. Much thanks.

Regards,
Fluffy12