PepVPN site to site routing issue

I can set up PepVPN where the Remote Peplink router successfully attached to the Primary Router when the Primary PepVPN Profile is set to NAT Mode. The subnet of my Primary site is 192.168.5.0/24 with 255.255.255.0 mask. The Remote site (LAN 192.168.2.0/24) machines can access various servers and services on the 192.168.5.0/24 Primary network. For example ‘ssh [email protected]’ works fine. Of course in this mode I can not reverse access the remote services from the Primary site. For example ‘ssh [email protected]’ doesn’t work. Which is expected.

It is my understanding that to get both sites to see routes to each other, I should set the ‘Remote IP Address’ on both the Primary and Remote site PepVPN settings to point at each other. (In other words, turn off NAT on the Primary side PepVPN and instead point it to the IP of the remote.)

However, when I do so, neither side seems to be able to find routes to each other anymore. I have placed the Public IP address as well as the LAN addresses into the Firewall as ALLOW on both sides and even temporarily set ALLOW ANY as the default.

That didn’t seem to make a difference either. Doing something like ‘ssh [email protected]’ or ‘ssh [email protected]’ from opposite sides fails with ‘no route found’ errors.

I check the PepVPN status and can see that each is connected respectively to the other at 192.168.5.0/24 and 2.0/24 respectively.

I can also test the PepVPN connections on both ends and can see traffic moving on each test. (one test shown below. Other similar results)

For completeness here’s what OSPF & RIPv2 show on each end respectively:
[Image: opfs-combined.png]

I feel like I’m missing some simple step to make this work. (Particularly since the Dashboard shows the connection as Established and the Status tests do show traffic flowing between the links.)

What do I need to do so that each side can access services and see routes to the other end via that end’s LAN subnet and vice-versa? (from machines on 5.0/24 see and access routes/services on 2.0/24 and from 2.0/24 see and access routes and services to 5.0/24)

It generally looks good, but this:

Is not required… the remote IP address is how the 2 PepVPN peers find each other. Only one is required, but two is fine, just not required.

Yes, PepVPN NAT should be off completely on all sides.

On the firewall part the “inbound” rules are not for VPN traffic… VPN is under the Internal Network… So that needs to be allowed.

At this time I would try and figure out which way the packets are flowing… A to B but not B to A? Do this with a tcpdump at each end. You have the routes, but have probably configured something that we aren’t seeing.

You also state this:

Who generates the no route found? Find that in your tcpdump. The end server uses a default route, Peplink A has routes to Peplink B, so who is generating the no route found?

Thanks Paul for your assistance.

Ultimately it was a subnet mask issue. While I had set the LAN MASK to 255.255.255.0/24, most of our machines had been previously manually set to 255.255.248.0/24; this overlapped the .5.0/24 and 2.0/24 ranges on opposite ends of the PepVPN connections. Once machines on both ends were correctly set to not overlap their opposite end, it works.

Thank you for your help.
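
Added example, not part of the thread: a small Python check for the root cause found above, where a host's manually set mask makes it treat the remote PepVPN subnet as directly attached, so it never hands the packet to its router. The host addresses 192.168.5.10 and 192.168.2.10 and the function names are constructed for illustration; the subnets and masks are the ones quoted in the thread.

```python
import ipaddress

def on_link_network(host_ip, mask):
    """Network the host believes is directly attached, from its own IP and mask."""
    return ipaddress.ip_interface(f"{host_ip}/{mask}").network

def next_hop(host_ip, mask, dest_ip):
    """'on-link' if the host will ARP for dest itself, 'gateway' if it forwards to its router."""
    net = on_link_network(host_ip, mask)
    return "on-link" if ipaddress.ip_address(dest_ip) in net else "gateway"

def audit(hosts, remote_subnet):
    """Return (ip, mask, on-link network) for hosts whose mask swallows the remote subnet."""
    remote = ipaddress.ip_network(remote_subnet)
    findings = []
    for ip, mask in hosts:
        net = on_link_network(ip, mask)
        if net.overlaps(remote):
            findings.append((ip, mask, str(net)))
    return findings

# Constructed inventory of Primary-site hosts: one with the old manual mask,
# one with the mask that matches the router's LAN setting.
PRIMARY_HOSTS = [
    ("192.168.5.10", "255.255.248.0"),
    ("192.168.5.11", "255.255.255.0"),
]

if __name__ == "__main__":
    for ip, mask in PRIMARY_HOSTS:
        hop = next_hop(ip, mask, "192.168.2.10")
        print(f"{ip} mask {mask}: traffic to 192.168.2.10 goes {hop}")
    for ip, mask, net in audit(PRIMARY_HOSTS, "192.168.2.0/24"):
        print(f"FIX {ip}: on-link network {net} overlaps remote 192.168.2.0/24")
```

Run the same audit on the Remote site with `192.168.5.0/24` as the remote subnet; both ends must come back empty before traffic in each direction reaches the tunnel.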