  1. #1
    Newbie
    Join Date
    May 2018
    Posts
    6

    Untangle to Ubiquiti USG site-to-site only one side working

    Hi,

    I've configured IPSec from one site to another and it's only working on one side.

    From the Ubiquiti USG, I can ping my 192.168.1.1 network just fine, which is hosted at my Untangle site.
    From my Untangle site, I can't ping my 192.168.2.1 network for some reason. If I perform a tracert to my USG site, the route stops at my Untangle server. I guess it doesn't leave my network?

    I had to mess around with a lot of configuration to get this working, but I can't find why one side is working, and the other doesn't.

    I can post my entire configurations but I'm looking for troubleshooting ideas as to why one side works, and the other doesn't.

  2. #2
    Newbie
    Join Date
    May 2018
    Posts
    6

    Well, after much troubleshooting I found out the issue was actually on the Ubiquiti USG. It states that the USG will add all the rules for IPSec to work, but I guess it's not.

    In my WAN LOCAL rules, I had to add a rule to accept.
    Enabled: ON
    Before predefined rules
    Action: Accept
    IPv4 Protocol: ALL (which I'll probably change to 500 UDP)
    Source type: Address / Port Group
    IPv4 Address Group: IPSec remote
    Port group: any
    Destination type: Address / Port Group
    IPv4: any
    Port group: any

    Can an admin please add [SOLVED] to this thread?

  3. #3
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    7,170

    Thanks for the update. I'm sure this will help others.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  4. #4
    Newbie
    Join Date
    May 2018
    Posts
    6

    Thanks jcoffin. The tunnel is pretty flaky as it sometimes works, sometimes it just disconnects for no reason. I'll post more updates if I find the culprit :P

  5. #5
    Newbie
    Join Date
    May 2018
    Posts
    6

    Just before it disconnected, I was able to capture this:

    Code:
    Oct  2 20:12:24 14[IKE] <peer-UNTANGLE-IP-tunnel-0|2> closing expired CHILD_SA peer-UNTANGLE-IP-tunnel-0{1} with SPIs c6db3b7a_i cdf3bb01_o and TS 192.168.2.0/24 === 192.168.1.0/24
    Oct  2 20:12:24 16[KNL] creating delete job for ESP CHILD_SA with SPI cdf3bb01 and reqid {1}
    Oct  2 20:12:24 15[IKE] <peer-UNTANGLE-IP-tunnel-0|2> establishing CHILD_SA peer-UNTANGLE-IP-tunnel-0
    Oct  2 20:12:36 04[KNL] creating delete job for ESP CHILD_SA with SPI c901c909 and reqid {1}
    Oct  2 20:12:49 06[KNL] creating delete job for ESP CHILD_SA with SPI c091737b and reqid {1}
    Oct  2 20:12:56 02[KNL] creating delete job for ESP CHILD_SA with SPI ccbb4583 and reqid {1}
    Oct  2 20:13:00 15[KNL] creating delete job for ESP CHILD_SA with SPI c70594d1 and reqid {1}
    Oct  2 20:13:10 05[KNL] creating delete job for ESP CHILD_SA with SPI c1a01924 and reqid {1}
    Oct  2 20:13:24 08[KNL] creating delete job for ESP CHILD_SA with SPI cb5494cd and reqid {1}
    Oct  2 20:13:27 15[KNL] creating delete job for ESP CHILD_SA with SPI cfa9437c and reqid {1}
    Oct  2 20:13:38 03[KNL] creating delete job for ESP CHILD_SA with SPI ca93fe6d and reqid {1}
    Oct  2 20:13:42 05[KNL] creating delete job for ESP CHILD_SA with SPI cfed3cea and reqid {1}
    Oct  2 20:13:59 02[KNL] creating delete job for ESP CHILD_SA with SPI cd6e7f46 and reqid {1}
    Oct  2 20:14:12 04[KNL] creating delete job for ESP CHILD_SA with SPI c3d93568 and reqid {1}
    Oct  2 20:14:22 06[KNL] creating delete job for ESP CHILD_SA with SPI c3bbf2f6 and reqid {1}
    Oct  2 20:14:30 14[KNL] creating delete job for ESP CHILD_SA with SPI c63bf525 and reqid {1}
    Oct  2 20:14:40 04[KNL] creating delete job for ESP CHILD_SA with SPI c0192c10 and reqid {1}
    Oct  2 20:15:00 06[KNL] creating delete job for ESP CHILD_SA with SPI cc74fb7f and reqid {1}
    Oct  2 20:15:06 16[KNL] creating delete job for ESP CHILD_SA with SPI cba53906 and reqid {1}
    Oct  2 20:15:09 15[KNL] creating delete job for ESP CHILD_SA with SPI c283c6e7 and reqid {1}
    Not sure what I'm looking at. I know I'm using IKEv2 on both sites and that's about it. It looks like the key expired?

  6. #6
    Newbie
    Join Date
    May 2018
    Posts
    6

    Found it. I had to adjust the key expiry time on the UNTANGLE side for the IKEv2 to 3600.
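
One way to spot the pattern captured in post #5 in a log of that format (added example, not part of the original thread): a CHILD_SA expires and is followed by kernel delete jobs for SPIs it never owned, with no replacement established. The function name, the `min_orphans` threshold, the `year` parameter and the "established with SPIs" success line are assumptions.

```python
import re
from datetime import datetime

# Excerpt of the log from post #5 (first six entries, wrapped line rejoined).
SAMPLE = """\
Oct  2 20:12:24 14[IKE] <peer-UNTANGLE-IP-tunnel-0|2> closing expired CHILD_SA peer-UNTANGLE-IP-tunnel-0{1} with SPIs c6db3b7a_i cdf3bb01_o and TS 192.168.2.0/24 === 192.168.1.0/24
Oct  2 20:12:24 16[KNL] creating delete job for ESP CHILD_SA with SPI cdf3bb01 and reqid {1}
Oct  2 20:12:24 15[IKE] <peer-UNTANGLE-IP-tunnel-0|2> establishing CHILD_SA peer-UNTANGLE-IP-tunnel-0
Oct  2 20:12:36 04[KNL] creating delete job for ESP CHILD_SA with SPI c901c909 and reqid {1}
Oct  2 20:12:49 06[KNL] creating delete job for ESP CHILD_SA with SPI c091737b and reqid {1}
Oct  2 20:12:56 02[KNL] creating delete job for ESP CHILD_SA with SPI ccbb4583 and reqid {1}
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \d+\[(?:IKE|KNL)\] (?:<[^>]*> )?(.*)$")
EXPIRED = re.compile(r"closing expired CHILD_SA (\S+?)\{\d+\} with SPIs ([0-9a-f]+)_i ([0-9a-f]+)_o")
DELETE = re.compile(r"creating delete job for ESP CHILD_SA with SPI ([0-9a-f]+) and reqid")
# Assumption: a successful rekey logs "CHILD_SA <name>{n} established with SPIs ...".
ESTABLISHED = re.compile(r"CHILD_SA (\S+?)\{\d+\} established with SPIs")


def find_stalled_rekeys(log, min_orphans=3, year=2018):
    """Flag each expired CHILD_SA that is followed by delete jobs for at least
    min_orphans SPIs it never owned, with no 'established' line for it."""
    pending = []  # expired SAs still waiting for a replacement
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        # Syslog timestamps carry no year; `year` is supplied by the caller.
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        msg = m.group(2)
        if e := EXPIRED.search(msg):
            pending.append({"conn": e.group(1), "old_spis": {e.group(2), e.group(3)},
                            "expired_at": ts, "last_seen": ts, "orphans": []})
        elif e := ESTABLISHED.search(msg):
            pending = [p for p in pending if p["conn"] != e.group(1)]
        elif e := DELETE.search(msg):
            # Delete jobs carry no connection name, so count them for every pending SA.
            for p in pending:
                if e.group(1) not in p["old_spis"]:
                    p["orphans"].append(e.group(1))
                    p["last_seen"] = ts
    return [p for p in pending if len(p["orphans"]) >= min_orphans]


if __name__ == "__main__":
    for f in find_stalled_rekeys(SAMPLE):
        span = (f["last_seen"] - f["expired_at"]).seconds
        print(f'{f["conn"]}: {len(f["orphans"])} orphan SPIs in {span}s after expiry')
```

A finding here is a prompt to compare the key lifetime settings on both peers, which is where the fix in post #6 was made.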
