cloudstack-users mailing list archives

From Jeremy Peterson <>
Subject RE: VPC VPN Connectivity Issues
Date Wed, 02 Sep 2015 20:29:21 GMT
So I'm still tracking this down. Since the VR can get out to the world and the VMs can get
to the world, I'm still thinking it's an issue with VPN clients connected to the VR; it may be an ACL.

So below is from my MySQL queries.

Here is my ACL ID 3 for Corey:
SELECT * FROM cloud.network_acl;
id	name	uuid	vpc_id	description	display
3	Corey	8b4c3002-8773-428c-9536-582493b1a7f8	20	Corey	1

So I want to see everything where acl_id=3. OK, they are running some websites on the servers;
ports 80 and 443 are open ingress, where others are specific IPs allowed in, and then allowing
SELECT * FROM cloud.network_acl_item where acl_id=3;
id	uuid	acl_id	start_port	end_port	state	protocol	created	icmp_code	icmp_type	traffic_type	number	action	display
5	0e107538-80ff-4666-b09a-30c54cde9693	3	80	80	Active	tcp	2015-08-11 12:48:07			Ingress	1	Allow	1
6	5fea9b0d-5aa5-47cd-a3d8-61ffd5c9f53b	3	443	443	Active	tcp	2015-08-11 12:48:23			Ingress	2	Allow	1
17	c7d83d09-f258-424d-9420-f172e5c9b144	3			Active	all	2015-08-28 14:14:09			Egress	3	Allow
18	6d2ee38b-d072-4e86-b042-1bc0b8fc83d7	3			Active	all	2015-08-28 15:07:06			Ingress	4	Allow
11	bdcfc67b-1e77-436f-93d3-a53fa133722f	3			Active	all	2015-08-19 14:41:19			Ingress	5	Allow
19	2038c27e-4339-457c-868b-579ff556608c	3			Active	all	2015-08-28 16:21:39			Egress	6	Allow
21	d3890db8-037e-45e7-9dbc-6d75940d74fd	3			Active	all	2015-08-28 16:38:44			Ingress	7	Allow
14	c26ea73c-e86d-4987-8dae-fc7b62607578	3			Active	all	2015-08-26 18:25:27			Ingress	8	Allow
15	ed568a95-fddb-44a2-b2dc-ba309f2c1e0a	3			Active	all	2015-08-27 13:58:20			Ingress	9	Allow

Like I described below, 5 and 6 allow all IPs to connect to ports 80 and 443. 11 allows
my VPN networking ingress. 14 was remote management to the servers allowed in.
15 allows my IPSec tunnel ingress. 17 allows all of my IPs egress. 18 was to get one of the
VPN users into the system without VPN as he needed to do some work. 19 and 21 were added to
allow VPN clients ingress and egress, hoping something would stick to the wall.
SELECT * FROM cloud.network_acl_item_cidrs;
id	network_acl_item_id	cidr
5	5	
6	6	
11	11	
14	14	#.#.#.#/30
15	15	
17	17	
18	18	#.#.#.#/32
19	19	
21	21	

And still: when I VPN into the VPC VR and set the TCP/IP Advanced option "Use default
gateway on remote network", I cannot route past it if I try to tracert to the world.
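The ACL rows quoted above can be checked mechanically rather than by eye. The following is an added example, not code from this thread or from CloudStack: it transcribes the nine acl_id=3 rules (id, number, direction, protocol, ports, action, CIDR) and evaluates them the way a first-match rule list is normally evaluated. Everything about the semantics is an assumption, stated in the code: rules are tried in ascending `number`, the first match decides, no match means deny, and an item whose network_acl_item_cidrs row has an empty cidr is treated as 0.0.0.0/0. The two masked CIDRs (#.#.#.#/30 on item 14, #.#.#.#/32 on item 18) are replaced with documentation-range placeholders, and the test addresses are likewise constructed.

```python
"""First-match evaluation of the VPC network ACL rows quoted in the mail.

Added example, not CloudStack code. Assumptions: rules are tried in ascending
`number`; the first match decides; no match means deny; an empty CIDR means
0.0.0.0/0. Masked CIDRs from the mail are replaced with placeholders.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AclItem:
    id: int
    number: int            # priority; lower is tried first (assumption)
    traffic_type: str      # "Ingress" or "Egress"
    protocol: str          # "tcp", "udp", "icmp" or "all"
    start_port: Optional[int]
    end_port: Optional[int]
    action: str            # "Allow" or "Deny"
    cidr: str              # "" means unrestricted (assumption)


# Transcribed from the network_acl_item / network_acl_item_cidrs output above.
# The CIDRs on items 14 and 18 are masked in the mail; placeholders are used.
ACL_3: List[AclItem] = [
    AclItem(5,  1, "Ingress", "tcp", 80,   80,   "Allow", ""),
    AclItem(6,  2, "Ingress", "tcp", 443,  443,  "Allow", ""),
    AclItem(17, 3, "Egress",  "all", None, None, "Allow", ""),
    AclItem(18, 4, "Ingress", "all", None, None, "Allow", "203.0.113.10/32"),  # placeholder
    AclItem(11, 5, "Ingress", "all", None, None, "Allow", ""),
    AclItem(19, 6, "Egress",  "all", None, None, "Allow", ""),
    AclItem(21, 7, "Ingress", "all", None, None, "Allow", ""),
    AclItem(14, 8, "Ingress", "all", None, None, "Allow", "203.0.113.0/30"),   # placeholder
    AclItem(15, 9, "Ingress", "all", None, None, "Allow", ""),
]


def _network(cidr: str) -> ipaddress.IPv4Network:
    # Empty CIDR is taken to mean "any source/destination" (assumption).
    return ipaddress.ip_network(cidr or "0.0.0.0/0", strict=False)


def _port_matches(item: AclItem, port: Optional[int]) -> bool:
    if item.start_port is None:          # no port range on the rule: any port
        return True
    return port is not None and item.start_port <= port <= item.end_port


def evaluate(acl: List[AclItem], traffic_type: str, protocol: str,
             remote_ip: str, port: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Return (action, matching item id). remote_ip is the source for Ingress
    and the destination for Egress (assumption)."""
    address = ipaddress.ip_address(remote_ip)
    for item in sorted(acl, key=lambda i: i.number):
        if item.traffic_type != traffic_type:
            continue
        if item.protocol != "all" and item.protocol != protocol:
            continue
        if not _port_matches(item, port):
            continue
        if address not in _network(item.cidr):
            continue
        return item.action, item.id
    return "Deny", None                  # implicit deny when nothing matches (assumption)


def shadowed_rules(acl: List[AclItem]) -> List[int]:
    """Ids of rules that can never match: an earlier rule in the same direction
    with protocol 'all' (or the same protocol), no port range and a superset
    CIDR already catches every packet they could see."""
    shadowed = []
    ordered = sorted(acl, key=lambda i: i.number)
    for idx, item in enumerate(ordered):
        net = _network(item.cidr)
        for earlier in ordered[:idx]:
            if earlier.traffic_type != item.traffic_type:
                continue
            if earlier.protocol not in ("all", item.protocol) or earlier.start_port is not None:
                continue
            if _network(earlier.cidr).supernet_of(net):
                shadowed.append(item.id)
                break
    return shadowed


if __name__ == "__main__":
    # A full-tunnel VPN client resolving a name at Google DNS, as in the mail.
    print("egress udp/53 to 8.8.8.8:", evaluate(ACL_3, "Egress", "udp", "8.8.8.8", 53))
    print("ingress tcp/22 from 198.51.100.7:", evaluate(ACL_3, "Ingress", "tcp", "198.51.100.7", 22))
    print("rules that can never match:", shadowed_rules(ACL_3))
```

Under these assumptions the egress flow to 8.8.8.8 is allowed by item 17, so the ACL list itself is not what stops the full-tunnel client; `shadowed_rules` also shows that item 11 (any source, any protocol) already admits all ingress, which makes the /30 on item 14 and the /32 on item 18 no longer restrict anything. Network ACLs are attached to a tier, so they say nothing about how the VR forwards or NATs traffic arriving from the VPN client pool; that is the next place to look.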

-----Original Message-----
From: Jeremy Peterson [] 
Sent: Tuesday, September 1, 2015 2:19 PM
Subject: Re: VPC VPN Connectivity Issues

So I have yet to see anyone respond to this.

I will be looking more into it tomorrow but if anyone has any suggestions that would be great.

Basically since the VPC network CIDR is while the VPN network is
 I am having issues with using a split tunnel setup connecting to servers that are on the network and then also connecting to a Site2Site IPSec tunnel network

So I change it to a full tunnel, and then they cannot route past the VPC gateway, but
they can ping 192.168.2.X servers and they can ping 192.168.71.X clients.

From: Jeremy Peterson <>
Sent: Saturday, August 29, 2015 8:43 PM
Subject: RE: VPC VPN Connectivity Issues

I have set firewall rules to allow  and still no Internet without
split tunneling over VPN.


Sent from my Verizon Wireless 4G LTE smartphone

-------- Original message --------
From: Jeremy Peterson <>
Date: 8/29/2015 10:00 AM (GMT-06:00)
Subject: VPC VPN Connectivity Issues

I am not sure if this was asked or answered but googling has led me no where.

I am running CloudStack 4.5.0, XenServer 6.5, advanced networking w/ VLAN segmentation.

I have a VPC set up for which I am using an IPSec tunnel back to a zywall firewall and a monowall.

Monowall                    Cloudstack VPC            zywall

Tunnels are set up in the VPC for both locations, and servers in CloudStack can connect to the world
and to the monowall and zywall networks.

Everything is fine with that, but when I have a remote user who needs to VPN into the CloudStack
VPC is where I am thrown into a whirlwind of questions.

I setup a VPN connection on the VR for the VPC.

I setup username/password.

The user sets up the connection on his Mac OS X and, using a split tunnel, can connect to the VPN.

My VPN network is

He receives an IP address.

He is unable to ping the IPSec Tunnel gateways and

He can get to the world as his default gateway is his router.

I switched to push all traffic over the VPN to remove the split tunnel.

He is able to ping the gateway on the VR

He is able to ping his gateway the VPC router

He is able to ping the VPC network's gateway

He is unable to get to the world. I try to ping Google DNS and it doesn't get past
the VR in traceroutes.

I am looking for help on this as I'm confused. If I change him back to a split tunnel, as
that would be preferred, why is the tunnel not announcing all networks known to the VR?

I was able to recreate this issue on windows 8.1.

