cloudstack-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jeremy Peterson <jpeter...@acentek.net>
Subject RE: VPC VPN Connectivity Issues
Date Wed, 02 Sep 2015 20:29:21 GMT
So I'm still tracking this down.  Since the VR can get out to the world and the VM's can get
to the world I'm still thinking its and issue with VPN clients connected to VR may be a ACL
issue.

So below is from my mysql queries.

Here is my ACL ID 3 for Corey
SELECT * FROM cloud.network_acl;
3	Corey	8b4c3002-8773-428c-9536-582493b1a7f8	20	Corey	1

So I want to see everything where acl_id=3 and ok they are running some websites on the servers
port 80 and 443 are open ingress where others are specific ip allowed in and then allowing
out.
SELECT * FROM cloud.network_acl_item where acl_id=3;
5	0e107538-80ff-4666-b09a-30c54cde9693	3	80	80	Active	tcp	2015-08-11 12:48:07			Ingress	1
Allow	1
6	5fea9b0d-5aa5-47cd-a3d8-61ffd5c9f53b	3	443	443	Active	tcp	2015-08-11 12:48:23			Ingress
2	Allow	1
17	c7d83d09-f258-424d-9420-f172e5c9b144	3			Active	all	2015-08-28 14:14:09			Egress	3	Allow
1
18	6d2ee38b-d072-4e86-b042-1bc0b8fc83d7	3			Active	all	2015-08-28 15:07:06			Ingress	4	Allow
1
11	bdcfc67b-1e77-436f-93d3-a53fa133722f	3			Active	all	2015-08-19 14:41:19			Ingress	5	Allow
1
19	2038c27e-4339-457c-868b-579ff556608c	3			Active	all	2015-08-28 16:21:39			Egress	6	Allow
1
21	d3890db8-037e-45e7-9dbc-6d75940d74fd	3			Active	all	2015-08-28 16:38:44			Ingress	7	Allow
1
14	c26ea73c-e86d-4987-8dae-fc7b62607578	3			Active	all	2015-08-26 18:25:27			Ingress	8	Allow
1
15	ed568a95-fddb-44a2-b2dc-ba309f2c1e0a	3			Active	all	2015-08-27 13:58:20			Ingress	9	Allow
1

Like I described below 5 &6 allow all ip's to connect to ports 80 & 443.  11 allows
my VPN networking 10.1.2.0/24 ingress.  14 was remote management to the servers allowed in.
15 allows my IPSec tunnel ingress. 17 allows all of my ip's egress. 18 was to get one of the
VPN users into the system without VPN as he needed to do some work. 19 and 21 were added to
allow VPN clients ingress and egress hoping something would stick to the wall
SELECT * FROM cloud.network_acl_item_cidrs;
5	5	0.0.0.0/0
6	6	0.0.0.0/0
11	11	10.1.2.0/24
14	14	#.#.#.#/30
15	15	192.168.71.0/24
17	17	0.0.0.0/0
18	18	#.#.#.#/32
19	19	10.1.2.0/24
21	21	10.1.2.0/24

And still.  When I VPN into the VPC VR and I set the TCP/IP Advanced options to Use default
gateway on remote network. I cannot route past 10.1.2.1 if I try to tracert to the world 8.8.8.8
		
Jeremy

-----Original Message-----
From: Jeremy Peterson [mailto:jpeterson@acentek.net] 
Sent: Tuesday, September 1, 2015 2:19 PM
To: users@cloudstack.apache.org
Subject: Re: VPC VPN Connectivity Issues

So I have yet to see anyone respond to this.

I will be looking more into it tomorrow but if anyone has any suggestions that would be great.

Basically since the VPC network CIDR is 192.168.2.0/24 while the VPN network is 10.1.2.0/24
 I am having issues with using a split tunnel setup connecting to servers that are on the
192.168.2.0/24 network and then also connecting to a Site2Site IPSec tunnel network 192.168.71.0/24.

So I change it to a Full Tunnel and then they cannot route pass the VPC Gateway 10.1.2.1 but
then can ping 192.168.2.X servers and they can ping 192.168.71.X clients.

Jeremy
________________________________________
From: Jeremy Peterson <jpeterson@acentek.net>
Sent: Saturday, August 29, 2015 8:43 PM
To: users@cloudstack.apache.org
Subject: RE: VPC VPN Connectivity Issues

I have set firewall rules to allow 192.168.71.0/24 And 10.1.2.0/24. Still no Internet without
split tunneling over vpn.

Jeremy

Sent from my Verizon Wireless 4G LTE smartphone


-------- Original message --------
From: Jeremy Peterson <jpeterson@acentek.net>
Date: 8/29/2015 10:00 AM (GMT-06:00)
To: users@cloudstack.apache.org
Subject: VPC VPN Connectivity Issues

I am not sure if this was asked or answered but googling has led me no where.


I am running cloudstack 4.5.0,  XenServer 6.5, Advanced networking w/ VLAN segmentation.


I have a VPC setup which i am using a IPSec tunnel back to a zywall firewall and a monowall
firewall.


Monowall                    Cloustack VPC            zywall

192.168.1.0/24            192.168.2.0/24        192.168.71.0/24


Tunnels are setup in vpc for both locations and servers in cloudstack can connect to the world
and connect to the monowall and zywall networks.


Everything is fine with that but when I have a remote user that needs to VPN into the cloudstack
VPC is where i am thrown into a whirlwind of questions.


I setup a VPN connection on the VR for the VPC.

I setup username/password.


The user sets up the connection on his Mac OSX and using split tunnel can connect to the VPN.


My VPN network is 10.1.2.0/24


He receives a 10.1.2.3 ip address.


He is unable to ping the IPSec Tunnel gateways 192.168.1.1 and 192.168.71.1.


He can get to the world as his default gateway is his router.


I switched to push all traffic over the VPN to remove the split tunnel.


He is able to ping the 10.1.2.1 gateway on the VR


He is able to ping his gateway the VPC router 10.1.2.1.


He is able to ping the VPC network's gateway 192.168.2.1

He is unable to get to the world.  I try to ping google dns 8.8.8.8 and it doesnt' get past
the VR 10.1.2.1 in traceroutes.

I am looking for help on this as i'm confused.  If I change him back to a split tunnel as
that would be prefered why is the tunnel not annoucing all networks know to the VR.

I was able to recreate this issue on windows 8.1.

?Jeremy

Mime
View raw message