L2TP issue between VyOS AWS instance and NAT’d UDMP

We have a number of sites that run Unifi UDMPs as their edge/firewall router. These sites all connect to a VyOS AWS EC2 instance that handles all routing between sites via L2TP/IPsec VPN connections. So, think of it as a hub-and-spoke topology with the VyOS router instance as the hub and each office site as a spoke.

We had one of the VIP's homes set up this same way; however, he was previously using a SonicWall TZ model and we swapped it out for a Dream Machine. This VIP's home has a static WAN IP on the outside interface of an ISP-provided XFinity router/modem combo to which we do not have access. The UDMP is (presumably) NAT'd behind this XFinity router, or the XFinity is in bridged mode.

When looking at the VPN's state while SSH'd into the UDMP, it shows as "connecting" forever and the tunnel never comes up.

So here's the configuration:

VyOS WAN:
1.1.1.1

XFinity WAN:
2.2.2.2
XFinity LAN:
10.0.0.1/24

UDMP WAN:
10.0.0.174/24
UDMP LAN:
172.29.6.0/23

Need the VyOS (and all sites connected to it) to communicate with 172.29.6.0/23 network. 

IPSEC tunnel on UDMP set up as follows:
Manual IPSEC Site 2 Site VPN
all necessary remote subnets added
vpn enabled
Peer IP: 1.1.1.1
Local WAN IP: 2.2.2.2 (Xfinity's WAN)
Preshared key correct, IKEv2, AES-256, SHA1, IKE DH group 2, ESP DH group 2, PFS enabled, dynamic routing enabled

What am I doing wrong here? Been Googling a long time on this one. I gave the UDMP the same IP on its WAN side that the previous SonicWall used between the SonicWall and the XFinity. I don't have access to the XFinity, so I can only assume that it's either in bridged mode or forwarding ports/NAT, because the L2TP tunnel previously traversed the XFinity… so I'm thinking the problem should be in the UDMP configuration?
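For comparison, here is what the hub-side peer definition for this spoke looks like when written as VyOS `set` commands. This is an added example, not configuration from the post or from VyOS/Ubiquiti documentation; it assumes VyOS 1.3 syntax (1.4 renamed several of these nodes), assumes the WAN interface is eth0, mirrors the proposal the post lists (IKEv2, AES-256, SHA1, DH group 2, PFS), and uses the addresses from the post. The group names and the pre-shared-secret value are placeholders. The two lines a practitioner checks first in a NAT'd spoke scenario are `authentication remote-id` and `local-address`: the hub must accept the identity the spoke actually sends (the public 2.2.2.2, not the private 10.0.0.174 it sits on), and the spoke's IKE traffic must reach UDP 500/4500 on 1.1.1.1 for NAT-T to be negotiated.

```text
# Phase 1 (IKE) proposal matching the UDMP's settings
set vpn ipsec ike-group IKE-UDMP key-exchange ikev2
set vpn ipsec ike-group IKE-UDMP proposal 1 encryption aes256
set vpn ipsec ike-group IKE-UDMP proposal 1 hash sha1
set vpn ipsec ike-group IKE-UDMP proposal 1 dh-group 2

# Phase 2 (ESP) proposal; PFS with DH group 2 as in the post
set vpn ipsec esp-group ESP-UDMP pfs dh-group2
set vpn ipsec esp-group ESP-UDMP proposal 1 encryption aes256
set vpn ipsec esp-group ESP-UDMP proposal 1 hash sha1

# Interface that terminates IKE/ESP (assumption: eth0 carries 1.1.1.1)
set vpn ipsec ipsec-interfaces interface eth0

# Peer is identified by the NAT's public address, not the UDMP's 10.0.0.174
set vpn ipsec site-to-site peer 2.2.2.2 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 2.2.2.2 authentication pre-shared-secret 'PSK-PLACEHOLDER'
set vpn ipsec site-to-site peer 2.2.2.2 authentication remote-id 2.2.2.2
set vpn ipsec site-to-site peer 2.2.2.2 ike-group IKE-UDMP
set vpn ipsec site-to-site peer 2.2.2.2 default-esp-group ESP-UDMP
set vpn ipsec site-to-site peer 2.2.2.2 local-address 1.1.1.1

# Traffic selector: hub-side LAN (placeholder) to the VIP home LAN from the post
set vpn ipsec site-to-site peer 2.2.2.2 tunnel 1 local prefix 10.10.0.0/16
set vpn ipsec site-to-site peer 2.2.2.2 tunnel 1 remote prefix 172.29.6.0/23
```

After `commit`, `show vpn ipsec sa` on the hub shows whether the IKE SA ever forms; an SA that never appears points at the identity or pre-shared-key mismatch (compare `remote-id` with what the UDMP sends as its local ID), while an SA that forms but passes no traffic points at the traffic selectors or at the upstream NAT not forwarding UDP 4500. Once the tunnel is up, SHA1 and DH group 2 are the weakest settings in this proposal and are the first things to raise on both ends.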