UPDATE: this fix does not work with UDM 1.9.0 and Controller 6.1.61
The IPsec VPN created with the UI on a UniFi Dream Machine (UDM) does not let traffic originating on the UDM properly traverse the VPN tunnel. This can be corrected by adding an IP address to the tunnel vti interface at both ends of the tunnel.
This applies to:
- UDM Version: 1.8.6
- Controller Version: 6.0.43
Add the IP address to the UDM with this command. GitHub on_boot can do this this automatically. Also set the MTU of the interface to accommodate the IPsec overhead
- ip a add 192.168.17.2/29 dev vti64
- ip link set dev vti64 mtu 1436 # equates to MSS 1408
Add an IP address to a USG with this command. The MTU is already properly set on a USG.
- set interfaces vti vti64 address 192.168.17.1/29
This can all be tested with ping. Both vti interfaces should be pingable as well as the USG and UDM LAN interfaces and LAN clients.
No comments:
Post a Comment