topic Re: Mobility express management through IPSec in Wireless

Mobility express management through IPSec

korky — Mon, 05 Jul 2021 20:08:29 GMT

Hi, I have IPSec remote access VPN setup on Mikrotik router. I am not able to reach WLC/ME web interface through browser. I have no problem to open any website HTTP/HTTPS when connected to VPN, only web management of WLC is an issue, SSH CLI works fine. I have no problem accessing web GUI on LAN, my PC and WLC management are in different VLANs. After entering https://ip to my browser, it asks me whether I trust certificate, I click yes and it loads to infinite. I tried different browsers too. I did a PCAP on client and also on router, there are duplicate ACKs and retransmits, also ICMP fragmentation needed messages. No split tunneling si set, MSS is adjusted on forward traffic to 1000, firewall is setup correctly as PC in VPN get same IP/subnet as in LAN also router is not overloaded. I think it can be connected with MTU/MSS. Access points 1815i were updated twice to 8.10.130 and now 8.10.142. Thank you for any relevant ideas.

Re: Mobility express management through IPSec

Jegan Rajappa — Mon, 01 Feb 2021 20:19:45 GMT

Ok, https session is not loading, did you try opening http session?

Does WLC has proper clock settings?

If the certificate is self-signed, then i would recommend to regenerate and retry

Re: Mobility express management through IPSec

korky — Tue, 02 Feb 2021 19:50:54 GMT

Time is set from NTP, which indicates "in sync". I can try to
regenerate, but in LAN it works OK. Only through tunnel it behaves strange.

Re: Mobility express management through IPSec

Jegan Rajappa — Tue, 02 Feb 2021 19:56:19 GMT

Did you try http instead of https?

Re: Mobility express management through IPSec

korky — Tue, 02 Feb 2021 20:43:53 GMT

Good point, I enabled it via CLI, but still the same, just loading. But
I can see that CLI freezes sometimes, when going through tunnel. The
issue with CLI starts when using autocomplete with TAB, after that it
freeze and I can see in PCAP TCP ACK with Analysis Flag "Previous
segment not captured (common at capture start)". Now I can see this
message on client side (browser) when i do PCAP for HTTP/HTTPS.

Re: Mobility express management through IPSec

patoberli — Thu, 04 Feb 2021 09:41:57 GMT

You can verify the MTU issue by pinging with the "do-not-fragment" bit set. All ping clients should have this option. Also try a different browser, might be a policy or cache issue on the local client.

Re: Mobility express management through IPSec

korky — Sun, 07 Feb 2021 07:10:53 GMT

ICMP Echo with DF had been tested before, also different browsers, clearing
cache and different ISPs from which I tried to establish IPSec. Finally I
found mistake, after examing PCAP, I saw, that MTU is too high, so it
seems, that change of MSS on router side is not applied. My hypothesis was
true. Policy which changes MSS was applied just one direction. Now it works
as expected, web mananagement is reachable. Thank you for all suggestions.