I have 2 UDM Pro firewalls set up with an IPsec site-to-site VPN; the settings are the same for both VPNs (obviously the destination IPs are reversed for each unit). I can ping with IP addresses in both directions. I am unable to ping any host names or FQDNs. I cannot connect to the domain, or deal with any domain services like network drives, password resets etc. Below is the current configuration and testing I have done:
Site A is 192.168.1.1/24 (UDM running DHCP for local network)
- Has about 25 previously domain-connected PCs from Site B that were moved to the new office and need to be able to see Site B's server for login auth, network drive, adding new PCs to the domain when the office grows etc.
Site B is 192.168.254.253/24 (UDM's DHCP is off in favor of onsite server running DHCP)
- 192.168.254.105 (Windows 2012 Domain Controller running DHCP/WINS, AD/DS, DNS for primary site; domain example is corporate.insertmyclienthere.com)
- 192.168.254.19 (NAS/Share Drive)
Able to do:
- Computers on Site A can ping Site B's server IP address no problem, and vice versa; the server can also ping that machine. e.g. ping 192.168.254.105
- Can see and log in to the network share with domain credentials by visiting 192.168.254.19
- Can ping both gateways from a PC on each site
Unable to do:
- Cannot ping host name, e.g. ping np-dc1
- Cannot ping FQDN, e.g. np-dc1.corporate.insertmyclienthere.com
- Cannot connect PC to domain: "A domain controller is unavailable"
- Cannot reset password from domain controller and have it reflect on Site B PCs
- Cannot log in as a user that hasn't previously logged in
- Cannot find network share by visiting share name \\nphv3
Tested:
- Disabled Windows firewalls on both ends to verify nothing was being blocked locally
- Disabled all IPS/Security functions
- Manually added 192.168.254.105 to DNS on the machine at Site A, and made sure to ipconfig /flushdns, with no actionable results
- Manually adding host names to the hosts file allows for resolution to the network drives via share name but not to domain functions.
- Note: The previously replaced firewalls (which were older WatchGuard models, limited to 10/100 speeds) had no issue with this translation of data and could handle these requests; we upgraded recently to the UDM Pros for the extra throughput, to allow our new office to utilize its new internet speeds.
DHCP on the server has both routers listed, and the DHCP on the UDM at Site A has the server 192.168.254.105 listed as the DNS/WINS issuing server
VPN Settings:
- Manual IPsec
- Enabled
- Remote Subnet: 192.168.254.0/24 (reversed on the other device)
- Route distance: 30
- Interface: WAN
- Key Version: IKEv2
- Encryption: AES-256
- Hash: SHA1
- IKE DH Group: 14
- ESP DH Group: 14
- Perfect Forward Secrecy: On
- Dynamic Routing: On
For obvious reasons I won't provide the Pre-Shared Key / Public IPs
So, you seem to have a DNS issue. One side of the VPN doesn't know about the other side.
From what we've seen, side A of your connection doesn't have access to your DNS server. What you need to do is check if port 53 udp/tcp is open in that direction.
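As an added example that is not part of the answer above: a small Python script that performs the port 53 check the answer suggests, run from a Site A machine toward the Site B domain controller, trying UDP and TCP separately so a one-transport block shows up. The DC address and host name are the ones from the question; the `_ldap._tcp.dc._msdcs.<domain>` SRV lookup is my addition, since that is the record a domain join and logon locate the DC with.

```python
import socket
import struct
DNS_SERVER = "192.168.254.105"  # Site B domain controller / DNS server, from the question
FQDN = "np-dc1.corporate.insertmyclienthere.com"  # Site B host that fails to resolve from Site A
TIMEOUT = 3.0  # seconds; a timeout rather than a reply is the usual sign of a blocked port

def build_query(name, qtype=1, txid=0x1234):
    """Build a minimal DNS query with RD=1 for `name`; qtype 1 = A, 33 = SRV."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_answer_count(resp, txid=0x1234):
    """Return (rcode, answer_count) from a reply header, or None if it is not a reply to our query."""
    if len(resp) < 12:
        return None
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid or not flags & 0x8000:
        return None
    return flags & 0x000F, ancount

def query_udp(server, name, qtype=1):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(TIMEOUT)
        s.sendto(build_query(name, qtype), (server, 53))
        resp, _ = s.recvfrom(4096)
    return parse_answer_count(resp)

def query_tcp(server, name, qtype=1):
    q = build_query(name, qtype)
    with socket.create_connection((server, 53), timeout=TIMEOUT) as s:
        s.sendall(struct.pack("!H", len(q)) + q)  # DNS over TCP is length-prefixed (RFC 1035 4.2.2)
        f = s.makefile("rb")
        length = struct.unpack("!H", f.read(2))[0]
        resp = f.read(length)
    return parse_answer_count(resp)

def check(server, fqdn):
    """Query the DC's A record and the SRV record a domain join needs, over both UDP and TCP."""
    domain = fqdn.split(".", 1)[1]
    targets = ((fqdn, 1), ("_ldap._tcp.dc._msdcs." + domain, 33))
    results = {}
    for transport, fn in (("udp", query_udp), ("tcp", query_tcp)):
        for qname, qtype in targets:
            try:
                results[(transport, qname)] = fn(server, qname, qtype)
            except (OSError, struct.error) as exc:  # timeout, refused, unreachable, truncated reply
                results[(transport, qname)] = "FAILED: %s" % exc
    return results
if __name__ == "__main__":
    for key, value in check(DNS_SERVER, FQDN).items():
        print(key, value)
```

A `(0, n)` result with `n > 0` means that transport reached the DC and it answered; `FAILED: timed out` on one transport but not the other points at a firewall rule, while NXDOMAIN (`rcode 3`) on the SRV name means the query got through but the client is not asking the DC that hosts the zone.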