NSG VPN VLAN no connection

Lukasz
Lukasz Posts: 10  Freshman Member
First Comment Second Anniversary
edited April 2021 in Nebula
Hi All,
I have configuration like below:

NSG200 as VPN HUB with LAN interface subnet 200.126.100.0/24 and VLAN 200.126.100.0/24.

SITE-TO-SITE connection with none-nebula peer with subnet 200.126.19.0/24.

The tunnel is running well, i can ping from 200.126.19.0/24 to 200.126.100.0/24 but can't reach VLAN 200.126.100.0/24.

I was trying with policy routes on both sides. It looks like VLAN routing works only with nebula devices as with the same configuration on nebula device I can easily reach VLANs.

All Replies

  • Zyxel_Adam
    Zyxel_Adam Posts: 430  Zyxel Employee
    Zyxel Certified Network Administrator - Nebula 25 Answers First Comment Friend Collector
    Hi @Lukasz ,

    According to your description, there are things we would like to verify:
    1. Do you select the "Use VPN" on LAN interface 200.126.100.0/24 of NSG200 on your site?(When enable Use VPN, NSG will create a hidden policy route, from your LAN interface to ANY via VPN tunnel)
    2. Does the policy route of the non-nebula device choose the right VPN tunnel? 
    3. May I know what device is the non-nebula peer used?  or it's a Nebula Gateway but in different Organization?

    Adam

  • Lukasz
    Lukasz Posts: 10  Freshman Member
    First Comment Second Anniversary
    1. Yes, I did. 200.126.100.0 is reachable over VPN.
    2. I have two policies on the non-nebula device, one for  200.126.100.0/24, second for 200.126.10.0/24 (I'm sorry, my mistake in the first post, VLAN is 200.126.10.0/24).
    2. Advantech ICR-160.




  • Zyxel_Adam
    Zyxel_Adam Posts: 430  Zyxel Employee
    Zyxel Certified Network Administrator - Nebula 25 Answers First Comment Friend Collector
    edited April 2021

    Your current configuration should be following:
    Site-to-Site is established successfully.
    Device subnet:
    NSG200
    subnet-1: 200.126.10.0/24  (unreachable from ICR-160)
    subnet-2: 200.126.100.0/24(reachable from ICR-160, Use VPN selected)

    ICR-160
    subnet: 200.126.19.0/24 

    Policy route:
    ICR-160
    1. Src-IP: 200.126.19.0/24 Dst-IP: 200.126.10.0/24 next-hop: VPN tunnel
    2. Src-IP: 200.126.19.0/24 Dst-IP: 200.126.100.0/24 next-hop: VPN tunnel

    Please correct me if above information is wrong.

    Question:
    1. Do you enable Use VPN for subnet 200.126.10.0/24 of NSG200 as well?
    (If so, but you still cannot ping from subnet 200.126.19.0/24 to 200.126.10.0/24. Please help us to enable Zyxel Support, which located at HELP > Support request page, and provide us your organization name so that we could have access to investigate the issue.)

    Adam

Categories

Nebula Tips & Tricks


    Read more

    Nebula Help Center

    EnglishTiếng ViệtРусскийไทย中文(台灣)