Domain Controller over VPN BGP Dynamic Route
We have an issue with our Zyxel USG110 trying to connect to a remote host over a VPN configured with VTI/BGP, so there is no need for static routes.
In this scenario, we cannot get the Zyxel to contact the remote Domain Controller (ping fails).
The solution suggested in other old posts (static route to the remote host) is not viable because of BGP (it does work for remote hosts over a "classic" VPN, with no VTI nor BGP).
The remote networks work; the issue is related to the Zyxel only.
How can the Zyxel be configured in order to successfully contact a remote host over such a VTI/BGP VPN scenario?
All Replies
-
So the VPN connection is up, or can't you even bring up the VPN tunnel? What's the topology of your network? Is there any ISAKMP/IPSec etc. related error log showing in the USG110 log?
-
VPN is UP and running.
A brief topology is as follows:
LAN - Zyxel - VPN - remote Firewall - DC
From the LAN it is possible to contact the remote DC.
VPN clients (once the L2TP VPN is connected) can contact the remote DC.
No error is present in log monitoring.
-
Hi @DavideGatta
Please check the configuration on your device.
Here are the BGP over VTI settings. The router ID must be the same as the VTI interface, and for the neighbors please fill in the peer VTI interface IP address.
For the neighbors settings, please follow the settings below.
Since the neighbors IP address is using the VTI interface IP address, there is no need to select the VTI interface as Update Source in the neighbors settings.
-
No @Zyxel_Jerry
It does not work.
The router is connected via VPN to two AWS VPCs (BGP over VTI) and via VPN to one Azure Virtual Network (static route over VTI).
The AWS VPN is configured according to the parameters supplied by AWS.
Because of this, I have 4 VTIs for 2 VPNs (AWS requires redundancy) and I cannot satisfy the first condition you suggest (Router ID must be the VTI address) and, according to AWS instructions, the Router ID is the public IP address of the router.
I repeat: VPN traffic works correctly, but if I connect to the Zywall via PuTTY, from inside the PuTTY session I cannot ping any remote host over these VPNs.
Hi @DavideGatta
To verify the case, please have a check on the host under the AWS site and collect the packets on it.
We would like to check, when the Zywall 110 tries to ping the host, whether the host receives the packet or not.
-
Hi @Zyxel_Jerry
The host in the AWS site does receive packets from the Zyxel.
Here is the relevant log:
2021-07-12 12:36:25 ALLOW ICMP a.b.c.d 172.31.15.1 - - 0 - - - - 8 0 - RECEIVE
(a.b.c.d is the IP address of one of the two VTIs of the Zyxel for the AWS VPN)
So it seems that the Zyxel can contact the host, but it does not receive any answer...
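The log line quoted in this post has the 17-field layout of the Windows Firewall log (pfirewall.log), which is an assumption here, as the host is not identified beyond being a Domain Controller. The check being done by hand in the thread (did the host see the echo request, and did it send an echo reply back?) can be run over the whole log. The following is an added example, not code from the thread or from Zyxel; it pairs inbound ICMP echo requests (type 8, RECEIVE) with outbound echo replies (type 0, SEND) per requester/responder pair and reports requesters that got fewer replies than requests. The sample log embeds the line from the post plus constructed lines for a LAN-sourced ping (192.168.1.1 is a constructed address) that does get answered, and assumes the host logs allowed traffic in both directions.

```python
"""Find ICMP echo requests in a Windows Firewall log that never got an echo reply."""
from collections import Counter

# Windows Firewall (pfirewall.log) field layout. Assumption: the thread's line
# has 17 whitespace-separated fields, which matches this layout exactly.
FIELDS = ("date", "time", "action", "protocol", "src_ip", "dst_ip", "src_port",
          "dst_port", "size", "tcpflags", "tcpsyn", "tcpack", "tcpwin",
          "icmptype", "icmpcode", "info", "path")

ICMP_ECHO_REQUEST = "8"
ICMP_ECHO_REPLY = "0"

# Constructed sample log: the first data line is the one quoted in the thread
# (a.b.c.d is the VTI address placeholder used there); the rest are made up to
# show a LAN-sourced ping that does receive a reply.
SAMPLE_LOG = """\
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2021-07-12 12:36:25 ALLOW ICMP a.b.c.d 172.31.15.1 - - 0 - - - - 8 0 - RECEIVE
2021-07-12 12:36:26 ALLOW ICMP a.b.c.d 172.31.15.1 - - 0 - - - - 8 0 - RECEIVE
2021-07-12 12:36:30 ALLOW ICMP 192.168.1.1 172.31.15.1 - - 0 - - - - 8 0 - RECEIVE
2021-07-12 12:36:30 ALLOW ICMP 172.31.15.1 192.168.1.1 - - 0 - - - - 0 0 - SEND
"""


def parse_line(line):
    """Return a dict of named fields, or None for headers, blanks and malformed lines."""
    if line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def icmp_echo_balance(lines):
    """Count echo requests and echo replies, both keyed by (requester, responder)."""
    requests = Counter()
    replies = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["protocol"] != "ICMP" or rec["action"] != "ALLOW":
            continue
        if rec["icmptype"] == ICMP_ECHO_REQUEST and rec["path"] == "RECEIVE":
            requests[(rec["src_ip"], rec["dst_ip"])] += 1
        elif rec["icmptype"] == ICMP_ECHO_REPLY and rec["path"] == "SEND":
            # A reply travels responder -> requester, so swap to match the request key.
            replies[(rec["dst_ip"], rec["src_ip"])] += 1
    return requests, replies


def unanswered_requesters(lines):
    """Map (requester, responder) -> number of echo requests that got no reply."""
    requests, replies = icmp_echo_balance(lines)
    return {pair: requests[pair] - replies[pair]
            for pair in requests if requests[pair] > replies[pair]}


if __name__ == "__main__":
    for (src, dst), missing in unanswered_requesters(SAMPLE_LOG.splitlines()).items():
        print(f"{src} -> {dst}: {missing} echo request(s) without a reply")
```

On the sample data the VTI-sourced pings show up as unanswered while the LAN-sourced ping does not, which is the same asymmetry the thread goes on to describe: the host sees the request but its reply never makes it back, or is never sent. Run it against the real log on the DC to confirm which of the two it is.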
Hi @DavideGatta
You can collect the packets on the VTI interface on the USG110 and check if there is any packet ack from the host in the file.
-
Zyxel_Jerry said:
> Hi @DavideGatta
> You can collect the packets on the VTI interface on the USG110 and check if there is any packet ack from the host in the file.
The remote host can connect to the device if it pings the internal LAN interface of the Zyxel.
I think that the Zyxel should present itself with the internal LAN interface IP address, not with the VTI IP.
In the static routes scenario, when the Zyxel tries to connect to a remote host, it does so with the internal IP address and it does so successfully.
How can I implement this config?
Hi @DavideGatta
You can go to the policy route settings and check if there is SNAT in the settings.
You can select the SNAT as none to disable it.
-
SNAT is disabled.