Domain Controller over VPN BGP Dynamic Route

Hello

we have an issue with out Zyxel USG110 trying to connect a remote host over a VPN configured with VTI/BGP, so there is no need for static routes.
In this scenario, we cannot get the Zyxel contact the remote Domain Controller (Ping fails). 
The solutions suggeted in other old post (static route to remote host) is not viable because of BGP (it does work for remot ehost over a "classic" VPN, with no VTI nor BGP).

The remote networks work, the issue is related to Zyxel only.

how can be Zyxel configured in order to contact succesfully remote host over such a VTI/BGP VPN scenario?
«1

All Replies

  • Blabababa
    Blabababa Posts: 121  Ally Member
    So the VPN connection is up or even you can't bring up the VPN tunnel? What's the topology of your network? Is there any ISAKMP/IPSec...etc related error log showing on the USG110 log
  • DavideGatta
    DavideGatta Posts: 7
    VPN is UP and running
    un brief topology is as follow:
    LAN - Zyxel - VPN - remote Firewall - DC

    from LAN it is possible to contact remote DC
    VPN Clients (once L2TP VPN is connected) can contact remote DC

    no error is present in log monitoring




  • Zyxel_Jerry
    Zyxel_Jerry Posts: 467  Zyxel Employee

    Hi @ DavideGatta


    Please check the  configuration on your device.
    Here is the BGP over VTI settings. 

    The router ID must the same as VTI  interface, and the neighbors please fill in with peer VTI interface IP address.



    The neighbors settings please follow below settings.
    Since the Neighbors IP address is using VTI interface IP address, no need select VTI interface as Update Source in the neighbors settings.


  • DavideGatta
    DavideGatta Posts: 7
    edited June 29
    No @ Zyxel_Jerry

    It does not work

    the router is connected via VPN to two AWS VPC (BGP over VTI) and via VPN to one Azure Virtual Network (Static Route over VTI)

    the AWS VPN is configured according the parameters supplied by AWS
    because of this, I have 4 VTI for 2 VPN (AWS require redundancy) and I cannot satsfay the first condition you sugges (Router ID must be VTI Address) and, accordinng AWS instruction, Router ID is the Public IP address of the router

    I Repeat: VPN traffic works correctly but if I Connect to Zywall via Putty, from inside the Putty session I cannot Ping any remote host over these VPN
  • Zyxel_Jerry
    Zyxel_Jerry Posts: 467  Zyxel Employee

    Hi @ DavideGatta

    To verify the case, please have a check on the host under AWS site and collect the packet on it.

    We would like to check when Zywall 110 try to ping the host, does the host receive the packet or not.



  • DavideGatta
    DavideGatta Posts: 7
    Hi @Zyxel_Jerry

    the host in AWS site does receive packet from the zyxel

    here is the relevant log

    2021-07-12 12:36:25 ALLOW ICMP a.b.c.d 172.31.15.1 - - 0 - - - - 8 0 - RECEIVE

    (a.b.c.d is the IP Address of one of the two vti of the zyxel for the AWS VPN)

    so it seems that the Zyxel can contact the host but it does not receive any answer...
  • Zyxel_Jerry
    Zyxel_Jerry Posts: 467  Zyxel Employee
    edited July 14

    Hi @ DavideGatta

    You can collect the packet on VTI interface on USG110 and check if there is any packet ack from the host in the file.




  • DavideGatta
    DavideGatta Posts: 7

    Hi @ DavideGatta

    You can collect the packet on VTI interface on USG110 and check if there is any packet ack from the host in the file.




    Hi @[email protected]_Jerry

    the remote host can connect to the device if it is pinging to internal LAN Interface of the Zyxel.

    I think that The Zyxel should present itself with the Internal LAN IF IP address, not with the VTI IP.
    in Static Routes scenario when the Zyxel try to connect remote host, it does with the Internal IP Address and it does successfully.

    How can implement this config?
  • Zyxel_Jerry
    Zyxel_Jerry Posts: 467  Zyxel Employee

    Hi @ DavideGatta

    You can go to policy route settings and check if there is SNAT on the settings.

    You can select the SNAT as none to disable it.



  • DavideGatta
    DavideGatta Posts: 7
    SNAT is disabled

Security Highlight