IPsec VPN "site to site" USG20<-> USG40

mMontana

VPN Connection, EXTERNAL OFFICE side. 
Enable "Advanced" settings. Nailed Up is selected?

serverpal

Hi,
Error was in external zywall configuration.
LAN3 had lan 192.168.8.1 (same HEADQUARTER 192.168.8.0/24).
now I ping from external to headquarter and viceversa but not all ip.
example:
in HEADQUARTER there is:
192.168.8.2
192.168.8.7
192.168.8.8
...

from external office I ping .7 and .8 but not .2

why?

mMontana

What is 192.168.8.2?

serverpal

192.168.8.2 is a iSeries Server (as400).
from external office I can connect to headquarters by SSL secureextender client (usg40 HEADQUARTERS has SSL VPN configured), in secureextender insert HeadQuarters public IP, user and password and then get connection and I reach iSeries server by ping 192.168.8.2 but not with VPN IPSec site to site.

sadatvid

Please help to check if both USG security policy Wan to Device have service port NATT? [.](https://instasave.onl/) 

serverpal

yes, USG HEAD and USG EXTERNAL have NATT in Wan to Zywall security policy

mMontana

I am no expert at all of iSeries Server. Maybe there are some options on TCP/IP and firewall setting for allow connection from other subnets?
Moreover: does your iSeries server has the gateway configured?

PeterUK

Does 192.168.8.8 have ICMP allow on its firewall?

Is the subnet at the other end really /24 ?

Zyxel_Cooldia

Hi @sadatvid,

Does the USG40 have subnet 192.168.2.x/24?  we have default subnet 192.168.2.x/24 on LAN 2.
It would have subnet overlapping with peer USG20 LAN IP.

Default interface setting in USG.

serverpal

Hi, thank you for your help.
I can't solve connection to iSeries (AS400).
If I use Zywall secuExtender client from pc into external office I can ping As400 and connect to terminal emulation (by client access emulator port 23 telnet).
IPSec (Ikev1) works with all ip of HEADQUARTERS Lan but not with iSeries.
what is the difference?