No traffic over a site-to-site VPN with 2 USGs behind routers

Good morning,

I have 2 firewalls (USG40 + ATP100) and I created a site-to-site IPsec VPN. The VPN connects correctly, but I cannot pass traffic from one side to the other.
Both firewalls are behind routers.
I followed this guide, using the steps for the configuration behind the router: https://support.zyxel.eu/hc/it/articles/360000719120-Come-configurare-VPN-da-sito-a-sito-IPSec-mentre-un-site-is-behind-a-NAT-router

I hope someone can help me, thanks

All Replies

  • PeterUK (Posts: 2,763, Guru Member)
    Post a picture of the config for both ends in advanced view.

    Do you see anything blocked in the logs?
  • Zyxel_Jeff (Posts: 1,076, Zyxel Employee)
    Hi @s4it_federico

    Could you share the site-to-site VPN behind NAT topology, with IP addresses, with us? As below:
    Site A LAN subnet<=>(LAN)USG40(WAN:private IP) <=>ISP A Router <=Internet=> ISP B Router => (WAN:private IP)ATP100(LAN) <=> Site B LAN subnet
    Which LAN subnets (with IP ranges) cannot pass traffic between Site A and Site B? What kind of traffic are you transferring (such as FTP)? When the traffic cannot be transferred, are there any security policy or UTM feature block messages that can be observed on the Monitor Log page?
    Thanks.

  • s4it_federico
    Site A 192.168.0.0<=>(192.168.0.1)USG40(WAN:192.168.99.2) <=>192.168.99.1 (public 185....) <=Internet=> (public  93....) 192.168.5.1 => (WAN:192.168.99.2)ATP100(192.168.10.1) <=> Site B 192.168.10.0

    [screenshot] VPN Connection ATP100
    [screenshot] VPN Connection USG40
    [screenshot] VPN Gateway ATP100
    [screenshot] VPN Gateway USG40

  • PeterUK (Posts: 2,763, Guru Member)
    edited September 2022

    For the ATP100 that's connected to a router doing NAT, have you set the DMZ to 192.168.5.2? Or try nailed-up on the ATP100, with the router connected to the USG40 having its DMZ set to 192.168.99.2.

    Have you enabled a Policy Control rule from WAN to ZyWALL for UDP 500 and 4500?

    Does the status show connected?

    Is Use Policy Route to control dynamic IPSec rules unchecked?


  • mMontana (Posts: 1,302, Guru Member)
    The "Casa" side has a dynamic IP?

  • Zyxel_Jeff (Posts: 1,076, Zyxel Employee)
    Site A 192.168.0.0<=>(192.168.0.1)USG40(WAN:192.168.99.2) <=>192.168.99.1 (public 185....) <=Internet=> (public  93....) 192.168.5.1 => (WAN:192.168.99.2)ATP100(192.168.10.1) <=> Site B 192.168.10.0

    Hi @s4it_federico

    You could add a policy route and a security policy on the USG40 and ATP100 sites, as below:

    USG40

    (1). Create a policy route (Network > Routing > Policy Route)
    Incoming: Interface
    Member: lan
    Source IP: 192.168.0.0/24
    Destination IP: 192.168.10.0/24 (Site ATP100)
    Next-hop: VPN tunnel, select the VPN tunnel to Site ATP100

    (2). Create a Security Policy (Security Policy > Policy Control)
    From: 192.168.0.0/24
    To: IPSec_VPN
    Source IP: 192.168.0.0/24
    Destination IP: 192.168.10.0/24 (Site ATP100)
    Action: allow

    ATP100

    (1). Create a policy route (Network > Routing > Policy Route)
    Incoming: Interface
    Member: lan
    Source IP: 192.168.10.0/24
    Destination IP: 192.168.0.0/24 (Site USG40)
    Next-hop: VPN tunnel, select the VPN tunnel to Site USG40

    (2). Create a Security Policy (Security Policy > Policy Control)
    From: 192.168.10.0/24
    To: IPSec_VPN
    Source IP: 192.168.0.0/24
    Destination IP: 192.168.10.0/24 (Site USG40)
    Action: allow

  • valerio_vanni (Posts: 64, Ally Member)
    Site A 192.168.0.0<=>(192.168.0.1)USG40(WAN:192.168.99.2) <=>192.168.99.1 (public 185....) <=Internet=> (public  93....) 192.168.5.1 => (WAN:192.168.99.2)ATP100(192.168.10.1) <=> Site B 192.168.10.0
    Are you sure about the bold part?
    WAN 192.168.99.2 cannot reach its gateway 192.168.5.1 unless you set a large netmask.

    Another thing: are the ISP routers forwarding the needed ports to the Zyxel devices?
  • s4it_federico
    Site A 192.168.0.0<=>(192.168.0.1)USG40(WAN:192.168.99.2) <=>192.168.99.1 (public 185....) <=Internet=> (public  93....) 192.168.5.1 => (WAN:192.168.99.2)ATP100(192.168.10.1) <=> Site B 192.168.10.0
    Are you sure about the bold part?
    WAN 192.168.99.2 cannot reach its gateway 192.168.5.1 unless you set a large netmask.

    Another thing: are the ISP routers forwarding the needed ports to the Zyxel devices?
    Sorry, my error: the WAN is not (WAN:192.168.99.2)ATP100 but (WAN:192.168.5.2)ATP100.
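The two checks the thread converges on (the WAN gateway must be on-link for each firewall, and each side needs a policy route plus an allow rule for its own LAN towards the remote LAN, mirrored on the other side) can be sanity-checked offline before touching the boxes. The script below is an added example written for this page, not Zyxel's code or anything posted in the thread. It models the policy route and security policy only as (source, destination, next-hop) and (source, destination) selectors; the tunnel name `S2S_VPN`, the `/24` masks on the WAN interfaces and the `Site`/`Route`/`Rule` types are assumptions, and the addresses are the ones from the topology line, with the ATP100 WAN corrected to 192.168.5.2.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple

Rule = Tuple[str, str]          # (source subnet, destination subnet) of an allow rule
Route = Tuple[str, str, str]    # (source subnet, destination subnet, next-hop tunnel name)

@dataclass
class Site:
    name: str
    lan: str             # LAN subnet behind this firewall, e.g. "192.168.0.0/24"
    wan_ip: str          # firewall WAN address with prefix, e.g. "192.168.99.2/24" (mask assumed)
    wan_gateway: str     # LAN-side address of the ISP router in front of the firewall
    routes: List[Route] = field(default_factory=list)   # policy routes into the tunnel
    allows: List[Rule] = field(default_factory=list)    # LAN -> IPSec_VPN allow rules

def _net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s, strict=False)

def wan_gateway_on_link(site: Site) -> bool:
    """The firewall can only resolve its default gateway if the gateway lies inside the WAN subnet."""
    return ipaddress.ip_address(site.wan_gateway) in ipaddress.ip_interface(site.wan_ip).network

def lan_subnets_disjoint(a: Site, b: Site) -> bool:
    """Overlapping LANs are delivered locally and never enter the tunnel."""
    return not _net(a.lan).overlaps(_net(b.lan))

def has_forward_path(local: Site, remote: Site, tunnel: str) -> bool:
    """local LAN -> remote LAN needs a policy route into the tunnel and an allow rule with the same selectors."""
    src, dst = _net(local.lan), _net(remote.lan)
    route_ok = any(_net(s) == src and _net(d) == dst and nh == tunnel for s, d, nh in local.routes)
    allow_ok = any(_net(s) == src and _net(d) == dst for s, d in local.allows)
    return route_ok and allow_ok

def check_topology(a: Site, b: Site, tunnel: str) -> List[str]:
    """Return a list of human-readable findings; an empty list means the config is consistent."""
    findings = []
    for site in (a, b):
        if not wan_gateway_on_link(site):
            findings.append(f"{site.name}: WAN {site.wan_ip} cannot reach gateway {site.wan_gateway} (not on-link)")
    if not lan_subnets_disjoint(a, b):
        findings.append(f"LAN subnets {a.lan} and {b.lan} overlap")
    for local, remote in ((a, b), (b, a)):   # check both directions, since each box routes its own LAN
        if not has_forward_path(local, remote, tunnel):
            findings.append(f"{local.name}: missing policy route or allow rule for {local.lan} -> {remote.lan}")
    return findings

TUNNEL = "S2S_VPN"   # assumed tunnel name

def thread_sites(atp_wan_ip: str = "192.168.5.2/24") -> Tuple[Site, Site]:
    """Constructed input: the thread's topology with mirrored route/allow rules on both sides."""
    usg40 = Site("USG40", "192.168.0.0/24", "192.168.99.2/24", "192.168.99.1",
                 routes=[("192.168.0.0/24", "192.168.10.0/24", TUNNEL)],
                 allows=[("192.168.0.0/24", "192.168.10.0/24")])
    atp100 = Site("ATP100", "192.168.10.0/24", atp_wan_ip, "192.168.5.1",
                  routes=[("192.168.10.0/24", "192.168.0.0/24", TUNNEL)],
                  allows=[("192.168.10.0/24", "192.168.0.0/24")])
    return usg40, atp100

if __name__ == "__main__":
    # As first posted (ATP100 WAN 192.168.99.2 with gateway 192.168.5.1): one off-link finding.
    for f in check_topology(*thread_sites("192.168.99.2/24"), TUNNEL):
        print(f)
    # With the corrected WAN address the checks pass.
    print(check_topology(*thread_sites(), TUNNEL))
```

Run it after editing `thread_sites` to match the real boxes; a non-empty list is the thing to fix first, and a swapped source/destination in one side's allow rule shows up as a missing path in that direction even though the tunnel itself reports connected.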