No traffic with VPN site-to-site with 2 USG behind router

Options
Good morning,

i have 2 firewalls (USG40 + ATP100) and i created a site to site IPSEC VPN. The vpn connects correctly, but I cannot pass traffic from one side to the other.
Both firewalls are behind routers.
I followed this guide using the steps related to the configuration behind the router: https://support.zyxel.eu/hc/it/articles/360000719120-Come-configurare-VPN-da-sito-a-sito-IPSec-mentre-un -site-is-behind-a-NAT-router

I hope someone can help me, thanks

All Replies

  • PeterUK
    PeterUK Posts: 2,758  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    Post pic of the config for both ends with advanced view 

    Do you see anything blocked in logs
  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,073  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    Hi @s4it_federico

    Could you share the site-to-site VPN behind NAT topology with IP address to us? as below:
    Site A LAN subnet<=>(LAN)USG40(WAN:private IP) <=>ISP A Router <=Internet=> ISP B Router => (WAN:private IP)ATP100(LAN) <=> Site B LAN subnet   
    What are LAN subnet domains(with IP range) cannot transfer traffic between Site A and Site B? What kind of traffics do you transfer(such as FTP)? When the traffic cannot be transferred, are there any security policies or UTM features blocked messages that can be observed on the Monitor Log page?
    Thanks.

  • s4it_federico
    Options
    Site A 192.168.0.0<=>(192.168.0.1)USG40(WAN:192.168.99.2) <=>192.168.99.1 (public 185....) <=Internet=> (public  93....) 192.168.5.1 => (WAN:192.168.99.2)ATP100(192.168.10.1) <=> Site B 192.168.10.0

    VPN Connection ATP100


    VPN Connection USG40


    VPN Gateway ATP100


    VPN Gateway USG40

  • PeterUK
    PeterUK Posts: 2,758  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited September 2022
    Options

    For the ATP100 thats connected to a router doing NAT have you set DMZ to 192.168.5.2? or try nailed-up on the ATP100 with the USG40 connected router DMZ to 192.168.99.2

    Have you enabled Policy Control for from WAN to zywall UDP 500 and 4500

    Does the status show connected?

    Is Use Policy Route to control dynamic IPSec rules unchecked?


  • mMontana
    mMontana Posts: 1,302  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    The "Casa" side has a dynamic IP?

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,073  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    Site A 192.168.0.0<=>(192.168.0.1)USG40(WAN:192.168.99.2) <=>192.168.99.1 (public 185....) <=Internet=> (public  93....) 192.168.5.1 => (WAN:192.168.99.2)ATP100(192.168.10.1) <=> Site B 192.168.10.0

    Hi @s4it_federico

    You could add policy route and security policy on USG40, ATP100 sites, as below:

    USG40

    (1). To create a policy route (Network > Routing > Policy Route)

    Incoming: Interface

    Member : lan
    Source IP: 192.168.0.0/24
    Destination IP: 192.168.10.0/24(Site ATP100)
    Next-hop: VPN tunnel, select the VPN tunnel to Site ATP100
    (2). To create a Security Policy (Security Policy > Policy Control)
    From: 192.168.0.0/24
    To: IPSec_VPN
    Source IP: 192.168.0.0/24
    Destination IP: 192.168.10.0/24(Site ATP100)
    Action: allow

     

    ATP100

    (1). To create a policy route (Network > Routing > Policy Route)

    Incoming : Interface

    Member : lan
    Source IP: 192.168.10.0/24
    Destination IP: 192.168.0.0/24(Site USG40)
    Next-hop: VPN tunnel, select the VPN tunnel to Site USG40
    (2). To create a Security Policy (Security Policy > Policy Control)
    From: 192.168.10.0/24
    To: IPSec_VPN
    Source IP: 192.168.0.0/24
    Destination IP: 192.168.10.0/24(Site USG40)
    Action: allow

     

  • valerio_vanni
    valerio_vanni Posts: 64  Ally Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    Site A 192.168.0.0<=>(192.168.0.1)USG40(WAN:192.168.99.2) <=>192.168.99.1 (public 185....) <=Internet=> (public  93....) 192.168.5.1 => (WAN:192.168.99.2)ATP100(192.168.10.1) <=> Site B 192.168.10.0
    Are you sure about the bold part?
    WAN 192.168.99.2 cannot reach its gateway 192.168.5.1, if you don't set a large netmask.

    Another thing: ISP routers are forwarding needed ports to Zyxel devices?
  • s4it_federico
    Options
    Site A 192.168.0.0<=>(192.168.0.1)USG40(WAN:192.168.99.2) <=>192.168.99.1 (public 185....) <=Internet=> (public  93....) 192.168.5.1 => (WAN:192.168.99.2)ATP100(192.168.10.1) <=> Site B 192.168.10.0
    Are you sure about the bold part?
    WAN 192.168.99.2 cannot reach its gateway 192.168.5.1, if you don't set a large netmask.

    Another thing: ISP routers are forwarding needed ports to Zyxel devices?
    Sorry, my error the WAN is not (WAN:192.168.99.2)ATP100 but (WAN:192.168.5.2)ATP100

Security Highlight