Can't Access Opposite Web Interface Across Site-to-Site VPN

NEP

Hello. We have a Site-to-Site IPSEC VPN set up between two sites. From either site we can access all resources (eg. computers, servers, APs), but we can't access the web interface of the opposite side's ATP via its internal IP. The connection simply times out and we don't see anything listed in the logs. However, we can access the web interface using the external IP of the opposite site. Not sure if it relates, WWW is visible to all but access is blocked except if listed in the trusted IP group. What are we missing? Thanks!

zyman2008

Hi @NEP,
Add these policy routes for ZyWALL to ZyWALL through policy-base IPSec VPN.
SiteA
  Routing
    Incoming - ZyWALL
    Destination - vpn20 (192.168.20.0/24)
    Next-Hop - vpn20

SiteB
  Routing
    Incoming - ZyWALL
    Destination - vpn10 (192.168.10.0/24)
    Next-Hop - vpn10

NEP

Thank you very much everyone! The issue is now fixed. Part of the issue was as @zyman2008 had said. There was no policy route configured for the ZyWALL back to the "requesting" IP. The other issue was that we have a VLAN at one site and not the other. I was using the wrong routing destination (ie. the site's subnet, as opposed to the VLAN I was on). Simple things :-( Anyway, thank you again.

mMontana

The logs of ATP at the remote endpoint register the attempted access?

NEP

It wasn't, so I just added a policy to log it. It shows in the Logs now as "Web Forward" but access still doesn't work.

PeterUK

Tested here with a VPN300 to USG40 works here.

Do you have an routing rule?

The routing rule should be like

incoming interface

member g5 your local LAN

destination the remote subnet

next hop

type VPN tunnel

VPN tunnel your sitetosite

on the other end

policy control

from zone of tunnel

to Zwall

you should be able to connect to the remote LAN gateway IP

NEP

For routing, SiteA has Incoming "any (excluding ZyWALL)", Destination remote site subnet, and Next-Hop the IPSEC tunnel. This allows us to connect to any remote IP (except for their ZyWall). For Policy Control, SiteB has a policy of: From IPSEC tunnel, To ZyWALL, Source any, and Dest any.

Zyxel_Stanley

Hi @NEP
You may have a try to enable ignore "Don't Fragment" setting in IPv4 header" in VPN setting first.

NEP

Hi @Zyxel_Stanley. Does this have to be done on one or both sides of the tunnel? Currently, they are both unchecked, nor would I have changed that setting. Accessing the opposite device used to work, which is what's strange. It seems like a routing issue, just unsure why I can't find anything in the logs.

When looking at that setting, I noticed that "Use Policy Route to control dynamic IPSec rules" is checked on one side, but not the other. Would that cause an issue. Don't know what that setting is or why the original person, who configured the ATP, might have turned it on. That same person configured both sides, so it's odd that they didn't enable it on both.

mMontana

@NEP From the local site, can you ping the "internal" ip address of the ATP at the remote site?
From the diagnostic on the local Zyxel device, can you ping the internal ip address of the ATP at the remote site?

Last but not least: does network policy include the remote device "internal" ip address?
For instance...
Local site 192.168.10.0/24. Remote site 192.168.20.0/24. Into local site as remote network I specified the whole 192.168.20.0/24 subnet, Ip "internal" address of the remote site is 192.168.20.1 and i can ping or http access to it. Moreover... There's no rule into remote ATP that do not allow 192.168.10.0/24 to access to HTTPS management.

PeterUK

The default is:

"Use Policy Route to control dynamic IPSec rules" unchecked

ignore "Don't Fragment" setting in IPv4 header" checked

NEP

@mMontana: No. Ping does not work from a device at the local site to the remote site's Zyxel device. Nor does the ping work from the Diagnostics tab of the local site to the remote site.

As for network policy, not sure what you mean by that exactly. Too many similar things named "policy". Then again, I am not that familiar with it. Anyway, on the local device, Network > Routing has an entry for the VPN (Source any, Dest 192.168.20.0/24, Next-Hop VPN. The remote site has the entry in reverse (Source any, Dest 192.168.10.0/24, Next-Hop VPN). Neither site has a Policy Control entry pertaining to the other site.

As stated before, not sure if it matters, I can ping and access every IP (that is set up to respond) on either side of the tunnel except for the Zyxel firewall devices themselves.

@PeterUK: Thanks for the info. I'll look into it a little more and then make the change.

NEP

Does anyone have any other thoughts on this?