Can't Access Opposite Web Interface Across Site-to-Site VPN

NEP Posts: 61  Ally Member
Hello. We have a Site-to-Site IPSEC VPN set up between two sites. From either site we can access all resources (eg. computers, servers, APs), but we can't access the web interface of the opposite side's ATP via its internal IP. The connection simply times out and we don't see anything listed in the logs. However, we can access the web interface using the external IP of the opposite site. Not sure if it relates, WWW is visible to all but access is blocked except if listed in the trusted IP group. What are we missing? Thanks!

Best Answers

  • zyman2008
    zyman2008 Posts: 199  Master Member
    edited October 2022 Answer ✓
    Hi @NEP,
    Add these policy routes for ZyWALL-to-ZyWALL traffic through the policy-based IPSec VPN.

    SiteA
      Routing
        Incoming - ZyWALL
        Destination - vpn20 (192.168.20.0/24)
        Next-Hop - vpn20

    SiteB
      Routing
        Incoming - ZyWALL
        Destination - vpn10 (192.168.10.0/24)
        Next-Hop - vpn10

  • NEP
    NEP Posts: 61  Ally Member
    Answer ✓
    Thank you very much everyone! The issue is now fixed. Part of the issue was as @zyman2008 had said. There was no policy route configured for the ZyWALL back to the "requesting" IP. The other issue was that we have a VLAN at one site and not the other. I was using the wrong routing destination (ie. the site's subnet, as opposed to the VLAN I was on). Simple things :-( Anyway, thank you again.

All Replies

  • mMontana
    mMontana Posts: 1,300  Guru Member
    The logs of ATP at the remote endpoint register the attempted access?
  • NEP
    NEP Posts: 61  Ally Member
    It wasn't, so I just added a policy to log it. It shows in the Logs now as "Web Forward" but access still doesn't work.
  • PeterUK
    PeterUK Posts: 2,702  Guru Member
    edited September 2022

    Tested here with a VPN300 to USG40; it works here.

    Do you have a routing rule?

    The routing rule should be like:

      Incoming interface - member g5 (your local LAN)
      Destination - the remote subnet
      Next-hop type - VPN tunnel
      VPN tunnel - your site-to-site tunnel

    On the other end, policy control:

      From - zone of the tunnel
      To - ZyWALL

    You should be able to connect to the remote LAN gateway IP.


  • NEP
    NEP Posts: 61  Ally Member
    For routing, SiteA has Incoming "any (excluding ZyWALL)", Destination remote site subnet, and Next-Hop the IPSEC tunnel. This allows us to connect to any remote IP (except for their ZyWall). For Policy Control, SiteB has a policy of: From IPSEC tunnel, To ZyWALL, Source any, and Dest any.
  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,366  Zyxel Employee
    Hi @NEP
    You may try enabling the "Ignore 'Don't Fragment' setting in IPv4 header" option in the VPN settings first.

  • NEP
    NEP Posts: 61  Ally Member
    Hi @Zyxel_Stanley. Does this have to be done on one or both sides of the tunnel? Currently, they are both unchecked, nor would I have changed that setting. Accessing the opposite device used to work, which is what's strange. It seems like a routing issue, just unsure why I can't find anything in the logs.

    When looking at that setting, I noticed that "Use Policy Route to control dynamic IPSec rules" is checked on one side, but not the other. Would that cause an issue? I don't know what that setting is or why the original person, who configured the ATP, might have turned it on. That same person configured both sides, so it's odd that they didn't enable it on both.
  • mMontana
    mMontana Posts: 1,300  Guru Member
    @NEP From the local site, can you ping the "internal" ip address of the ATP at the remote site?
    From the diagnostic on the local Zyxel device, can you ping the internal ip address of the ATP at the remote site?

    Last but not least: does network policy include the remote device "internal" ip address?
    For instance...
    Local site 192.168.10.0/24, remote site 192.168.20.0/24. In the local site, as the remote network, I specified the whole 192.168.20.0/24 subnet; the "internal" IP address of the remote site is 192.168.20.1 and I can ping it or access it over HTTP. Moreover... there's no rule in the remote ATP that denies 192.168.10.0/24 access to HTTPS management.
  • PeterUK
    PeterUK Posts: 2,702  Guru Member
    edited October 2022

    The default is:

    "Use Policy Route to control dynamic IPSec rules": unchecked

    "Ignore 'Don't Fragment' setting in IPv4 header": checked


  • NEP
    NEP Posts: 61  Ally Member
    @mMontana: No. Ping does not work from a device at the local site to the remote site's Zyxel device. Nor does the ping work from the Diagnostics tab of the local site to the remote site.

    As for network policy, not sure what you mean by that exactly. Too many similar things named "policy". Then again, I am not that familiar with it. Anyway, on the local device, Network > Routing has an entry for the VPN (Source any, Dest 192.168.20.0/24, Next-Hop VPN. The remote site has the entry in reverse (Source any, Dest 192.168.10.0/24, Next-Hop VPN). Neither site has a Policy Control entry pertaining to the other site.

    As stated before, not sure if it matters, I can ping and access every IP (that is set up to respond) on either side of the tunnel except for the Zyxel firewall devices themselves.

    @PeterUK: Thanks for the info. I'll look into it a little more and then make the change.
  • NEP
    NEP Posts: 61  Ally Member
    Does anyone have any other thoughts on this?