Can't Access Opposite Web Interface Across Site-to-Site VPN
Hello. We have a Site-to-Site IPSEC VPN set up between two sites. From either site we can access all resources (e.g. computers, servers, APs), but we can't access the web interface of the opposite side's ATP via its internal IP. The connection simply times out and we don't see anything listed in the logs. However, we can access the web interface using the external IP of the opposite site. Not sure if it is related, but WWW is visible to all and access is blocked except for addresses listed in the trusted IP group. What are we missing? Thanks!
Best Answers
-
Hi @NEP,
Add these policy routes for ZyWALL to ZyWALL through policy-base IPSec VPN.
SiteA
Routing
Incoming - ZyWALL
Destination - vpn20 (192.168.20.0/24)
Next-Hop - vpn20
SiteB
Routing
Incoming - ZyWALL
Destination - vpn10 (192.168.10.0/24)
Next-Hop - vpn10
-
Thank you very much everyone! The issue is now fixed. Part of the issue was as @zyman2008 had said. There was no policy route configured for the ZyWALL back to the "requesting" IP. The other issue was that we have a VLAN at one site and not the other. I was using the wrong routing destination (i.e. the site's subnet, as opposed to the VLAN I was on). Simple things :-( Anyway, thank you again.
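The two root causes in this thread (no policy route with Incoming = ZyWALL on the remote side, and a policy route whose destination did not cover the VLAN the client was actually on) can be traced with a small model of first-match policy routing. This is an added illustration, not Zyxel code: the subnets, tunnel names and the zone pair used for policy control follow the thread, while the interface names (lan1, vlan11), the VLAN subnet 192.168.11.0/24 and the client addresses are constructed for the example.

```python
"""Model of ZyWALL policy-route matching across a site-to-site IPsec tunnel.

Added illustration, not Zyxel code. Policy routes are evaluated top to bottom
and the first rule whose incoming interface and destination both match wins;
an unmatched packet falls through to the main routing table (here: the default
route via WAN). 'any (excluding ZyWALL)' never matches packets the firewall
itself generates, which is exactly what the reply from its web UI is.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class PolicyRoute:
    incoming: str             # "ZyWALL", "any", "any (excluding ZyWALL)" or an interface name
    destination: IPv4Network  # destination address object
    next_hop: str             # VPN tunnel name, or "WAN" for the default route


def incoming_matches(rule_incoming: str, pkt_incoming: str) -> bool:
    """Incoming-interface match; self-originated traffic has incoming == 'ZyWALL'."""
    if rule_incoming == "any":
        return True
    if rule_incoming == "any (excluding ZyWALL)":
        return pkt_incoming != "ZyWALL"
    return rule_incoming == pkt_incoming


def next_hop(rules, pkt_incoming, dst, default="WAN"):
    """First matching policy route wins; otherwise the main routing table (default route)."""
    for rule in rules:
        if incoming_matches(rule.incoming, pkt_incoming) and dst in rule.destination:
            return rule.next_hop
    return default


def web_ui_round_trip(site_a_rules, site_b_rules, site_b_policy_control,
                      client_ip, client_iface, tunnel_a, tunnel_b, remote_gw):
    """Trace a client at Site A opening the Site B ZyWALL's internal web UI."""
    client, gw = ip_address(client_ip), ip_address(remote_gw)
    hop = next_hop(site_a_rules, client_iface, gw)             # request leaves Site A
    if hop != tunnel_a:
        return f"request leaves Site A via {hop}"
    if ("IPSec_VPN", "ZyWALL") not in site_b_policy_control:   # zone-based firewall at Site B
        return "request dropped by Site B policy control"
    hop = next_hop(site_b_rules, "ZyWALL", client)             # reply originates on the Site B ZyWALL
    if hop != tunnel_b:
        return f"reply leaves Site B via {hop}: connection times out"
    return "ok"


SITE_A = ip_network("192.168.10.0/24")
SITE_A_VLAN = ip_network("192.168.11.0/24")  # constructed VLAN subnet at Site A
SITE_B = ip_network("192.168.20.0/24")
SITE_B_GW = "192.168.20.1"
POLICY_B = {("IPSec_VPN", "ZyWALL")}         # From IPSec tunnel, To ZyWALL, allow

SITE_A_RULES = [PolicyRoute("any (excluding ZyWALL)", SITE_B, "vpn20")]
SITE_B_RULES_ORIG = [PolicyRoute("any (excluding ZyWALL)", SITE_A, "vpn10")]
SITE_B_RULES_FIXED = SITE_B_RULES_ORIG + [PolicyRoute("ZyWALL", SITE_A, "vpn10")]
SITE_B_RULES_VLAN = SITE_B_RULES_FIXED + [PolicyRoute("ZyWALL", SITE_A_VLAN, "vpn10")]


def trace(rules_b, client, iface, policy=POLICY_B):
    return web_ui_round_trip(SITE_A_RULES, rules_b, policy, client, iface,
                             "vpn20", "vpn10", SITE_B_GW)


def scenarios():
    """Outcomes for the configurations discussed in the thread."""
    return {
        # a LAN host behind Site B replies via lan1, so the original rule covers it
        "remote LAN host reply": next_hop(SITE_B_RULES_ORIG, "lan1", ip_address("192.168.10.50")),
        "no policy control rule": trace(SITE_B_RULES_ORIG, "192.168.10.50", "lan1", policy=set()),
        "no ZyWALL route": trace(SITE_B_RULES_ORIG, "192.168.10.50", "lan1"),
        "ZyWALL route added": trace(SITE_B_RULES_FIXED, "192.168.10.50", "lan1"),
        "client on VLAN, route only for LAN": trace(SITE_B_RULES_FIXED, "192.168.11.50", "vlan11"),
        "client on VLAN, route covers VLAN": trace(SITE_B_RULES_VLAN, "192.168.11.50", "vlan11"),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:36s} -> {outcome}")
```

The "remote LAN host reply" case is why every other host behind the tunnel was reachable: their replies arrive on a LAN interface and match the existing "any (excluding ZyWALL)" route, whereas the firewall's own reply only matches a route whose Incoming is ZyWALL and whose Destination covers the subnet the client really sits on.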
All Replies
-
Do the logs of the ATP at the remote endpoint register the attempted access?
-
It wasn't, so I just added a policy to log it. It shows in the Logs now as "Web Forward" but access still doesn't work.
-
Tested here with a VPN300 to a USG40; it works here.
Do you have a routing rule?
The routing rule should be like
incoming interface
member g5 your local LAN
destination the remote subnet
next hop
type VPN tunnel
VPN tunnel your sitetosite
on the other end
policy control
from zone of tunnel
to ZyWALL
you should be able to connect to the remote LAN gateway IP
-
For routing, SiteA has Incoming "any (excluding ZyWALL)", Destination remote site subnet, and Next-Hop the IPSEC tunnel. This allows us to connect to any remote IP (except for their ZyWALL). For Policy Control, SiteB has a policy of: From IPSEC tunnel, To ZyWALL, Source any, and Dest any.
-
Hi @NEP
You may try enabling the "Ignore "Don't Fragment" setting in IPv4 header" option in the VPN settings first.
-
Hi @Zyxel_Stanley. Does this have to be done on one or both sides of the tunnel? Currently, they are both unchecked, nor would I have changed that setting. Accessing the opposite device used to work, which is what's strange. It seems like a routing issue, just unsure why I can't find anything in the logs.
When looking at that setting, I noticed that "Use Policy Route to control dynamic IPSec rules" is checked on one side, but not the other. Would that cause an issue? I don't know what that setting is or why the original person, who configured the ATP, might have turned it on. That same person configured both sides, so it's odd that they didn't enable it on both.
-
@NEP From the local site, can you ping the "internal" ip address of the ATP at the remote site?
From the diagnostic on the local Zyxel device, can you ping the internal ip address of the ATP at the remote site?
Last but not least: does the network policy include the remote device's "internal" IP address?
For instance...
Local site 192.168.10.0/24. Remote site 192.168.20.0/24. On the local site, as the remote network, I specified the whole 192.168.20.0/24 subnet; the "internal" IP address of the remote site is 192.168.20.1 and I can ping or HTTP-access it. Moreover... there's no rule in the remote ATP that prevents 192.168.10.0/24 from accessing HTTPS management.
-
The default is:
"Use Policy Route to control dynamic IPSec rules" unchecked
"Ignore "Don't Fragment" setting in IPv4 header" checked
-
@mMontana: No. Ping does not work from a device at the local site to the remote site's Zyxel device. Nor does the ping work from the Diagnostics tab of the local site to the remote site.
As for network policy, not sure what you mean by that exactly. Too many similar things named "policy". Then again, I am not that familiar with it. Anyway, on the local device, Network > Routing has an entry for the VPN (Source any, Dest 192.168.20.0/24, Next-Hop VPN). The remote site has the entry in reverse (Source any, Dest 192.168.10.0/24, Next-Hop VPN). Neither site has a Policy Control entry pertaining to the other site.
As stated before, not sure if it matters, I can ping and access every IP (that is set up to respond) on either side of the tunnel except for the Zyxel firewall devices themselves.
@PeterUK: Thanks for the info. I'll look into it a little more and then make the change.
-
Does anyone have any other thoughts on this?