Can't Access Opposite Web Interface Across Site-to-Site VPN


All Replies

  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,377  Zyxel Employee
    Hi @NEP
    In the VPN tunnel, the "Don't Fragment" flag is enabled. If the VPN MSS size is less than HTTPS requires, then the connection will fail (but ICMP is still available).
    That is the reason why the "ignore "Don't Fragment" setting in IPv4 header" option is enabled in the default setting.

    If your connection doesn't work after enabling the setting, then we may need to check the issue by remote access connection. :)
  • mMontana
    mMontana Posts: 1,389  Guru Member
    Sounds like a firewall policy to adjust, to me...
  • Mario
    Mario Posts: 106  Ally Member
    Hi @NEP

    Please try to add an additional route:

    Network > Routing > Static Route > Add:

    Destination IP: 192.168.X.0 (Remote Subnet ; same like Remote Policy at VPN Phase2)

    Subnet Mask: 255.255.255.0 (Mask of remote Subnet)

    Interface: lan1 (your local Interface)


    The cause of the problem is that the target firewall sends the traffic back over the "default gateway" and ignores the policy route. You can see this if you create a trace on the target firewall.
    Please let me know if this works.
    Mario

  • NEP
    NEP Posts: 72  Ally Member
    edited October 2022
    @Zyxel_Stanley On both sides of the tunnel, I unchecked the "dynamic IPSEC rules" box and checked "Ignore Don't Fragment" but there is no change. Still no access. You mentioned ICMP, just to be clear, I can access and ping all devices on each network (that are set up to respond), except for the ZyWALL at each site (192.168.x.1).

    SiteA
      Routing
        Incoming - Any (excluding ZyWALL)
        Destination - vpn20 (192.168.20.0/24)
        Next-Hop - vpn20
      Policy Control
        From - vpn20
        To - ZyWALL
        Any

    SiteB
      Routing
        Incoming - Any (excluding ZyWALL)
        Destination - vpn10 (192.168.10.0/24)
        Next-Hop - vpn10
      Policy Control
        From - vpn10
        To - ZyWALL
        Any

    Both sites have the policies listed above as their first entry. These policies are logged and I see that the traffic is forwarded to the ZyWALL. It seems like packets are getting to each ZyWALL from the other side, but it doesn't know how to send them back. @PeterUK mentioned in his post that Incoming be set to the interface. Could this be the issue? I tried adding another route with the interface set but it didn't work either.

    Is there anything else that could cause this issue? If I were to turn Policy Control off at both sites, should I have access to each site's ZyWALL with just the Routing rule? Or some way to track it with logs? I just don't understand why the traffic shows as forwarded in the logs but access doesn't work.

    @mMontana When you say firewall policy, you are just referring to an entry in Policy Control correct?
  • zyman2008
    zyman2008 Posts: 219  Master Member
    edited October 2022 Answer ✓
    Hi @NEP,
    Add these policy routes for ZyWALL to ZyWALL through policy-based IPSec VPN.
    SiteA
      Routing
        Incoming - ZyWALL
        Destination - vpn20 (192.168.20.0/24)
        Next-Hop - vpn20

    SiteB
      Routing
        Incoming - ZyWALL
        Destination - vpn10 (192.168.10.0/24)
        Next-Hop - vpn10

  • mMontana
    mMontana Posts: 1,389  Guru Member
    @NEP I am referring to security policy.
  • PeterUK
    PeterUK Posts: 3,387  Guru Member

    In VPN Connection, for the VPN, check under Related Settings what zone is set.


  • NEP
    NEP Posts: 72  Ally Member
    Answer ✓
    Thank you very much everyone! The issue is now fixed. Part of the issue was as @zyman2008 had said. There was no policy route configured for the ZyWALL back to the "requesting" IP. The other issue was that we have a VLAN at one site and not the other. I was using the wrong routing destination (i.e. the site's subnet, as opposed to the VLAN I was on). Simple things :-( Anyway, thank you again.

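As an added example (not Zyxel's code, nor the firmware's real lookup logic), a simplified first-match model of policy routing that shows the two failure modes in this thread: the ZyWALL's own reply falls through to the default gateway until a route with Incoming = ZyWALL exists, and a client sitting in a VLAN is not covered by a route for the site's main subnet. The client address 192.168.10.50 and the VLAN subnet 192.168.30.0/24 are constructed placeholders; the thread does not give them.

```python
import ipaddress
from dataclasses import dataclass

DEFAULT_GATEWAY = "wan1 default gateway"  # what the main routing table picks when no policy route matches


@dataclass(frozen=True)
class PolicyRoute:
    incoming: str     # "ZyWALL" (locally originated), "any_except_zywall", "any", or an interface name
    destination: str  # remote subnet in CIDR form
    next_hop: str     # VPN tunnel name


def _matches(rule: PolicyRoute, incoming: str, dst_ip: str) -> bool:
    # "Any (excluding ZyWALL)" explicitly skips traffic the firewall itself originates.
    if rule.incoming == "any_except_zywall" and incoming == "ZyWALL":
        return False
    if rule.incoming not in ("any", "any_except_zywall") and rule.incoming != incoming:
        return False
    return ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule.destination)


def select_next_hop(rules: list, incoming: str, dst_ip: str) -> str:
    """First matching policy route wins; otherwise fall through to the default gateway."""
    for rule in rules:
        if _matches(rule, incoming, dst_ip):
            return rule.next_hop
    return DEFAULT_GATEWAY


def reply_next_hop(rules: list, client_ip: str) -> str:
    """Path taken by the ZyWALL's own reply to an HTTPS request that arrived via the tunnel."""
    return select_next_hop(rules, "ZyWALL", client_ip)


# Site B as NEP first described it: Incoming = Any (excluding ZyWALL).
SITEB_BEFORE = [PolicyRoute("any_except_zywall", "192.168.10.0/24", "vpn10")]
# Site B after adding zyman2008's rule: Incoming = ZyWALL.
SITEB_AFTER = SITEB_BEFORE + [PolicyRoute("ZyWALL", "192.168.10.0/24", "vpn10")]
# NEP's second fix: the client actually sits in a VLAN (constructed subnet), so it needs its own route.
SITEB_VLAN = SITEB_AFTER + [PolicyRoute("ZyWALL", "192.168.30.0/24", "vpn10")]

if __name__ == "__main__":
    cases = [("before fix", SITEB_BEFORE, "192.168.10.50"),
             ("after fix", SITEB_AFTER, "192.168.10.50"),
             ("VLAN client, no VLAN route", SITEB_AFTER, "192.168.30.50"),
             ("VLAN client, VLAN route", SITEB_VLAN, "192.168.30.50")]
    for label, rules, client in cases:
        print(f"{label:28s} reply to {client} -> {reply_next_hop(rules, client)}")
```

LAN-to-LAN traffic matched the original rule all along, which is why hosts behind each firewall were reachable while the firewalls' own web interfaces were not.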