Routing problem ikeV1/ipsec VPN

DOK Posts: 10  Freshman Member
Hi everyone
I'm trying to set up a remote client VPN between my PC and a USG FLEX 50. I've already configured similar connections in the past and I didn't have any trouble, but this time I can't make it work. Basically, the VPN is configured on the USG via the configuration wizard, then I export the config to a Zyxel VPN client and start the connection. The client looks like it's connected to the USG, but I can't ping anything behind the firewall. Enabling logs I can see ICMP requests being forwarded to the network clients behind the firewall, but I can't see any packet going in the opposite direction. I've also tried to enable mode config and assign a local IP address to the remote VPN client, and then set up a policy route that directs the traffic to the mode config IP range to the VPN tunnel, but it doesn't work.
Ping to the firewall works.
Any clue?

All Replies

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,370  Zyxel Employee
    Hi @DOK,
    Could you send the startup-config.conf to me in private message? Thanks =)

    Best regards,
    Emily


  • Zyxel_Emily
    Zyxel_Emily Posts: 1,370  Zyxel Employee
    edited October 2022
    Hi @DOK,
    The assigned IP pool for IPSec VPN clients conflicts with lan1 192.168.11.0/24. Please assign another IP pool for the IPSec VPN clients. For example: 192.168.21.240-192.168.21.250.

    Best regards,
    Emily


  • DOK
    DOK Posts: 10  Freshman Member
    Hi, done, but still the same results.

  • DOK
    DOK Posts: 10  Freshman Member
    Subnet 192.168.11.0/24 is the local LAN; there are some clients and a NAS. That's the NAS's IP address. It's online, it can ping other clients and it answers a ping from anywhere. I can only reach the USG: I can ping it, SSH to it, and access the web GUI. I had the same result even without changing the mode config pool to a different subnet as you suggested. And even without mode config active, the only thing I can reach is the LAN side of the firewall.
  • DOK
    DOK Posts: 10  Freshman Member
    edited October 2022
    Also there is this: if I start a network scan of the 192.168.11.0/24 subnet from the VPN, this is (part of) the log on the firewall.

    As you can see, it forwards each packet, but I can't see any response coming back.
  • PeterUK
    PeterUK Posts: 3,149  Guru Member
    edited October 2022
    Can you packet capture on the USG FLEX 50 for 192.168.11.x ICMP and see if pings are going out?

    Maybe ICMP to those IPs is being blocked by a firewall?
  • DOK
    DOK Posts: 10  Freshman Member
    Hi,
    this is the capture.
    192.168.11.34 is the NAS I'm trying to reach through the VPN and the only client on the 192.168.11.0/24 subnet (excluding the USG, which is the gateway and DNS server).
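Two checks that follow from this thread, as an added example (not code from the original posts or from Zyxel): the first tests whether a mode-config client pool overlaps the LAN subnet, which is the conflict Emily pointed out, and the second scans a packet capture for ICMP echo requests that never receive a reply, which is what PeterUK's capture on the USG is meant to reveal. The LAN subnet and the suggested pool come from the thread; the original overlapping pool and the tcpdump-style capture lines are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample values: LAN and the suggested pool mirror the thread,
# the overlapping pool is an assumption about the original wizard output.
LAN_SUBNETS = ["192.168.11.0/24"]
BAD_POOL = ("192.168.11.240", "192.168.11.250")   # assumed original pool, inside lan1
GOOD_POOL = ("192.168.21.240", "192.168.21.250")  # the pool Emily suggested

def pool_overlaps_lan(pool, subnets):
    """Return the LAN subnets that contain any address of the client pool."""
    first, last = (ipaddress.ip_address(a) for a in pool)
    hits = []
    for s in subnets:
        net = ipaddress.ip_network(s)
        # a range overlaps a network unless it lies entirely before or after it
        if not (last < net[0] or first > net[-1]):
            hits.append(s)
    return hits

# Constructed tcpdump-style lines, not the real firewall log from the thread.
CAPTURE = """\
10:00:01.1 IP 192.168.21.241 > 192.168.11.34: ICMP echo request, id 7, seq 1
10:00:01.2 IP 192.168.21.241 > 192.168.11.34: ICMP echo request, id 7, seq 2
10:00:02.0 IP 192.168.21.241 > 192.168.11.1: ICMP echo request, id 8, seq 1
10:00:02.0 IP 192.168.11.1 > 192.168.21.241: ICMP echo reply, id 8, seq 1
"""
LINE = re.compile(r"IP (\S+) > (\S+): ICMP echo (request|reply), id (\d+), seq (\d+)")

def unanswered_hosts(capture):
    """Map each pinged host to the number of echo requests that got no reply."""
    pending = defaultdict(int)
    for m in LINE.finditer(capture):
        src, dst, kind, ident, seq = m.groups()
        if kind == "request":
            pending[(dst, ident, seq)] += 1          # wait for the matching reply
        else:
            pending.pop((src, ident, seq), None)     # reply seen, request is answered
    missing = defaultdict(int)
    for (host, _, _), n in pending.items():
        missing[host] += n
    return dict(missing)

if __name__ == "__main__":
    print("overlapping pool:", pool_overlaps_lan(BAD_POOL, LAN_SUBNETS))
    print("suggested pool:", pool_overlaps_lan(GOOD_POOL, LAN_SUBNETS))
    print("hosts not replying:", unanswered_hosts(CAPTURE))
```

A host that shows up in the unanswered map while the USG itself replies points at the host's own firewall or its route back to the client pool, not at the tunnel.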
  • Zyxel_Emily
    Zyxel_Emily Posts: 1,370  Zyxel Employee
    Hi @DOK,
    Please give me the remote access of USG FLEX 50 in private message. I'll establish IPSec VPN to your USG FLEX 50 and check the symptom remotely. Thanks!

    Best regards,
    Emily
