Routing problem ikeV1/ipsec VPN
Hi everyone
I'm trying to set up a remote client VPN between my PC and a USG FLEX 50. I've already configured similar connections in the past and I didn't have any trouble, but this time I can't make it work. Basically, the VPN is configured on the USG via the configuration wizard, then I export the config to a Zyxel VPN client and start the connection. The client looks like it's connected to the USG, but I can't ping anything behind the firewall. Enabling logs, I can see ICMP requests being forwarded to the network clients behind the firewall, but I can't see any packet going in the opposite direction. I've also tried enabling mode config and assigning a local IP address to the remote VPN client, and then setting up a policy route that directs the traffic to the mode config IP range into the VPN tunnel, but it doesn't work.
Ping to the firewall works.
Any clue?
All Replies
Hi @DOK, could you send the startup-config.conf to me in a private message? Thanks
Hi @DOK, the assigned IP pool for IPSec VPN clients conflicts with lan1 192.168.11.0/24. Please assign another IP pool for the IPSec VPN clients. For example: 192.168.21.240-192.168.21.250.
Hi, done but still the same results.
Subnet 192.168.11.0/24 is the local LAN; there are some clients and a NAS. That's the NAS's IP address. It's online, it can ping other clients and answers a ping from anywhere. I can only reach the USG: I can ping it, SSH to it, and access the web GUI. I had the same result even without changing the mode config pool to a different subnet as you suggested. And even without mode config enabled, the only thing I can reach is the LAN side of the firewall.
Also there is this: if I start a network scan of the 192.168.11.0/24 subnet from the VPN, this is (part of) the log on the firewall.
As you can see, it forwards each packet, but I can't see any response coming back.
Can you do a packet capture on the USG FLEX 50 for 192.168.11.x ICMP and see if the pings are going out?
Maybe ICMP to those IPs is being blocked by the firewall?
Hi,
this is the capture.
192.168.11.34 is the NAS I'm trying to reach through the VPN and the only client on the 192.168.11.0/24 subnet (excluding the USG, which is the gateway and DNS server).
Hi @DOK, please give me remote access to the USG FLEX 50 in a private message. I'll establish an IPSec VPN to your USG FLEX 50 and check the symptom remotely. Thanks!