connect to static route ip though ipsec vpn

Options
mafois13
mafois13 Posts: 3
First Comment
edited April 2023 in Security

hello,

i have spent hours trying to find a solution but i am still stuck. here is my problem

I have set 2 static route on our zyxel usg 110 to allow my users to use our ERP which is remotely hosted. Eveyring is ok when users are on site but when they connect trough the vpn that is set on the zyxel, they can't. Any idea of what to do ?

For the record, when i am connected to the local network, i can ping the remote lan (per exemple 10.100.1.1) but when I am connected through the vpn, i can't.

Any help woould be much appreciated

Regards

Pierre

All Replies

  • CHS
    CHS Posts: 177  Master Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    One possible solution to this issue is to configure a "new IP pool" for remote VPN clients on the USG110, and then ensure that the ERP site is configured to route traffic from this "new IP pool" back to the local site.

    You can refer to the article which provides detailed instructions on how to forward traffic to a branch site server after a client establishes a VPN tunnel:

  • Zyxel_Kevin
    Zyxel_Kevin Posts: 754  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    Hi @mafois13 ,

    Greeting Forum, please kindly check IPSec Phase2 "Local Policy" have the ip address of ERP.

    If the issue still please kindly provide your configuration file by private message.

    Thank you

  • mafois13
    mafois13 Posts: 3
    First Comment
    Options

    Hi

    Thanks for you tip bit it doesn't work. It even breaks the VPN :)

    I'll am sending you the config file. Thanks for your help and time

    Regards

    Pierre

  • Zyxel_Kevin
    Zyxel_Kevin Posts: 754  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    Hi @mafois13 ,

    Thanks your time today, the issue have been resolved.

    You have to add NAT rule for vpn address then ERP can be recognized that.

    (src:client VPN address , dst: ERP server , SNAT)

    Please feel free to contact us again if any concerns. Thank you

  • mafois13
    Options

    Hello

    I had to change my zyxel firewall to a new more powerful version (USG FLEX 200) and I can't make it work again. Attached is a screenshot of my settings. Can you see what I am doing wrong ?

    Regards

    Pierre

  • Zyxel_Kevin
    Zyxel_Kevin Posts: 754  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    Hi @mafois13 ,

    As your private message said, You have resolved the issue after created two policy-routed.

    That's great, please feel free to contact us again if any concerns.

    Thank you

Security Highlight