ZyWall vti trunk, don't work some sites
Master Member
Build ipsec vti trunk beetween 2 ZyWall USG 1100 like this instruction https://kb.zyxel.ru/hc/ru/articles/115002596454-%D0%9F%D1%80%D0%B8%D0%BC%D0%B5%D1%80-%D0%BD%D0%B0%D1%81%D1%82%D1%80%D0%BE%D0%B9%D0%BA%D0%B8-%D0%B1%D0%B0%D0%BB%D0%B0%D0%BD%D1%81%D0%B8%D1%80%D0%BE%D0%B2%D0%BA%D0%B8-IPSec-VPN-%D1%82%D1%83%D0%BD%D0%BD%D0%B5%D0%BB%D0%B5%D0%B9-%D0%B2-%D1%83%D1%81%D1%82%D1%80%D0%BE%D0%B9%D1%81%D1%82%D0%B2%D0%B0%D1%85-%D1%81%D0%B5%D1%80%D0%B8%D0%B8-ZyWALL-USG
After that users from second area can't connect to some sites in Internet, like vk.com or sberbank.ru via vti.
If I add policy route to this sites direct via WAN interface, not vti trunk, they work correctly.
Don't fragmentation enable, via simple ipsec vpn all work perfectly
Accepted Solution
-
Hi @alexey,The problem is on the MTU size of the vti interface.After we increase the MTU size from 1300 to 1500, there is no problem accessing two websites through vti trunk.Firmware shall be ready in early November and I will send you the firmware via private message.
See how you've made an impact in Zyxel Community this year!
https://bit.ly/Your2024Moments_Community5
Zyxel Employee
All Replies
-
Hi @alexey,
The vti trunk you created in Trunk > User Configuration is only used for VPN load balancing, so we use the vti trunk in policy route to achieve VPN failover.
You don't have to replace the SYSTEM_DEFAULT_WAN_TRUNK with vti_trunk.
In this way, PCs in LAN can still access the Internet via its own WAN trunk, not via the vti_trunk.
Here is the configuration in Trunk for your reference.
See how you've made an impact in Zyxel Community this year!
https://bit.ly/Your2024Moments_Community0 -
No, we need that site B goes to Internet via vti trunk with site A. And add policy route with all from local on site B to vti trunk with site A. Some sites don't open from site B. Early was simple ipsec with reserved gateways from sites, site B goes to internet perfectly. Ipsec vpn and vti trunk in ipsec zone. Its not problem with firewall rules.0
-
Hi @alexey,The problem is on the MTU size of the vti interface.After we increase the MTU size from 1300 to 1500, there is no problem accessing two websites through vti trunk.Firmware shall be ready in early November and I will send you the firmware via private message.
See how you've made an impact in Zyxel Community this year!
https://bit.ly/Your2024Moments_Community5 -
It sounds great! Thanks. I'm waiting new firmware.0
-
See how you've made an impact in Zyxel Community this year!
https://bit.ly/Your2024Moments_Community0
Categories
- All Categories
- 415 Beta Program
- 2.5K Nebula
- 152 Nebula Ideas
- 101 Nebula Status and Incidents
- 5.8K Security
- 296 USG FLEX H Series
- 281 Security Ideas
- 1.5K Switch
- 77 Switch Ideas
- 1.1K Wireless
- 42 Wireless Ideas
- 6.5K Consumer Product
- 254 Service & License
- 396 News and Release
- 85 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.6K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 87 About Community
- 76 Security Highlight
