ZyWall vti trunk, don't work some sites
Master Member
Hello.
Build ipsec vti trunk beetween 2 ZyWall USG 1100 like this instruction https://kb.zyxel.ru/hc/ru/articles/115002596454-%D0%9F%D1%80%D0%B8%D0%BC%D0%B5%D1%80-%D0%BD%D0%B0%D1%81%D1%82%D1%80%D0%BE%D0%B9%D0%BA%D0%B8-%D0%B1%D0%B0%D0%BB%D0%B0%D0%BD%D1%81%D0%B8%D1%80%D0%BE%D0%B2%D0%BA%D0%B8-IPSec-VPN-%D1%82%D1%83%D0%BD%D0%BD%D0%B5%D0%BB%D0%B5%D0%B9-%D0%B2-%D1%83%D1%81%D1%82%D1%80%D0%BE%D0%B9%D1%81%D1%82%D0%B2%D0%B0%D1%85-%D1%81%D0%B5%D1%80%D0%B8%D0%B8-ZyWALL-USG
After that users from second area can't connect to some sites in Internet, like vk.com or sberbank.ru via vti.
If I add policy route to this sites direct via WAN interface, not vti trunk, they work correctly.
Build ipsec vti trunk beetween 2 ZyWall USG 1100 like this instruction https://kb.zyxel.ru/hc/ru/articles/115002596454-%D0%9F%D1%80%D0%B8%D0%BC%D0%B5%D1%80-%D0%BD%D0%B0%D1%81%D1%82%D1%80%D0%BE%D0%B9%D0%BA%D0%B8-%D0%B1%D0%B0%D0%BB%D0%B0%D0%BD%D1%81%D0%B8%D1%80%D0%BE%D0%B2%D0%BA%D0%B8-IPSec-VPN-%D1%82%D1%83%D0%BD%D0%BD%D0%B5%D0%BB%D0%B5%D0%B9-%D0%B2-%D1%83%D1%81%D1%82%D1%80%D0%BE%D0%B9%D1%81%D1%82%D0%B2%D0%B0%D1%85-%D1%81%D0%B5%D1%80%D0%B8%D0%B8-ZyWALL-USG
After that users from second area can't connect to some sites in Internet, like vk.com or sberbank.ru via vti.
If I add policy route to this sites direct via WAN interface, not vti trunk, they work correctly.
What could be the problem?
Don't fragmentation enable, via simple ipsec vpn all work perfectly
Don't fragmentation enable, via simple ipsec vpn all work perfectly
0
Accepted Solution
-
Hi @alexey,The problem is on the MTU size of the vti interface.After we increase the MTU size from 1300 to 1500, there is no problem accessing two websites through vti trunk.Firmware shall be ready in early November and I will send you the firmware via private message.5
Zyxel Employee
All Replies
-
Hi @alexey,
The vti trunk you created in Trunk > User Configuration is only used for VPN load balancing, so we use the vti trunk in policy route to achieve VPN failover.
You don't have to replace the SYSTEM_DEFAULT_WAN_TRUNK with vti_trunk.
In this way, PCs in LAN can still access the Internet via its own WAN trunk, not via the vti_trunk.
Here is the configuration in Trunk for your reference.
0 -
No, we need that site B goes to Internet via vti trunk with site A. And add policy route with all from local on site B to vti trunk with site A. Some sites don't open from site B. Early was simple ipsec with reserved gateways from sites, site B goes to internet perfectly. Ipsec vpn and vti trunk in ipsec zone. Its not problem with firewall rules.0
-
Hi @alexey,The problem is on the MTU size of the vti interface.After we increase the MTU size from 1300 to 1500, there is no problem accessing two websites through vti trunk.Firmware shall be ready in early November and I will send you the firmware via private message.5
-
It sounds great! Thanks. I'm waiting new firmware.0
-
0
Categories
- All Categories
- 431 Beta Program
- 2.6K Nebula
- 165 Nebula Ideas
- 112 Nebula Status and Incidents
- 6K Security
- 364 USG FLEX H Series
- 292 Security Ideas
- 1.5K Switch
- 78 Switch Ideas
- 1.2K Wireless
- 42 Wireless Ideas
- 6.6K Consumer Product
- 262 Service & License
- 407 News and Release
- 87 Security Advisories
- 31 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.9K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 85 About Community
- 83 Security Highlight
