USG40 - VPN Traffic VPN2Internet/VPN2LAN and back

IWAT
IWAT Posts: 13  Freshman Member
First Comment

Hi,
I set up an IKE VPN with my USG40. Establishing the VPN works well, but I don't get any internet or LAN access. In the logs it looks like the traffic goes through VPN2any, but nothing comes back, and I don't see any block in the log.
What could cause that error?

Br


All Replies

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,404  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 1000 Comments

    Hi @IWAT,

    Please send the startup-config.conf to me in private message. Thanks!

    See how you've made an impact in Zyxel Community this year!
    https://bit.ly/Your2024Moments_Community

  • IWAT
    IWAT Posts: 13  Freshman Member
    First Comment

    Hi Emily

    Thanks for your help, but the startup config contains my whole network with passwords.
    I would prefer to send you some print screens instead.

    Br Iwat

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,404  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 1000 Comments

    Hi @IWAT,

    We will need the whole startup-config.conf to check if all settings are correctly configured. Before sending the configuration file to me, you can remove this line from the configuration file:

    "username admin encrypted-password xxxxxx user-type admin"


  • PeterUK
    PeterUK Posts: 3,503  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited February 2024

    There is no need to hide your WAN1 being a 192.168.x.x address, but when clients get a 192.168.x.x address over the VPN, doesn't it conflict with your other subnets?

    You may need to SNAT the VPN traffic out the WAN with a routing rule, unless the router upstream of the USG40 has a static route for the VPN clients that get 192.168.x.x addresses.

  • IWAT
    IWAT Posts: 13  Freshman Member
    First Comment

    Hi Peter

    The DHCP range from the USG is 192.168.2.20 - 192.168.2.200. The VPN usually gets a 192.168.60.xx address, so it shouldn't conflict. To test it I changed the VPN address to 192.168.2.25x, but the error is the same.

    Br Ivo

  • PeterUK
    PeterUK Posts: 3,503  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited February 2024

    Keep VPN clients on another subnet so they do not conflict.

    Change Local policy to 0.0.0.0

    Make a routing rule:

    incoming VPN tunnel
    next hop WAN
    SNAT outgoing-interface

    Policy Control:
    IPSec_VPN to WAN
    and IPSec_VPN to LAN1

    Note that access to a PC on LAN1 may be blocked by a firewall on that PC.
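
    The two failure modes Peter raises above (a VPN client pool that overlaps a local subnet, and Internet replies that never come back because nothing upstream knows the route to the VPN pool) can be reasoned through offline. The following is an added Python model of that return-path problem; it is not code from the thread or from Zyxel, and the addresses, the upstream routing table, the zone names and the helper names are constructed assumptions used only to illustrate why SNAT (or an upstream static route) makes the replies land on the USG.

```python
"""Offline model of VPN2Internet return traffic on an edge router.

Constructed example: all addresses and route entries are illustrative.
Shows (a) whether a VPN client pool overlaps local subnets and (b) whether
an Internet reply to a VPN client can find its way back to the USG's WAN,
with and without SNAT to the WAN address.
"""
import ipaddress
from typing import Iterable, List, Tuple

# An upstream routing table as (destination network, next hop) pairs.
# "connected" marks a directly attached segment; any other value is the
# next-hop IP the upstream router forwards to.
RouteTable = List[Tuple[str, str]]

# Policy-control pairs Peter lists as required (zone names assumed).
REQUIRED_POLICY_RULES = {("IPSec_VPN", "WAN"), ("IPSec_VPN", "LAN1")}


def pool_conflicts(vpn_pool: str, local_subnets: Iterable[str]) -> List[str]:
    """Return every local subnet that overlaps the VPN client address pool."""
    pool = ipaddress.ip_network(vpn_pool, strict=False)
    return [
        s for s in local_subnets
        if ipaddress.ip_network(s, strict=False).overlaps(pool)
    ]


def reply_reaches_usg(client_ip: str, usg_wan_ip: str, snat: bool,
                      upstream_routes: RouteTable) -> bool:
    """Decide whether the upstream router delivers the reply to the USG.

    Without SNAT the reply is addressed to the VPN client's tunnel address;
    with SNAT it is addressed to the USG's WAN address. The upstream router
    uses longest-prefix match; a reply is delivered to the USG only if the
    winning route is the connected WAN segment and the destination is the
    USG WAN IP, or the route's next hop is the USG WAN IP (a static route).
    """
    reply_dst = ipaddress.ip_address(usg_wan_ip if snat else client_ip)
    best = None  # (network, next_hop) of the most specific match
    for net, hop in upstream_routes:
        network = ipaddress.ip_network(net, strict=False)
        if reply_dst in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, hop)
    if best is None:
        return False
    _, hop = best
    if hop == "connected":
        return str(reply_dst) == usg_wan_ip
    return hop == usg_wan_ip


def diagnose(vpn_pool: str, local_subnets: Iterable[str], client_ip: str,
             usg_wan_ip: str, snat: bool, upstream_routes: RouteTable,
             policy_rules: Iterable[Tuple[str, str]]) -> List[str]:
    """Collect the findings a practitioner would check for this symptom."""
    findings = []
    overlaps = pool_conflicts(vpn_pool, local_subnets)
    if overlaps:
        findings.append(f"VPN pool {vpn_pool} overlaps local subnet(s): {overlaps}")
    if not reply_reaches_usg(client_ip, usg_wan_ip, snat, upstream_routes):
        findings.append("Internet replies to VPN clients do not return to the USG: "
                        "enable SNAT on the VPN->WAN route or add an upstream static route")
    missing = REQUIRED_POLICY_RULES - set(policy_rules)
    if missing:
        findings.append(f"missing policy-control rule(s): {sorted(missing)}")
    return findings


if __name__ == "__main__":
    upstream = [("0.0.0.0/0", "203.0.113.1"), ("192.168.1.0/24", "connected")]
    print(diagnose("192.168.60.0/24", ["192.168.2.0/24", "192.168.1.0/24"],
                   "192.168.60.5", "192.168.1.2", snat=False,
                   upstream_routes=upstream, policy_rules=[("IPSec_VPN", "WAN")]))
```

    Running the block with the constructed inputs reports the missing SNAT and the missing IPSec_VPN to LAN1 rule; changing `snat=True` (Peter's routing rule) or appending a `("192.168.60.0/24", "192.168.1.2")` static route on the upstream table clears the return-path finding, and pointing the pool at `192.168.2.248/29` (the 192.168.2.25x test from the thread) reports the overlap with the LAN subnet.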

  • IWAT
    IWAT Posts: 13  Freshman Member
    First Comment

    I have added the Routing rule, the Policy Control has already been created.
    But it is still not working.

  • IWAT
    IWAT Posts: 13  Freshman Member
    First Comment

    I have no idea why, but it works now…