USG Flex 700 / VPN
Hello,
I have some questions about VPN connections on a USG Flex 700, in "on premise" configuration.
The USG is connected to a distant site by an IPsec tunnel with VTI configuration (and static routes). On LAN, we have some VLAN, and only one (VLAN20) must access the distant network through the tunnel. The distant servers must be joined too by DNS names. The DNS distributed on VLAN20's DHCP is the Zywall.
About DNS : On the router, in configuration → system → DNS and in the "Domain Zone Forward" I have written the two DNS servers on the distant network, but when I try to ping a server from VLAN20 with his name that doesn't work. If I setup the DNS with the adress of the distant servers, no problem (and tried on a PC with "host" file, works too), but for me It's not a good way to manage It.
About VPN : We have to setup mobile VPN on the Flex 700, but the clients on this VPN must access the distant network over the IPSEC VTI tunnel. For the moment that doesn't work but I think because on the distant router (which I don't manage) there isn't a static route for the subnet used by the mobile VPN, to make back route working. But I'm asking myself if there is a particular configuration for connexion between VPN ? I have another interrogation about that : the SSL VPN give addresses to clients on a subnet but L2TP over IPsec give addresses on a range. Will It work in the same way, no matter the mobile VPN solution chosen ? Usually I use SSL VPN but my customer use Apple Mac and It seems to me the SSL VPN Mac software is not free unlike PC software.
About Nebula : I know there is no SSL VPN available on Nebula, so If the L2TP over IPsec must be used, is it better to do it on premise or Nebula mode ?
Thanks a lot :D
Regards
All Replies
-
About DNS : On the router, in configuration → system → DNS and in the "Domain Zone Forward" I have written the two DNS servers on the distant network, but when I try to ping a server from VLAN20 with his name that doesn't work. If I setup the DNS with the adress of the distant servers, no problem (and tried on a PC with "host" file, works too), but for me It's not a good way to manage It.
The Domain Zone Forward has no way of forwarding down a VPN tunnel and will forward out a WAN interface
unless…the DNS server is on the same subnet as IPSEC VTI tunnel then Private DNS Server set should workOnly way I have found is client at 192.168.10.2 (left) has DNS 10.10.10.20 which then forwards to your DNS servers for name that side
0 -
Thanks for your answer. So you setup DNS on a client with VTI address on the other side of the tunnel ?
"The Domain Zone Forward has no way of forwarding down a VPN tunnel and will forward out a WAN interface"
Why is there written "tunnel" on the DNS settings ?
Thanks a lot,
Regards
0 -
You can try to create a static route on flex700
Destination : Distant servers IP
subnet mask : 255.255.255.255 (single host for DNS query)
Interface = Vlan20 Interface IP
firewall should be able to send out DNS query via vlan20 interface IP to remote subnet for local out traffic.
0 -
Why is there written "tunnel" on the DNS settings ?
guess it should say Private
It could be a bug as tested by auto to the remote end 10.0.0.2
192.168.255.50 > DNS to Zywall 192.168.255.49 > over VTI 10.0.0.1 > 10.0.0.2
as you can see it don't work
but if the client have 10.0.0.2 for DNS
192.168.255.50 > DNS to 10.0.0.2 > over VTI 192.168.255.50 > 10.0.0.2
then it works
0 -
Thanks for these informations. So, the DZF seems not working at attended ?
0 -
Hello,
Thanks, that way ?
0
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 146 Nebula Ideas
- 96 Nebula Status and Incidents
- 5.7K Security
- 262 USG FLEX H Series
- 271 Security Ideas
- 1.4K Switch
- 74 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.4K Consumer Product
- 249 Service & License
- 387 News and Release
- 84 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.5K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 85 About Community
- 73 Security Highlight