USG Flex 700 / VPN

Options
IZ_LB
IZ_LB Posts: 2
Friend Collector First Comment

Hello,

I have some questions about VPN connections on a USG Flex 700, in "on premise" configuration.

The USG is connected to a distant site by an IPsec tunnel with VTI configuration (and static routes). On LAN, we have some VLAN, and only one (VLAN20) must access the distant network through the tunnel. The distant servers must be joined too by DNS names. The DNS distributed on VLAN20's DHCP is the Zywall.

About DNS : On the router, in configuration → system → DNS and in the "Domain Zone Forward" I have written the two DNS servers on the distant network, but when I try to ping a server from VLAN20 with his name that doesn't work. If I setup the DNS with the adress of the distant servers, no problem (and tried on a PC with "host" file, works too), but for me It's not a good way to manage It.

About VPN : We have to setup mobile VPN on the Flex 700, but the clients on this VPN must access the distant network over the IPSEC VTI tunnel. For the moment that doesn't work but I think because on the distant router (which I don't manage) there isn't a static route for the subnet used by the mobile VPN, to make back route working. But I'm asking myself if there is a particular configuration for connexion between VPN ? I have another interrogation about that : the SSL VPN give addresses to clients on a subnet but L2TP over IPsec give addresses on a range. Will It work in the same way, no matter the mobile VPN solution chosen ? Usually I use SSL VPN but my customer use Apple Mac and It seems to me the SSL VPN Mac software is not free unlike PC software.

About Nebula : I know there is no SSL VPN available on Nebula, so If the L2TP over IPsec must be used, is it better to do it on premise or Nebula mode ?

Thanks a lot :D

Regards

All Replies

  • PeterUK
    PeterUK Posts: 2,709  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited March 1
    Options

    About DNS : On the router, in configuration → system → DNS and in the "Domain Zone Forward" I have written the two DNS servers on the distant network, but when I try to ping a server from VLAN20 with his name that doesn't work. If I setup the DNS with the adress of the distant servers, no problem (and tried on a PC with "host" file, works too), but for me It's not a good way to manage It.

    The Domain Zone Forward has no way of forwarding down a VPN tunnel and will forward out a WAN interface

    unless…the DNS server is on the same subnet as  IPSEC VTI tunnel then Private DNS Server set should work

    Only way I have found is client at 192.168.10.2 (left) has DNS 10.10.10.20 which then forwards to your DNS servers for name that side

  • IZ_HL
    IZ_HL Posts: 2
    First Comment
    Options

    Thanks for your answer. So you setup DNS on a client with VTI address on the other side of the tunnel ?

    "The Domain Zone Forward has no way of forwarding down a VPN tunnel and will forward out a WAN interface"

    Why is there written "tunnel" on the DNS settings ?

    Thanks a lot,

    Regards

  • lalaland
    lalaland Posts: 90  Ally Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    You can try to create a static route on flex700

    Destination : Distant servers IP

    subnet mask : 255.255.255.255 (single host for DNS query)

    Interface = Vlan20 Interface IP

    firewall should be able to send out DNS query via vlan20 interface IP to remote subnet for local out traffic.

  • PeterUK
    PeterUK Posts: 2,709  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited March 4
    Options

    Why is there written "tunnel" on the DNS settings ?

    guess it should say Private

    It could be a bug as tested by auto to the remote end 10.0.0.2

    192.168.255.50 > DNS to Zywall 192.168.255.49 > over VTI 10.0.0.1 > 10.0.0.2

    as you can see it don't work

    but if the client have 10.0.0.2 for DNS

    192.168.255.50 > DNS to 10.0.0.2 > over VTI 192.168.255.50 > 10.0.0.2

    then it works

  • IZ_HL
    IZ_HL Posts: 2
    First Comment
    Options

    Thanks for these informations. So, the DZF seems not working at attended ?

Security Highlight