site-to-site VPN works, but no ping/traffic

StefanZ
StefanZ Posts: 191  Master Member
edited April 22 in USG FLEX H Series

Trying to migrate the pinned up VPN connections from my F50 to the F200H.
Remote is a F200.

Set up the connection with the same parameters, worked on the first try.
Connection is steady – but no traffic is possible.
IKEv2 PSK
Phase 1
DES/MD5
AES128/SHA1
3DES/SHA1
DH2
Phase 2
AES128/SHA1
3DES/SHA1
DES/SHA1
DH2

local is 192.168.1.0/24, remote is 192.168.0.0/24

I cannot ping anything – neither from F200H, nor the F200 – added two Security Policies on both sides to allow pings back/forth. I can see the packets leaving in the log of the sender, but nothing is received.
It's in the LAN zone of the F200H

All Replies

  • PeterUK
    PeterUK Posts: 2,808  Guru Member

    I would suggest using V1.10(ABWV.1) as newer has problems

    I will do some testing here

  • StefanZ
    StefanZ Posts: 191  Master Member

    There is a newer firmware? 👻

    My current firmwares:

    USG FLEX 200H V1.10(ABWV.1) 2023-11-20 15:22:57

    USG FLEX200 5.37(ABUI.2) 2024-01-24 02:43:53

    USG FLEX50 5.37(ABAQ.2) 2024-01-24 02:40:10

  • PeterUK
    PeterUK Posts: 2,808  Guru Member
    edited April 4

    In my setup I have USG60W

    VLAN4093 192.168.252.0/23

    with tunnel FLEX200H Ge3 192.168.254.10/29 as WAN to LAN2 192.168.254.9/29 on USG60W

    VLAN47 on FLEX200H 192.168.255.32/28

    To ping 192.168.255.40 from 192.168.253.1 a routing rule on USG60W might be needed

    incoming VLAN4093

    destination IP 192.168.255.32

    next hop VPN Tunnel

    Gwtoflex200H_local2

    Then a Policy Control rule

    On Flex200H you may need to do the same thing, depending on your setup, but the VPN remote IP policy looks to be checked before routing rules. The next hop would be the interface the tunnel goes out on, along with a Policy Control rule from the tunnel, so in my case from GE3 to VLAN47, but I recommend you enter a source address subnet, which for GE3 would be from a VPN zone.

    ping back to 192.168.253.1 also works fine
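As an added illustration (not code from the thread or from Zyxel), a small Python check of whether a src/dst flow fits the phase-2 local/remote policy on both peers, using the subnets from this thread; treating the /29 transfer networks from the lab setup as that tunnel's selectors is an assumption.

```python
"""Check a flow against the IPsec phase-2 selectors of both peers.
Constructed example; subnets are taken from the forum thread."""
import ipaddress
from typing import NamedTuple


class Policy(NamedTuple):
    local: str   # local traffic selector (CIDR)
    remote: str  # remote traffic selector (CIDR)


def in_net(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def matches(policy, src, dst):
    """True if src->dst falls inside this peer's local->remote selector."""
    return in_net(src, policy.local) and in_net(dst, policy.remote)


def mirrored(a, b):
    """Peers must agree: A's local is B's remote and vice versa."""
    net = lambda c: ipaddress.ip_network(c, strict=False)
    return net(a.local) == net(b.remote) and net(a.remote) == net(b.local)


def diagnose(a, b, src, dst):
    """Return the reasons a src->dst flow from peer a to peer b would not
    be carried by the tunnel; an empty list means both ends accept it."""
    problems = []
    if not mirrored(a, b):
        problems.append("selectors are not mirrored between peers")
    if not matches(a, src, dst):
        problems.append(f"{src}->{dst} outside {a.local}->{a.remote} on initiator")
    if not matches(b, dst, src):
        problems.append(f"reply {dst}->{src} outside {b.local}->{b.remote} on responder")
    return problems


# OP's tunnel: F200H local 192.168.1.0/24, F200 local 192.168.0.0/24
F200H = Policy("192.168.1.0/24", "192.168.0.0/24")
F200 = Policy("192.168.0.0/24", "192.168.1.0/24")

# Lab setup, ASSUMING the 192.168.254.8/29 transfer net is the selector;
# a ping 192.168.253.1 -> 192.168.255.40 then falls outside it, which is
# the situation where a routing rule with next hop "VPN Tunnel" is added.
FLEX_LAB = Policy("192.168.254.8/29", "192.168.254.8/29")

if __name__ == "__main__":
    print(diagnose(F200H, F200, "192.168.1.10", "192.168.0.10"))   # []
    print(matches(FLEX_LAB, "192.168.253.1", "192.168.255.40"))     # False
```

A flow that passes this check but still gets no reply points at the security policy or the peer's routing rather than at the tunnel selectors.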