routing issue?

Chrysler Posts: 3

Hi!
I have a dynamic VPN (with the native Windows 11 client) that connects with IPsec IKEv2 to a FLEX 500 at site A.
I also have a site-to-site VPN to another FLEX 500 at site B.
I want to "ping" site B from the dynamic VPN.
I added routes to send traffic to the "site-to-site" VPN tunnel as the next hop on site A, and the same on site B.
On site A I also created another route to forward traffic from site B to the dynamic VPN.
Ping doesn't work.
I need your help because I tried to disable policy control (to test) and it doesn't work either.
I think there is a conflict but I can't find where.

All Replies

  • PeterUK
    PeterUK Posts: 2,832  Guru Member

    Post your interface listings, routing, and tunnel policy rules from both sites.

  • Anthony101990Jones

    Since you’ve already set up the site-to-site VPN between Site A and Site B, we’ll focus on ensuring that traffic flows correctly between the dynamic VPN clients and Site B.

    Here are some things to check:

    Routing Configuration:
    You mentioned adding routes to send traffic to the site-to-site VPN tunnel. Make sure these routes are correctly configured on both the dynamic VPN clients and the Site A firewall.
    Verify that the next-hop addresses for the site-to-site VPN tunnel are accurate.

    Security Policies:
    Ensure that the security policies on both Site A and Site B allow traffic between the dynamic VPN clients and the site-to-site VPN tunnel.
    Check if there are any specific policies blocking ICMP (ping) traffic. Sometimes, security policies can inadvertently block certain protocols.

    Proxy-IDs (Traffic Selectors):
    In IPsec VPNs, proxy-IDs (also known as traffic selectors) define which traffic should be encrypted and sent over the VPN tunnel.
    Confirm that the proxy-IDs match on both sides (Site A and Site B) for the dynamic VPN clients and the site-to-site VPN tunnel.
    If the proxy-IDs are misconfigured, traffic won't flow as expected.

    Firewall Logs and Debugging:
    Enable logging on the firewalls (both Site A and Site B) to see if any traffic is being dropped or denied.
    Check the firewall logs for any relevant messages related to the dynamic VPN clients and the site-to-site VPN tunnel.
    Use debugging tools (such as packet captures or diagnostic logs) to trace the flow of traffic.

    NAT and Source/Destination Addresses:
    Verify that NAT (Network Address Translation) settings are consistent across both VPN tunnels.
    Ensure that the source and destination addresses in your ping test match the configured proxy-IDs.

    Ping Options:
    When testing, use the appropriate source IP address for the dynamic VPN clients.
    Try sending pings to public IPs (such as 8.8.8.8) or accessing public websites to see whether the problem is strictly related to the VPN.
    Ping the public IP of the other WAN appliance from your local network.
    Remember that troubleshooting VPN issues often involves checking multiple components: routing, security policies, proxy-IDs, and logs.
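The proxy-ID and NAT points in the reply above are the ones that most often bite in this topology: the site-to-site tunnel was built for LAN A to LAN B, so a packet whose source is the road-warrior client pool matches no selector at Site A, and even if Site A is fixed, the reply from Site B still needs the mirrored selector there. The script below is an added example, not code from the thread or from Zyxel; it models a selector as a (local, remote) prefix pair and checks, for a given ping, whether each gateway has a covering selector and whether every selector has its mirror on the peer. All prefixes are constructed: 192.168.50.0/24 is assumed to be the pool handed to dynamic clients at Site A, 192.168.1.0/24 is Site A's LAN and 192.168.2.0/24 is Site B's LAN.

```python
"""Traffic-selector (proxy-ID) coverage check for a road-warrior -> hub -> spoke path.

Added example, not from the original thread. All addresses are constructed:
  192.168.50.0/24  address pool given to dynamic (Windows IKEv2) clients at Site A
  192.168.1.0/24   Site A LAN
  192.168.2.0/24   Site B LAN
A Selector is (local, remote) as seen from the gateway that owns that tunnel end.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass(frozen=True, order=True)
class Selector:
    local: IPv4Network   # source side of the traffic, as this gateway sees it
    remote: IPv4Network  # destination side of the traffic

    @classmethod
    def of(cls, local: str, remote: str) -> "Selector":
        return cls(ip_network(local, strict=False), ip_network(remote, strict=False))

    def mirror(self) -> "Selector":
        """The selector the peer gateway must carry for this one to negotiate."""
        return Selector(self.remote, self.local)

    def covers(self, src: IPv4Address, dst: IPv4Address) -> bool:
        return src in self.local and dst in self.remote


def unmirrored(site_a, site_b):
    """Selectors on one gateway whose mirror image is missing on the peer.

    Returns (missing_on_b, missing_on_a); each list is written the way the
    *peer* would have to configure the selector.
    """
    a = set(site_a)
    b_seen_from_a = {s.mirror() for s in site_b}
    missing_on_b = sorted(s.mirror() for s in a - b_seen_from_a)
    missing_on_a = sorted(b_seen_from_a - a)
    return missing_on_b, missing_on_a


def path_findings(site_a, site_b, src: str, dst: str):
    """Why an echo request src->dst (and its reply) would not pass the selector layer.

    1. Site A needs a selector with src in local and dst in remote, or the packet
       is never encrypted into the site-to-site tunnel.
    2. Site B needs a selector covering the reply dst->src.
    3. Every selector needs its mirror on the peer or that child SA cannot negotiate.
    An empty list means selectors are not what is blocking the ping; look at
    routing, policy control and NAT next.
    """
    s, d = ip_address(src), ip_address(dst)
    findings = []
    if not any(sel.covers(s, d) for sel in site_a):
        findings.append(f"Site A: no selector covers {s} -> {d}; "
                        "traffic will not enter the site-to-site tunnel")
    if not any(sel.covers(d, s) for sel in site_b):
        findings.append(f"Site B: no selector covers the reply {d} -> {s}")
    missing_on_b, missing_on_a = unmirrored(site_a, site_b)
    findings += [f"Site B lacks selector local={x.local} remote={x.remote}" for x in missing_on_b]
    findings += [f"Site A lacks selector local={x.local} remote={x.remote}" for x in missing_on_a]
    return findings


# Constructed starting point: the tunnel only knows about the two LANs.
SITE_A_BEFORE = [Selector.of("192.168.1.0/24", "192.168.2.0/24")]
SITE_B_BEFORE = [Selector.of("192.168.2.0/24", "192.168.1.0/24")]

CLIENT_POOL = "192.168.50.0/24"   # assumed dynamic-client pool at Site A
SITE_B_LAN = "192.168.2.0/24"

# Fix: a second selector pair for the client pool, on BOTH sides.
SITE_A_AFTER = SITE_A_BEFORE + [Selector.of(CLIENT_POOL, SITE_B_LAN)]
SITE_B_AFTER = SITE_B_BEFORE + [Selector.of(SITE_B_LAN, CLIENT_POOL)]

if __name__ == "__main__":
    cases = [("before", SITE_A_BEFORE, SITE_B_BEFORE),
             ("Site A fixed only", SITE_A_AFTER, SITE_B_BEFORE),
             ("both sides fixed", SITE_A_AFTER, SITE_B_AFTER)]
    for label, a, b in cases:
        print(f"[{label}]")
        for line in path_findings(a, b, "192.168.50.10", "192.168.2.20") or ["ok: selector layer passes"]:
            print("  " + line)
```

Running it shows two findings for the unmodified tunnel (no covering selector at either end), two for the half-applied fix (Site B still cannot match the reply and lacks the mirror of the new Site A selector), and none once both sides carry the extra pair. If the client pool should not be advertised to Site B at all, the other common design is to source-NAT client traffic to a Site A LAN address before it enters the tunnel, which leaves the existing LAN-to-LAN selectors unchanged; in that case the NAT rule, not the selector list, is what to verify at Site A. Either way this check only covers the IPsec selector layer, so routes toward the tunnel and the policy-control rules on both FLEX 500s still have to be checked separately.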
