[NEBULA] NSG Site-to-Site VPN behind NAT not working

flottmedia

We followed the way described in https://businessforum.zyxel.com/discussion/1595/nsg-site-to-site-vpn-port-forwarding and https://businessforum.zyxel.com/discussion/194/nsg-vpn-support-behind-nat to set up a Site-to-Site VPN between the two LAN1 subnets (192.168.8.0/24 and 192.168.10.0/24) of two NSG100. As the NSGs are behind external routers we also setup the NSG as exposed host in the external routers and the static routes to the NSG's subnets in the external router. VPN topology is set to Site-to-Site with NAT traversal set to the sites public IP (of the external router). Unfortunately the tunnel never comes up. All we can find in the event log on both sites is "Peer not reachable" after a few other VPN specific logs. We tried both the FQDN and the public IP as NAT traversal, but it doesn't make any difference. Under Gateway > Monitor > VPN connection each site only shows in local subnet with status "disconnected". The remote subnet and status are only shown as "-". What are we missing / doing wrong? 

Alfonso

Hi @flottmedia

Please show us your configuration.

It looks VPN gateways are not reachable from the other side.

flottmedia

Thanks for the reply, @Alfonso. What configuration detail to you think of? I thought, we described the setup rather clearly above ...?

RUnglaube

Sounds like everything is well configured.
Can you  successfully ping the public IPs between both external routers? You could also try a traceroute on NCC from one NSG to the other NSG's public IP

Zyxel_Chris

Hello @flottmedia
 
Is there any other VPN logs besides the peer not reachable?
If it is the only logs display then the possible reason will be the external gateway didn't forward the service UDP 4500 and 500 properly. Or it receive the packet itself, if this gateway support VPN tunnel as well.

/Chris

flottmedia

Thanks, @Nebula_Chris, "[...] if this gateway support VPN tunnel as well." was a good hint. We indeed already had a tunnel on the external router. After disabling that, the exposed host (NSG) was able to built up the tunnel without errors.

Nevertheless, one last and very strange issue is still happening from time to time: the external router on both sides of the tunnel also act as VoIP gateway. On one of the sites we are not able to take / make calls after we set the exposed host to the NSG. As ringing still works, I assume the NSG tries to take over the RTP packets of the VoIP calls is "sees" as exposed host instead of the external router. Is there any option to verify / disable that in NCC? If not, should we better switch to a defined port forwarding of UDP 500/4500 instead of exposing the NSG completely? Or do you have any better suggestions?

Zyxel_Chris

It could be true, can you try forward UDP 4500/500 to NSG only? And feel free to let me know if the issue persist.

flottmedia

OK, @Nebula_Chris, that worked (as expected). Nevertheless, for debugging things like that, it would be very helpful to have a few more "Live tools" in NCC for the NSGs, e.g. a Routing Table as well as an Open Ports / Connection Table would be very helpful. Are there any plans to implement things like that, or are they maybe already there somewhere and we are simply to stupid to find them?

Zyxel_Chris

We currently don't support these 3 features in live tools, may I know what do you mean of connection table?  Is which client has connect to NSG or etc...?

/Chris

flottmedia

We currently don't support these 3 features in live tools [...]

We saw that, nevertheless it would be very helpful. Are there any plans to implement at least a viewable routing table in one of the upcoming NCC versions?

[... ] may I know what do you mean of connection table? 

I was looking for something like netstat or nmap, where you can take a (live) look at currently opened ports as well as established connections. That would also be a gread amendment for the live tools section in NCC. 

Zyxel_Chris

Hello,
Thanks for your suggestion.
Those features are not in our roadmap in current stage but I can move this request to the idea section, anyone who has same opinion can have the discussion then we'll evaluate those feedback.

Cheers~