Routing to a dynamic IPSEC tunnel

SPconsult Posts: 6

Hi all.

I've been banging my head on this issue and I think this is the right moment to ask for help.

This is the network topology

SITE B 192.168.172.0/24 =Dynamic IPSEC===⇒ SITE A 192.168.171.0/24 ⇐SSL VPN client 192.168.32.50

Site B USG110 V4.73 (behind a Starlink router)

Site A USG FLEX200 V5.38

SSL client secuextender v4.0.5.0

Everything works fine: I can ping from Site A to B, access its resources, and I can connect to Site A with the SSL client.

Then we needed to reach the Site B net through the SSL connection…

A route from A/ssl pool has been added towards B

Then the corresponding rule to route the traffic back

From a connected SSL client I try to access a known service on the Site B LAN

Nice, traffic is forwarded; I'll run a routing trace just to be sure

Not quite right, no inbound replies

When I log from site B, no traffic coming from the IPSEC tunnel is found to .172.2

What am i missing?

We also have a Site C, with another s2s IPSEC, not dynamic, and routing SSL through there works flawlessly.

Thanks

All Replies

  • PeterUK Posts: 3,326 Guru Member
    edited June 28

    I think you need

    site A

    incoming: any (not really the SSL VPN)

    source 192.168.32.50/24

    destination 192.168.172.0/24

    next hop VPN tunnel

    On site B

    incoming LAN 192.168.172.0/24

    source 192.168.172.0/24

    destination 192.168.32.50/24

    next hop VPN tunnel

  • SPconsult Posts: 6

    Unfortunately, this is how it is configured at the moment (except the "any" part, it doesn't work either)

    Really, the only problem I can see is in the Dynamic VPN part, maybe… a bug?

    What else can i test?

  • PeterUK Posts: 3,326 Guru Member
    edited June 28

    So your source and destination are swapped in your routing rule listing?

    SSL VPN with Force all client traffic to enter SSL VPN tunnel enabled?

  • SPconsult Posts: 6

    Are they reversed?

    Site A

    Site B

    For good measure I'll paste Site C info as well

    Site C log, from SSL to site C (Site B is forwarding)

    As i said, there's a site to site ipsec from B to C, not dynamic

  • PeterUK Posts: 3,326 Guru Member
    edited June 28

    Looks correct.

    Maybe recheck IP subnets in use and move rules to the top

  • SPconsult Posts: 6

    Did everything, even rebooted the devices, hoping that the downtime was going to be worth it.

    Nothing changed.

    How can this be? It's affecting the work of an entire branch office :(

  • PeterUK Posts: 3,326 Guru Member
    edited June 28

    Wireshark 192.168.172.2 when you RDP

    On site B, have you allowed traffic from the VPN tunnel zone to LAN?

  • SPconsult Posts: 6

    Capturing traffic on 192.168.172.2

    My ip over the ssl tunnel

    These are the policies, even added a redundant one

  • PeterUK Posts: 3,326 Guru Member
    edited June 28

    What happens if you disconnect site C from connecting to the tunnel?

    If needed, you might have to do another site-to-site with local 192.168.32.50/24 and remote 192.168.172.0/24 on site A, then on site B local 192.168.172.0/24 and remote 192.168.32.50/24.

    Wait! You're not using "Force all client traffic to enter SSL VPN tunnel"?

  • SPconsult Posts: 6

    Nope, not set

    Eventually, as you suggested, I created a second phase 2 with the proper networks, and everything started to work.

    Which is great, don't get me wrong, but why is a simple policy route not working on the incoming interface of site B? May I insist that this is a bug that should be addressed?

    Thank you again for your idea!
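The reason the working fix is a second phase 2 rather than a policy route is standard IPsec behaviour, not specific to the USG: a policy route only decides which tunnel a packet is handed to, while the phase-2 (child SA) traffic selectors decide whether the SA may carry it, and the responder discards decrypted packets whose inner addresses fall outside the negotiated selectors, before any firewall policy or LAN forwarding sees them. That matches the symptoms in the thread (site A reports the packet as forwarded, the host at 192.168.172.2 never sees it, site B logs nothing from the tunnel). The following Python model is an added example, not code from the original post or from Zyxel; it assumes the SSL VPN pool is 192.168.32.0/24, that the dynamic tunnel negotiated exactly the LAN-to-LAN selectors, and that this selector check is the cause, which is inferred from the fix that worked rather than confirmed on the page.

```python
"""Model of IPsec phase-2 traffic selectors versus a policy route for the thread's topology.

Added example (RFC 4301-style selector check), not Zyxel code. Assumptions: SSL VPN pool is
192.168.32.0/24; the original dynamic tunnel carries only 192.168.171.0/24 <-> 192.168.172.0/24.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Phase2:
    """A phase-2 (child) SA as configured on one gateway: local and remote traffic selectors."""
    name: str
    local: IPv4Network
    remote: IPv4Network

    def mirror(self) -> "Phase2":
        """The same SA from the peer's point of view (local and remote swapped)."""
        return Phase2(self.name, self.remote, self.local)


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address

    def reply(self) -> "Packet":
        return Packet(self.dst, self.src)


def outbound_sa(sas, pkt):
    """SA that may carry pkt out of this gateway: src within local, dst within remote.
    A policy route pointing at the tunnel does not change this; the route lookup is what the
    routing trace reports, the selector check happens afterwards in the IPsec layer."""
    for sa in sas:
        if pkt.src in sa.local and pkt.dst in sa.remote:
            return sa
    return None


def inbound_sa(sas, pkt):
    """SA under which this gateway accepts a decrypted pkt: dst within local, src within remote.
    No match means the packet is discarded before firewall policies or the LAN, so a capture on
    the LAN host and the VPN-zone-to-LAN logs both stay empty."""
    for sa in sas:
        if pkt.dst in sa.local and pkt.src in sa.remote:
            return sa
    return None


def trace(site_a_sas, site_b_sas, pkt):
    """Follow pkt from site A through the tunnel to site B and the reply back."""
    out = outbound_sa(site_a_sas, pkt)
    if out is None:
        return {"carried_by": None,
                "dropped_at": "site A IPsec: no phase-2 selector covers the inner addresses"}
    if inbound_sa(site_b_sas, pkt) is None:
        return {"carried_by": out.name,
                "dropped_at": "site B IPsec: inner addresses outside the negotiated selectors"}
    if outbound_sa(site_b_sas, pkt.reply()) is None:
        return {"carried_by": out.name,
                "dropped_at": "site B IPsec: no phase-2 selector covers the reply"}
    return {"carried_by": out.name, "dropped_at": None}


# Constructed from the thread: SSL client, the Site B host, and the two phase-2 entries.
SSL_CLIENT = ip_address("192.168.32.50")
SITE_B_HOST = ip_address("192.168.172.2")
LAN_TO_LAN = Phase2("lan-to-lan", ip_network("192.168.171.0/24"), ip_network("192.168.172.0/24"))
SSL_TO_LAN = Phase2("sslpool-to-lan", ip_network("192.168.32.0/24"), ip_network("192.168.172.0/24"))
PKT = Packet(SSL_CLIENT, SITE_B_HOST)


def before_fix():
    """Only the LAN-to-LAN phase 2 exists; the policy routes on both sides point at the tunnel."""
    return trace([LAN_TO_LAN], [LAN_TO_LAN.mirror()], PKT)


def only_site_a_updated():
    """Second phase 2 added on site A but not on site B (the dynamic responder)."""
    return trace([LAN_TO_LAN, SSL_TO_LAN], [LAN_TO_LAN.mirror()], PKT)


def after_fix():
    """Second phase 2 on both ends: SSL pool is local on site A and remote on site B."""
    a = [LAN_TO_LAN, SSL_TO_LAN]
    return trace(a, [sa.mirror() for sa in a], PKT)


if __name__ == "__main__":
    print("before fix:       ", before_fix())
    print("site A only:      ", only_site_a_updated())
    print("after fix:        ", after_fix())
```

Two practical consequences follow from the model. The reply path is checked against the selectors too, which is why both ends need the matching phase 2 (the `only_site_a_updated` case fails at the responder even though site A encapsulates happily), and on a dynamic tunnel the responder behind Starlink is the side that cannot initiate, so its phase-2 entry has to be in place before the initiator rekeys. Adding the SSL pool to the phase 2 also widens what site B's gateway will accept from the tunnel, so the VPN-zone-to-LAN firewall policy on site B should still limit the SSL pool to the services it needs rather than allowing the whole remote subnet.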
