Routing to a dynamic IPSEC tunnel
Hi all.
I've been banging my head on this issue and I think this is the right moment to ask for help.
This is the network topology
SITE B 192.168.172.0/24 =Dynamic IPSEC===⇒ SITE A 192.168.171.0/24 ⇐SSL VPN client 192.168.32.50
Site B USG110 V4.73 (behind a Starlink router)
Site A USG FLEX200 V5.38
SSL client secuextender v4.0.5.0
Everything works fine: I can ping from Site A to B, access its resources, and I can connect to Site A with the SSL client.
Then we needed to reach the Site B network through the SSL connection…
A route from A/SSL pool has been added towards B.
Then the corresponding rule to route the traffic back
From a connected SSL client I try to access a known service on the Site B LAN.
Nice, traffic is forwarded; I'll run a routing trace just to be sure.
Not quite right, no inbound replies.
When I check the log on Site B, no traffic coming from the IPSEC tunnel is found to .172.2.
What am i missing?
We also have a Site C, with another s2s IPSEC, not dynamic, and routing SSL through there works flawlessly.
Thanks
All Replies
-
I think you need
site A
incoming any (not really the SSL VPN)
source 192.168.32.50/24
destination 192.168.172.0/24
next hop VPN tunnel
On site B
incoming LAN 192.168.172.0/24
source 192.168.172.0/24
destination 192.168.32.50/24
next hop VPN tunnel
-
Unfortunately, this is how it is configured at the moment (except for the "any" part; it doesn't work either).
Really the only problem I can see is in the Dynamic VPN part, maybe… a bug?
What else can i test?
-
So your source and destination are swapped in your routing rule listing?
SSL VPN with Force all client traffic to enter SSL VPN tunnel enabled?
-
Are they reversed?
Site A
Site B
For good measure I'll paste Site C info as well
Site C log, from SSL to site C (Site B is forwarding)
As I said, there's a site-to-site IPsec from B to C, not dynamic.
-
Looks correct.
Maybe recheck IP subnets in use and move rules to the top
-
Did everything, even rebooted the devices, hoping that the downtime was going to be worth it.
Nothing changed.
How can this be? It's affecting the work of an entire branch office :(
-
Wireshark 192.168.172.2 when you RDP.
On Site B, have you allowed from the VPN tunnel zone to LAN?
-
Capturing traffic on 192.168.172.2
My ip over the ssl tunnel
These are the policies, even added a redundant one
-
What happens if you disconnect Site C from connecting to the tunnel?
If needed you might have to do another site-to-site with local 192.168.32.50/24 remote 192.168.172.0/24 on Site A, then on Site B local 192.168.172.0/24 remote 192.168.32.50/24.
Wait! You're not using "Force all client traffic to enter SSL VPN tunnel"?
-
Nope, not set
Eventually, as you suggested, I created a second phase 2 with the proper networks, and everything started to work.
Which is great, don't get me wrong, but why is a simple policy route not working on the incoming interface of Site B? May I insist this is a bug that should be addressed?
Thank you again for your idea!
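One mechanism consistent with the outcome reported above (the thread itself does not state the cause): IPsec only encapsulates a packet that falls inside some child SA's traffic selectors, no matter how a policy route steered it. The Python below is an added example, not from the thread or from Zyxel; it models Site B's outbound selector check with the subnets quoted in the thread, and the helper names (net, Phase2, matching_phase2, simulate) are mine.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network


def net(cidr: str) -> IPv4Net:
    # strict=False accepts the thread's "192.168.32.50/24" notation as 192.168.32.0/24
    return ipaddress.ip_network(cidr, strict=False)


@dataclass(frozen=True)
class Phase2:
    """One phase-2 (child SA) traffic-selector pair, seen from the local gateway."""
    local: IPv4Net
    remote: IPv4Net


def matching_phase2(src: str, dst: str, phase2s: List[Phase2]) -> Optional[Phase2]:
    """Return the first child SA whose selectors cover an outbound packet, or None.
    A policy route can send a packet towards the tunnel, but IPsec only carries it
    if a child SA's local/remote selectors cover its source and destination."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p2 in phase2s:
        if s in p2.local and d in p2.remote:
            return p2
    return None


def simulate(flows: List[Tuple[str, str]], phase2s: List[Phase2]) -> List[str]:
    """Label each (src, dst) reply flow as 'tunnelled' or 'dropped'."""
    return ["tunnelled" if matching_phase2(s, d, phase2s) else "dropped" for s, d in flows]


# Constructed from the thread: Site B's tunnel to Site A with only the original phase 2
SITE_B_ORIGINAL = [Phase2(net("192.168.172.0/24"), net("192.168.171.0/24"))]
# After the fix in the last post: a second phase 2 covering the SSL VPN client pool
SITE_B_FIXED = SITE_B_ORIGINAL + [Phase2(net("192.168.172.0/24"), net("192.168.32.50/24"))]

# Constructed reply flows leaving 192.168.172.2: one to Site A's LAN, one to the SSL client
REPLY_FLOWS = [("192.168.172.2", "192.168.171.10"), ("192.168.172.2", "192.168.32.50")]

if __name__ == "__main__":
    print("original phase 2:", simulate(REPLY_FLOWS, SITE_B_ORIGINAL))   # ['tunnelled', 'dropped']
    print("with second phase 2:", simulate(REPLY_FLOWS, SITE_B_FIXED))   # ['tunnelled', 'tunnelled']
```

The reply to the SSL client is the flow that is dropped before the second phase 2 exists, which matches the log on Site B showing no traffic to .172.2 even though the policy routes were in place.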