Site to site Route-based and Policy-based to same IP link issue

PeterUK
PeterUK Posts: 3,118  Guru Member
Community MVP 2500 Comments Sixth Anniversary 100 Answers
edited July 19 in USG FLEX H Series

USG FLEX200H V1.21(ABWV.0)

setup is USG60W

    LAN2 192.168.254.9 255.255.255.248

    Gwtoflex200H_local2 Site-to-site with Dynamic Peer
        Pre-Shared Key 123456789
        Phase 1 AES128 SH1 DH2
        local policy 192.168.252.0/23
        remote policy 192.168.255.64/28
        Phase 2 AES128 SH1 DH2

    VTI_test
        IP 192.168.254.10
        Pre-Shared Key 12345678
        Phase 1 AES128 SH256 DH2
        Phase 2 AES128 SH1 DH2
        VTI IP 192.168.255.43 255.255.255.240

FLEX200H

    Ge3 WAN3 192.168.254.10 255.255.255.248 gateway 192.168.254.9
    P4 VLAN47 192.168.255.39 255.255.255.240
    P4 VLAN48 192.168.255.65 255.255.255.240

    TuneltoUSG60W_local3 Site-to-site Policy-based
        Pre-Shared Key 123456789
        Phase 1 AES128 SH1 DH2
        local policy 192.168.255.64/28
        remote policy 192.168.252.0/23
        Phase 2 AES128 SH1 DH2
        Nailed-up

    VTI Route-based
        IP 192.168.254.9
        Pre-Shared Key 12345678
        Phase 1 AES128 SH256 DH2
        Phase 2 AES128 SH1 DH2
        VTI IP 192.168.255.42 255.255.255.240
        Nailed-up

So here is what happens: disable Gwtoflex200H_local2 on USG60W and connect the VTI Route-based on FLEX200H; it connects fine. Then enable Gwtoflex200H_local2 and connect TuneltoUSG60W_local3 Site-to-site Policy-based; it connects fine. But if I disable the VTI on Flex200H and then enable it, the VTI does not connect until you disable Gwtoflex200H_local2 and start over.

Accepted Solution

  • PeterUK
    PeterUK Posts: 3,118  Guru Member
    Community MVP 2500 Comments Sixth Anniversary 100 Answers
    edited July 22 Answer ✓

    Ok, solved it. On how you can do this: after testing with USG60W to FLEX200, the above doesn't work, so there are two ways. One is to have one IKEv1 and the other IKEv2; or, if you want both IKEv2, you have to mismatch both Phase 1 and Phase 2, whereas I only did Phase 1 at the start.

    VTI Route-based

    Phase 1 AES128 SH256 DH2

    Phase 2 AES128 SH256 DH2

    Site-to-site Policy-based

    Phase 1 AES128 SH1 DH2

    Phase 2 AES128 SH1 DH2

    Tested between USG60W and FLEX200H with ping
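The rule in the accepted answer (two tunnels between the same pair of gateway addresses only coexist when they use different IKE versions or differ in both the Phase 1 and the Phase 2 proposals) can be turned into a small configuration check before changes are pushed to a firewall. The following Python script is an added example and is not code from the thread or from Zyxel; the `Tunnel`/`Proposal` data model and the sample tunnel lists are constructed to mirror the FLEX200H side of the post, and the assumption that both tunnels run IKEv2 is the example's own, since the thread does not state the version originally in use.

```python
"""Lint for IPsec tunnel definitions that share one pair of endpoints.

Added example modelled on the accepted answer in the thread above (not Zyxel
code, not a Zyxel export format): a route-based VTI and a policy-based tunnel
between the same two gateway addresses are only acceptable when they use
different IKE versions or differ in BOTH the Phase 1 and Phase 2 proposals.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Proposal:
    """One IKE/IPsec proposal: encryption, integrity hash and DH group."""
    encryption: str   # e.g. "AES128"
    hash_alg: str     # e.g. "SHA1" or "SHA256"
    dh_group: int     # e.g. 2


@dataclass(frozen=True)
class Tunnel:
    name: str
    local_ip: str
    peer_ip: str
    ike_version: int  # 1 or 2
    phase1: Proposal
    phase2: Proposal


def conflict(a: Tunnel, b: Tunnel) -> Optional[str]:
    """Explain why two tunnels on the same endpoints cannot be told apart.

    Returns None when the pair is acceptable: different endpoints, different
    IKE versions, or both phases differ (the rule from the accepted answer).
    """
    if (a.local_ip, a.peer_ip) != (b.local_ip, b.peer_ip):
        return None
    if a.ike_version != b.ike_version:
        return None
    p1_same = a.phase1 == b.phase1
    p2_same = a.phase2 == b.phase2
    if p1_same and p2_same:
        return "Phase 1 and Phase 2 proposals both identical"
    if p1_same:
        return "Phase 1 proposals identical (only Phase 2 differs)"
    if p2_same:
        return "Phase 2 proposals identical (only Phase 1 differs)"
    return None


def lint(tunnels: List[Tunnel]) -> List[Tuple[str, str, str]]:
    """Check every pair of tunnels; return (name_a, name_b, reason) findings."""
    findings = []
    for i, a in enumerate(tunnels):
        for b in tunnels[i + 1:]:
            reason = conflict(a, b)
            if reason is not None:
                findings.append((a.name, b.name, reason))
    return findings


# Constructed sample data, mirroring the FLEX200H side of the thread
# (local WAN3 192.168.254.10, peer USG60W LAN2 192.168.254.9). IKEv2 on
# both tunnels is an assumption; the thread does not state the version.
AES_SHA1_DH2 = Proposal("AES128", "SHA1", 2)
AES_SHA256_DH2 = Proposal("AES128", "SHA256", 2)

LOCAL, PEER = "192.168.254.10", "192.168.254.9"

# As first posted: only Phase 1 differs, and the VTI fails to re-establish.
ORIGINAL = [
    Tunnel("VTI Route-based", LOCAL, PEER, 2, AES_SHA256_DH2, AES_SHA1_DH2),
    Tunnel("TuneltoUSG60W_local3", LOCAL, PEER, 2, AES_SHA1_DH2, AES_SHA1_DH2),
]

# Accepted answer, option 2: both phases differ.
FIXED = [
    Tunnel("VTI Route-based", LOCAL, PEER, 2, AES_SHA256_DH2, AES_SHA256_DH2),
    Tunnel("TuneltoUSG60W_local3", LOCAL, PEER, 2, AES_SHA1_DH2, AES_SHA1_DH2),
]

# Accepted answer, option 1: one IKEv1 and one IKEv2; proposals may match.
MIXED_IKE = [
    Tunnel("VTI Route-based", LOCAL, PEER, 1, AES_SHA1_DH2, AES_SHA1_DH2),
    Tunnel("TuneltoUSG60W_local3", LOCAL, PEER, 2, AES_SHA1_DH2, AES_SHA1_DH2),
]

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("fixed", FIXED), ("mixed IKE", MIXED_IKE)):
        print(label, "->", lint(cfg) or "no conflicts")
```

Running the script reports one finding for the configuration as first posted (Phase 2 proposals identical) and none for either of the two working layouts from the accepted answer. The check deliberately treats a Phase 1 difference alone as insufficient, which is exactly the case the thread found did not work.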

All Replies

  • Zyxel_Kay
    Zyxel_Kay Posts: 830  Zyxel Employee
    Second Anniversary 500 Comments 100 Answers Zyxel Certified Network Engineer Level 2 - Security

    Hi @PeterUK

    but if I disable VTI on Flex200H then enable it the VTI does not connect until you disable Gwtoflex200H_local2 and start over.

    Could you please share the IKE logs from both devices so we can investigate further?

    Kay

  • PeterUK
    PeterUK Posts: 3,118  Guru Member
    Community MVP 2500 Comments Sixth Anniversary 100 Answers

    Hi Kay

    I solved it as said above