FLEX100H: Traffic from Zywall does not go through Policy-based IPsec VPN

szn Posts: 16  Freshman Member

Hi,

I have two sites connected by Policy-based IPsec VPN (created with the wizard) as:

Site1                                        Site2

-Zyxel1  <--Policy-Based IPsec VPN-->  -Zyxel2

-Server1                                     -Server2

The VPN is working; traffic flows between Server1 and Server2.

However, I could not access Server2 from Zyxel1. There is no response to: Zyxel1> cmd ping Server2, and I could not find any events in the Log related to this. The same is valid for accessing Server1 from Zyxel2. Note that I can access Server1 from Zyxel1 (Zyxel1> cmd ping Server1) and Server2 from Zyxel2.

Any idea how to configure to resolve this?


All Replies

  • PeterUK Posts: 3,459  Guru Member

    What subnets are the servers on, and Zyxel 1 and 2?

    What is the setup for the remote and local policy for the site-to-site?

  • szn Posts: 16  Freshman Member

    Hi,

    Servers are on separate subnets: S1 on 192.168.2.0/24, S2 on 192.168.64.0/24.

    Remote and local policies are as follows:

  • PeterUK Posts: 3,459  Guru Member

    What are the VPN settings?

  • szn Posts: 16  Freshman Member

    Site 1:

    Site 2:

    VPN status:

  • PeterUK Posts: 3,459  Guru Member

    Looks like you need more policy rules from LAN to Ipsec_VPN; try that.

  • szn Posts: 16  Freshman Member

    Add on both sites:

    No success. On Site1 this rule then picks up the traffic instead of LAN_outgoing (LAN to any (exclude Zywall)).

    However, traffic from Zywall still does not flow. Note that nothing could be found in Events/Log related to cmd ping from Zyxel.

  • PeterUK Posts: 3,459  Guru Member
    edited December 1

    Testing here with FLEX200H and USG60W seems to work fine. The only problem I had was that the USG60W needed a routing rule to next-hop the VPN tunnel, but the FLEX200H needed no such rule (not that you can do that for tunnels at this time), as the new uOS handles traffic set by the remote policy to use the VPN tunnel.

    You can try disabling routing rules and see if that helps.

    Check both ends don't have each other's subnets.

  • szn Posts: 16  Freshman Member

    Hi Peter, not sure which routing rules? I do not have any rules under Routing | Policy Route:

  • PeterUK Posts: 3,459  Guru Member
    edited December 1

    OK, do you have 192.168.64.0/24 on site 1 or 192.168.2.0/24 on site 2? As that would be a problem.

  • szn Posts: 16  Freshman Member

    Site1: 192.168.2.0

    Site2: 192.168.64.0

    Sorry, the screenshot a few posts above was from Site2.
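Added example, not part of the thread or of Zyxel's own tooling: a small Python check of the traffic selectors a policy-based site-to-site VPN uses, built from the two subnets given above. It shows the subnet-overlap check PeterUK asks for, and that a firewall-originated packet only enters the tunnel when its source address lies inside the local policy. The server addresses, the LAN gateway 192.168.2.1 and the WAN address 203.0.113.1 are assumptions for illustration.

```python
# Added example (not from the thread). Subnets come from the thread; the
# host and interface addresses used below are assumed for illustration.
from ipaddress import ip_address, ip_network

# Site1 and Site2 LAN subnets as stated in the thread.
SITE1_LAN = ip_network("192.168.2.0/24")
SITE2_LAN = ip_network("192.168.64.0/24")

# Policy-based IPsec: a packet is sent into the tunnel only when its source
# is inside the local policy AND its destination is inside the remote policy.
SITE1_POLICY = {"local": [SITE1_LAN], "remote": [SITE2_LAN]}
SITE2_POLICY = {"local": [SITE2_LAN], "remote": [SITE1_LAN]}


def conflicting_subnets(policy):
    """Return (local, remote) pairs that overlap: a subnet present on both
    sides (the check PeterUK asks for) makes the selector ambiguous."""
    return [(loc, rem) for loc in policy["local"] for rem in policy["remote"]
            if loc.overlaps(rem)]


def classify(policy, src, dst):
    """Explain whether a src->dst packet is covered by the VPN selector."""
    src_ok = any(ip_address(src) in net for net in policy["local"])
    dst_ok = any(ip_address(dst) in net for net in policy["remote"])
    if src_ok and dst_ok:
        return "tunnel"
    if not dst_ok:
        return "destination outside remote policy"
    return "source outside local policy"


if __name__ == "__main__":
    # Server1 -> Server2 (addresses assumed) is covered, as the thread reports.
    print(classify(SITE1_POLICY, "192.168.2.10", "192.168.64.10"))
    # A ping the firewall sources from its LAN address is covered as well ...
    print(classify(SITE1_POLICY, "192.168.2.1", "192.168.64.10"))
    # ... but one sourced from an address outside the LAN (e.g. the WAN
    # interface, 203.0.113.1 assumed) never matches the selector.
    print(classify(SITE1_POLICY, "203.0.113.1", "192.168.64.10"))
    # No overlap between the two sites' policies, as confirmed in the thread.
    print(conflicting_subnets(SITE1_POLICY), conflicting_subnets(SITE2_POLICY))
```

Which source address a firewall-originated ping uses therefore decides whether it can match the policy at all, which is worth confirming alongside the firewall rules and routing checks discussed above.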