IPSec VPN behind router and DMZ

dathing89
dathing89 Posts: 11  Freshman Member
First Comment

Hello,

Using the wizard (USG FLEX 100/200), I built an IPSec VPN.

The only modification I made is on the VPN gateway, setting "Peer ID Type" to "any" on both sides.

On one side the FLEX 100 is in a DMZ; on the other side, the FLEX 200 is behind the provider router (fixed IPs, NAT for 50, 51, 500, 4500, 47, 112 already done).

The VPN is going up, but there is no traffic (even ping does not respond).

Of course, local ping is responding on each side.

I had it running … deleted it to rebuild again (no modification made on the provider router), but it is not running this time… I messed something up…

Many thanks for your help…

L.


All Replies

  • PeterUK
    PeterUK Posts: 3,457  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary

    You need to allow from VPN zone to LAN/DMZ and from LAN/DMZ to VPN zone.

    Note: pinging a PC needs its firewall to allow inbound ICMP.

  • dathing89
    dathing89 Posts: 11  Freshman Member
    First Comment

    Thanks for your reply.

    "You need to allow from VPN zone to LAN/DMZ and from LAN/DMZ to VPN zone"

    It's not created by the wizard?

    "Note: pinging a PC needs its firewall to allow inbound ICMP."

    I can ping them locally

    The monitor shows only Outbound Bytes from the FLEX 50 (not 100, sorry).

    Thanks again.

    L.

  • PeterUK
    PeterUK Posts: 3,457  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary

    Not sure what the wizard does; I do it manually. Check that the Zone for the VPN connection made is IPSec_VPN.

  • dathing89
    dathing89 Posts: 11  Freshman Member
    First Comment

    I see IPSec_VPN_Outgoing and IPSec_VPN_to_Device in the previous message (picture 1) in policy control.

    I've got it on both sides.

  • valerio_vanni
    valerio_vanni Posts: 113  Ally Member
    5 Answers First Comment Friend Collector Third Anniversary

    Can you ping the LAN address of the remote router?

    Do you have some other device to ping? A PC can have a local firewall.

  • dathing89
    dathing89 Posts: 11  Freshman Member
    First Comment

    "Can you ping the LAN address of the remote router?"

    No.

    "Do you have some other device to ping? A PC can have a local firewall."

    Yes, on each side I've got many devices I can ping locally.

    PeterUK, what do you mean by "You need to allow from VPN zone to LAN/DMZ and from LAN/DMZ to VPN zone"?

    Where do I have to do it? Policy control? On both sides?

    Thanks again to all of you…

    L.

  • PeterUK
    PeterUK Posts: 3,457  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited December 11

    You likely need a policy control rule from DMZ to IPSec_VPN if the VPN connection uses that zone.

  • valerio_vanni
    valerio_vanni Posts: 113  Ally Member
    5 Answers First Comment Friend Collector Third Anniversary

    From the image you posted (so, from the point of view of that tunnel side):

    LAN1 can go into the tunnel.

    DMZ cannot go into the tunnel.

    The tunnel can go into both LAN1 and DMZ.

    You have all "allow" rules, except the last one. If something does not fit into the rules, it is blocked by the default rule and the event is logged.

    So, you could look at the logs.

    Are the firewalls able to ping each other on the LAN address?
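    The zone-pair reasoning in this reply can be checked mechanically. The following is an added example (not code from the thread or from Zyxel) that models policy control as first-match zone-to-zone allow rules with a logged default deny, then reports which pairs a site-to-site tunnel still lacks. The rule list is a constructed sample that reproduces the state described above; the device zone name "ZyWALL" is an assumption.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str   # "any" matches every zone
    dst_zone: str
    allow: bool


# Constructed sample mirroring the policy visible in the thread:
# LAN1 and the tunnel have outgoing allow rules, the DMZ only reaches WAN.
SAMPLE_RULES = [
    Rule("LAN1_Outgoing",       "LAN1",      "any",    True),
    Rule("IPSec_VPN_Outgoing",  "IPSec_VPN", "any",    True),
    Rule("IPSec_VPN_to_Device", "IPSec_VPN", "ZyWALL", True),  # assumed device zone name
    Rule("DMZ_to_WAN",          "DMZ",       "WAN",    True),
]

# Same policy with the rule PeterUK suggests added.
FIXED_RULES = SAMPLE_RULES + [Rule("DMZ_to_IPSec_VPN", "DMZ", "IPSec_VPN", True)]


def evaluate(rules, src_zone, dst_zone):
    """First matching rule decides; no match falls to the default rule (deny, logged)."""
    for r in rules:
        if r.src_zone in ("any", src_zone) and r.dst_zone in ("any", dst_zone):
            return ("allow" if r.allow else "deny", r.name)
    return ("deny", "default (logged)")


def missing_site_to_site_rules(rules, local_zones, vpn_zone="IPSec_VPN"):
    """Return the zone pairs a site-to-site tunnel needs that the policy lacks.

    Both directions are checked because hosts on either site may initiate
    connections; the firewall is stateful, so replies follow the session.
    """
    missing = []
    for zone in local_zones:
        for src, dst in ((zone, vpn_zone), (vpn_zone, zone)):
            verdict, _ = evaluate(rules, src, dst)
            if verdict != "allow":
                missing.append((src, dst))
    return missing


if __name__ == "__main__":
    print("missing before fix:", missing_site_to_site_rules(SAMPLE_RULES, ["LAN1", "DMZ"]))
    print("missing after fix: ", missing_site_to_site_rules(FIXED_RULES, ["LAN1", "DMZ"]))
```

    Run it on each side's policy; a non-empty result is the zone pair whose traffic will show up as default-rule denies in the logs.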

  • dathing89
    dathing89 Posts: 11  Freshman Member
    First Comment

    Hello,

    Just to be sure, a picture of our organization:

    We can ping, locally, on each side, other devices.

    We cannot ping devices on the other site, but we can see on the "Company" monitor/VPN inbound traffic (a few bytes).

    Here is the policy; this is quite the same on each side:

    The USG Flex at the "Branch" is in the DMZ of the provider router.

    There is nothing in the USG Flex DMZ.

    I'm not sure I'm doing the right things…

    Many thanks again

    L.

  • dathing89
    dathing89 Posts: 11  Freshman Member
    First Comment

    Sorry, read 192.168.11.0 instead of 192.168.20.0.

    Thx
