USG Flex IKE v1 VPN connection to Fritz!Box
Hi!
First post as the community and the help posts have been very helpful throughout the past years.
We do have a setup with a USG Flex on our company site. Due to lack of time we didn't implement network segregation in the past, and it was configured recently.
The USG would provide multiple interfaces (most of the virtual ones) to cater for the different subnets and the different needs of those clients.
e.g. 192.168.16.0/24 will contain all Servers
e.g. 192.168.11.0/24 will contain all NAS.
The off-site location is connected to the USG Flex using a Fritz!Box. The Fritz!Box would use Subnet 192.168.17.0/24
Config would be IKE v1 for the Gateway with a pre-shared key. The connection is established via Application Scenario Site-to-site with Dynamic Peer.
Local Policy would use the 192.168.16.0/24 subnet and Remote Policy the 192.168.17.0/24 subnet.
To allow the second subnet, we added in the Fritz!Box config file an additional line in the accesslist setup.
accesslist =
"permit ip any 192.168.16.0 255.255.255.0",
"permit ip any 192.168.11.0 255.255.255.0";
On USG Flex side we added a Policy Routing Rule:
Incoming: Interface
member: Vlan11
Source Address: Subnet 192.168.11.0/24
Destination Address: Subnet 192.168.17.0/24
Service /code: any
Schedule: none
Next-Hop:
Type: VPN Tunnel
VPN Tunnel: the configured VPN Config.
We did some testing and we can see that the Fritz!Box would send the packets towards clients in the 192.168.11.0/24 subnet.
With the diagnostic tool Routing Traces we can see that packets would be sent from VPN ID 0 to VPN ID 3 and the message would be "The packet outgoing interface: doll". We see the same if we capture the traffic within VLAN 11: packets would be sent back. Unfortunately on the Fritz!Box side, we haven't succeeded in capturing any incoming traffic for that request, nor have we been able to capture the network communication via the VPN tunnel on both sides.
Any ideas how to overcome that situation?
We tried to think of different configs like using VTI, but it looks like Fritz!Boxes don't support that kind of connection.
Thanks for your ideas.
All Replies
Hi @soeftel,
This seems like you lack a routing rule on the Fritz!Box to let it know where it should send the traffic (from the 192.168.11.0/24 subnet).
Please try to add a routing rule on Fritz!Boxes first.
Zyxel Melen0
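An added worked example, not code from the original post or from Zyxel/AVM: it models the three checks this thread touches for a packet crossing the tunnel and its reply. The USG phase-2 selector (local 192.168.16.0/24, remote 192.168.17.0/24), the two Fritz!Box accesslist lines and the packet addresses come from the thread; the Fritz!Box routing table is a constructed assumption used to show the effect of the missing route the reply points at. The parser handles the "permit ip <src> <net> <mask>" accesslist form from the post only.

```python
"""Model of the checks a site-to-site IPsec packet and its reply must pass.

Added example; the selector/ACL semantics are a simplified model, not the
vendors' implementations.
"""
import ipaddress
from dataclasses import dataclass

IPv4Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Phase2Selector:
    """Phase-2 traffic selector: Local Policy and Remote Policy subnets."""
    local: IPv4Net
    remote: IPv4Net

    def covers(self, src: str, dst: str) -> bool:
        """True if the SA's selector matches the packet's source and destination."""
        return (ipaddress.ip_address(src) in self.local
                and ipaddress.ip_address(dst) in self.remote)


def parse_accesslist(lines):
    """Parse Fritz!Box-style 'permit ip <src> <net> <mask>' lines.

    Returns a list of (source_network, destination_network); 'any' -> 0.0.0.0/0.
    Surrounding quotes, commas and semicolons from the config file are stripped.
    """
    entries = []
    for line in lines:
        tokens = line.strip().strip('",;').split()
        if len(tokens) != 5 or tokens[:2] != ["permit", "ip"]:
            raise ValueError(f"unsupported accesslist line: {line!r}")
        _, _, src, net, mask = tokens
        src_net = IPv4Net("0.0.0.0/0") if src == "any" else IPv4Net(src)
        entries.append((src_net, IPv4Net(f"{net}/{mask}")))
    return entries


def accesslist_permits(entries, src: str, dst: str) -> bool:
    """True if any accesslist entry permits src -> dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in src_net and d in dst_net for src_net, dst_net in entries)


def route_lookup(routes, dst: str):
    """Longest-prefix match over [(network, next_hop)]; None if no route."""
    d = ipaddress.ip_address(dst)
    best = None
    for net, hop in routes:
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def trace(src: str, dst: str, usg_selectors, fritz_acl, fritz_routes):
    """Evaluate a forward packet src -> dst and its reply dst -> src.

    Returns a list of (check, passed) so every hop that can drop the flow
    is visible at once.
    """
    return [
        ("usg phase-2 selector covers forward packet",
         any(sel.covers(src, dst) for sel in usg_selectors)),
        ("fritzbox accesslist permits reply",
         accesslist_permits(fritz_acl, dst, src)),
        ("fritzbox routes reply into vpn",
         route_lookup(fritz_routes, src) == "vpn"),
    ]


# Values from the thread: USG Local/Remote Policy and the Fritz!Box accesslist.
USG_SELECTORS = [Phase2Selector(IPv4Net("192.168.16.0/24"), IPv4Net("192.168.17.0/24"))]
FRITZ_ACL = parse_accesslist([
    '"permit ip any 192.168.16.0 255.255.255.0",',
    '"permit ip any 192.168.11.0 255.255.255.0";',
])
# Constructed assumption: a Fritz!Box routing table with no entry for 192.168.11.0/24.
FRITZ_ROUTES = [
    (IPv4Net("192.168.17.0/24"), "lan"),
    (IPv4Net("192.168.16.0/24"), "vpn"),
    (IPv4Net("0.0.0.0/0"), "wan"),
]

if __name__ == "__main__":
    for src in ("192.168.16.10", "192.168.11.5"):
        print(f"{src} -> 192.168.17.20")
        for check, ok in trace(src, "192.168.17.20", USG_SELECTORS, FRITZ_ACL, FRITZ_ROUTES):
            print(f"  [{'ok' if ok else 'FAIL'}] {check}")
```

Running it shows the 192.168.16.0/24 flow passing all three checks, while a 192.168.11.0/24 source is permitted by the accesslist but is neither covered by the USG's phase-2 selector nor routed back into the tunnel by the modelled Fritz!Box table; appending a (192.168.11.0/24, "vpn") route to FRITZ_ROUTES flips the third check, which is the routing rule the reply suggests. The selector check is the other thing worth verifying on both ends before chasing captures.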