Advice on policy control issue
Hi Zyxel world,
I wonder if you can help please -
We have 3x USG60, connecting over IPsec to an Azure VPN Gateway. All 3x VPNs connect and remain connected, but only 2x pass traffic (pings) and one does not.
The key settings look identical as far as I can tell, having compared them side-by-side, aside from the expected network addressing differences.
The networks are:
172.16.0.0/16 in azure
192.168.100.0/24 Site1
10.0.1.0/24 Site 2 *this is the site that fails to pass traffic
172.21.0/24 Site 3
The one that doesn't pass traffic WILL pass traffic when I switch the default rule, in Policy Control, from Deny to Allow so this would indicate it is rule related.
This is supported by the log that shows
There are 2x other deny rules in the list, deactivating those (and clicking [Apply]) doesn't allow the traffic to flow.
I'm not new to firewalls but I am new to Zyxel firewalls, and I must be missing something?
Any thoughts would be greatly appreciated!
All Replies
-
Hi @StuWit,
"Disabling the deny rules won't help; only switching the default rule helps." This could be because you lack the VPN allow policy. You can add a VPN allow policy to fix it.
Zyxel Melen
0 -
If you mean the default rule (the last rule) and changing that to allow works, then you're just missing a rule. The logs will help you see what rule to make; it might be like
From LAN1 to VPN zone
0 -
Thank you both for your replies,
@PeterUK the logs say Security Policy Control category is the one being blocked
But there is already a Security Policy Control in place for the Zone, as we already have another VPN (172.20.200.0/24 compared to Azure subnet 172.16.0.0/16)
The Zone objects already contain the default IPSec_VPN zone:
This zone automatically has both VPNs: So it looks to me like the rules and settings are valid, yet it fails to hit this rule and be satisfied.
@Zyxel_Melen do you mean that I need to create something other than the Security Policy Control rule shown above?
0 -
So yes, you need a rule from IPsec_VPN to Zywall for service L2TP-UDP, but you might as well add IKE, NATT and ESP, then a rule from IPsec_VPN to where it needs to go.
0 -
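To make the reasoning in PeterUK's two replies concrete (first matching rule wins, the default rule catches everything else, so deactivating unrelated deny rules cannot help while an allow rule for IPsec_VPN to the LAN zone does), here is an added toy model of a zone-based policy list with the thread's subnets and failing ping. It is not Zyxel code and does not reproduce the real USG engine; the zone names, rule names and the two deny rules are assumed.

```python
import ipaddress
from dataclasses import dataclass, replace
# Constructed model of a zone-based, first-match policy list ending in a default rule,
# in the spirit of the USG Policy Control list. Not Zyxel code; zone and rule names assumed.

@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    src_net: str
    dst_net: str
    action: str          # "allow" or "deny"
    enabled: bool = True
# Subnets from the thread mapped to assumed zones.
ZONES = {"172.16.0.0/16": "IPSec_VPN",   # Azure side, arrives through the tunnel
         "10.0.1.0/24": "LAN1"}          # Site 2

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for net, zone in ZONES.items():
        if addr in ipaddress.ip_network(net):
            return zone
    return "unknown"

def evaluate(rules, default_action, src_ip, dst_ip):
    """Return (action, rule_name) of the first enabled matching rule, else the default."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (r.enabled and r.src_zone == zone_of(src_ip) and r.dst_zone == zone_of(dst_ip)
                and src in ipaddress.ip_network(r.src_net)
                and dst in ipaddress.ip_network(r.dst_net)):
            return r.action, r.name
    return default_action, "default"

# Two unrelated deny rules (constructed); nothing yet allows tunnel -> LAN1 traffic.
DENY_RULES = [Rule("deny-a", "LAN1", "WAN", "10.0.1.0/24", "0.0.0.0/0", "deny"),
              Rule("deny-b", "WAN", "LAN1", "0.0.0.0/0", "10.0.1.0/24", "deny")]
VPN_ALLOW = Rule("vpn-to-lan1", "IPSec_VPN", "LAN1", "172.16.0.0/16", "10.0.1.0/24", "allow")
PING = ("172.16.0.5", "10.0.1.101")   # the failing ping from the thread

def missing_allow():        # default deny, deny rules active: dropped by the default rule
    return evaluate(DENY_RULES, "deny", *PING)
def deny_rules_disabled():  # deactivating the deny rules changes nothing
    return evaluate([replace(r, enabled=False) for r in DENY_RULES], "deny", *PING)
def default_allow():        # flipping the default to allow "works" but opens every zone pair
    return evaluate(DENY_RULES, "allow", *PING)
def with_allow_rule():      # the fix: an explicit IPSec_VPN -> LAN1 allow rule above the default
    return evaluate([VPN_ALLOW] + DENY_RULES, "deny", *PING)
```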
Thank you @PeterUK
I have added specific rules as below for these networks to communicate:
I have disconnected and reconnected the VPN, yet still pings from 172.16.0.5 to 10.0.1.101 are failing. For clarity, the subnets are:
Do these rules look as you think they should?
Interestingly, when looking at the subnet I see another 172.16.0.0/12 there:
I'm not sure what this is or where it is from, but this might be a root of the issue?
0 -
I do not see a rule from IPsec_VPN to Zywall which I think is only needed for when you do L2TP over IPSec.
0 -
I'd prefer to edit my way to a solution but I'm planning to go to site on Monday and reset the router, using one of the other [working] office's backups then edit the networks to suit this office.
0 -
So it should work now? Guessing you got a WAN to Zywall for the VPN?
0