SSL VPN to dynamic IPSec

Boris
Boris Posts: 3  Freshman Member

A computer connected with SSL VPN to the Zywall USG in the Head office cannot ping a device in the remote office via dynamic site-to-site IPSec between the Head and Branch offices, but it works if I configure an "ordinary" site-to-site IPSec.

How can I fix it?

All Replies

  • Zyxel_Melen
    Zyxel_Melen Posts: 3,691  Zyxel Employee

    Hi @Boris

    Please help to identify where the traffic has been dropped. Failure tests:

    1. Ping the SSL VPN IP of Zywall USG in Head office.
    2. Ping the LAN interface IP of Zywall USG in Head office.
    3. Ping the LAN interface IP of Zywall USG in Branch office.

    In addition, did you set a policy route and a static route on both of your Zywall USGs?

    Zyxel Melen


  • Boris
    Boris Posts: 3  Freshman Member

    Hello,

    1. Ping the SSL VPN IP of Zywall USG in Head office.

    works

    2. Ping the LAN interface IP of Zywall USG in Head office.

    works

    3. Ping the LAN interface IP of Zywall USG in Branch office.

    no answer

    Moreover, I can see in the Zywall logs that packets are successfully forwarded from SSL VPN to the IPSec tunnel, but I cannot find them in the Branch Office logs.

  • Zyxel_Melen
    Zyxel_Melen Posts: 3,691  Zyxel Employee

    Hi @Boris

    Please help to check if you have these required configurations on both of your firewalls.

    Site A:

    1. Create a policy route (Network > Routing > Policy Route)
      1. source: SSL VPN subnet
      2. destination: 192.168.80.x (SiteB)
      3. next-hop: VPN tunnel, select the S2S tunnel to SiteB
    2. Security Policy (Security Policy > Policy Control)
      1. From: SSL_VPN
      2. To: IPSec_VPN
      3. source: SSL VPN subnet
      4. destination: 192.168.80.x (SiteB)
      5. action: allow
    3. SSL VPN Network (VPN > SSL VPN > Access Privilege)
      1. Edit the SSL VPN policy, add 192.168.80.x (SiteB) into the Network List.

    Site B:

    1. Create a policy route (Network > Routing > Policy Route)
      1. source: 192.168.80.x (SiteB)
      2. destination: SSL VPN subnet
      3. next-hop: VPN tunnel, select the S2S tunnel to SiteA
    2. Security Policy (Security Policy > Policy Control)
      1. From: LAN
      2. To: IPSec_VPN
      3. source: 192.168.80.x (SiteB)
      4. destination: SSL VPN subnet
      5. action: allow

    Zyxel Melen