vpn ipsec site-to-site

IT_Field_Support Posts: 97  Ally Member
edited April 2021 in Security

Hi,


I have an issue with an IPsec VPN site to site. I will try to explain the problem the best way possible.

Both routers are USG40w fw 4.33.

The VPN between both sites is up and running, but we cannot get traffic to go through it.

For example, on a computer on site A I initiate a ping to a computer on site B.

Capturing traffic on site A shows that the packet is going out:

320    1.490847    10.110.254.8    10.120.254.2    ICMP    74    Echo (ping) request  id=0x0001, seq=17225/18755, ttl=128 (no response found!)

On site B I can see the ICMP traffic going in and out:

14    6.898343    10.110.254.8    10.120.254.2    ICMP    74    Echo (ping) request  id=0x0001, seq=17210/14915, ttl=124 (reply in 15)
15    6.898515    10.120.254.2    10.110.254.8    ICMP    74    Echo (ping) reply    id=0x0001, seq=17210/14915, ttl=64 (request in 14)

But I don't have the response on Site A.

I'm quite sure it is related to policy control; I checked and rechecked my rules, but they seem to be okay, for example on site A.


Any advice is welcome.


Thanks a lot for your time.


Davy


EDIT 1: If I disable policy control on Site A, everything works.

All Replies

  • alexey Posts: 188  Master Member

    Hi @IT_Field_Support.

    Can you ping the USG on site A from a computer on site B?

    Did you add policy routes from site B to site A?

    If you disable the FW on both sites, does the ping go through?

    Did it work earlier? We have a similar problem now: after a long running time, IPsec stops working.

    When I captured pings, same picture. Only changing the ZW IPs helps; after that everything starts working properly.

  • Zyxel_Cooldia Posts: 1,511  Zyxel Employee

    Hi @IT_Field_Support

    Can you check on site A whether the ESP service is still in the security policy “WAN_to_Device”?

    The data traffic runs on phase 2 ESP; site A must allow the ESP service from WAN to ZyWALL for incoming traffic.


    Security policy WAN_to_Device at “CONFIGURATION > Security Policy > Policy Control”


  • IT_Field_Support Posts: 97  Ally Member

    Hi Zyxel_Cooldia!

    Thanks a lot for that information; it helped me find my problem. It was linked to that rule Wan_to_device: we were filtering the source IPv4 on a group, and the IP of the remote VPN gateway included in that group was the wrong one.


    Thanks a lot for your help!


    Davy
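
The two things that resolved this thread, a WAN-to-ZyWALL rule that must permit ESP (Zyxel_Cooldia's reply) and a source address group that must actually contain the remote gateway's IP (the final post), can be checked before the next tunnel goes live. The script below is an added example written for this page, not Zyxel code and not a reader of real USG configuration: it models a first-match policy list with assumed field names and constructed addresses (203.0.113.20 for site B's gateway, 203.0.113.21 as the typo in the group) and reports, per required service, whether the remote gateway is allowed to reach the device and, when it is not, whether the service or the source group is the reason. The IKE rule is deliberately left open so that phase 1 succeeds and only ESP fails, which reproduces the symptom of the thread: tunnel up, echo requests leave site A, no replies come back.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set


@dataclass
class PolicyRule:
    """One policy-control rule; the list is evaluated first-match, as on a USG.
    Field names are an assumption made for this example, not the device schema."""
    name: str
    from_zone: str
    to_zone: str
    source: List[str]      # address-group members as host or CIDR strings
    services: Set[str]     # e.g. {"IKE", "ESP", "NATT"} or {"any"}
    action: str = "allow"  # "allow" or "deny"

    def matches(self, zone_from: str, zone_to: str, src, service: str) -> bool:
        if (self.from_zone, self.to_zone) != (zone_from, zone_to):
            return False
        if "any" not in self.services and service not in self.services:
            return False
        return any(src in ip_network(m, strict=False) for m in self.source)


@dataclass
class VpnPeer:
    name: str
    gateway_ip: str        # public address of the remote VPN gateway
    nat_traversal: bool = False


def required_services(peer: VpnPeer) -> Set[str]:
    """Phase 1 needs IKE (UDP/500). Phase 2 data rides on ESP (IP protocol 50),
    or on NAT-T (UDP/4500) when the peer sits behind NAT."""
    return {"IKE", "NATT"} if peer.nat_traversal else {"IKE", "ESP"}


def first_match(rules, zone_from, zone_to, src, service) -> Optional[PolicyRule]:
    for rule in rules:
        if rule.matches(zone_from, zone_to, src, service):
            return rule
    return None


def check_peer(peer: VpnPeer, rules: List[PolicyRule]) -> List[str]:
    """Return one finding per service the remote gateway may not send to the
    ZyWALL itself. An empty list means the tunnel can carry traffic."""
    findings = []
    src = ip_address(peer.gateway_ip)
    for service in sorted(required_services(peer)):
        hit = first_match(rules, "WAN", "ZyWALL", src, service)
        if hit is not None and hit.action == "allow":
            continue
        reason = f"denied by rule '{hit.name}'" if hit else "no matching rule (implicit deny)"
        # In a capture both causes look identical (requests leave, nothing comes
        # back), so say whether the service or the source group is at fault.
        candidates = [r for r in rules
                      if r.action == "allow" and r.from_zone == "WAN"
                      and r.to_zone == "ZyWALL"
                      and ("any" in r.services or service in r.services)]
        if candidates:
            names = ", ".join(r.name for r in candidates)
            hint = f"allow rule(s) {names} permit {service} but their source group does not include {src}"
        else:
            hint = f"no allow rule permits {service} from WAN to ZyWALL"
        findings.append(f"{peer.name}: {service} from {src} {reason}; {hint}")
    return findings


# Constructed scenario (not from the thread's devices): site B's gateway is
# 203.0.113.20, but the address group on the ESP rule holds 203.0.113.21.
SITE_B = VpnPeer(name="site-B", gateway_ip="203.0.113.20")

BROKEN_RULES = [
    PolicyRule("WAN_to_Device_IKE", "WAN", "ZyWALL", ["0.0.0.0/0"], {"IKE", "NATT"}),
    PolicyRule("WAN_to_Device", "WAN", "ZyWALL", ["203.0.113.21/32"], {"ESP"}),
    PolicyRule("WAN_to_Device_default", "WAN", "ZyWALL", ["0.0.0.0/0"], {"any"}, "deny"),
]

FIXED_RULES = [
    PolicyRule("WAN_to_Device_IKE", "WAN", "ZyWALL", ["0.0.0.0/0"], {"IKE", "NATT"}),
    PolicyRule("WAN_to_Device", "WAN", "ZyWALL", ["203.0.113.20/32"], {"ESP"}),
    PolicyRule("WAN_to_Device_default", "WAN", "ZyWALL", ["0.0.0.0/0"], {"any"}, "deny"),
]


if __name__ == "__main__":
    for label, rules in (("broken", BROKEN_RULES), ("fixed", FIXED_RULES)):
        print(label, check_peer(SITE_B, rules) or ["OK"])
```

Run against the broken list the checker reports only ESP, naming the rule that would allow it and the gateway address missing from its group; against the fixed list it returns nothing. The same function covers a peer behind NAT by swapping ESP for NATT in the required set.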
