VTI Tunnel UP but LANs cannot communicate: Need help with Policy Routes and Security Policy order

mlibonati · March 30

Hi everyone,

I have successfully established a Route-based VPN using VTI between an ATP200 (Hub - Anzi) and two spokes (ATP500 - Potenza and USG60 - Venosa).

Current Status:

All VTI tunnels are UP (green lights).
I can successfully ping the remote gateway's LAN IP from the local gateway's diagnostic tool (e.g., ATP200 can ping USG60 at 10.24.253.1).
The Issue: PCs behind the firewalls cannot reach each other (Request Timed Out).

I suspect my Policy Routes or Security Policies are misconfigured or in the wrong order, preventing LAN-to-LAN traffic from entering the VTI tunnel.

My Network Details:

Anzi (Hub): 172.17.7.0/24 (ATP200)
Venosa (Spoke): 10.24.253.0/24 (USG60)
Potenza (Spoke): 10.24.254.0/24 (ATP500)

Could you please clarify:

Policy Routes: I have a general Policy Route for internet traffic (LAN to WAN Trunk). Do I need a specific Policy Route for the VTI? If so, should it be: Incoming: LAN, Source: any, Destination: Remote_LAN, Next-Hop: VTI_Interface? Does this need to be at the very top (Priority 1)?
Security Policy (Firewall): Since VTI uses a virtual interface, what are the exact Zone-to-Zone rules needed? Is LAN to IPSec_VPN and IPSec_VPN to LAN sufficient, or do I need to include the specific VTI interface in a different zone?
Routing Loop: I previously saw "TTL Expired in Transit". This happened even though Static Routes were set. Why would the ATP200 loop the traffic instead of sending it to the VTI interface?

I am attaching screenshots of my current Policy Route table and VTI settings. Any guidance on the correct "rule of thumb" for VTI traffic priority on Zyxel ATP/USG series would be greatly appreciated.

Thanks!