Site2Site VPN Tunnel, inbound Traffic blocked
Hello,
I´ve a strange problem with the USG 110 and an IKEv1 Tunnel...
The Tunnel is up and running, but the inbound traffic from the zone "IPSec_VPN" to the lan1 subnet/zone is always blocked. I don´t even get a block/denied entry in the logs.
If I do a connection check (Monitor --> VPN-Monitor --> IPSec) it always fails, I can see this ICMP check on the remote firewall, the remote firewall responds back, but this response get blocked on the USG without any log entry! On this page the "Inbound" counter stays always zero. Routing on the USG should be fine, as I can see the ICMP packets on the remote firewall.
The VPN firewall rules on the USG are as followed:
lan1 --> IPSec_VPN src=lan1 --> dst=vpn_subnet
IPSec_VPN --> lan1 src=vpn_subnet --> dst=lan1
I´ve tried it also with zone checking only and the rest to "any". I´ve tried it with everything "any", no luck.
Interesting is, I´ve another USG 110 running which is behind an LTE Router with a dynamic WAN IP address, and it works with the rules above! Here I´ve a fix WAN-IP with a DSL connection and the USG blocks the inbound VPN traffic...
The only way it works is, when I disable the firewall mechanism (enable policy control)... --> so the routing on the remote firewall is ok.
I´ve restarted the USG, no luck. The only blocking rule I have is the default deny rule on the bottom of the list.
Has anyone an idea?
Thanks!
Comments
-
Hi @Martin64,
We need the configuration file to check the symptom. I will contact you in private message for more information.
0 -
After some additional tests and upgrading the Zywall from 4.31 to 4.35 which hasn´t solved anything, I´ve now solved the problem.
To allow the remote network traffic (the local subnet on the other side) coming from INSIDE of the tunnel, you have to configure an extra rule...
From=WAN --> To=Zywall src=restricted to the public peer IP of the remote side(optional of course, but highly recommended)
So for some kind of reason the Zywall handles the remote subnet in the tunnel as "WAN" traffic and not as "IPSec_VPN" traffic (as configured as "Zone" in the Phase 2 settings).
Another thing is, you don´t need this WAN-to-Zywall rule for establishing the tunnel, interesting, cause this would be the "real" WAN traffic where the public IP on both sides build the tunnel.
This is definitely not the case with version 4.20 (my working setup)! In this version the traffic inside the tunnel is handled correctly as IPSec_VPN. I don´t have here a WAN to Zywall rule, and even the tunnel establishing works without that rule.
So keep that in mind if you are working with version 4.31 - 4.35
0 -
After some additional tests and upgrading the Zywall from 4.31 to 4.35 which hasn´t solved anything, I´ve now solved the problem.
To allow the remote network traffic (the local subnet on the other side) coming from INSIDE of the tunnel, you have to configure an extra rule...
From=WAN --> To=Zywall src=restricted to the public peer IP of the remote side(optional of course, but highly recommended)
So for some kind of reason the Zywall handles the remote subnet in the tunnel as "WAN" traffic and not as "IPSec_VPN" traffic (as configured as "Zone" in the Phase 2 settings).
Another thing is, you don´t need this WAN-to-Zywall rule for establishing the tunnel, interesting, cause this would be the "real" WAN traffic where the public IP on both sides build the tunnel.
This is definitely not the case with version 4.20 (my working setup)! In this version the traffic inside the tunnel is handled correctly as IPSec_VPN. I don´t have here a WAN to Zywall rule, and even the tunnel establishing works without that rule.
So keep that in mind if you are working with version 4.31-4.35
0 -
After some additional tests and upgrading the Zywall from 4.31 to 4.35 which hasn´t solved anything, I´ve now solved the problem.
To allow the remote network traffic (the local subnet on the other side) coming from INSIDE of the tunnel, you have to configure an extra rule...
From=WAN --> To=Zywall src=restricted to the public peer IP of the remote side(optional of course, but highly recommended)
So for some kind of reason the Zywall handles the remote subnet in the tunnel as "WAN" traffic and not as "IPSec_VPN" traffic (as configured as "Zone" in the Phase 2 settings).
Another thing is, you don´t need this WAN-to-Zywall rule for establishing the tunnel, interesting, cause this would be the "real" WAN traffic where the public IP on both sides build the tunnel.
This is definitely not the case with version 4.20 (my working setup)! In this version the traffic inside the tunnel is handled correctly as IPSec_VPN. I don´t have here a WAN to Zywall rule, and even the tunnel establishing works without that rule.
So keep that in mind if you are working with version 4.31-4.35
1
Zyxel Employee
Categories
- All Categories
- 383 Beta Program
- 2.1K Nebula
- 116 Nebula Ideas
- 80 Nebula Status and Incidents
- 5.1K Security
- 75 USG FLEX H Series
- 247 Security Ideas
- 1.3K Switch
- 69 Switch Ideas
- 907 WirelessLAN
- 34 WLAN Ideas
- 5.9K Consumer Product
- 210 Service & License
- 335 News and Release
- 71 Security Advisories
- 21 Education Center
- 5 [Campaign] Zyxel Network Detective
- 1.9K FAQ
- 886 Nebula FAQ
- 415 Security FAQ
- 228 Switch FAQ
- 200 WirelessLAN FAQ
- 46 Consumer Product FAQ
- 137 Service & License FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 73 About Community
- 62 Security Highlight
