Site-to-Site VPN tunnel, inbound traffic blocked
Hello,
I've a strange problem with the USG 110 and an IKEv1 tunnel...
The tunnel is up and running, but the inbound traffic from the zone "IPSec_VPN" to the lan1 subnet/zone is always blocked. I don't even get a block/denied entry in the logs.
If I do a connection check (Monitor --> VPN Monitor --> IPSec) it always fails. I can see this ICMP check on the remote firewall, and the remote firewall responds, but this response gets blocked on the USG without any log entry! On this page the "Inbound" counter always stays at zero. Routing on the USG should be fine, as I can see the ICMP packets on the remote firewall.
The VPN firewall rules on the USG are as follows:
lan1 --> IPSec_VPN src=lan1 --> dst=vpn_subnet
IPSec_VPN --> lan1 src=vpn_subnet --> dst=lan1
I've also tried it with zone checking only and the rest set to "any". I've tried it with everything "any", no luck.
Interestingly, I have another USG 110 running behind an LTE router with a dynamic WAN IP address, and it works with the rules above! Here I have a fixed WAN IP with a DSL connection, and the USG blocks the inbound VPN traffic...
The only way it works is when I disable the firewall mechanism (enable policy control)... --> so the routing on the remote firewall is OK.
I've restarted the USG, no luck. The only blocking rule I have is the default deny rule at the bottom of the list.
Does anyone have an idea?
Thanks!
Comments
Hi @Martin64,
We need the configuration file to check the symptom. I will contact you by private message for more information.
0
After some additional tests and upgrading the Zywall from 4.31 to 4.35, which hasn't solved anything, I've now solved the problem.
To allow the remote network traffic (the local subnet on the other side) coming from INSIDE the tunnel, you have to configure an extra rule...
From=WAN --> To=Zywall, src=restricted to the public peer IP of the remote side (optional of course, but highly recommended)
So for some reason the Zywall handles the remote subnet in the tunnel as "WAN" traffic and not as "IPSec_VPN" traffic (as configured as "Zone" in the Phase 2 settings).
Another thing: you don't need this WAN-to-Zywall rule for establishing the tunnel, which is interesting, because that would be the "real" WAN traffic where the public IPs on both sides build the tunnel.
This is definitely not the case with version 4.20 (my working setup)! In this version the traffic inside the tunnel is handled correctly as IPSec_VPN. I don't have a WAN-to-Zywall rule there, and even establishing the tunnel works without that rule.
So keep that in mind if you are working with versions 4.31 - 4.35.
0
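As an added illustration (not code from this thread and not Zyxel's implementation), the following Python model runs the poster's rule set through a first-match, zone-based policy evaluator. It encodes the two behaviours described above as an assumption: in the "4.20-style" mode only the decapsulated packet is evaluated, in the IPSec_VPN zone; in the "4.3x-style" mode the encapsulating ESP packet from the peer is first evaluated as WAN --> ZyWALL traffic and, if that is denied, the inner packet is never seen. All addresses, zone names and rule names are constructed for the example; the last two scenarios show why restricting the extra rule's source to the peer's public IP, as the post recommends, matters.

```python
"""Zone-based, first-match policy evaluation for the scenario in this thread.

Added illustration only: the addresses, zone names and the two evaluation modes
below are assumptions modelling the behaviour the poster reports, not Zyxel's code.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

# Constructed addresses (assumptions, taken from documentation ranges).
LAN1 = IPv4Network("192.168.1.0/24")        # subnet behind this USG (zone lan1)
VPN_SUBNET = IPv4Network("10.10.0.0/24")    # remote subnet reached through the tunnel
USG_WAN_IP = IPv4Address("203.0.113.10")    # this USG's fixed public IP
PEER_WAN_IP = IPv4Address("198.51.100.20")  # remote peer's public IP
OTHER_IP = IPv4Address("192.0.2.99")        # some unrelated Internet host


@dataclass(frozen=True)
class Rule:
    from_zone: str
    to_zone: str
    src: Optional[IPv4Network] = None   # None means "any"
    dst: Optional[IPv4Network] = None   # None means "any"
    action: str = "allow"
    name: str = ""


@dataclass(frozen=True)
class Packet:
    from_zone: str   # zone the firewall assigned to the packet on ingress
    to_zone: str
    src: IPv4Address
    dst: IPv4Address


def evaluate(rules, pkt):
    """First matching rule wins; anything unmatched hits the implicit default deny."""
    for r in rules:
        if (r.from_zone, r.to_zone) != (pkt.from_zone, pkt.to_zone):
            continue
        if r.src is not None and pkt.src not in r.src:
            continue
        if r.dst is not None and pkt.dst not in r.dst:
            continue
        return r.action, r.name
    return "deny", "default-deny"


def process_tunnel_packet(rules, outer, inner, outer_checked):
    """Run one inbound tunnel packet through the policy and return (action, trace).

    outer_checked=False: only the decapsulated packet is evaluated (IPSec_VPN zone),
                         the behaviour the poster saw on 4.20.
    outer_checked=True:  the ESP packet is first evaluated as WAN -> ZyWALL; if that is
                         denied the inner packet is never evaluated, the behaviour the
                         poster saw on 4.31-4.35. (Assumed model, see module docstring.)
    """
    trace = []
    if outer_checked:
        action, name = evaluate(rules, outer)
        trace.append(f"outer {outer.src}->{outer.dst}: {action} by {name}")
        if action != "allow":
            return "deny", trace
    action, name = evaluate(rules, inner)
    trace.append(f"inner {inner.src}->{inner.dst}: {action} by {name}")
    return action, trace


# The two rules from the original post.
VPN_RULES = [
    Rule("lan1", "IPSec_VPN", LAN1, VPN_SUBNET, name="lan1-to-vpn"),
    Rule("IPSec_VPN", "lan1", VPN_SUBNET, LAN1, name="vpn-to-lan1"),
]
# The extra rule from the solution: once restricted to the peer, once left open.
PEER_RULE = Rule("WAN", "ZyWALL", IPv4Network(f"{PEER_WAN_IP}/32"), name="wan-peer-to-zywall")
OPEN_RULE = Rule("WAN", "ZyWALL", None, name="wan-any-to-zywall")

# Constructed packets: a reply from the remote subnet to a lan1 host as it arrives
# inside the tunnel, plus the encapsulating ESP packet from the peer or from elsewhere.
INNER = Packet("IPSec_VPN", "lan1", IPv4Address("10.10.0.1"), IPv4Address("192.168.1.50"))
OUTER_FROM_PEER = Packet("WAN", "ZyWALL", PEER_WAN_IP, USG_WAN_IP)
OUTER_FROM_OTHER = Packet("WAN", "ZyWALL", OTHER_IP, USG_WAN_IP)


def run_scenarios():
    """Final action for each combination discussed in the thread."""
    return {
        "4.20-style, no peer rule": process_tunnel_packet(VPN_RULES, OUTER_FROM_PEER, INNER, False)[0],
        "4.3x-style, no peer rule": process_tunnel_packet(VPN_RULES, OUTER_FROM_PEER, INNER, True)[0],
        "4.3x-style, peer rule": process_tunnel_packet(VPN_RULES + [PEER_RULE], OUTER_FROM_PEER, INNER, True)[0],
        "4.3x-style, peer rule, other host": process_tunnel_packet(VPN_RULES + [PEER_RULE], OUTER_FROM_OTHER, INNER, True)[0],
        "4.3x-style, open rule, other host": process_tunnel_packet(VPN_RULES + [OPEN_RULE], OUTER_FROM_OTHER, INNER, True)[0],
    }


if __name__ == "__main__":
    for scenario, action in run_scenarios().items():
        print(f"{scenario:36s} -> {action}")
```

In the modelled 4.3x mode the two zone rules alone are never reached, which matches the symptom of a silent drop with the "Inbound" counter at zero. The "other host" scenarios show the least-privilege point: a WAN --> ZyWALL rule with source "any" lets any Internet host past the first check, whereas the /32 peer restriction keeps the default deny in place for everything but the configured peer.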