Site2Site VPN Tunnel, inbound Traffic blocked

Martin64
Martin64 Posts: 4
edited April 2021 in Security

Hello,

I´ve a strange problem with the USG 110 and an IKEv1 Tunnel...

The Tunnel is up and running, but the inbound traffic from the zone "IPSec_VPN" to the lan1 subnet/zone is always blocked. I don´t even get a block/denied entry in the logs.

If I do a connection check (Monitor --> VPN-Monitor --> IPSec) it always fails, I can see this ICMP check on the remote firewall, the remote firewall responds back, but this response get blocked on the USG without any log entry! On this page the "Inbound" counter stays always zero. Routing on the USG should be fine, as I can see the ICMP packets on the remote firewall.

The VPN firewall rules on the USG are as followed:

lan1 --> IPSec_VPN src=lan1 --> dst=vpn_subnet

IPSec_VPN --> lan1 src=vpn_subnet --> dst=lan1

I´ve tried it also with zone checking only and the rest to "any". I´ve tried it with everything "any", no luck.

Interesting is, I´ve another USG 110 running which is behind an LTE Router with a dynamic WAN IP address, and it works with the rules above! Here I´ve a fix WAN-IP with a DSL connection and the USG blocks the inbound VPN traffic...


The only way it works is, when I disable the firewall mechanism (enable policy control)... --> so the routing on the remote firewall is ok.

I´ve restarted the USG, no luck. The only blocking rule I have is the default deny rule on the bottom of the list.

Has anyone an idea?


Thanks!

Comments

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,296  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Hi @Martin64,

    We need the configuration file to check the symptom. I will contact you in private message for more information.

  • After some additional tests and upgrading the Zywall from 4.31 to 4.35 which hasn´t solved anything, I´ve now solved the problem.


    To allow the remote network traffic (the local subnet on the other side) coming from INSIDE of the tunnel, you have to configure an extra rule...


    From=WAN --> To=Zywall   src=restricted to the public peer IP of the remote side(optional of course, but highly recommended)


    So for some kind of reason the Zywall handles the remote subnet in the tunnel as "WAN" traffic and not as "IPSec_VPN" traffic (as configured as "Zone" in the Phase 2 settings).

    Another thing is, you don´t need this WAN-to-Zywall rule for establishing the tunnel, interesting, cause this would be the "real" WAN traffic where the public IP on both sides build the tunnel.


    This is definitely not the case with version 4.20 (my working setup)! In this version the traffic inside the tunnel is handled correctly as IPSec_VPN. I don´t have here a WAN to Zywall rule, and even the tunnel establishing works without that rule.


    So keep that in mind if you are working with version 4.31 - 4.35

  • After some additional tests and upgrading the Zywall from 4.31 to 4.35 which hasn´t solved anything, I´ve now solved the problem.


    To allow the remote network traffic (the local subnet on the other side) coming from INSIDE of the tunnel, you have to configure an extra rule...


    From=WAN --> To=Zywall   src=restricted to the public peer IP of the remote side(optional of course, but highly recommended)


    So for some kind of reason the Zywall handles the remote subnet in the tunnel as "WAN" traffic and not as "IPSec_VPN" traffic (as configured as "Zone" in the Phase 2 settings).

    Another thing is, you don´t need this WAN-to-Zywall rule for establishing the tunnel, interesting, cause this would be the "real" WAN traffic where the public IP on both sides build the tunnel.


    This is definitely not the case with version 4.20 (my working setup)! In this version the traffic inside the tunnel is handled correctly as IPSec_VPN. I don´t have here a WAN to Zywall rule, and even the tunnel establishing works without that rule.


    So keep that in mind if you are working with version 4.31-4.35

  • After some additional tests and upgrading the Zywall from 4.31 to 4.35 which hasn´t solved anything, I´ve now solved the problem.


    To allow the remote network traffic (the local subnet on the other side) coming from INSIDE of the tunnel, you have to configure an extra rule...


    From=WAN --> To=Zywall   src=restricted to the public peer IP of the remote side(optional of course, but highly recommended)


    So for some kind of reason the Zywall handles the remote subnet in the tunnel as "WAN" traffic and not as "IPSec_VPN" traffic (as configured as "Zone" in the Phase 2 settings).

    Another thing is, you don´t need this WAN-to-Zywall rule for establishing the tunnel, interesting, cause this would be the "real" WAN traffic where the public IP on both sides build the tunnel.


    This is definitely not the case with version 4.20 (my working setup)! In this version the traffic inside the tunnel is handled correctly as IPSec_VPN. I don´t have here a WAN to Zywall rule, and even the tunnel establishing works without that rule.


    So keep that in mind if you are working with version 4.31-4.35

Security Highlight