IPSec via IPSec doesn't work
The device uses the IPsec, DNS and NTP protocols. DNS and NTP work fine.
All Replies
Hi @alexey
Can you make sure your Site2 has a configured policy route which forwards all of its traffic into the VPN tunnel first?
And also at Site1, you have to create a policy route rule for the Site2 traffic.
After configuring it, all Site2 LAN1 traffic will pass to Site1 via the VPN tunnel and get replies from the internet.
And then you should be able to get an ICMP reply from your destination server.
If you still can't get a reply, you can go to Site1 Diagnostics > Routing Trace.
A. Enter the destination server IP address, and set the protocol as ICMP.
B. Have the PC send ICMP to the destination IP continually.
C. Click the "Capture" button and wait for 5 seconds.
This makes it possible to confirm whether the traffic path is forwarded via the VPN tunnel or the WAN interface.
-
Hi @Zyxel_Stanley
All routes are fine. Other devices work normally.
On the problem device only the IPSec service doesn't work; NTP & DNS work properly. I can see connections from these services on the main device.
We have no direct access to this device, so I can't ping the destination address from it.
-
Hi @alexey
You must make sure your device supports initiating a VPN tunnel from behind a NAT router.
And you can also still try to send traffic to your VPN server (initiate the VPN connection from your device).
It is just to make sure the device traffic has been forwarded by the correct route path.
-
Here is the flushed traffic for the IPsec protocol.
It goes directly to the VTI tunnel.
> You must make sure your device supports initiating a VPN tunnel from behind a NAT router.
If I add a custom route for this device directly via the provider's VPN, it works perfectly. It doesn't work via IPsec.
-
Hi @alexey
It looks like your device (172.20.60.102) traffic has been forwarded to the peer device which builds the VPN tunnel with the ZyWALL110.
So you can trace the packets on the peer device again to make sure the traffic has been routed to the WAN interface successfully.
And also check that the response packets are routed back to the ZyWALL110 via the vti0 interface.
Filter condition is: 62.141.65.252
-
I can't see these packets on the device at the main site. It doesn't establish any connection with the remote peer, so the device on site B doesn't have any back connections.
-
Hi @alexey
This situation should come from your configuration or a network environment issue. I will check it by private message.
-
We found a solution.
Device support gave technical requirements for network connections (MTU at least 1400).
On the VTI interface 1400 was set. The device doesn't connect. I changed the MTU from 1300 to 1500 - nothing.
I replaced the VTI with a simple IPsec IKEv2 tunnel on all default settings.
The device starts to connect via IPsec. As I see, the default MTU for IPsec is 1460.
Does the MTU setting work on VTI?
-
Hi @alexey
It's good to know your issue has been resolved after changing the USG VPN tunnel to IKEv2.
In your scenario, the packet will not be fragmented after enabling the "Ignore "Don't Fragment" setting in IPv4 header" function.
So your issue should come from something else and not be related to the VTI interface MTU size.
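A worked calculation behind the MTU question in the last two posts, as an added example that is not part of the thread and not Zyxel's own code: it estimates how much of a 1500-byte outer frame is left for the inner packet once ESP tunnel-mode encapsulation is added, with and without NAT-T UDP encapsulation (the device in this thread sits behind NAT). The 1500-byte outer MTU, the 1400-byte device requirement and the 1460-byte figure come from the thread; the per-transform IV, ICV and padding-alignment figures are assumptions taken from the ESP and NAT-T specifications (RFC 4303, RFC 3948), not measurements from the ZyWALL, and the transform names are labels chosen here.

```python
# Added example: ESP tunnel-mode overhead estimate for inner-MTU planning.
# Overhead figures are assumptions from RFC 4303 (ESP) and RFC 3948 (NAT-T
# UDP encapsulation); they are not taken from any specific firmware.
from math import ceil

OUTER_IPV4_HEADER = 20   # new outer IPv4 header added in tunnel mode
ESP_HEADER = 8           # SPI (4) + sequence number (4)
ESP_TRAILER = 2          # pad length (1) + next header (1)
NAT_T_UDP_HEADER = 8     # UDP/4500 header when a peer is behind NAT

# Assumed transforms: (iv_len, icv_len, pad_block) in bytes.
# CBC pads the payload+trailer to the cipher block size; GCM only needs
# the 4-byte alignment ESP itself requires.
TRANSFORMS = {
    "aes128-cbc/hmac-sha1-96": (16, 12, 16),
    "aes256-cbc/hmac-sha256-128": (16, 16, 16),
    "aes128-gcm-16": (8, 16, 4),
}


def esp_packet_size(inner_len, transform, nat_t=False):
    """Size on the wire of an inner IPv4 packet of inner_len bytes after
    ESP tunnel-mode encapsulation with the given (assumed) transform."""
    iv, icv, block = TRANSFORMS[transform]
    padded = ceil((inner_len + ESP_TRAILER) / block) * block
    size = OUTER_IPV4_HEADER + ESP_HEADER + iv + padded + icv
    if nat_t:
        size += NAT_T_UDP_HEADER
    return size


def max_inner_mtu(outer_mtu, transform, nat_t=False):
    """Largest inner packet that still fits in outer_mtu without the
    outer packet having to be fragmented."""
    iv, icv, block = TRANSFORMS[transform]
    fixed = OUTER_IPV4_HEADER + ESP_HEADER + iv + icv
    if nat_t:
        fixed += NAT_T_UDP_HEADER
    room = outer_mtu - fixed
    padded = (room // block) * block          # largest aligned payload+trailer
    return padded - ESP_TRAILER


def inner_mtu_fits(required_inner_mtu, outer_mtu, transform, nat_t=False):
    """True if a device that needs required_inner_mtu can be carried in
    outer_mtu-sized frames without fragmenting the outer packet."""
    return esp_packet_size(required_inner_mtu, transform, nat_t) <= outer_mtu


if __name__ == "__main__":
    outer = 1500                       # typical WAN MTU
    for name in TRANSFORMS:
        for nat_t in (False, True):
            print(f"{name:28s} nat_t={str(nat_t):5s} "
                  f"max inner MTU={max_inner_mtu(outer, name, nat_t)}  "
                  f"1400 fits={inner_mtu_fits(1400, outer, name, nat_t)}  "
                  f"1460 fits={inner_mtu_fits(1460, outer, name, nat_t)}")
```

Under these assumptions an inner MTU of 1400 fits in a 1500-byte outer frame for every listed transform, with or without NAT-T, while 1460-byte inner packets exceed 1500 bytes once encapsulated and would have to be fragmented on the outer side. That is the situation the "Ignore Don't Fragment" behaviour mentioned in the last reply deals with, and it is why a VTI or tunnel MTU is normally set a little below the device's requirement plus overhead rather than left at the WAN value.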