Can't route traffic into VPN tunnel

MicheleP
MicheleP Posts: 10  Freshman Member
First Comment Third Anniversary
edited April 2021 in Security
Hello, we successfully created a IPSec tunnel on our ZYWALL USG 200, the connection is up, but when we try to reach the remote site LAN on the other point of the tunnel, the ZYWALL tries to reach it by the standard route on internet. Already created a policy route for this but it seems to be ignored.
«1

All Replies

  • PeterUK
    PeterUK Posts: 3,500  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary

    Does each site have a different LAN subnet?


  • MicheleP
    MicheleP Posts: 10  Freshman Member
    First Comment Third Anniversary
    Yes: our local subnet is 10.11.244.232/29 while remote subnet is 192.168.0.0/16
  • PeterUK
    PeterUK Posts: 3,500  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited July 2020

    This should work without a routing rule uncheck “Use IPv4 Policy Route to Override Direct Route”.

    Post the packet flow explore for sitetosite VPN in maintenance from both sites.


  • MicheleP
    MicheleP Posts: 10  Freshman Member
    First Comment Third Anniversary

  • PeterUK
    PeterUK Posts: 3,500  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    and the other site setup?
  • MicheleP
    MicheleP Posts: 10  Freshman Member
    First Comment Third Anniversary
    We can't see it, it is property of PA, but I'm confident they did the right configuration because they realize several VPN site to site with different enterprise
  • PeterUK
    PeterUK Posts: 3,500  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited July 2020
    Have you set for VPN_LOGICA_P2_C in vpn connection under related settings a zone?

    With a policy control rule from LAN1 to zone above make as log and try pinging a PC/device to 192.168.xxx.xxx and see if it shows in the logs.
  • MicheleP
    MicheleP Posts: 10  Freshman Member
    First Comment Third Anniversary
    I left the default value "IPSec_VPN" for related zone and this is not present in the dropdown list of destinations for a policy route. Anyway, I just realized that all this is not working on a server (Windows 2012) while the traffic is correctly routed in the tunnel from a client Windows 10 in the LAN. Even turning off the Windows Firewall on the server, the things don't work. The server is part of the LAN just as the client, same subnet, just it is a DC of the domain
  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,518  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 1000 Comments
    There is no need add policy route for peer subnet if you establish site to site VPN.
    There is one thing need to take note, the peer subnet is 192.168.X.X/16. 
    By default, we have 192.168.2.x/24 on interface lan 2. 
    T○ avoid subnet overlap, please remove any subnet within range 192.168.X.X/16 on USG200 network interface.
  • MicheleP
    MicheleP Posts: 10  Freshman Member
    First Comment Third Anniversary
    Thanks Cooldia, in our case the subnet configured on interface lan1 and 2 were respectively 10.0.0.2/255.255.255.0 and 10.0.0.1/255.255.255.0 so there is no overlapping

Categories

Security Help Center

EnglishTiếng ViệtРусскийไทย中文(台灣)