Can't route traffic into VPN tunnel
All Replies
-
So what interface is 10.11.244.232/29 on?
-
It belongs to the "fake" subnet (see https://mysupport.zyxel.com/hc/en-us/articles/360003321659--ZyWALL-USG-How-to-configure-VPN-SNAT-on-Zyxel-gateways) that the other side of the tunnel wants our clients to appear as. So: our clients are on 10.0.0.0/255.255.255.0 in our local subnet, but they must appear as 10.11.244.232/29 at the other side of the tunnel; it works correctly with NAT configured on the VPN connection.
-
I see... I've not done a "fake" subnet with site-to-site, only with a local policy with the true LAN subnet.
I'll see if I can do this setup for testing.
Edit: thinking about it, could the problem be that your LAN1 or LAN2 subnet is not the same size as the "fake" subnet?
-
So I got the setup here working between a USG40 and ZyWALL 110, even over an SSL VPN, and yes, you do need the routing rule. But I think I'm right about the subnet size: for Inbound/Outbound traffic NAT, the source for Source NAT looks like it needs to be the same subnet size as the SNAT, and the same for Destination NAT, original IP to mapped IP. The USG needs to do 1:1 NAT; if your LAN subnet is bigger than the fake subnet, it can't map all your IPs 1:1.
-
Playing around with the setup, something odd happens with source NAT if the source subnet is bigger than the SNAT.
Two ways around this.
If the LAN is 192.168.138.0/28, fake it to be smaller to fit in the SNAT, so you have the LAN as 192.168.138.0/28 but only 192.168.138.2 – 192.168.138.6 can go to site-to-site, mapped to 10.255.255.2-10.255.255.6.
Or SNAT the whole source to a single SNAT IP.
-
Yes Peter, I confirm what you say.
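
The 1:1 mapping constraint discussed in the replies above, as an added example that is not part of the thread and not Zyxel code: it models source NAT as an offset-preserving pairing of addresses (an assumption about how the gateway pairs them; the function names are hypothetical) and uses the address ranges quoted in the posts.

```python
import ipaddress


def subnet_fits(lan_cidr: str, fake_cidr: str) -> bool:
    """True when every LAN address can get its own address in the fake subnet."""
    lan = ipaddress.ip_network(lan_cidr)
    fake = ipaddress.ip_network(fake_cidr)
    return lan.num_addresses <= fake.num_addresses


def one_to_one_map(src_first: str, src_last: str,
                   snat_first: str, snat_last: str) -> dict:
    """Build {source_ip: mapped_ip} for a 1:1 source NAT between two ranges.

    Raises ValueError when the source range holds more addresses than the
    SNAT range, which is the case the thread identifies as unmappable.
    """
    s0 = ipaddress.IPv4Address(src_first)
    s1 = ipaddress.IPv4Address(src_last)
    m0 = ipaddress.IPv4Address(snat_first)
    m1 = ipaddress.IPv4Address(snat_last)
    src_count = int(s1) - int(s0) + 1
    snat_count = int(m1) - int(m0) + 1
    if src_count < 1 or snat_count < 1:
        raise ValueError("range end is below range start")
    if src_count > snat_count:
        raise ValueError(
            f"{src_count} source addresses cannot map 1:1 onto "
            f"{snat_count} SNAT addresses"
        )
    # Pair addresses by offset: the first source IP maps to the first SNAT IP.
    return {str(s0 + i): str(m0 + i) for i in range(src_count)}


if __name__ == "__main__":
    # Original poster's case: a /24 LAN behind a /29 fake subnet.
    print("10.0.0.0/24 fits 10.11.244.232/29:",
          subnet_fits("10.0.0.0/24", "10.11.244.232/29"))
    # First workaround from the thread: restrict the source to a range
    # that is the same size as the SNAT range.
    for src, dst in one_to_one_map("192.168.138.2", "192.168.138.6",
                                   "10.255.255.2", "10.255.255.6").items():
        print(f"{src} -> {dst}")
```
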