Can't route traffic into VPN tunnel


  • PeterUK
    So what interface is 10.11.244.232/29 on?
  • MicheleP
    It belongs to the "fake" subnet (see https://mysupport.zyxel.com/hc/en-us/articles/360003321659--ZyWALL-USG-How-to-configure-VPN-SNAT-on-Zyxel-gateways) that the other side of the tunnel wants our clients to appear in. So: our clients sit on 10.0.0.0/255.255.255.0 in our local subnet, but they must appear as 10.11.244.232/29 at the other side of the tunnel; it works correctly with NAT configured on the VPN connection.
  • PeterUK
    edited July 2020
    I see... I've not done a "fake" subnet with site-to-site, only a local policy with the true LAN subnet.

    I'll see if I can do this setup for testing.

    Edit: thinking about it, could the problem be that your LAN1 or LAN2 subnet is not the same size as the "fake" subnet?
  • PeterUK
    edited July 2020

    So I got the setup here working between a USG40 and a ZyWALL 110, even over an SSL VPN, and yes, you do need the routing rule. But I think I'm right about the subnet size: for Inbound/Outbound traffic NAT, the source NAT's source needs to be the same subnet size as the SNAT, and the same goes for destination NAT (original IP to mapped IP). The USG needs to do 1:1 NAT; if your LAN subnet is bigger than the fake subnet, it can't map all your IPs 1:1.


  • PeterUK
    edited July 2020

    Playing around with the setup, something odd happens with source NAT if the source subnet is bigger than the SNAT.


    Two ways around this.

    If the LAN is 192.168.138.0/28, fake it to be smaller so it fits in the SNAT: you keep the LAN as 192.168.138.0/28, but only 192.168.138.2 – 192.168.138.6 can go over the site-to-site, mapped to 10.255.255.2 – 10.255.255.6.


    or SNAT the whole source to a single SNAT IP.
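Worked example, added here and not from the thread or from Zyxel: the size constraint on 1:1 source NAT from the post above and the earlier USG40/ZyWALL 110 post, plus both workarounds, carried through in Python with the standard `ipaddress` module. It uses the thread's own subnets (the poster's 10.0.0.0/24 LAN and 10.11.244.232/29 fake subnet, and the 192.168.138.0/28 to 10.255.255.0/29 case); the function names, the choice of 10.11.244.233 as the single SNAT address, and the host addresses looked up are constructed for illustration and are not USG configuration syntax.

```python
"""Added example (not from the thread): the 1:1 source NAT size constraint
and the two workarounds, modelled with Python's ipaddress module.
Function names and the sample hosts below are constructed for illustration."""
import ipaddress


def one_to_one_snat_map(lan_subnet, snat_subnet):
    """Map every usable LAN host to the SNAT host at the same offset.
    1:1 NAT needs both subnets to hold the same number of addresses;
    a bigger LAN would leave hosts with no mapped address, so refuse it."""
    lan = ipaddress.ip_network(lan_subnet, strict=True)
    snat = ipaddress.ip_network(snat_subnet, strict=True)
    if lan.num_addresses != snat.num_addresses:
        raise ValueError(
            f"1:1 NAT needs equal-size subnets: {lan} has {lan.num_addresses} "
            f"addresses but {snat} has {snat.num_addresses}")
    return {str(src): str(mapped)
            for src, mapped in zip(lan.hosts(), snat.hosts())}


def _addr_range(first, last):
    """Inclusive list of addresses from first to last."""
    a = ipaddress.ip_address(first)
    b = ipaddress.ip_address(last)
    if b < a:
        raise ValueError("range end precedes range start")
    return [ipaddress.ip_address(int(a) + i) for i in range(int(b) - int(a) + 1)]


def range_snat_map(lan_first, lan_last, snat_first, snat_last):
    """Workaround 1 from the thread: only a slice of the LAN (e.g. .2-.6 of a
    /28) is NATed 1:1 into an equally sized slice of the fake subnet.
    Hosts outside the slice simply do not match and never cross the tunnel."""
    lan_hosts = _addr_range(lan_first, lan_last)
    snat_hosts = _addr_range(snat_first, snat_last)
    if len(lan_hosts) != len(snat_hosts):
        raise ValueError("ranges must be the same length for 1:1 NAT")
    return {str(s): str(m) for s, m in zip(lan_hosts, snat_hosts)}


def many_to_one_snat_map(lan_subnet, snat_ip):
    """Workaround 2: every LAN host is translated to one SNAT address
    (many-to-one), so the LAN subnet size no longer matters."""
    lan = ipaddress.ip_network(lan_subnet, strict=True)
    ip = ipaddress.ip_address(snat_ip)
    return {str(h): str(ip) for h in lan.hosts()}


def translate_source(src_ip, nat_table):
    """Source address a packet would carry inside the tunnel, or None when
    the NAT rule does not match (the host is not sent over the VPN)."""
    return nat_table.get(str(ipaddress.ip_address(src_ip)))


if __name__ == "__main__":
    # The original poster's case: a /24 LAN cannot be mapped 1:1 onto a /29.
    try:
        one_to_one_snat_map("10.0.0.0/24", "10.11.244.232/29")
    except ValueError as err:
        print("refused:", err)
    # Workaround 1: the thread's /28 LAN, .2-.6 only.
    t = range_snat_map("192.168.138.2", "192.168.138.6",
                       "10.255.255.2", "10.255.255.6")
    print(translate_source("192.168.138.3", t), translate_source("192.168.138.9", t))
    # Workaround 2: collapse the whole /24 onto one fake-subnet address (assumed .233).
    m = many_to_one_snat_map("10.0.0.0/24", "10.11.244.233")
    print(translate_source("10.0.0.77", m))
```

The refusal in `one_to_one_snat_map` is the check the thread says the USG effectively fails silently: with 254 usable LAN addresses and 6 usable fake addresses there is no 1:1 table to build, so either the matched source range has to shrink to the fake subnet's size or all sources collapse onto one address.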


  • MicheleP
    Yes Peter, I confirm what you say.
