DNS query via vti
All Replies
-
Hi ZyXel Team,
We've got the same issue at one of our customers.
2x USG60 (Datacenter1 and Datacenter2 - Site to Site)
The VTI IPsec connection is up and active but there is no traffic. If you want, I can send you the config of both USGs for analysis.
Thanks in advance
-
Hello d1CC,
Have you added policy routing on the device? Policy routing will let both datacenters communicate with each other.
Here is an example from the FAQ for your reference.
Link:
https://businessforum.zyxel.com/discussion/721/how-can-i-configure-ipsec-site-to-site-vpn-by-using-vti-on-the-usg#latest
Charlie
-
Thank you for the reference. Nevertheless, the issue is not the TCP traffic between the sites.
The problem is the UDP DNS traffic: the source IP is the WAN interface and not the local VLAN.
A policy route doesn't change the behavior. I'm still waiting for Zyxel support to come back to me.
-
Hello sebastian,
I tested it locally, and UDP traffic can flow in the VTI tunnel.
[Images: Server, Client]
I think the UDP packet is over the MTU in your scenario, causing the traffic to be dropped and not sent to the other side.
However, to avoid this issue, you need to enable the Ignore "Don't Fragment" Setting in IPv4 header option (enable this to fragment packets larger than the MTU), and check it again after flushing all sessions via the CLI (enter "debug conntrack flush").
Charlie
-
Thank you for the quick reply.
I do not see any effect. The nslookup is still not working. TCP traffic is working fine based on the policy routes.
-
Hello sebastian,
If the issue still appears after you enable the "Don't Fragment" Setting in IPv4 header option and enter "debug conntrack flush", please capture packets on the LAN interface on both sides while the issue is happening. I want to see what may be going wrong by analyzing the packets.
Here I show you the procedure so that you can capture packets from the device directly.
Otherwise, please PM me the configuration of both devices.
Charlie
-
Hello Charlie,
I have forwarded you the packet trace via PM. The problem isn't that UDP & TCP traffic is forwarded via the vti1 interface. The problem is that the source IP of the DNS packet is my wan1 interface IP and not the IP of the VLAN interface.
E.g. when I do a dig, I see traffic going to the vti1 interface but with the wrong source IP. If I do the same with dig @DNS Server via vti1, I get the correct response. The reason: in the first dig the source IP of the packet is my wan1 interface, and in the second it is the VLAN IP.
Best regards,
Sebastian
-
Hello Sebastian,
I tested it with a UDP session locally and captured packets on the VTI interface on both sides.
The source IP is the host IP, not the WAN interface IP. Here is my result, please check it. Link: https://drive.google.com/file/d/1tTrr8oIeihSN2ToKbjvy63AGcjci5hQe/view?usp=sharing
Could you share remote access for this case via PM so I can check?
Charlie
-
lalaland said:
Hi,
I had a similar case in the past, but the scenario was a site-to-site IPsec VPN; the issue was solved by a policy route. How about creating a policy route, assigning the next hop as the VTI, then doing SNAT?
Policy Route:
- existing Policy Route: incoming: any, source: USG60_LAN1_Subnet, dest: USG40_LAN_Subnet, next-hop: vti2, SNAT: none
- added Policy Route: incoming: any, source: USG60_LAN1_Subnet, dest: REMOTE_USG40, next-hop: vti2, SNAT: outgoing-interface
I have a USG60 & USG40, both on firmware V4.30, deployed over a Hong Kong metro LAN 10 km apart using VTI and two different business ISPs.
TCP traffic works great.
Like the OP, I had this same issue accessing the remote ZyWALL USGs from the other over a VTI as IPSec_VPN to ZyWALL for:
- remote DNS
- ssh (management)
- https (WEB UI)
Thanks heaps for the tip, and thank you for your help. Happy Chinese New Year!
Cheers mate!
Warwick
Hong Kong
-
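A small model of the two policy routes described in the post above, first-match evaluation with SNAT to the outgoing interface on the host rule, added here as an example and not code from the thread or from Zyxel. The subnets and interface addresses are constructed, and the /32 rule is placed before the subnet rule because a first-match evaluator would otherwise never reach it (an assumption; the post lists the existing rule first).

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses: the thread names these objects but gives no values.
USG60_LAN1_SUBNET = ipaddress.ip_network("192.168.1.0/24")  # LAN behind USG60
USG40_LAN_SUBNET = ipaddress.ip_network("192.168.2.0/24")   # LAN behind USG40
REMOTE_USG40 = ipaddress.ip_network("192.168.2.1/32")       # USG40's own LAN IP (DNS/ssh/https)
INTERFACE_IP = {                                            # assumed local interface addresses
    "vti2": ipaddress.ip_address("10.0.0.1"),
    "wan1": ipaddress.ip_address("203.0.113.10"),
}


@dataclass
class PolicyRoute:
    source: ipaddress.IPv4Network
    dest: ipaddress.IPv4Network
    next_hop: str
    snat: str  # "none" or "outgoing-interface"


# Host rule first: with first-match evaluation the /24 rule would otherwise
# swallow packets to 192.168.2.1 and the SNAT would never apply.
POLICY_ROUTES = [
    PolicyRoute(USG60_LAN1_SUBNET, REMOTE_USG40, "vti2", "outgoing-interface"),
    PolicyRoute(USG60_LAN1_SUBNET, USG40_LAN_SUBNET, "vti2", "none"),
]


def route_packet(src: str, dst: str) -> tuple[str, str]:
    """Return (egress interface, source IP after SNAT) for a packet src -> dst.

    Packets matching no policy route are assumed to take the default route out
    wan1 and to be NATed to the wan1 address.
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in POLICY_ROUTES:
        if src_ip in rule.source and dst_ip in rule.dest:
            new_src = INTERFACE_IP[rule.next_hop] if rule.snat == "outgoing-interface" else src_ip
            return rule.next_hop, str(new_src)
    return "wan1", str(INTERFACE_IP["wan1"])


if __name__ == "__main__":
    for dst in ("192.168.2.1", "192.168.2.77", "8.8.8.8"):
        print(dst, "->", route_packet("192.168.1.50", dst))
```

A query to the remote USG40's own address leaves vti2 with the vti2 address as source, so the reply comes back through the tunnel, while traffic to hosts behind it keeps the LAN source.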
Hi all those interested, I have updated a similar post with pertinent information at
https://businessforum.zyxel.com/discussion/1338/resolving-lan-hostnames-when-connected-to-vpn#latest
That post describes using a Domain Forwarder rule specifically with PUBLIC DNS SERVER, with the VTI1 end and Query = auto.
HTH
WarwickT
Hong Kong