VTI SiteA to SiteB - Is it possible to access SiteA L2TP SUBNET from SiteB over VTI?
Hi Zyxel-lads, I've a USG60 on SiteA LAN1_SUBNET (via ISP01) and a SiteB USG40 LAN1_SUBNET (ISP02), both at V4.30, in a solid VTI IPsec connection for office-to-office VTI .. works great!
SiteA LAN1_SUBNET to SiteA L2TP_SUBNET - works fine!
- 10.201.99.0/24 <---> 10.201.200.0/24 ...
However I'd like to access the SiteA L2TP connections via the VTI1 from SiteB
SiteA LAN1_SUBNET to SiteB LAN1_SUBNET
- 10.201.99.0/24 <---> 10.201.51.0/24 ... ok
SiteB LAN1_SUBNET <---> SiteA L2TP_SUBNET .. can't route it
- 10.201.51.0/24 X---X 10.201.200.0/24
- Policy Route SiteB from LAN1_SUBNET, SiteA_L2TP_subnet via Tunnel VTI1
- SiteA Security Policy Allow anything from SiteB from LAN1_SUBNET to SiteA_L2TP_subnet via Tunnel VTI1
SiteA Security Policy: I see the Forward Access in LOGs ..... then nothing .. feels like the route at SiteA or SiteB is incorrect.
Any clues?
B/R
Warwick
Hong Kong
Comments
For your case, I will use static route instead of policy route.
At Site A,
one static route: 10.201.51.0/255.255.255.0, next-hop: vti
At Site B,
two static routes:
10.201.99.0/255.255.255.0, next-hop: vti
10.210.200.0/255.255.255.0, next-hop: vti
Hi Lan31, a belated thank you! for this advice.
- Policy Routes for to VTI1 SiteA & SiteB = INACTIVATED
- Use IPV4 Policy Route to Overide = UNTICKED
The static routes with NEXT HOP to VTI1 result in:
- does NOT route from SiteA LAN1_SUBNET 10.201.99.0/24 to SiteB LAN_SUBNET 10.201.51.0/24
- however DOES work from SiteB to SiteA for 10.201.51.0/24 to 10.201.99.0/24
- does NOT route from SiteB LAN1_SUBNET 10.201.51.0/24 to SiteB L2TP_SUBNET 10.201.200.0/24
Any clues?
FWIW, the Policy Routes work as follows when I activate them as per my Orig Post.
Hi USG VTI users, here's the production working resolution for the original post:
Problem:
a USG60 on SiteA LAN1_SUBNET (via ISP01) and SiteB USG40 LAN1_SUBNET (ISP02) at V4.30 in a solid VTI IPsec connection for office-to-office VTI .. works great!
SiteA LAN1_SUBNET to SiteA L2TP_SUBNET - works fine!
- 10.201.99.0/24 <---> 10.201.200.0/24 ...
SiteA LAN1_SUBNET to SiteB LAN1_SUBNET
- 10.201.99.0/24 <---> 10.201.51.0/24 ... ok
SiteB LAN1_SUBNET <---> SiteA L2TP_SUBNET .. can't route it
- 10.201.51.0/24 X---X 10.201.200.0/24
- Policy Route SiteB from LAN1_SUBNET, SiteA_L2TP_subnet via Tunnel VTI1
- SiteA Security Policy Allow anything from SiteB from LAN1_SUBNET to SiteA_L2TP_subnet via Tunnel VTI1
IPV4 Address Objects:
SiteA_L2TP_SUBNET: 10.201.200.0/24
SiteA_LAN1_SUBNET: 10.201.99.0/24
SiteA_VTI1_GATEWAY: 10.10.10.10
SiteA_L2TP_CONNECTION: (local Policy = WAN1_INTERFACE, VPN Gateway: SiteA_L2TP_Gateway)
SiteB_LAN1_SUBNET: 10.201.51.0/24
SiteB_VTI1_GATEWAY: 10.10.10.20
RESOLUTION
SiteB Policy Route
- Incoming: any (Excluding Zywall)
- Source: SiteB_LAN1_SUBNET
- Destination: SiteA_L2TP_SUBNET
- Next Hop: vti1
- SNAT: outgoing-interface
SiteA Policy Route
- Incoming: vti1
- Source: SiteB_LAN1_SUBNET
- Destination: SiteA_L2TP_SUBNET
- Next Hop: VPN Tunnel [ SiteA_L2TP_CONNECTION ]
- SNAT: none
SiteA Security Policy
- From: Any
- To: any (Excluding Zywall)
- Source: SiteA_VTI1_GATEWAY
- Destination: SiteA_L2TP_SUBNET
Diagnostics
- Without the SiteA Policy Route from VTI1 for SiteB_LAN1_SUBNET to SiteA_L2TP_SUBNET into the L2TP VPN Connection, packets would be FORWARDED and then lost
- Without SNAT on the Policy Route, SiteB_LAN1_SUBNET to SiteA_L2TP_SUBNET packets are FORWARDED to SiteA_L2TP_SUBNET via the VTI1 tunnel and lost without a return .. (SNAT?)
- Without the SiteA Security Policy, traffic from SiteA_VTI1_GATEWAY specifically destined for SiteA_L2TP_SUBNET would be BLOCKED
Conclusions
- VTI is very very cool.... especially as it can be routed easily with Policy Routes.
- I've had this issue for nearly 8 months, having searched most everywhere; others with VTI-capable USG appliances have also had similar requests. Workarounds were to use a separate IPsec L2TP gateway ... (works ok .. however it defeats the wonderful VTI function and unnecessarily consumes VPN Tunnel Connections on a highly utilised Zyxel USG appliance.)
- Would recommend ZYXEL add this scenario to their very very basic documentation for configuring VTI tunnels (avoid its customer base frustration with VTI deployment) .. Zyxel_Charlie ?
- Also easily configured conversely for SITEA_LANx_SUBNET to SiteB_L2TP_SUBNET over the same single VTI.
HTH
Warwick
Hong Kong
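The resolution above can be walked through with a small route-tracing model. This is an added example, not Zyxel code and not a reproduction of the USG forwarding engine: it treats policy routes as first-match, static and connected routes as longest-prefix, and the security policy as an allow list, then traces the SiteB LAN to SiteA L2TP client request and the client's reply under each of the three Diagnostics cases. Subnets, next hops and the two VTI gateway addresses are taken from the thread; the host addresses, the 10.10.10.0/24 VTI link prefix, the `l2tp` incoming interface name, SiteB's permissive firewall and the widening of the SiteA L2TP-bound rules to source `any` are assumptions of the model.

```python
"""Hop-by-hop route trace for the thread's VTI + L2TP scenario (added example).

Model: security policy allow-list first, then policy routes (first match wins),
then static/connected routes (longest prefix wins). Not the USG's real engine.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Subnets from the thread; VTI link prefix and host addresses are constructed.
SITEB_LAN, SITEA_LAN, SITEA_L2TP = "10.201.51.0/24", "10.201.99.0/24", "10.201.200.0/24"
VTI_LINK = "10.10.10.0/24"                                  # assumed link prefix
SITEB_HOST, L2TP_CLIENT = "10.201.51.10", "10.201.200.5"    # constructed hosts


def _in(addr: str, cidr: str) -> bool:
    return cidr == "any" or ip_address(addr) in ip_network(cidr)


@dataclass
class PolicyRoute:
    incoming: str                 # "any" or an incoming interface name
    source: str                   # CIDR or "any"
    destination: str              # CIDR or "any"
    next_hop: str                 # interface name or "vpn:<connection name>"
    snat: Optional[str] = None    # None or "outgoing-interface"


@dataclass
class Firewall:
    name: str
    interfaces: dict              # iface -> (own address, connected prefix)
    policy_routes: list = field(default_factory=list)
    static_routes: list = field(default_factory=list)   # (prefix, next hop)
    allow: list = field(default_factory=list)           # (src CIDR, dst CIDR)

    def forward(self, in_iface: str, src: str, dst: str):
        """Return (next_hop, source after SNAT, reason); next_hop None = dropped."""
        if not any(_in(src, s) and _in(dst, d) for s, d in self.allow):
            return None, src, "blocked by security policy"
        for pr in self.policy_routes:
            if pr.incoming in ("any", in_iface) and _in(src, pr.source) and _in(dst, pr.destination):
                out_src = self.interfaces[pr.next_hop][0] if pr.snat == "outgoing-interface" else src
                return pr.next_hop, out_src, "policy route"
        routes = list(self.static_routes) + [(p, i) for i, (_, p) in self.interfaces.items()]
        hits = [(ip_network(p), nh) for p, nh in routes if ip_address(dst) in ip_network(p)]
        if not hits:
            return None, src, "no route"
        return max(hits, key=lambda h: h[0].prefixlen)[1], src, "static/connected route"


def build(site_a_policy_route: bool, site_a_allow: bool, snat: bool):
    site_b = Firewall(
        "SiteB", {"lan1": ("10.201.51.1", SITEB_LAN), "vti1": ("10.10.10.20", VTI_LINK)},
        policy_routes=[
            PolicyRoute("any", SITEB_LAN, SITEA_LAN, "vti1"),          # office-to-office
            PolicyRoute("any", SITEB_LAN, SITEA_L2TP, "vti1",         # the thread's SiteB route
                        snat="outgoing-interface" if snat else None),
        ],
        allow=[("any", "any")],   # SiteB's firewall rules are not at issue; modelled permissive
    )
    site_a = Firewall(
        "SiteA", {"lan1": ("10.201.99.1", SITEA_LAN), "vti1": ("10.10.10.10", VTI_LINK)},
        policy_routes=[PolicyRoute("lan1", SITEA_LAN, SITEB_LAN, "vti1")],   # office-to-office
        allow=[(SITEA_LAN, "any"), (SITEA_L2TP, "any")],
    )
    if site_a_policy_route:   # the route the thread adds: vti1 -> L2TP VPN connection
        site_a.policy_routes.append(PolicyRoute("vti1", "any", SITEA_L2TP, "vpn:SiteA_L2TP_CONNECTION"))
    if site_a_allow:          # the security policy the thread adds (source widened to "any" here)
        site_a.allow.append(("any", SITEA_L2TP))
    return site_a, site_b


def trace(site_a_policy_route=True, site_a_allow=True, snat=True):
    """Trace the request and the client's reply; returns the two hop lists."""
    site_a, site_b = build(site_a_policy_route, site_a_allow, snat)
    request, reply = [], []
    hop, src, why = site_b.forward("lan1", SITEB_HOST, L2TP_CLIENT)
    request.append(("SiteB", hop, why))
    if hop == "vti1":
        hop, _, why = site_a.forward("vti1", src, L2TP_CLIENT)
        request.append(("SiteA", hop, why))
    if request[-1][1] != "vpn:SiteA_L2TP_CONNECTION":
        return request, reply             # never reached the client, so no reply
    # The client answers whatever source it saw: SiteB's vti1 address if SNAT applied.
    hop, _, why = site_a.forward("l2tp", L2TP_CLIENT, src)
    reply.append(("SiteA", hop, why))
    if hop == "vti1":
        dst = SITEB_HOST if snat else src   # SiteB undoes its own SNAT on the way back
        hop, _, why = site_b.forward("vti1", L2TP_CLIENT, dst)
        reply.append(("SiteB", hop, why))
    return request, reply


if __name__ == "__main__":
    cases = [("working", {}), ("no SiteA policy route", {"site_a_policy_route": False}),
             ("no SNAT at SiteB", {"snat": False}), ("no SiteA security policy", {"site_a_allow": False})]
    for label, kw in cases:
        req, rep = trace(**kw)
        print(f"{label}: request={req} reply={rep}")
```

The four labelled traces show the hop at which each misconfiguration drops the flow: without the SiteA policy route the request has no route at SiteA, without the security policy it is blocked there, and without SNAT the request reaches the client but the reply, addressed to a SiteB LAN host, finds no route back at SiteA, whereas the SNATed reply targets the VTI link itself, which SiteA holds as a connected route. That account of the no-SNAT return failure is one explanation consistent with the thread's "(SNAT?)" observation under the model's assumptions, not a finding of the thread.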