VTI SiteA to SiteB - Is is possible to access SiteA L2TP SUBNET from SiteB over VTI?

Options
warwickt
warwickt Posts: 111  Ally Member
First Anniversary Friend Collector First Answer First Comment
edited April 2021 in Security
Hi Zyxel-lads, I've a USG60 on SiteA LAN1_SUBNET (via ISP01) and SiteB USG40 LAN1_SUBNET (ISP02) at V4.30 in a solid VTI  IPSEC connection for Office to Office VTI .. work great!.  =)

SiteA LAN1_SUBNET to SiteA L2TP_SUBNET - works fine!  :)
  • 10.201.99.0/24  <---> 10.201.200.0/24 ...   :)


However I'd like to access the SiteA L2TP connections via the VTI1 from SiteB

SiteA LAN1_SUBNET to SiteB LAN1_SUBNET  :)
  • 10.201.99.0/24  <---> 10.201.51.0/24 ...  ok

SiteB LAN1_SUBNET <--->  SiteA L2TP_SUBNET  .. can't route it  :'( 
  • 10.201.51.0/24 X---X 10.201.200.0/24 
  • Policy Route SiteB  from LAN1_SUBNET , SiteA_L2TP_subnet via Tunnel VTI1
  • SiteA Security Policy Allow anything from SiteB  from LAN1_SUBNET to SiteA_L2TP_subnet via Tunnel VTI1

SiteA Security Policy: I see the Forward Access in LOGs ..... then nothing .. feels like the route at Site or SiteB is incorrect.

Any clues?

B/R

Warwick
Hong Kong



Comments

  • Ian31
    Ian31 Posts: 174  Master Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    For your case, I will use static route instead of policy route.
    At Site A,
    one static route: 10.201.51.0/255.255.255.0, next-hop: vti

    At Site B,
    two static routes:
    10.201.99.0/255.255.255.0, next-hop: vti
    10.210.200.0/255.255.255.0, next-hop:vti

  • warwickt
    warwickt Posts: 111  Ally Member
    First Anniversary Friend Collector First Answer First Comment
    Options
    Hi Lan31, a belated thank you!  :3 for this advice.

    1. Policy Routes for to VTI1 SiteA & SiteB = INACTIVATED
    2. Use IPV4 Policy Route to Overide = UNTICKED


    The static routes with NEXT HOP to VTI1 results :
    • :'( do NOT route from SiteA LAN1_SUBNET 10.201.99.0/24 to SiteB LAN_SUBNET 10.201.51.0/24
    • :)  however DOES work from SiteB to SiteA for 10.201.51.0/24 to 10.201.99.0/24  
    •  '( do NOT route from SiteB LAN1_SUBNET 10.201.51.0/24 to SiteB L2TP_SUBNET 10.201.200.0/24
    Diags: On SiteA logs , I see the Security Policy log (log-yes) for the SiteB IPSEC_VPN OUT /10.201.51/24 (over VTI1) to the SiteA L2TP_SUBNET (10.201.200.0/24) with "Access Forwarded" .. then times out.

    Any clues? 

    FWIW, the Policy Routes work as follows when I activate them as per my Orig Post.

  • warwickt
    warwickt Posts: 111  Ally Member
    First Anniversary Friend Collector First Answer First Comment
    edited February 2018
    Options
    Hi USG VTI users, here's the production working resolution for the original post:

    Problem:

    a USG60 on SiteA LAN1_SUBNET (via ISP01) and SiteB USG40 LAN1_SUBNET (ISP02) at V4.30 in a solid VTI  IPSEC connection for Office to Office VTI .. work great!.   
    SiteA LAN1_SUBNET to SiteA L2TP_SUBNET - works fine!   
    • 10.201.99.0/24  <---> 10.201.200.0/24 ...   
    However I'd like to access the SiteA L2TP connections via the VTI1 from SiteB
    SiteA LAN1_SUBNET to SiteB LAN1_SUBNET   
    • 10.201.99.0/24  <---> 10.201.51.0/24 ...  ok

    SiteB LAN1_SUBNET <--->  SiteA L2TP_SUBNET  .. can't route it   
    • 10.201.51.0/24 X---X 10.201.200.0/24 
    • Policy Route SiteB  from LAN1_SUBNET , SiteA_L2TP_subnet via Tunnel VTI1
    • SiteA Security Policy Allow anything from SiteB  from LAN1_SUBNET to SiteA_L2TP_subnet via Tunnel VTI1

    IPV4 Address Objects:

    SiteA_L2TP_SUBNET: 10.201.200./0/24
    SiteA_LAN1_SUBNET: 10.201.99./0/24
    SiteA_VTI1_GATEWAY: 10.10.10.10
    SiteA_L2TP_CONNECTION :  (local Policy = WAN1_INTERFACE, VPN Gateway: SiteA_L2TP_Gateway

    SiteB_LAN1_SUBNET: 10.0.201.51.0/24
    SiteB_VTI1_GATEWAY: 10.10.10.20

    RESOLUTION  B)

    SiteB Policy Route 
    • Incoming: any (Excluding Zywall)
    • Source: SiteB_LAN1_SUBNET
    • Destination:   SiteA_L2TP_SUBNET
    • Next Hop: vti1
    • SNAT: outgoing-interface  
    SiteA Policy Route
    • Incoming: vti1
    • Source: SiteB_LAN1_SUBNET
    • Destination: SiteA_L2TP_SUBNET
    • Next Hop: VPN Tunnel [ SiteA_L2TP_CONNECTION ]
    • SNAT: none
    SiteA Security Policy
    • From: Any
    • To: any (Excluding Zywall)
    • Source: SiteA_VTI1_GATEWAY
    • Destination: SiteA_L2TP_SUBNET

    Diagnostics

    1. Without SiteA Policy Route from VT11 from SiteB_LAN1_SUBNET to SiteA_L2TP_SUBNET to the L2TP VPN Connection, packets would be FORWARDED to and lost 
    2. Without SNAT on Policy Route, SiteB_LAN1_SUBNET to SiteA_L2TP_SUBNET packets FORWARDED to SiteA_L2TP_SUBNET via VTI1 tunnel and lost without a return .. (SNAT?)
    3. Without SiteA Security Policy, traffic from SiteA_VTI1_GATEWAY specifically destined for SiteA_L2TP_SUBNET would be BLOCKED

    Conclusions

    1. VTI is very very cool.... especially its use to be routed easily with Policy Routes.
    2. I've had this issue for nearly 8 months having searched most everywhere and others with VTI capable USG appliances have also had a similar requests from others. Workarounds were to use a separate IPSEC L2TP gateway... (  works ok .. however defeats the wonderful VTI function and unnecessarily consumes up VPN Tunnel Connections on a highly utilised Zyxel USG appliance.)
    3. Would recommend ZYXEL add this scenario to there very very basic documentation for configuring VTI tunnels. (avoid its customer base frustration with VTI deployment) .. Zyxel_Charlie ? 
    4. Also easily configured conversely for SITEA_LANx_SUBNET to SiteB_L2TP_SUBNET over same single VTI.

    HTH

    Warwick
    Hong Kong 





Security Highlight