Site to Site VPN connection established, but no traffic

Garrett
Garrett Posts: 6
edited April 2021 in Security
Hi there, my case is as follows.
Company has a static IP, Zyxel USG50 (+ a branch with a static IP and a USG60, site-to-site working reliably).
Home: I bought an LTE7240-M403 and used a discarded USG50 to make a network at home to connect to my company LAN. I studied the previous configuration between the company and its branch and was able to connect the IPsec VPN link between home and company, but no traffic. I then switched configurations on the LTE7240 (switched from IP Passthrough to Router mode) and made new VPN connections with the quick wizard, and again the tunnel was created but no traffic. I have checked and double-checked the routing and firewall policies, but no banana. Firewall rules allow traffic from IPsec tunnels to Any (but ZyWALL) and another for ZyWALL. Routing is from lan1, source: local-ip-range/24, destination: remote-ip-range/24, next hop is the correct tunnel.
Home:                    10.10.13.1|Dyn Out         Fixed IP|10.10.15.1
Home LAN ===== USG50 ===== LTE7240 ===== (Internet) ===== USG50 ===== Co LAN
10.10.14.0/24  10.10.14.1|10.10.13.2                              10.10.15.0/24
If I have the tunnel up, then I don't have to worry about the settings on the LTE7240 (currently without firewall), right?
What am I missing here? No NAT rules defined; in my understanding I don't need any (the site-to-site tunnel to the branch works without).



#Biz_Jan_2020

All Replies

  • Mijzelf
    Mijzelf Posts: 2,605  Guru Member
    The subnet at the inside of the LTE7240 is not shorter than 24 bits?
  • Garrett
    Thank you for the reply,
    The subnet is 24 bits in the LTE7240 (10.10.13.1, mask 255.255.255.0). I guess if it were shorter then the traffic could be sent to the LTE router instead of the tunnel? Is that what you were thinking?

  • Garrett
    Garrett Posts: 6
    edited January 2020
    I did manage to find an error in the order of the route policies on the home USG50. Now I can ping the company's router and one device on the network that is not that picky about pings (receipt printer). However, pinging from a company computer (Windows or Linux) will not go through to the home network. Attempts to connect to HTTP servers at the company also fail.
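    Two of the checks raised in this thread (Mijzelf's question about the LTE7240's inside subnet being wider than /24, and the policy-route ordering error on the home USG50) can be reproduced on paper before touching the box. The script below is an added example, not code from the thread or from Zyxel: it models first-match policy routing with Python's standard `ipaddress` module, flags routes that are shadowed by an earlier, broader rule, and reports any local or transit subnet that overlaps the remote LAN (traffic for an overlapping destination never enters the tunnel). The subnets and route names are constructed from the diagram in the first post; the route table layout is an assumption, not the USG's actual config format.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4Network = ipaddress.IPv4Network


@dataclass(frozen=True)
class PolicyRoute:
    """One policy-route entry as a first-match router evaluates it (assumed model)."""
    name: str
    src: IPv4Network
    dst: IPv4Network
    next_hop: str  # e.g. "vpn-tunnel" or "wan"


def net(cidr: str) -> IPv4Network:
    """Parse a CIDR string; strict=False lets a host address like 10.10.14.1/24 stand for its subnet."""
    return ipaddress.ip_network(cidr, strict=False)


def first_match(routes: List[PolicyRoute], src_ip: str, dst_ip: str) -> Optional[PolicyRoute]:
    """Return the first route whose source and destination contain the packet, like a top-down policy table."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for route in routes:
        if src in route.src and dst in route.dst:
            return route
    return None


def shadowed_routes(routes: List[PolicyRoute]) -> List[Tuple[str, str]]:
    """Return (earlier, later) name pairs where the later route can never match,
    because an earlier route covers all of its source and destination space."""
    pairs = []
    for i, earlier in enumerate(routes):
        for later in routes[i + 1:]:
            if later.src.subnet_of(earlier.src) and later.dst.subnet_of(earlier.dst):
                pairs.append((earlier.name, later.name))
    return pairs


def most_specific_first(routes: List[PolicyRoute]) -> List[PolicyRoute]:
    """Reorder so the narrowest destination (then source) prefix is evaluated first; stable for ties."""
    return sorted(routes, key=lambda r: (r.dst.prefixlen, r.src.prefixlen), reverse=True)


def conflicting_subnets(remote_lan: IPv4Network, local_nets: List[IPv4Network]) -> List[IPv4Network]:
    """Return every local or transit subnet that overlaps the remote LAN.
    Hosts in an overlapping subnet are treated as directly connected, so the tunnel is bypassed."""
    return [n for n in local_nets if n.overlaps(remote_lan)]


# Constructed sample data, taken from the topology sketch in the thread (assumed, not the real config).
HOME_LAN = net("10.10.14.0/24")
COMPANY_LAN = net("10.10.15.0/24")
LTE_INSIDE = net("10.10.13.0/24")

# The ordering mistake described above: a catch-all WAN route listed before the tunnel route.
ROUTES_AS_CONFIGURED = [
    PolicyRoute("lan1-to-wan", HOME_LAN, net("0.0.0.0/0"), "wan"),
    PolicyRoute("lan1-to-company", HOME_LAN, COMPANY_LAN, "vpn-tunnel"),
]

if __name__ == "__main__":
    print("shadowed:", shadowed_routes(ROUTES_AS_CONFIGURED))
    hit = first_match(ROUTES_AS_CONFIGURED, "10.10.14.9", "10.10.15.1")
    print("as configured, 10.10.14.9 -> 10.10.15.1 goes via:", hit.next_hop)
    fixed = most_specific_first(ROUTES_AS_CONFIGURED)
    hit = first_match(fixed, "10.10.14.9", "10.10.15.1")
    print("after reordering, it goes via:", hit.next_hop)
    print("overlap with /24 LTE subnet:", conflicting_subnets(COMPANY_LAN, [HOME_LAN, LTE_INSIDE]))
    print("overlap with a /16 LTE subnet:", conflicting_subnets(COMPANY_LAN, [HOME_LAN, net("10.10.0.0/16")]))
```

    Run it as-is to see the catch-all route swallow the tunnel traffic, then the same lookup succeed once the /24 route is evaluated first; the last two lines show why a /16 on the LTE7240's inside interface would have been a problem while a /24 is harmless.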
  • Garrett
    Update: I have tried to make a VPN tunnel between home (USG50) and the branch (USG60) and everything works. I can probably live with that, since there are vacant IP numbers available for the branch also. (*)
    But even when I delete all the entries from both USG50s (home and company) and build a new tunnel from scratch, it doesn't work. I can only ping the company network and can connect to the USG50 control panel from home, but I cannot SSH nor HTTP to the company web server. All connection attempts from company to home are lost: ping, HTTP, SSH... They all work from the branch office.
    (*) I still have to learn the routing and firewall mechanism that will redirect HTTP requests from one IP to the tunnel and on to the server I have at home. Any helpers?
    Web request             branch router                  home router   home server
    http://192.34.IP.XXX ----> USG60 ---> VPN Tunnel ---> USG50 ---> local:10.10.14.9

  • Wiasouda
    Wiasouda Posts: 156  Master Member
    Hi @Garrett,

    If you have a problem or question about the USG50, I recommend you post it on the ZyWALL USG Series board of the Zyxel Biz Forum for better assistance.
    https://businessforum.zyxel.com/categories/security-zywall-usg-series
