USG60W site-to-site VPN behind a NAT router

packetflow76
packetflow76 Posts: 3
First Comment
edited April 2021 in Security
Hi everyone, 

using an USG60W I set up a site-to-site VPN, on the other side there's a Cisco ASA. 
VPN is working just fine. 

I was then asked to provide failover using a secondary router and I did it creating a 'trunk' with 'llf' algorithm. 
The trunk works great and when WAN 1 is unplugged WAN 2 comes up and we're able to navigate to the internet. 

WAN 1 has a public IP assigned while WAN 2 has a private IP and goes out to the internet
using a fiber router's public interface. 

Problem arises upon failover because the VPN's tunnel that worked using WAN 1 doesn't work when using WAN 2. 
All the IKE and IPSEC settings are the same between WAN 1 and 2 because when I defined VPN gateway I put 
'0.0.0.0' as 'my address' so the tunnel using whatever WAN is active in that moment. 

My idea of the problem is that in case of WAN 2 we're using a NAT router, that's the only difference I noticed. 
In the logs I can see the the IKEv2 connection attempt with the secure gateway on the other side and then I 
see 'peer not reachable' message but nothing more verbose; right now logs are in debug mode. 

I followed this tutorial 

and put NAT rule accordinly but that didn't help either. 

The fiber router has port forwarding for ports 500, 4500, 50 and 51 from its external interface to Zyxel's WAN 2

I even tried to disable the security policy but right now I ran out of ideas. 

On the Cisco ASA they see connection attempt and they also see the message 'failed to find a matching policy'. 


Any help is greatly appreciated. 

Thanks for your time.

Comments

Security Highlight