NSG VPN VLAN no connection
Hi All,
I have a configuration like below:
NSG200 as VPN HUB with LAN interface subnet 200.126.100.0/24 and VLAN 200.126.100.0/24.
SITE-TO-SITE connection with non-Nebula peer with subnet 200.126.19.0/24.
The tunnel is running well, I can ping from 200.126.19.0/24 to 200.126.100.0/24 but can't reach VLAN 200.126.100.0/24.
I was trying with policy routes on both sides. It looks like VLAN routing works only with Nebula devices, as with the same configuration on a Nebula device I can easily reach VLANs.
All Replies
-
Hi @Lukasz,
According to your description, there are things we would like to verify:
- Do you select the "Use VPN" on LAN interface 200.126.100.0/24 of NSG200 on your site? (When Use VPN is enabled, NSG will create a hidden policy route, from your LAN interface to ANY via VPN tunnel)
- Does the policy route of the non-Nebula device choose the right VPN tunnel?
- May I know what device the non-Nebula peer is? Or is it a Nebula Gateway but in a different Organization?

Adam
-
1. Yes, I did. 200.126.100.0 is reachable over VPN.
2. I have two policies on the non-Nebula device, one for 200.126.100.0/24, second for 200.126.10.0/24 (I'm sorry, my mistake in the first post, VLAN is 200.126.10.0/24).
3. Advantech ICR-160.
-
@Lukasz,
Your current configuration should be the following:
Site-to-Site is established successfully.

Device subnet:
NSG200
- subnet-1: 200.126.10.0/24 (unreachable from ICR-160)
- subnet-2: 200.126.100.0/24 (reachable from ICR-160, Use VPN selected)
ICR-160
- subnet: 200.126.19.0/24

Policy route:
ICR-160
1. Src-IP: 200.126.19.0/24 Dst-IP: 200.126.10.0/24 next-hop: VPN tunnel
2. Src-IP: 200.126.19.0/24 Dst-IP: 200.126.100.0/24 next-hop: VPN tunnel

Please correct me if the above information is wrong.

Question:
1. Do you enable Use VPN for subnet 200.126.10.0/24 of NSG200 as well?
(If so, but you still cannot ping from subnet 200.126.19.0/24 to 200.126.10.0/24, please help us to enable Zyxel Support, which is located at HELP > Support request page, and provide us your organization name so that we could have access to investigate the issue.)

Adam