USG40 IPsec VPN: some TCP protocols are blocked

flefebure
edited April 2021 in Security
Hi,
We have an IPsec gateway configured on a USG40W behind a VDSL router.

I connect to this VPN from an Ubuntu laptop with Shrew VPN client.
Many protocols have no problems, e.g. SSH, Telnet, HTTP/S over various ports, MySQL...
But I have problems (connections hang) with:
   Oracle databases (TCP 1521)
   GIT server over SSH (SSH access to the server is OK)
   the USG40W admin page (after login it hangs on https://xxx.xxx.xxx.xxx:4443/cgi-bin/zysh-cgi)

Any idea?
Franck

Comments

  • Zyxel_Cooldia
    Hi @flefebure,
    Once the VPN is established, IP-layer routing should be able to forward the packets to the intranet.
    If it fails on a specific service port, it could be affected by a security policy rule.
    Can you check the security rule log on the USG? Is there any packet blocking log?
  • flefebure
    edited May 2018
    Hi @Zyxel_Cooldia, thanks for your answer,

    I meet the problems when connected from my home's ADSL.
    Today I'm at the office, with the same laptop, so to answer your question, I try to reproduce the problem with these steps:
      - disconnect laptop from the office's LAN
      - connect it to Internet through a 4G connection (with my mobile internet sharing)
      - mount the VPN
      - access one of the blocked resources.

    ==> They are now all accessible! The problem seems gone.
    It's weird because when I'm at home the problem is totally reproducible.

    So it doesn't look like a firewall problem. That sounds like an MTU problem or something related (but I'm not a network specialist).

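The MTU suspicion in the post above is the kind of thing a path-MTU probe settles: if large DF-marked packets are silently dropped somewhere between the ADSL line and the tunnel, bulk-transfer protocols (Oracle result sets, git pack data, a large admin page) hang while small-packet sessions like interactive SSH work. The script below is an added example, not code from the thread or from Zyxel; it assumes Linux iputils ping on the Ubuntu laptop and a hypothetical intranet host address passed as the first argument.

```shell
#!/bin/bash
# Path-MTU probe through a VPN tunnel: find the largest ICMP payload that
# crosses the path with the DF (don't fragment) bit set, then derive the
# path MTU and the TCP MSS that would fit inside it.
# Assumes Linux iputils ping: -M do sets DF, -s is the payload size in bytes,
# -c 1 sends one probe, -W 2 waits two seconds for a reply.

# Returns 0 if a DF-marked ping of $2 payload bytes reaches host $1, 1 otherwise.
ping_df() {
    ping -M do -c 1 -W 2 -s "$2" "$1" >/dev/null 2>&1
}

# Binary-search the largest payload in [lo, hi] for which "$probe host size"
# succeeds. $1 = host, $2 = probe function name, $3 = low bound, $4 = high bound.
# Prints the largest working payload, or 0 if even the low bound fails.
find_max_payload() {
    local host=$1 probe=$2 lo=$3 hi=$4 best=0 mid
    "$probe" "$host" "$lo" || { echo 0; return 0; }
    best=$lo
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$probe" "$host" "$mid"; then
            best=$mid; lo=$((mid + 1))   # fits: search larger sizes
        else
            hi=$((mid - 1))              # dropped: search smaller sizes
        fi
    done
    echo "$best"
}

# ICMP payload + 8-byte ICMP header + 20-byte IPv4 header = path MTU on the probed path.
payload_to_mtu() { echo $(( $1 + 28 )); }

# Largest TCP MSS that fits in that MTU: subtract 20-byte IPv4 and 20-byte TCP headers.
mtu_to_mss() { echo $(( $1 - 40 )); }

# Usage: ./pmtu_probe.sh <intranet-host>  (nothing is sent when no host is given).
# 1472 is the largest payload that fits a 1500-byte Ethernet MTU; a much smaller
# result through the tunnel points at ESP/NAT-T overhead that the far side drops.
if [ -n "${1:-}" ]; then
    payload=$(find_max_payload "$1" ping_df 500 1472)
    mtu=$(payload_to_mtu "$payload")
    echo "largest DF payload: $payload bytes -> path MTU $mtu, clamp TCP MSS to $(mtu_to_mss "$mtu")"
fi
```

If the probe reports a path MTU well below 1500 while the hanging protocols are the bulk-data ones, clamping the TCP MSS on the gateway or lowering the tunnel MTU is the usual fix; if every size up to 1472 passes, the hang is not a fragmentation black hole.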
  • Zyxel_Cooldia
    Hi @flefebure,
    Do you have a packet capture on the server side (service-side packet trace) when you use the VPN to connect to the Oracle databases and GIT server from home?
    Just want to confirm whether the server receives the connection packets on the specific port from the VPN client.
