Site2Site VPN Routing not working (USG60 to USG60)

stephan
stephan Posts: 15  Freshman Member
I am trying to integrate our branch office into our network.
For this I set up a Site2Site VPN between the two USG60 devices (one on each end).
This Site2Site VPN works (at least it is listed as "connected").

However, I can not reach resources in the HQ network from the branch network (assuming vice-versa, but not tested).
Here is what I have:
When trying to ping 10.0.0.X from a 192.168.178.X address, it doesn't work.
So I created 2 policy routes.
One at the branch
One at the HQ
I thought this was all I need, but I am still unable to reach any device in the HQ network from the branch.
I even checked the security policies, but nothing stands out there as being disallowed.

I am probably missing something elemental. But since I am not a trained network engineer, I am stuck right now.

Answers

  • mMontana
    mMontana Posts: 428  Master Member
    Are any of the subnets you're using for LAN1 of HQ and Branch used in other settings?
    You can check into the objects of the firewall.
  • stephan
    stephan Posts: 15  Freshman Member
    On Branch side, LAN1 subnet is only referenced in the VPN connection and the policy route I mentioned above.

    On HQ side, LAN1 subnet has more references besides that:

    * A policy route directing traffic from one of our WAN IPs to our mail server (though the LAN1 subnet doesn't appear explicitly in the settings there?)
    * A policy route for the L2TP IPsec VPN we have running on HQ
    * A policy route directing WINS traffic from our L2TP IPsec VPN to our internal WINS server

    See screenshot.
    https://i.imgur.com/43vv5Nr.jpeg

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 200  Zyxel Employee

    Hi @stephan

    Can you provide those two USG60(HQ and branch sites) config files to us via private message?
    We can help to check on your settings.

  • stephan
    stephan Posts: 15  Freshman Member
    edited October 27

    Hi @stephan

    Can you provide those two USG60(HQ and branch sites) config files to us via private message?
    We can help to check on your settings.

    I sent the cfgs to your account via PN.
    Any idea in what direction I can start troubleshooting in the meantime?


    /edit: Sorry for my wording with "debugging". This is most probably NOT a bug. Updated the post with more accurate language.
  • Zyxel_Jeff
    Zyxel_Jeff Posts: 200  Zyxel Employee

    We applied your configs and found that the HQ subnet IP (10.0.0.2) can ping the branch site subnet IP (192.168.178.101). Can you check whether the Windows firewall on your branch-site PC (192.168.178.X) is disabled?

  • stephan
    stephan Posts: 15  Freshman Member
    Sorry if I was confusing.
    Last time I was at the branch office and tried to ping a server in the HQ network, which didn't work.
    The machine I tried to ping was a Linux server that should respond to pings and does so when pinged from the HQ network.

    I will try pinging a machine from HQ to branch now and get back to you with details.

  • stephan
    stephan Posts: 15  Freshman Member
    edited November 2
    A Ping from HQ to branch indeed works. But pings from branch to HQ don't:

    Pings in HQ:
    C:\Users\hq-pc>ping 192.168.178.1

    Ping wird ausgeführt für 192.168.178.1 mit 32 Bytes Daten:
    Antwort von 192.168.178.1: Bytes=32 Zeit=16ms TTL=61
    Antwort von 192.168.178.1: Bytes=32 Zeit=18ms TTL=61
    Antwort von 192.168.178.1: Bytes=32 Zeit=15ms TTL=61
    Antwort von 192.168.178.1: Bytes=32 Zeit=14ms TTL=61

    Ping-Statistik für 192.168.178.1:
        Pakete: Gesendet = 4, Empfangen = 4, Verloren = 0
        (0% Verlust),
    Ca. Zeitangaben in Millisek.:
        Minimum = 14ms, Maximum = 18ms, Mittelwert = 15ms

    C:\Users\hq-pc>ping 10.0.0.21

    Ping wird ausgeführt für 10.0.0.21 mit 32 Bytes Daten:
    Antwort von 10.0.0.21: Bytes=32 Zeit<1ms TTL=64
    Antwort von 10.0.0.21: Bytes=32 Zeit<1ms TTL=64

    Ping-Statistik für 10.0.0.21:
        Pakete: Gesendet = 2, Empfangen = 2, Verloren = 0
        (0% Verlust),
    Ca. Zeitangaben in Millisek.:
        Minimum = 0ms, Maximum = 0ms, Mittelwert = 0ms
    STRG-C
    ^C

    Pings in branch:
    C:\Users\branch-pc>ping 192.168.178.1 -t

    Ping wird ausgeführt für 192.168.178.1 mit 32 Bytes Daten:
    Antwort von 192.168.178.1: Bytes=32 Zeit<1ms TTL=64
    Antwort von 192.168.178.1: Bytes=32 Zeit<1ms TTL=64

    Ping-Statistik für 192.168.178.1:
        Pakete: Gesendet = 2, Empfangen = 2, Verloren = 0
        (0% Verlust),
    Ca. Zeitangaben in Millisek.:
        Minimum = 0ms, Maximum = 0ms, Mittelwert = 0ms

    C:\Users\branch-pc>ping 10.0.0.21

    Ping wird ausgeführt für 10.0.0.21 mit 32 Bytes Daten:
    Zeitüberschreitung der Anforderung.

    Ping-Statistik für 10.0.0.21:
        Pakete: Gesendet = 1, Empfangen = 0, Verloren = 1
        (100% Verlust),

    Why does it work in one way, but not the other way around?


    /edit: I again checked the policy routes on both USG60s, and the active policy routes actually concern traffic from branch to HQ (outgoing on the branch USG60 and incoming at the HQ USG60). So I don't understand why HQ can even get into branch when there is no policy route for that currently active.
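As an added example that is not part of this thread: a small Python parser for the German-locale Windows ping output pasted above. It pulls the sent/received counts per target out of both captures, filters out pings that stayed inside the local subnet, and names the direction that fails, so the security-policy check starts on the right USG. The site names, the /24 subnets and the capture excerpts are constructed from the figures in this thread; the reply TTL is kept because 61 versus 64 shows which replies came back across the tunnel.

```python
import ipaddress
import re
from collections import namedtuple
# Constructed excerpts of the two captures posted above (German-locale Windows ping output).
HQ_CAPTURE = """C:\\Users\\hq-pc>ping 192.168.178.1
Antwort von 192.168.178.1: Bytes=32 Zeit=16ms TTL=61
    Pakete: Gesendet = 4, Empfangen = 4, Verloren = 0
C:\\Users\\hq-pc>ping 10.0.0.21
Antwort von 10.0.0.21: Bytes=32 Zeit<1ms TTL=64
    Pakete: Gesendet = 2, Empfangen = 2, Verloren = 0"""
BRANCH_CAPTURE = """C:\\Users\\branch-pc>ping 192.168.178.1 -t
Antwort von 192.168.178.1: Bytes=32 Zeit<1ms TTL=64
    Pakete: Gesendet = 2, Empfangen = 2, Verloren = 0
C:\\Users\\branch-pc>ping 10.0.0.21
Zeitüberschreitung der Anforderung.
    Pakete: Gesendet = 1, Empfangen = 0, Verloren = 1"""
# Site -> (its LAN1 subnet as given in the thread, capture taken on a PC inside that subnet).
SITES = {"HQ": ("10.0.0.0/24", HQ_CAPTURE), "branch": ("192.168.178.0/24", BRANCH_CAPTURE)}
PROMPT = re.compile(r"^.*>ping (\S+)", re.M)               # one match per ping command typed
STATS = re.compile(r"Gesendet = (\d+), Empfangen = (\d+)")  # German "sent = N, received = M"
TTL = re.compile(r"TTL=(\d+)")                             # TTL of the first reply line
PingResult = namedtuple("PingResult", "target sent received ttl")  # ttl is None without a reply

def parse_ping_capture(text: str) -> list:
    """Split a pasted ping session into one PingResult per target."""
    chunks = PROMPT.split(text)  # [preamble, target1, body1, target2, body2, ...]
    results = []
    for target, body in zip(chunks[1::2], chunks[2::2]):
        sent, received = map(int, STATS.search(body).groups())
        ttl = TTL.search(body)  # absent when every request timed out
        results.append(PingResult(target, sent, received, int(ttl.group(1)) if ttl else None))
    return results

def remote_reachable(sites: dict) -> dict:
    """Per site: did every ping to an address outside its own subnet get a reply?"""
    verdict = {}
    for name, (subnet, capture) in sites.items():
        net = ipaddress.ip_network(subnet)
        remote = [r for r in parse_ping_capture(capture) if ipaddress.ip_address(r.target) not in net]
        verdict[name] = all(r.received > 0 for r in remote)
    return verdict

def diagnose(sites: dict) -> str:
    """Name the failing direction so the policy check starts on the right USG."""
    verdict = remote_reachable(sites)
    good = [n for n, ok in verdict.items() if ok]
    bad = [n for n, ok in verdict.items() if not ok]
    if good and bad:
        return f"one-way: {good[0]} -> {bad[0]} works, {bad[0]} -> {good[0]} fails; check {bad[0]} outbound policy first"
    return "symmetric: both directions " + ("work" if not bad else "fail")
```

Calling `diagnose(SITES)` on the captures above reports the one-way result that the post describes: HQ to branch works, branch to HQ fails.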
  • Zyxel_Jeff
    Zyxel_Jeff Posts: 200  Zyxel Employee

    Hi @stephan

    The reason the branch site can't ping the HQ site is that the packet is dropped by the branch site's default rule. You can check the log messages as below:

    Monitor > Log > View Log



    You can set a security policy on the branch site, from LAN1 to any as below:



    Then you can ping successfully from the branch site's LAN1 IP (192.168.178.100) to the HQ's LAN1 IP (10.0.0.2) :)



  • stephan
    stephan Posts: 15  Freshman Member
    I'll try that tomorrow at the latest and report back with findings.
  • warwickt
    warwickt Posts: 107  Ally Member
    G'day Stephan, I suggest you look at implementing a (series of) VTI connection(s) between your USG60 hosts with some basic policy routes (or OSPF with multiple routers).

    It's very straightforward.

    Search these forums: I had a few posts out there; however, the better-known forum member PeterUK had a few in the day.

    When you get it up, implement OSPF as well should you have more than 2 (>2) USGs in the VTI configs, and then there is no need for Policy Routes.

    We have clients with several offices/studios networked together like this, as well as ourselves.

    TIPs-la:
    • don't bugger with the 'Zyxel Wizard' (not so helpful for some)
    • instead, manually set the Configuration / VPN Gateways and their VPN Connections to a public domain/host (use No-IP or some DDNS) using the UI or CLI
    • then, lastly, the Configuration / Networks / VTI tunnel on each router to talk to them naturally...
    • important: use the two USG60s' logging for errors (filter IKE); enable system logging to view in the UI
    • configure local Zyxel DNS and use the domain forwarding carefully....
    Zyxel have made this rather nice.

    Good work you Zyxel TW blokes!


    Works great.

    If you are lost, post, post, post.

    HTH
    Warwick 
    Hong Kong
