IPsec VPN "site to site" USG20<-> USG40


  • mMontana
    mMontana Posts: 1,389  Guru Member
    50 Answers 1000 Comments Friend Collector Fifth Anniversary
    VPN Connection, EXTERNAL OFFICE side. 
    Enable "Advanced" settings. Nailed Up is selected?
  • serverpal
    serverpal Posts: 29  Freshman Member
    First Comment Friend Collector Second Anniversary
    Hi,
    The error was in the external ZyWALL configuration.
    LAN3 had LAN 192.168.8.1 (same as HEADQUARTER 192.168.8.0/24).
    Now I ping from external to headquarter and vice versa, but not all IPs.
    example:
    in HEADQUARTER there is:
    192.168.8.2
    192.168.8.7
    192.168.8.8
    ...

    From the external office I ping .7 and .8 but not .2

    Why?
  • mMontana
    mMontana Posts: 1,389  Guru Member
    What is 192.168.8.2?
  • serverpal
    serverpal Posts: 29  Freshman Member
    192.168.8.2 is an iSeries Server (AS400).
    From the external office I can connect to headquarters with the SSL secureextender client (the USG40 at HEADQUARTERS has SSL VPN configured): in secureextender I insert the HeadQuarters public IP, user and password, then get a connection and I reach the iSeries server by ping 192.168.8.2, but not with the IPSec site-to-site VPN.
  • sadatvid
    sadatvid Posts: 1
    edited December 2021
    Please help to check if both USG security policy Wan to Device have service port NATT?
  • serverpal
    serverpal Posts: 29  Freshman Member
    Yes, USG HEAD and USG EXTERNAL have NATT in the WAN to ZyWALL security policy.
  • mMontana
    mMontana Posts: 1,389  Guru Member
    I am no expert at all on iSeries Server. Maybe there are some options in the TCP/IP and firewall settings to allow connections from other subnets?
    Moreover: does your iSeries server have the gateway configured?
  • PeterUK
    PeterUK Posts: 3,461  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary

    Does 192.168.8.8 have ICMP allowed on its firewall?

    Is the subnet at the other end really /24?


  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,511  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 1000 Comments
    Hi @sadatvid,

    Does the USG40 have subnet 192.168.2.x/24? We have default subnet 192.168.2.x/24 on LAN 2.
    It would have a subnet overlapping with the peer USG20 LAN IP.

    Default interface setting in USG.

  • serverpal
    serverpal Posts: 29  Freshman Member
    Hi, thank you for your help.
    I can't solve the connection to the iSeries (AS400).
    If I use the ZyWALL secuExtender client from a PC in the external office I can ping the AS400 and connect to terminal emulation (by client access emulator, port 23 telnet).
    IPSec (IKEv1) works with all IPs of the HEADQUARTERS LAN but not with the iSeries.
    What is the difference?
