IPSec tunnel VLAN to VLAN

nielsscheldeman
Hello,

I'm trying to set up an IPsec connection between only two VLANs. The firewalls used are USG60s (both behind NAT!).

I first created two VLANs with DHCP enabled and they work fine. The devices behind them are getting the correct IP.

After that I set up the gateways and the VPN connection with VTI on both sides, and the tunnel builds up successfully.

In the last screenshots I set up the routing, but it is still impossible to ping the devices in each other's network. Could someone tell me what I'm doing wrong? Or does it have something to do with NAT-T?

In the screenshots, the left side is one site and the right side is the other site.


All Replies

  • PeterUK

    The VLAN subnets on the two USG60s must not be the same, and might you try site-to-site?

  • nielsscheldeman
    PeterUK said:

    The VLAN subnets on the two USG60s must not be the same, and might you try site-to-site?


    The VLANs are different (192.168.81.0 and 192.168.82.0). I tried site-to-site, but it only works for regular interfaces, not if you want to transfer only a VLAN.
  • PeterUK

    Site-to-site works with VLANs.

    Site A with 192.168.81.0/24:
      local policy 192.168.81.0/24
      remote policy 192.168.82.0/24
      routing rule:
        incoming interface: the VLAN (member)
        destination: 192.168.82.0/24
        next hop type: VPN Tunnel
        VPN tunnel: the zone for the tunnel

    Site B with 192.168.82.0/24:
      local policy 192.168.82.0/24
      remote policy 192.168.81.0/24
      routing rule:
        incoming interface: the VLAN (member)
        destination: 192.168.81.0/24
        next hop type: VPN Tunnel
        VPN tunnel: the zone for the tunnel

    Firewall rules:
      from WAN to ZyWALL: protocol 50, UDP 500, 1701 and 4500

    One side will need port forwarding for protocol 50, UDP 500, 1701 and 4500; the other side nailed up.
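The reply above is a checklist that has to hold on both firewalls at once: mirrored phase-2 policies, a policy route that sends the peer subnet into the tunnel rather than out the WAN gateway, WAN-to-ZyWALL rules for ESP and IKE/NAT-T, and, with both sites behind NAT, at least one side reachable through a port forward. The script below is an added example, not code from the thread or from Zyxel; it models the two sites in a hypothetical `Site` dataclass (the field names are assumptions, not the USG's configuration format) and reports every item of the checklist that fails. The sample sites are constructed from the addresses in the thread, with two deliberately broken variants: a route whose next hop is the gateway instead of the VPN tunnel, and a site B VLAN renumbered to clash with site A, which is the "subnets must not be the same" case.

```python
import ipaddress
from dataclasses import dataclass, field, replace

# Traffic the peer must be able to send to the firewall itself (WAN to ZyWALL).
# Hypothetical (proto, port) tuples; "esp" is IP protocol 50 and has no port.
# UDP 1701 from the reply above is L2TP and is only needed for L2TP over IPsec.
ESP = ("esp", None)
IKE = ("udp", 500)
NAT_T = ("udp", 4500)
REQUIRED_FROM_WAN = frozenset({ESP, IKE, NAT_T})


@dataclass
class Site:
    """One USG60's relevant settings (hypothetical model, not the device's config format)."""
    name: str
    vlan_subnet: str        # the VLAN that should reach the other side
    local_policy: str       # phase-2 local policy
    remote_policy: str      # phase-2 remote policy
    route_dest: str         # policy route: destination
    route_next_hop: str     # policy route: next hop type ("vpn-tunnel" or "gateway")
    wan_allow: set = field(default_factory=set)  # (proto, port) allowed from WAN to ZyWALL
    behind_nat: bool = False
    port_forwarded: bool = False   # upstream NAT forwards ESP/500/4500 to this USG


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def check_site(site, peer):
    """Problems on one side, given what the peer is configured with."""
    problems = []
    if _net(site.local_policy) != _net(site.vlan_subnet):
        problems.append(f"{site.name}: local policy {site.local_policy} "
                        f"is not the VLAN subnet {site.vlan_subnet}")
    if _net(site.remote_policy) != _net(peer.vlan_subnet):
        problems.append(f"{site.name}: remote policy {site.remote_policy} "
                        f"is not the peer's VLAN {peer.vlan_subnet}")
    if _net(site.route_dest) != _net(site.remote_policy):
        problems.append(f"{site.name}: policy route destination {site.route_dest} "
                        f"does not match remote policy {site.remote_policy}")
    if site.route_next_hop != "vpn-tunnel":
        problems.append(f"{site.name}: policy route next hop is {site.route_next_hop!r}, "
                        f"expected 'vpn-tunnel'")
    missing = sorted(f"{p}/{n}" if n else p for p, n in REQUIRED_FROM_WAN - site.wan_allow)
    if missing:
        problems.append(f"{site.name}: WAN-to-ZyWALL rule missing {', '.join(missing)}")
    return problems


def check_pair(a, b):
    """All problems for a two-site setup; an empty list means the plan is consistent."""
    problems = []
    if _net(a.vlan_subnet).overlaps(_net(b.vlan_subnet)):
        problems.append(f"VLAN subnets overlap: {a.vlan_subnet} and {b.vlan_subnet}; "
                        f"traffic for the peer would never be routed into the tunnel")
    problems += check_site(a, b) + check_site(b, a)
    if a.behind_nat and b.behind_nat and not (a.port_forwarded or b.port_forwarded):
        problems.append("both sites are behind NAT but neither forwards ESP/UDP 500/4500 "
                        "to its USG60, so neither side can initiate to the other")
    return problems


# Constructed sample matching the thread: both USG60s behind NAT, site A port-forwarded.
SITE_A = Site("site A", "192.168.81.0/24", "192.168.81.0/24", "192.168.82.0/24",
              "192.168.82.0/24", "vpn-tunnel", set(REQUIRED_FROM_WAN),
              behind_nat=True, port_forwarded=True)
SITE_B = Site("site B", "192.168.82.0/24", "192.168.82.0/24", "192.168.81.0/24",
              "192.168.81.0/24", "vpn-tunnel", set(REQUIRED_FROM_WAN), behind_nat=True)

# Constructed broken variants: wrong next hop, and a VLAN renumbered to clash with the peer.
SITE_B_WRONG_HOP = replace(SITE_B, route_next_hop="gateway")
SITE_B_SAME_SUBNET = replace(SITE_B, vlan_subnet="192.168.81.0/24",
                             local_policy="192.168.81.0/24")

if __name__ == "__main__":
    for label, peer in (("good", SITE_B), ("wrong hop", SITE_B_WRONG_HOP),
                        ("same subnet", SITE_B_SAME_SUBNET)):
        print(label, check_pair(SITE_A, peer) or "OK")
```

The check is deliberately symmetric: `check_site` is run once per side with the other side as `peer`, so a typo in either firewall's remote policy or route destination shows up, not just a mismatch on the side you happen to be looking at. The last condition is the one that matters for two sites behind NAT: the tunnel can only be nailed up from the side whose upstream router forwards ESP and UDP 500/4500 to the USG.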


  • CHS
    @nielsscheldeman what firmware version is running on your device?
    You may capture packets on VTI interface to monitor the traffic status.
