Issues with IPSec VPN over SSL VPN
teamprevent
Posts: 2 Freshman Member
Hello everyone.
My company has offices in different cities across the country, and we are using Zyxel solutions for our networking needs.
We have recently purchased a new Zywall USG1100 for our headquarters, replacing the old Zywall USG200. In other offices we have various business routers (USG20, USG40W etc.). These routers are connected with the USG1100 via IPSec VPN and everything is working just fine, as long as the employees are connected directly to our company's network. You can ping other routers, connect with shared network drives etc.
The problem occurs when a user is working remotely and is trying to connect to our network via SSL VPN. After connecting with the USG1100 via Zywall SecuExtender the user can only see the main router and network drives shared from headquarters.
What's strange, immediately after the connection is established the user can ping other routers for a couple of seconds (usually 4-5 pings, followed by endless timeouts).
What's even stranger, the problem occurs only on PCs running Windows - we also have a couple of MacBooks, and on macOS the problem is non-existent.
When I was setting up the new router I was looking at the configuration of the USG200 the whole time to make sure everything would be fine and I didn't miss anything in the process. When we were running on the old router we didn't experience any issues, the IPSec connections over SSL VPN worked just fine.
I tried to contact local Zyxel support, but in Poland "Zyxel support" is just one guy, and he didn't come up with anything useful. He noted one thing: SSL VPN connections were using IP range from our main subnet. It was like that before and it worked, but I changed that anyway.
The only result was that it also stopped working on macOS - I couldn't ping any other location with my new IP.
Disabling policy control doesn't change anything, so it's not some firewall rules problem.
Does anyone have any idea what might be causing the issue?
Thank you in advance for any suggestions. I can provide screenshots of configuration if needed or anything else that might be useful.
Comments
-
@Teamprevent,
I am trying to build a lab to simulate this issue, but I am unable to reproduce it on a local lab.
Please send me the USG-1100 and USG-200 configuration files by private message.
-
Thank you, I've sent you a DM.
-
Dear @teamprevent
I am sorry to hear that the first contact with our support was not as you wished for. I hope that we can change this! Can you send me your phone number or email address in a PM? I will get in contact with you as soon as possible then.
-
Hello,
I have the same problem: SSLVPN --> USG310 <-- IPSEC --> USG310
Solution?
Thanks.
-
Hi @FBK_K9_IT
A policy route is needed in this scenario.
SSL VPN Client-------USG310#1=======[VPN]======USG310#2
On USG310#1, Add policy route:
On USG310#2, Add policy route: