Issues with IPSec VPN over SSL VPN

teamprevent
teamprevent Posts: 2  Freshman Member
edited April 2021 in Security
Hello everyone. 

My company has offices in different cities across the country, and we are using Zyxel solutions for our networking needs. 

We have recently purchased a new Zywall USG1100 for our headquarters, replacing the old Zywall USG200. In other offices we have various business routers (USG20, USG40W etc.). These routers are connected with the USG1100 via IPSec VPN and everything is working just fine, as long as the employees are connected directly to our company's network. You can ping other routers, connect with shared network drives etc.

The problem occurs when a user is working remotely and is trying to connect to our network via SSL VPN. After connecting with the USG1100 via Zywall SecuExtender the user can only see the main router and network drives shared from headquarters.

What's strange, immediately after the connection is established the user can ping other routers for a couple of seconds (usually 4-5 pings, followed by endless timeouts). 

What's even stranger, the problem occurs only on PCs running Windows - we also have a couple of MacBooks, and on macOS the problem is non-existent. 

When I was setting up the new router I was looking at the configuration of the USG200 the whole time to make sure everything would be fine and I didn't miss anything in the process. When we were running on the old router we didn't experience any issues, the IPSec connections over SSL VPN worked just fine.

I tried to contact local Zyxel support, but in Poland "Zyxel support" is just one guy, and he didn't come up with anything useful. He noted one thing: SSL VPN connections were using an IP range from our main subnet. It was like that before and it worked, but I changed that anyway.

The only result was that it also stopped working on macOS - I couldn't ping any other location with my new IP. 

Disabling policy control doesn't change anything, so it's not some firewall rules problem. 

Does anyone have any idea what might be causing the issue? 

Thank you in advance for any suggestions. I can provide screenshots of configuration if needed or anything else that might be useful. 

Comments

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,426  Zyxel Employee
    @Teamprevent,
    I am trying to build a lab to simulate this issue, but I am unable to reproduce it in my local lab.
    Please send me the USG-1100 and USG-200 configuration files by private message.
  • teamprevent
    teamprevent Posts: 2  Freshman Member
    Thank you, I've sent you a DM. 
  • [Deleted User]
    [Deleted User] Posts: 118  Zyxel Employee
    I am sorry to hear that the first contact with our support was not as you wished.
    I hope that we can change this! Can you send me your phone number or email address in a PM? I will get in contact with you as soon as possible then.

  • Hello,

    I have the same problem, SSLVPN --> USG310 <-- IPSEC --> USG310

    Solution?

    Thanks.
  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,361  Zyxel Employee
    Hi @FBK_K9_IT
    A policy route is needed in this scenario.

    SSL VPN Client-------USG310#1=======[VPN]======USG310#2

    On USG310#1, add policy route:


    On USG310#2, add policy route:

