Can't Access Opposite Web Interface Across Site-to-Site VPN
All Replies
Hi @NEP
In the VPN tunnel, the "Don't Fragment" flag is enabled. If the VPN MSS size is less than what HTTPS requires, then the connection will fail (but ICMP is still available).
That is the reason why the "ignore "Don't Fragment" setting in IPv4 header" option is enabled in the default settings.
If your connection doesn't work after enabling the setting, then we may need to check the issue over a remote access connection.
Sounds like a firewall policy to adjust to me...
Hi @NEP, please try to add an additional route:
Network > Routing > Static Route > Add:
Destination IP: 192.168.X.0 (Remote Subnet; same as the Remote Policy at VPN Phase 2)
Subnet Mask: 255.255.255.0 (Mask of remote Subnet)
Interface: lan1 (your local Interface)
The cause of the problem is that the target firewall sends the traffic back over the "default gateway" and ignores the policy route. You can see this if you create a trace on the target firewall.
Please let me know if this works.
Mario
@Zyxel_Stanley On both sides of the tunnel, I unchecked the "dynamic IPSEC rules" box and checked "Ignore Don't Fragment" but there is no change. Still no access. You mentioned ICMP, just to be clear, I can access and ping all devices on each network (that are set up to respond), except for the ZyWALL at each site (192.168.x.1).
SiteA
Routing
Incoming - Any (excluding ZyWALL)
Destination - vpn20 (192.168.20.0/24)
Next-Hop - vpn20
Policy Control
From - vpn20
To - ZyWALL
Any
SiteB
Routing
Incoming - Any (excluding ZyWALL)
Destination - vpn10 (192.168.10.0/24)
Next-Hop - vpn10
Policy Control
From - vpn10
To - ZyWALL
Any
Both sites have the policies listed above as their first entry. These policies are logged and I see that the traffic is forwarded to the ZyWALL. It seems like packets are getting to each ZyWALL from the other side, but it doesn't know how to send them back. @PeterUK mentioned in his post that Incoming be set to the interface. Could this be the issue? I tried adding another route with the interface set but it didn't work either.
Is there anything else that could cause this issue? If I were to turn Policy Control off at both sites, should I have access to each site's ZyWALL with just the Routing rule? Or some way to track it with logs? I just don't understand why the traffic shows as forwarded in the logs but access doesn't work.
@mMontana When you say firewall policy, you are just referring to an entry in Policy Control, correct?
Hi @NEP,
Add these policy routes for ZyWALL-to-ZyWALL traffic through the policy-based IPSec VPN.
SiteA
Routing
Incoming - ZyWALL
Destination - vpn20 (192.168.20.0/24)
Next-Hop - vpn20
SiteB
Routing
Incoming - ZyWALL
Destination - vpn10 (192.168.10.0/24)
Next-Hop - vpn10
In the VPN connection for the VPN, check under Related Settings what zone is set.
Thank you very much everyone! The issue is now fixed. Part of the issue was as @zyman2008 had said. There was no policy route configured for the ZyWALL back to the "requesting" IP. The other issue was that we have a VLAN at one site and not the other. I was using the wrong routing destination (i.e. the site's subnet, as opposed to the VLAN I was on). Simple things :-( Anyway, thank you again.
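Added example, not code from the thread or from Zyxel: a toy model of first-match policy-route selection that reproduces both findings above. Traffic the firewall originates itself (Incoming = ZyWALL, i.e. its replies to the remote admin) does not match an "Any (excluding ZyWALL)" route and falls through to the default gateway until a route with Incoming = ZyWALL is added; and a destination in a VLAN subnet other than the one the route names misses as well. The interface names "wan1" and the VLAN subnet 192.168.21.0/24 are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class PolicyRoute:
    incoming: str      # "ZyWALL", "any_except_zywall", or an interface such as "lan1"
    destination: str   # destination subnet in CIDR, e.g. "192.168.20.0/24"
    next_hop: str      # where matching packets go, e.g. the tunnel "vpn20"

    def matches(self, incoming: str, dst_ip: str) -> bool:
        incoming_ok = self.incoming == incoming or (
            self.incoming == "any_except_zywall" and incoming != "ZyWALL"
        )
        in_subnet = ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.destination)
        return incoming_ok and in_subnet


def select_route(routes, incoming, dst_ip, default_gateway="wan1"):
    """First matching policy route wins; otherwise the packet follows the
    default gateway ("wan1" is an assumed placeholder, not from the thread)."""
    for route in routes:
        if route.matches(incoming, dst_ip):
            return route.next_hop
    return default_gateway


# Site A as first posted: only LAN-originated traffic is steered into vpn20.
SITE_A_BEFORE = [PolicyRoute("any_except_zywall", "192.168.20.0/24", "vpn20")]
# Site A after zyman2008's fix: a second route for the ZyWALL's own traffic.
SITE_A_AFTER = SITE_A_BEFORE + [PolicyRoute("ZyWALL", "192.168.20.0/24", "vpn20")]


def demo():
    # Constructed scenario: an admin at 192.168.20.50 (Site B) opens the Site A
    # ZyWALL web UI; the reply is originated by the ZyWALL toward 192.168.20.50.
    lan_host = select_route(SITE_A_BEFORE, "lan1", "192.168.20.50")      # LAN host: vpn20
    reply_before = select_route(SITE_A_BEFORE, "ZyWALL", "192.168.20.50")  # reply leaks: wan1
    reply_after = select_route(SITE_A_AFTER, "ZyWALL", "192.168.20.50")    # after fix: vpn20
    # Second issue from the thread: admin on a VLAN (constructed 192.168.21.0/24)
    # that no route names, so even the fixed table misses it.
    vlan_miss = select_route(SITE_A_AFTER, "ZyWALL", "192.168.21.50")      # wan1
    return lan_host, reply_before, reply_after, vlan_miss


if __name__ == "__main__":
    print(demo())
```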