Can't Access Opposite Web Interface Across Site-to-Site VPN

2»

All Replies

  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,379  Zyxel Employee
    100 Answers 1000 Comments Friend Collector Seventh Anniversary
    Hi @NEP
    In VPN tunnel, "Don't Fragment" flag is enable. If VPN MSS size is less than HTTPS required then will  connection will fail.(but ICMP still available)
    It is reason why "ignore "Don't Fragment" setting in IPv4 header" is enabled in default setting.

    If your connection doesn't work after enabling the setting, then we may need check the issue by remote access connection. :)
  • mMontana
    mMontana Posts: 1,389  Guru Member
    50 Answers 1000 Comments Friend Collector Fifth Anniversary
    Sound like a firewall policy to adjust to me...
  • Mario
    Mario Posts: 106  Ally Member
    Zyxel Certified Network Engineer Level 1 - Security First Comment Friend Collector Fifth Anniversary
    Hi @NEP

    Please try to add an additional route:

    Network > Routing > Static Route > Add:

    Destination IP: 192.168.X.0 (Remote Subnet ; same like Remote Policy at VPN Phase2)

    Subnet Mask: 255.255.255.0 (Mask of remote Subnet)

    Interface: lan1 (your local Interface)


    The cause of the problem is, that the target firewall send the traffic back over "defaut gateway" and ignores the policy route. You can see this if you create a trace on the target firewall.
    Please let me know if this works.
    Mario

  • NEP
    NEP Posts: 74  Ally Member
    First Comment Friend Collector Second Anniversary
    edited October 2022
    @Zyxel_Stanley On both sides of the tunnel, I unchecked the "dynamic IPSEC rules" box and checked "Ignore Don't Fragment" but there is no change. Still no access. You mentioned ICMP, just to be clear, I can access and ping all devices on each network (that are set up to respond), except for the ZyWALL at each site (192.168.x.1).

    SiteA
      
    Routing
        Incoming - Any (excluding ZyWALL)
        Destination - vpn20 (192.168.20.0/24)
        Next-Hop - vpn20
      Policy Control
        From - vpn20
        To - ZyWALL
        Any

    SiteB
      Routing
        Incoming - Any (excluding ZyWALL)
        Destination - vpn10 (192.168.10.0/24)
        Next-Hop - vpn10
      Policy Control
        From - vpn10
        To - ZyWALL
        Any

    Both sites have the policies listed above as their first entry. These policies are logged and I see that the traffic is forwarded to the ZyWALL. It seems like packets are getting to each ZyWALL from the other side, but it doesn't know how to send them back. @PeterUK mentioned in his post that Incoming be set to the interface. Could this be the issue? I tried adding another route with the interface set but it didn't work either.

    Is there anything else that could cause this issue? If I were to turn Policy Control off at both sites, should I have access to each site's ZyWALL with just the Routing rule? Or some way to track it with logs? I just don't understand why the traffic shows as forwarded in the logs but access doesn't work.

    @mMontana When you say firewall policy, you are just referring to an entry in Policy Control correct?
  • zyman2008
    zyman2008 Posts: 223  Master Member
    25 Answers First Comment Friend Collector Seventh Anniversary
    edited October 2022 Answer ✓
    Hi @NEP,
    Add these policy routes for ZyWALL to ZyWALL through policy-base IPSec VPN.
    SiteA
      
    Routing
        Incoming - ZyWALL
        Destination - vpn20 (192.168.20.0/24)
        Next-Hop - vpn20

    SiteB
      Routing
        Incoming - ZyWALL
        Destination - vpn10 (192.168.10.0/24)
        Next-Hop - vpn10

  • mMontana
    mMontana Posts: 1,389  Guru Member
    50 Answers 1000 Comments Friend Collector Fifth Anniversary
    @NEP I am referring to security policy.
  • PeterUK
    PeterUK Posts: 3,460  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary

    In VPN connection for the VPN check under the Related Settings what zone is set.


  • NEP
    NEP Posts: 74  Ally Member
    First Comment Friend Collector Second Anniversary
    Answer ✓
    Thank you very much everyone! The issue is now fixed. Part of the issue was as @zyman2008 had said. There was no policy route configured for the ZyWALL back to the "requesting" IP. The other issue was that we have a VLAN at one site and not the other. I was using the wrong routing destination (ie. the site's subnet, as opposed to the VLAN I was on). Simple things :-( Anyway, thank you again.

Security Highlight