Zyxel ATP500 ipsec: no inbound packets

Hello Zyxel Cracks!

I come from the Fortinet world and I'm stuck with a problem that I can't solve.

I have a Zyxel ATP 500 (5.32) and a Fortigate. I want to set up a site 2 site VPN between these 2 devices. So I have defined the gateway on the Zyxel and then the VPN Connection. The IPSEC tunnel is successfully established.

Now I ping from the Zywall side, I see the packet on the Fortigate: It is forwarded to the host, the ping reply comes in again and is packed into the tunnel again. Unfortunately, this packet never arrives on the Zywall; the inbound counter in the VPN monitor always remains zero. Nor can I ping from the Fortigate side, of course.

Firewall policies I have "any to ipsec_vpn" and "ipsec_vpn to lan1". A dialup tunnel, which is also in the ipsec_vpn zone, works fine.

What the heck did I miss???

Thanks for your help!
martin

Accepted Solution

  • Zyxel_Kevin
    Zyxel_Kevin Posts: 741  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Answer ✓
    Hi @humschti
    The configuration looks well.
    May we have remote session to check the issue ?
    Kevin
«1

All Replies

  • mMontana
    mMontana Posts: 1,298  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited November 2022
    Out of the box, Zyxel security policies allow traffic from tunnel to LAN1 an viceversa. Also, UDP traffic on ports 500 and 4500 (IKE and NAT-T) is allowed to arrive "to zywall". However, if the WAN interface on Zyxel have a private IP Address, a port forward should be enabled on the ISP/Router device.
    Last but not least, triple check timeout, ciphers, and tunneling protocol. Sometimes Zyxel devices believe to have established tunnels, but that is not true; triggering down and up the gateway (reports error during disable but that's expected) might lead to a better reality responding situations.
    Useful questions:
    Would you please add  some more infos about the private subnets involved on both sides?
    Which is the device that initiate the connection?
    The Fortinet endpoint is connected on static and public IP address?

  • So the WAN interface of both firewalls have a Public IP. LAN on the Zyxel side is 192.168.37.0/24, on the Fortigate side 10.254.254.0/24.

    Here are the logs when I start the tunnel manually:


    Excitingly, shortly after, I see this entry in the log, where the Source is the Public IP of the Fortigate, and the Destination is the Public IP of the Zywall:


    It doesn't matter who sets up the tunnel; the result is unfortunately the same. 
  • mMontana
    mMontana Posts: 1,298  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    On both endpoints, the remote subnet is the only subnet in that address? (I mean, for the Zyxel as the example that there is no local subnet on interfaces, zones or vLAN which is the same of the remote network).
    As far as i know, only one side should be "entitled" dialing the other endpoint, avoiding simultaneous initiation of the tunnel.
    Moreover: the notice you find in log about Security policy control that is match the default means that all the rules written in Security Policy are not found useful for managing the connection => your current security policy rule is not correct.

  • Zyxel_Kevin
    Zyxel_Kevin Posts: 741  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Hi @humschti
    According to your screenshot , the traffic is blocked by security policy.
    Please kindly check you have the correct rule. (192.168.37.0/24 to10.254.254.0/24)
    Thank you
  • Thanks for your answers!

    I have the following 2 policies which I think allow packets from and to the LAN from the tunnel:


    LAN1 contains the subnet 192.168.37.0/24, ipsec_vpn the tunnel I am trying to get running.
  • Zyxel_Kevin
    Zyxel_Kevin Posts: 741  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Hi @humschti
    Please kindly send the configuration by private message. 
    I would check the IPsec and security policy settings. 
    Thank you
    Kevin

  • Zyxel_Kevin
    Zyxel_Kevin Posts: 741  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Answer ✓
    Hi @humschti
    The configuration looks well.
    May we have remote session to check the issue ?
    Kevin
  • Hello Kevin

    Thanks for the offer! Let me first check all other possibilities clean (ISP router etc). I'll be happy to get back to you once this is done.

    martin
  • Kevin and his team have found the error: A deny firewall rule on the Zywall was blocking the remote ESP packets. An Allow rule from the remote site's WAN IP to the Zywall address object solved the problem.

    Thanks again Kevin for your help!!!

  • Can you share that rule? thank you because we have the same problem

Security Highlight