Zyxel ATP500 ipsec: no inbound packets
Hello Zyxel Cracks!
I come from the Fortinet world and I'm stuck with a problem that I can't solve.
I have a Zyxel ATP 500 (5.32) and a Fortigate. I want to set up a site-to-site VPN between these 2 devices. So I have defined the gateway on the Zyxel and then the VPN Connection. The IPsec tunnel is successfully established.
Now I ping from the Zywall side, I see the packet on the Fortigate: It is forwarded to the host, the ping reply comes in again and is packed into the tunnel again. Unfortunately, this packet never arrives on the Zywall; the inbound counter in the VPN monitor always remains zero. Nor can I ping from the Fortigate side, of course.
Firewall policies I have "any to ipsec_vpn" and "ipsec_vpn to lan1". A dialup tunnel, which is also in the ipsec_vpn zone, works fine.
What the heck did I miss???
Thanks for your help!
martin
All Replies
Out of the box, Zyxel security policies allow traffic from the tunnel to LAN1 and vice versa. Also, UDP traffic on ports 500 and 4500 (IKE and NAT-T) is allowed to arrive "to ZyWALL". However, if the WAN interface on the Zyxel has a private IP address, a port forward should be enabled on the ISP/router device.

Last but not least, triple-check timeouts, ciphers, and tunneling protocol. Sometimes Zyxel devices believe they have established tunnels, but that is not true; triggering the gateway down and up (it reports an error during disable, but that's expected) might lead to a situation that better reflects reality.

Useful questions:
Would you please add some more info about the private subnets involved on both sides?
Which is the device that initiates the connection?
Is the Fortinet endpoint connected on a static, public IP address?
So the WAN interfaces of both firewalls have a public IP. LAN on the Zyxel side is 192.168.37.0/24, on the Fortigate side 10.254.254.0/24.

Here are the logs when I start the tunnel manually:

Interestingly, shortly after, I see this entry in the log, where the source is the public IP of the Fortigate and the destination is the public IP of the Zywall:

It doesn't matter who sets up the tunnel; the result is unfortunately the same.
On both endpoints, is the remote subnet the only subnet with that address? (I mean, taking the Zyxel as the example, that there is no local subnet on interfaces, zones or VLANs which is the same as the remote network.)

As far as I know, only one side should be "entitled" to dial the other endpoint, avoiding simultaneous initiation of the tunnel.

Moreover: the notice you find in the log about Security Policy Control matching the default means that none of the rules written in Security Policy were found applicable for managing the connection => your current security policy rule is not correct.
Hi @humschti,
According to your screenshot, the traffic is blocked by security policy.
Please kindly check you have the correct rule (192.168.37.0/24 to 10.254.254.0/24).
Thank you
Thanks for your answers!

I have the following 2 policies which I think allow packets from and to the LAN from the tunnel:

LAN1 contains the subnet 192.168.37.0/24, ipsec_vpn the tunnel I am trying to get running.
Hi @humschti,
Please kindly send the configuration by private message.
I would check the IPsec and security policy settings.
Thank you
Kevin
Hello Kevin

Thanks for the offer! Let me first cleanly check all other possibilities (ISP router etc.). I'll be happy to get back to you once this is done.

martin
Kevin and his team have found the error: a deny firewall rule on the Zywall was blocking the remote ESP packets. An Allow rule from the remote site's WAN IP to the Zywall address object solved the problem.

Thanks again Kevin for your help!!!
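The fix above is easy to get wrong because the encrypted ESP packets and the decrypted ping are judged by different zone pairs: ESP (IP protocol 50), IKE and NAT-T arrive on WAN addressed to the firewall itself, so "any to ipsec_vpn" and "ipsec_vpn to lan1" never see them. The toy first-match policy evaluator below is an added example, not Zyxel code and not the poster's configuration; it assumes Zyxel-style zone names (WAN, ZyWALL, IPSec_VPN, LAN1), top-down first-match evaluation with an implicit deny at the bottom, a catch-all WAN-to-ZyWALL deny as the shape of the offending rule, and constructed RFC 5737 addresses for the two public IPs. It shows the tunnel coming up (IKE allowed) while ESP is dropped, and ESP passing once the peer-specific allow is placed above the deny.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addresses (RFC 5737 documentation ranges), not the poster's real IPs.
FGT_WAN = "203.0.113.10"      # Fortigate public IP (remote peer)
ZYWALL_WAN = "198.51.100.20"  # ATP500 public IP


@dataclass(frozen=True)
class Packet:
    name: str
    src: str
    dst: str
    proto: str            # "udp", "esp" (IP protocol 50) or "icmp"
    dport: Optional[int]
    from_zone: str
    to_zone: str


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str        # "any" matches every zone
    to_zone: str
    action: str           # "allow" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.from_zone in ("any", p.from_zone)
                and self.to_zone in ("any", p.to_zone)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))


def evaluate(policy, p: Packet) -> str:
    """First match wins (assumed semantics); an implicit deny sits below the last rule."""
    for rule in policy:
        if rule.matches(p):
            return f"{rule.action}:{rule.name}"
    return "deny:implicit_default"


# Constructed traffic for the scenario in the thread. The decrypted ping reply is
# what the IPSec_VPN->LAN1 rules see; IKE, NAT-T and ESP are what WAN->ZyWALL sees.
TRAFFIC = [
    Packet("ike", FGT_WAN, ZYWALL_WAN, "udp", 500, "WAN", "ZyWALL"),
    Packet("nat-t", FGT_WAN, ZYWALL_WAN, "udp", 4500, "WAN", "ZyWALL"),
    Packet("esp", FGT_WAN, ZYWALL_WAN, "esp", None, "WAN", "ZyWALL"),
    Packet("ping-reply", "10.254.254.5", "192.168.37.5", "icmp", None, "IPSec_VPN", "LAN1"),
]

# The two rules the poster had, plus default IKE/NAT-T allows and a catch-all deny
# from WAN to the firewall itself (assumed shape of the deny rule that was the culprit).
BROKEN_POLICY = [
    Rule("default_ike", "WAN", "ZyWALL", "allow", proto="udp", dport=500),
    Rule("default_natt", "WAN", "ZyWALL", "allow", proto="udp", dport=4500),
    Rule("block_wan_to_zywall", "WAN", "ZyWALL", "deny"),
    Rule("any_to_ipsec_vpn", "any", "IPSec_VPN", "allow"),
    Rule("ipsec_vpn_to_lan1", "IPSec_VPN", "LAN1", "allow"),
]

# The fix from the thread: an allow from the remote peer's WAN IP to the ZyWALL
# address object, placed above the deny so ESP reaches the firewall.
FIXED_POLICY = [
    Rule("allow_peer_esp", "WAN", "ZyWALL", "allow",
         src=f"{FGT_WAN}/32", dst=f"{ZYWALL_WAN}/32", proto="esp"),
] + BROKEN_POLICY


def verdicts(policy) -> dict:
    """Map each sample packet name to 'action:rule' under the given policy."""
    return {p.name: evaluate(policy, p) for p in TRAFFIC}


if __name__ == "__main__":
    for label, policy in (("broken", BROKEN_POLICY), ("fixed", FIXED_POLICY)):
        print(label)
        for name, verdict in verdicts(policy).items():
            print(f"  {name:<10} {verdict}")
```

With the broken order the evaluator reports IKE and NAT-T allowed but ESP denied, which is exactly the symptom in the thread: the tunnel negotiates, the VPN monitor shows the SA up, and the inbound counter stays at zero because no ESP is ever accepted. The same check is worth repeating for the reverse direction on the Fortigate if its local-in policy has been tightened.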
Can you share that rule? Thank you, because we have the same problem.