We changed the WAN IP on our USG200 site today. I thought I just needed to change the IP in the VPN configuration on both ends and it would work. For our other Site2Site VPN between two USG200s, this has worked. But the connection between the USG60 (site handle "LHS") and USG200 (site handle "MOL") do seem to connect as the icons show a "connected" status, but the USG200 is not receiving any packages from the USG60 (other direction lists traffic … see screenshot below). Regardless, the USG60 can not ping servers in the USG200 network anymore since the change. I'll drop a couple of details following. Here are the USG60 "LHS" gateway settings: Here are the USG60 "LHS" connection settings: Here are the USG200 "MOL" gateway settings Here are the USG200 "MOL" connection settings In the VPN monitor, the USG60 lists sent and received packages. Additionally, this connection has a greyed out "Connection Check" button. In the VPN monitor of the USG200, it only lists sent packages but no received packages. The "Connection Check" button is working here, but I am getting a timeout. Both show uptimes that are basically identical, making me think that the connection itself works. I checked the PSKs and the respective WAN IPs, of course, and they seem to match. Curiously, the USG60 has a working VPN connection to our other office, which is also a USG200 (but the IP didn't change there). The settings for both connections are identical, aside from the different WAN targets and subnets at the target site. The IKE logs show correct key handshakes. No errors in the IPsec logs, which I really do not understand. I must be missing something, but I can't figure out what. Anyone have any pointers?

Its sad that an ISP only thinks there are three protocols one uses 1, 6 and 17 and forgets 50 and 47😞 If you put one end behind a NAT router then that should work to use UDP port 4500 (protocols 17).

Okay these seem to have been transient issues. I restarted the USSG60 once again between my last post and now (it was restarted before my last post) without any configuration changes and it works now. Key handshake runs on USP4500 now as expected. All other stages of the VPN work. I think my USG 60 at the branch office had some latent borked configuration. After the first reboot, some changes from the past few months (without reboots) were gone. Nothing too major, but odd nevertheless. Good thing we are switching to a newer USG200 here soon. Special thanks to PeterUK who brought me on the right track.

No putting one behind NAT will use port 4500 as the tunnel port 500 is used for exchange keys Can you check by packet capture on the USG you are sending and receiving either 4500 or protocol 50 when sending ping its also possible your ISP beyond support knows nothing of the block and just tell you ESP is not blocked Edit: I see its all working😁

/* * These styles apply ONLY to the header and footer assets. */ * { padding: 0; margin: 0; box-sizing: border-box; } .footer { background: #545454; color: #cdcdcd; font-size: 14px; line-height: 1.5; padding: 18px 0; } .footer-wrap { padding-left: 18px; padding-right: 18px; max-width: 1236px; margin: 0 auto; } .footer a { color: #cdcdcd; text-decoration: none; } .footer a:hover { color: #cdcdcd; text-decoration: none; } .footer-row { display: flex; flex-wrap: wrap; justify-content: space-between; align-items: center; margin: -3px; } .footer-col { padding: 0 3px; } .footer-col-copyRight { justify-content: flex-start; } .footer-col-logo { justify-content: flex-end; } .footer-col-logo a { margin-right: 10px; } .footer-col-copyRight, .footer-col-logo { flex: 1; display: flex; } .logo { width: 120px; height: 28px; opacity: 0.6; } @media screen and (max-width: 768px) { .footer-row { display: block; } .footer-col { width: 100%; text-align: center; margin: 6px 0; } .footer-col:first-child { margin-top: 0; } .footer-col:last-child { margin-bottom: 0; } .footer-col-copyRight, .footer-col-logo { justify-content: center; } .logo { margin: 0 auto; } } /*# sourceMappingURL=styles.css.map */ <iframe src="https://www.googletagmanager.com/ns.html?id=GTM-KSB6LQH" height="0" width="0" style="display:none;visibility:hidden"></iframe>

USG60 <> USG200 Site2Site VPN stopped working after WAN IP change

Security Highlight

Security Help Center

EnglishTiếng ViệtРусскийไทย中文（台灣）

/* * These styles apply ONLY to the header and footer assets. */ * { padding: 0; margin: 0; box-sizing: border-box; } .footer { background: #545454; color: #cdcdcd; font-size: 14px; line-height: 1.5; padding: 18px 0; } .footer-wrap { padding-left: 18px; padding-right: 18px; max-width: 1236px; margin: 0 auto; } .footer a { color: #cdcdcd; text-decoration: none; } .footer a:hover { color: #cdcdcd; text-decoration: none; } .footer-row { display: flex; flex-wrap: wrap; justify-content: space-between; align-items: center; margin: -3px; } .footer-col { padding: 0 3px; } .footer-col-copyRight { justify-content: flex-start; } .footer-col-logo { justify-content: flex-end; } .footer-col-logo a { margin-right: 10px; } .footer-col-copyRight, .footer-col-logo { flex: 1; display: flex; } .logo { width: 120px; height: 28px; opacity: 0.6; } @media screen and (max-width: 768px) { .footer-row { display: block; } .footer-col { width: 100%; text-align: center; margin: 6px 0; } .footer-col:first-child { margin-top: 0; } .footer-col:last-child { margin-bottom: 0; } .footer-col-copyRight, .footer-col-logo { justify-content: center; } .logo { margin: 0 auto; } } /*# sourceMappingURL=styles.css.map */

USG60 <> USG200 Site2Site VPN stopped working after WAN IP change

Categories

Security Highlight

Security Help Center