No traffic in VPN IPSec Site-to-Site
The third party gave me instructions to use the local policy 10.9.230.144/29, while their local (my remote) is 172.16.0.0/12,
"as it is you can't source NAT /24 from /29 1:1 SNAT"
So what should I do in my case?
0 -
We don't know which IP from 10.9.230.145 – 10.9.230.150 they want you to source from; try 10.9.230.145 as the SNAT address.
0 -
Done, no change.
Let's filter out the possible issues: if I put a computer on the 10.9.230.0/24 subnet, I don't need SNAT, correct?
0 -
You say it's 10.9.230.144/29 (255.255.255.248),
so if you make a LAN subnet on your side with 10.9.230.145/29 and a PC on 10.9.230.146, you don't need SNAT in the tunnel and it should work.
0 -
An update: I disabled the SNAT and the routing on the USG, put a PC on IP 10.9.230.146, and the VPN works correctly.
Now I would be curious to know why the routing from computers on the 192.168.1.0/24 subnet doesn't work. If I keep these settings on the USG but add this route on a Linux PC:
Destination Gateway Genmask Flags Metric Ref Use Iface
172.16.0.0 10.9.230.254 255.240.0.0 UG 0 0 0 enp5s0
Shouldn't I be able to connect?
0 -
Now I would be curious to know why the routing from computers on the 192.168.1.0/24 subnet doesn't work.
Because the other end is expecting 10.9.230.145 – 10.9.230.150; when it sees 192.168.1.0/24 it will go to its gateway and not down the tunnel.
So we now know 10.9.230.146 works, so with SNAT via the VPN tunnel it should work.
0 -
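As an added illustration (not part of this thread and not USG configuration), the following Python models the two checks the posts above describe: the phase-2 traffic selectors that both gateways apply to each packet, and a policy-scoped many-to-one SNAT that rewrites LAN sources to one usable address inside the /29. The addresses are the ones from the thread; the function names, the policy-NAT model and the choice of 10.9.230.145 as the translated source are assumptions for illustration. It also shows why the peer's remark about 1:1 SNAT holds: a /24 has 254 usable hosts and a /29 only 6.

```python
import ipaddress

# Addresses from the thread: the peer's traffic selectors and the poster's real LAN.
# The SNAT address is an assumed choice of one usable host inside LOCAL_TS.
LOCAL_TS = ipaddress.ip_network("10.9.230.144/29")    # what the peer expects as our source
REMOTE_TS = ipaddress.ip_network("172.16.0.0/12")     # the peer's side (our remote policy)
LAN = ipaddress.ip_network("192.168.1.0/24")          # hosts actually behind the USG
SNAT_IP = ipaddress.ip_address("10.9.230.145")        # assumed usable address inside LOCAL_TS


def usable_hosts(net):
    """Number of host addresses a network can hand out (network/broadcast excluded)."""
    return sum(1 for _ in net.hosts())


def one_to_one_nat_possible(inside, outside):
    """1:1 (static) NAT needs at least as many outside addresses as inside hosts.
    A /24 (254 hosts) cannot be mapped 1:1 into a /29 (6 hosts), which is the
    peer's objection; many-to-one SNAT to a single address is the way out."""
    return usable_hosts(outside) >= usable_hosts(inside)


def matches_selectors(src, dst, local_ts=LOCAL_TS, remote_ts=REMOTE_TS):
    """Phase-2 selector check: source must fall inside the local selector and
    destination inside the remote selector. The far end runs the mirror check on
    the decrypted packet and will not accept a source outside 10.9.230.144/29."""
    return src in local_ts and dst in remote_ts


def apply_policy_snat(src, dst, lan=LAN, remote_ts=REMOTE_TS, snat_ip=SNAT_IP):
    """Many-to-one SNAT limited to LAN -> remote-selector traffic (policy NAT).
    Any other flow keeps its original source address."""
    if src in lan and dst in remote_ts:
        return snat_ip
    return src


def forward(src, dst, snat_enabled):
    """Model of what the gateway does with one packet: returns (path, source_as_sent).
    'tunnel' when the (possibly translated) packet fits the IPsec selectors,
    'default-route' when it does not and falls through to ordinary routing."""
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    sent_src = apply_policy_snat(src, dst) if snat_enabled else src
    path = "tunnel" if matches_selectors(sent_src, dst) else "default-route"
    return path, str(sent_src)


if __name__ == "__main__":
    print("1:1 NAT /24 -> /29 possible:", one_to_one_nat_possible(LAN, LOCAL_TS))
    # Constructed sample flows: LAN host without/with SNAT, a host inside the /29,
    # and a LAN host going to the internet (SNAT must not touch it).
    for src, dst, snat in [("192.168.1.10", "172.16.5.5", False),
                           ("192.168.1.10", "172.16.5.5", True),
                           ("10.9.230.146", "172.16.5.5", False),
                           ("192.168.1.10", "8.8.8.8", True)]:
        print(src, "->", dst, "SNAT" if snat else "no SNAT", forward(src, dst, snat))
```

The third sample flow is the test the poster ran (a PC at 10.9.230.146 with SNAT off); the second is the working configuration at the end of the thread. Note that the policy NAT is scoped to the remote selector, so ordinary internet-bound LAN traffic keeps its real source and is not pulled into the tunnel.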
It works!
Thanks a lot for your precious support.
0