No traffic in VPN IPSec Site-to-Site


All Replies

  • DW_Informatica
    DW_Informatica Posts: 18  Freshman Member

    The third party gave me the instruction to use local policy 10.9.230.144/29, while their local (my remote) is 172.16.0.0/12.

    @PeterUK

    "as it is you can't source NAT /24 from /29 1:1 SNAT"

    So what should I do in my case?

  • mMontana
    mMontana Posts: 1,337  Guru Member

    @PeterUK thanks for correcting me.

  • PeterUK
    PeterUK Posts: 2,848  Guru Member
    edited April 30

    We don't know which IP from 10.9.230.145 – 10.9.230.150 they want you to source from; try 10.9.230.145 as the SNAT address.

  • DW_Informatica
    DW_Informatica Posts: 18  Freshman Member

    Done, no change.

    Let's filter out the possible issues: if I put a computer on the 10.9.230.0/24 subnet I don't need a SNAT, correct?

  • PeterUK
    PeterUK Posts: 2,848  Guru Member

    You say it's 10.9.230.144/29 (255.255.255.248),

    so if you make a LAN subnet on your side with 10.9.230.145/29 and put a PC on 10.9.230.146, you don't need SNAT in the tunnel and it should work.

  • DW_Informatica
    DW_Informatica Posts: 18  Freshman Member

    An update: I disabled the SNAT and routing on the USG, put a PC on IP 10.9.230.146 and the VPN works correctly.

    Now I would be curious to know why the routing from computers on the 192.168.1.0/24 subnet doesn't work. If I keep these settings on the USG but add this route on a Linux PC:

    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface

    172.16.0.0  10.9.230.254   255.240.0.0     UG    0      0        0 enp5s0

    Shouldn't I be able to connect?

  • PeterUK
    PeterUK Posts: 2,848  Guru Member
    Answer ✓

    Now I would be curious to know why the routing from computers on 192.168.1.0/24 subnet doesn't work.

    Because the other end is expecting 10.9.230.145 – 10.9.230.150; when it sees 192.168.1.0/24 it will send it to its gateway and not down the tunnel.

    So we now know 10.9.230.146 works, so with SNAT by the VPN tunnel it should work.
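The selector logic behind this answer, as an added example that is not part of the thread or of any Zyxel code: a small model of a policy-based IPsec tunnel using the addresses posted above. It shows why a packet from 192.168.1.0/24 never matches the 10.9.230.144/29 selector (even with a static route pointing at the USG), why many-to-one SNAT into the /29 fixes it, and why a 1:1 SNAT of a /24 into a /29 cannot work. The host addresses and the choice of 10.9.230.145 as the SNAT address are assumptions for illustration.

```python
from ipaddress import ip_address, ip_network

# Phase 2 traffic selectors exactly as posted in the thread.
LOCAL_POLICY = ip_network("10.9.230.144/29")   # what the third party expects as our source
REMOTE_POLICY = ip_network("172.16.0.0/12")    # the third party's networks
LAN = ip_network("192.168.1.0/24")             # the real LAN behind the USG
SNAT_ADDR = ip_address("10.9.230.145")         # assumption: first usable address of the /29


def usable_snat_addresses(policy=LOCAL_POLICY):
    """Host addresses of the local policy that can serve as a SNAT address.

    ipaddress.hosts() already excludes the network (.144) and broadcast (.151)."""
    return [str(h) for h in policy.hosts()]


def matches_selectors(src, dst, local=LOCAL_POLICY, remote=REMOTE_POLICY):
    """Policy-based IPsec: a packet is sent through (and accepted from) the tunnel
    only if src is inside the local selector and dst inside the remote selector.
    The peer evaluates the mirror image, so one predicate models both ends."""
    return ip_address(src) in local and ip_address(dst) in remote


def apply_snat(src, dst, lan=LAN, snat_addr=SNAT_ADDR):
    """Many-to-one SNAT applied before encryption (the USG's 'SNAT by the VPN tunnel').
    Every LAN source is rewritten to the single /29 address; other sources are untouched."""
    return (str(snat_addr) if ip_address(src) in lan else src), dst


def one_to_one_snat_possible(inside, outside):
    """1:1 SNAT maps each inside address to its own outside address, so the outside
    range must be at least as large as the inside range. A /24 into a /29 cannot work."""
    return outside.num_addresses >= inside.num_addresses


def route_decision(src, dst, snat=False):
    """Where a packet from src to dst ends up on our side, with or without SNAT."""
    if snat:
        src, dst = apply_snat(src, dst)
    return "tunnel" if matches_selectors(src, dst) else "not-in-tunnel"


if __name__ == "__main__":
    print("usable SNAT addresses:", usable_snat_addresses())
    # A PC placed directly on the /29 works without SNAT (what the thread found).
    print("10.9.230.146 -> 172.16.0.10, no SNAT:", route_decision("10.9.230.146", "172.16.0.10"))
    # A PC on 192.168.1.0/24 never matches the selector, static route or not.
    print("192.168.1.10 -> 172.16.0.10, no SNAT:", route_decision("192.168.1.10", "172.16.0.10"))
    # With many-to-one SNAT into the /29 the same packet matches and goes down the tunnel.
    print("192.168.1.10 -> 172.16.0.10, SNAT   :", route_decision("192.168.1.10", "172.16.0.10", snat=True))
    print("1:1 SNAT /24 -> /29 possible?", one_to_one_snat_possible(LAN, LOCAL_POLICY))
```

The static route on the Linux PC only changes the next hop; the source address stays 192.168.1.x, which is outside the selector the peer negotiated, so neither end will put the packet in the tunnel. Rewriting the source to one of the six usable /29 addresses before encryption is what makes the packet match.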

  • DW_Informatica
    DW_Informatica Posts: 18  Freshman Member

    It works!

    Thanks a lot for your precious support.
