Local network -> IPSec Tunnel -> L2TP Tunnel routing

Alexey_Sukhoruchenko
Alexey_Sukhoruchenko Posts: 4
First Comment Friend Collector
edited May 7 in Security

Good day!
The model of the problematic router is ZyWALL USG 300
There was a need to create such a chain.

The diagram shows the problem based on the logs

image.png

I tried to solve it in the following ways:
- Specify the Policy Route with the following setting:
Incoming: any
Source addr: 192.168.5.0/24
Dest addr: 192.168.127.0
Next-Hop: IPSec Tunnel

- Add a firewall rule:
From: LAN1
To: IPSec_VPN
Source addr: 192.168.5.0/24
Dest addr: 192.168.127.0/24
Service: any
Access: allow

Neither helped, only the enabled log in the dynamic route began to write when trying to ping 192.168.127.254 or the gateway in the 127 subnet: ICMP packets dropped. No rule found

I understand that traffic does not go beyond the gateway (192.168.5.200) and stops there

Question 1: What does zyxel mean by rules?
Question 2: How to solve the problem?

All Replies

  • PeterUK
    PeterUK Posts: 3,461  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited May 6

    Your diagram looks incorrect in places could you redo?

    would the routing rule

    Dest addr: 192.168.127.0

    be a /24

    is there more then one gateway in 192.168.5.0/24 ?

    this site to site? what are the local and remote policy?

  • Alexey_Sukhoruchenko
    Alexey_Sukhoruchenko Posts: 4
    First Comment Friend Collector
    https://community.zyxel.com/en/discussion/comment/65321#Comment_65321

    192.168.5.0 is local. 192.168.127.0 is remote. 192.168.110.0 - intermediate, where the main equipment is located. In 5.0, one gateway is 192.168.5.200. it is connected site to site with 192.168.110.0. in 110.0 there is a router connected via l2tp with 127.0. this router must be used as a gateway when accessing 127.0 from 5.0

  • PeterUK
    PeterUK Posts: 3,461  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited May 6

    Your diagram is not clear where the USG are Its a bit of a art to interpreting ones diagram

    do you see ICMP on 192.168.127.254 by Wireshark?  

    do you have 192.168.127.0/24 on both USG?

  • Alexey_Sukhoruchenko
    Alexey_Sukhoruchenko Posts: 4
    First Comment Friend Collector
    https://community.zyxel.com/en/discussion/comment/65327#Comment_65327

    I have 127 policy on both USG. I have corrected the diagram, I hope it will be clearer

  • PeterUK
    PeterUK Posts: 3,461  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited May 7

    Still some things unclear

    PC is 192.168.5.10 but what gateway does it use and USG300 is to that gateway?

    Are the Mikrotic routers or switches? guessing green is routers blue is switch?

    is the routing rule top of the list?

    on the USG100 can you ping 192.168.127.254 ?

Categories

Security Highlight


Read more

Security Help Center

EnglishTiếng ViệtРусскийไทย中文(台灣)