Local network -> IPSec Tunnel -> L2TP Tunnel routing

Alexey_Sukhoruchenko
edited May 7 in Security

Good day!
The model of the problematic router is ZyWALL USG 300
There was a need to create such a chain.

The diagram shows the problem based on the logs

I tried to solve it in the following ways:
- Specify the Policy Route with the following setting:
Incoming: any
Source addr: 192.168.5.0/24
Dest addr: 192.168.127.0
Next-Hop: IPSec Tunnel

- Add a firewall rule:
From: LAN1
To: IPSec_VPN
Source addr: 192.168.5.0/24
Dest addr: 192.168.127.0/24
Service: any
Access: allow

Neither helped; only the log enabled on the dynamic route began writing, when I tried to ping 192.168.127.254 or the gateway in the 127 subnet: ICMP packets dropped. No rule found

I understand that traffic does not go beyond the gateway (192.168.5.200) and stops there

Question 1: What does Zyxel mean by rules?
Question 2: How to solve the problem?

All Replies

  • PeterUK
    PeterUK Posts: 3,460  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited May 6

    Your diagram looks incorrect in places; could you redo it?

    Would the routing rule

    Dest addr: 192.168.127.0

    be a /24?

    Is there more than one gateway in 192.168.5.0/24?

    Is this site to site? What are the local and remote policies?
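    To make PeterUK's question about the destination object (a bare 192.168.127.0 versus 192.168.127.0/24) concrete, and to show how the OP's policy route and firewall rule interact, here is an added example written for this thread; it is not code from Zyxel or from either poster. It models a simplified USG-style forwarding decision: policy routes are matched top to bottom, the matching route's next hop decides the egress zone, and the firewall rule is then matched on from-zone, to-zone and addresses. The zone names, the fallback to a WAN default route when no policy route matches, and the treatment of a bare address as a single-host /32 object are assumptions of the model.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Simplified model of a USG-style forwarding decision (assumption for this
# illustration): policy routes are consulted first, first match wins; the
# chosen next hop determines the egress zone; the firewall rule is then
# matched on from-zone, to-zone and addresses. Zone names are constructed.


@dataclass
class PolicyRoute:
    name: str
    source: ipaddress.IPv4Network
    dest: ipaddress.IPv4Network
    next_hop_zone: str  # zone the packet leaves through if this route matches


@dataclass
class FirewallRule:
    name: str
    from_zone: str
    to_zone: str
    source: ipaddress.IPv4Network
    dest: ipaddress.IPv4Network
    allow: bool


def address_object(text: str) -> ipaddress.IPv4Network:
    """Parse an address object. A bare '192.168.127.0' becomes a single-host
    /32 object; only '192.168.127.0/24' covers the whole subnet."""
    return ipaddress.ip_network(text, strict=False)


def choose_route(routes, src, dst) -> Optional[PolicyRoute]:
    for r in routes:
        if src in r.source and dst in r.dest:
            return r
    return None


def forward(routes, rules, src_ip: str, dst_ip: str, in_zone: str = "LAN1") -> str:
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    route = choose_route(routes, src, dst)
    # No policy route hit: fall back to the default route, modelled here as WAN.
    out_zone = route.next_hop_zone if route else "WAN"
    for rule in rules:
        if (rule.from_zone == in_zone and rule.to_zone == out_zone
                and src in rule.source and dst in rule.dest):
            return f"{'allow' if rule.allow else 'deny'} via {out_zone} ({rule.name})"
    return f"dropped: no rule found (egress zone {out_zone})"


def simulate(dest_object: str) -> dict:
    """Run a ping from the PC at 192.168.5.10 through the OP's policy route
    (with the given destination object) and LAN1 -> IPSec_VPN firewall rule."""
    routes = [PolicyRoute("to_127", address_object("192.168.5.0/24"),
                          address_object(dest_object), "IPSec_VPN")]
    rules = [FirewallRule("lan1_to_vpn", "LAN1", "IPSec_VPN",
                          address_object("192.168.5.0/24"),
                          address_object("192.168.127.0/24"), True)]
    return {dst: forward(routes, rules, "192.168.5.10", dst)
            for dst in ("192.168.127.0", "192.168.127.254")}


if __name__ == "__main__":
    for obj in ("192.168.127.0", "192.168.127.0/24"):
        print(obj, simulate(obj))
```

    With the bare 192.168.127.0 object, only that one address matches the policy route; a ping to 192.168.127.254 falls through to the default route, leaves via a different zone than the firewall rule expects, and is reported as dropped with no rule found. With the /24 object the same ping matches the route and the rule. The model is deliberately simple and does not replace checking the actual route order and address objects on the USG.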

  • 192.168.5.0 is local. 192.168.127.0 is remote. 192.168.110.0 is intermediate, where the main equipment is located. In 5.0, one gateway is 192.168.5.200. It is connected site to site with 192.168.110.0. In 110.0 there is a router connected via L2TP with 127.0. This router must be used as a gateway when accessing 127.0 from 5.0.

  • PeterUK
    edited May 6

    Your diagram is not clear on where the USGs are. It's a bit of an art to interpret one's diagram.

    Do you see ICMP on 192.168.127.254 in Wireshark?

    Do you have 192.168.127.0/24 on both USGs?

  • I have the 127 policy on both USGs. I have corrected the diagram; I hope it will be clearer.

  • PeterUK
    edited May 7

    Still some things unclear.

    PC is 192.168.5.10, but what gateway does it use, and how is the USG300 connected to that gateway?

    Are the MikroTik devices routers or switches? Guessing green is routers, blue is switches?

    Is the routing rule at the top of the list?

    On the USG100, can you ping 192.168.127.254?
