FLEX100H: Traffic from Zywall not go through Policy-based IPsec VPN

2»

All Replies

  • PeterUK
    PeterUK Posts: 3,459  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited December 1

    Unsure why their is a problem, someone else might know and look into this for you

  • szn
    szn Posts: 16  Freshman Member
    First Comment Friend Collector

    Peter thank you.

  • Zyxel_Melen
    Zyxel_Melen Posts: 2,577  Zyxel Employee
    Zyxel Certified Network Engineer Level 1 - Switch Zyxel Certified Network Administrator - Switch Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate

    Hi @szn,

    Could you help to clarify:

    1. Does the server receive packets from the firewall? Could you use wireshark or tcpdump on your server to check it?

    Zyxel Melen


  • szn
    szn Posts: 16  Freshman Member
    First Comment Friend Collector

    Hi,

    will try to describe the issue better:

    configuration (IPsec VPN created using wizzard)

    What is working, where is issue:

    a) from Server1: ping Server2 OK (over IPsec)

    b) from Server1: ping Zyxel2 (LANport 192.168.64.1) OK (over IPsec)

    c) from Zyxel1: ping Server1 OK (local LAN)

    d) from Zycel1: ping Server 2 NOT-OK (from Zyxel1 over IPsec)

    e) from Zycel1: ping Zyxel2 (LANport 192.169.64.1) NOT-OK (from Zyxel1 over IPsec)

    For a), b) and c) there are events in log as expected (FORWARD PASS)

    However, I could not found any event in log (all logging enabled) related to case d) and e).

    If one look for case d). What is expected src adress? Could be WAN IP (strange), Site2-LAN-port (192.168.64.1) or Site1-LAN-port(192.168.2.1). It looks like as the packet do not arrive to any processing - rules engine?

  • Zyxel_Melen
    Zyxel_Melen Posts: 2,577  Zyxel Employee
    Zyxel Certified Network Engineer Level 1 - Switch Zyxel Certified Network Administrator - Switch Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate

    Hi @szn,

    Thanks for the detailed information.

    Please try using the command with source IP: "cmd ping source <Source interface IP> <Destination IP>".

    Zyxel Melen


  • szn
    szn Posts: 16  Freshman Member
    First Comment Friend Collector

    from zyxel1

    cmd ping 192.168.64.1 source 192.168.2.1

    is successful.

    I have also did packet trace for:

    cmd ping 192.168.64.1

    in this case src is IP address of WAN interface.

    How to configure security policy that also this packet will go into ipsec vpn?

  • PeterUK
    PeterUK Posts: 3,459  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary

    Does both ends of the VPN site to site setting show you have a zone set to it IPSec_VPN and is not set to none?

  • Zyxel_Melen
    Zyxel_Melen Posts: 2,577  Zyxel Employee
    Zyxel Certified Network Engineer Level 1 - Switch Zyxel Certified Network Administrator - Switch Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate

    Hi @szn & @PeterUK,

    This issue is related to the policy-based VPN tunnel. Due to its mechanism, the firewall might not use the correct interface to send ICMP packets. Therefore, you must specify the source interface IP when doing a ping test.

    Additionally, the route-based VPN tunnel won't have this issue since the mechanism is different.

    Zyxel Melen


  • szn
    szn Posts: 16  Freshman Member
    First Comment Friend Collector

    Thx, this explains the behavior.