FLEX100H: Traffic from ZyWALL does not go through Policy-based IPsec VPN
All Replies
-
Unsure why there is a problem; someone else might know and look into this for you.
0 -
Peter, thank you.
0 -
Hi @szn,
Could you help to clarify:
- Does the server receive packets from the firewall? Could you use Wireshark or tcpdump on your server to check it?
Zyxel Melen
0 -
Hi,
I will try to describe the issue better:
Configuration (IPsec VPN created using the wizard).
What is working and where the issue is:
a) from Server1: ping Server2 OK (over IPsec)
b) from Server1: ping Zyxel2 (LANport 192.168.64.1) OK (over IPsec)
c) from Zyxel1: ping Server1 OK (local LAN)
d) from Zyxel1: ping Server2 NOT-OK (from Zyxel1 over IPsec)
e) from Zyxel1: ping Zyxel2 (LANport 192.169.64.1) NOT-OK (from Zyxel1 over IPsec)
For a), b) and c) there are events in the log as expected (FORWARD PASS).
However, I could not find any event in the log (all logging enabled) related to cases d) and e).
If one looks at case d): what is the expected src address? It could be the WAN IP (strange), the Site2 LAN port (192.168.64.1) or the Site1 LAN port (192.168.2.1). It looks like the packet does not arrive at any processing (rules engine?).
0 -
Hi @szn,
Thanks for the detailed information.
Please try using the command with source IP: "cmd ping source <Source interface IP> <Destination IP>".
Zyxel Melen
0 -
From Zyxel1:
cmd ping 192.168.64.1 source 192.168.2.1
is successful.
I have also done a packet trace for:
cmd ping 192.168.64.1
In this case the src is the IP address of the WAN interface.
How do I configure the security policy so that this packet also goes into the IPsec VPN?
0 -
Do both ends of the VPN site-to-site setting show that you have the zone set to IPSec_VPN and not set to none?
0 -
This issue is related to the policy-based VPN tunnel. Due to its mechanism, the firewall might not use the correct interface to send ICMP packets. Therefore, you must specify the source interface IP when doing a ping test.
Additionally, the route-based VPN tunnel won't have this issue since the mechanism is different.
Zyxel Melen
0 -
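To make the selector behaviour described in this answer concrete, here is an added model (example code, not from Zyxel or this thread) of how a policy-based tunnel decides whether a firewall-originated packet is encrypted. It reuses the thread's Site1/Site2 networks; the WAN address and the Server2 address are constructed placeholders.

```python
import ipaddress

# Constructed topology taken from the thread: Site1 LAN 192.168.2.0/24 behind Zyxel1
# (LAN IP 192.168.2.1), Site2 LAN 192.168.64.0/24 behind Zyxel2 (LAN IP 192.168.64.1).
ZYXEL1_LAN = ipaddress.ip_address("192.168.2.1")
ZYXEL1_WAN = ipaddress.ip_address("198.51.100.10")  # placeholder WAN IP (documentation range)
ZYXEL2_LAN = ipaddress.ip_address("192.168.64.1")
SERVER2 = ipaddress.ip_address("192.168.64.2")      # constructed host address

# Policy-based tunnel: traffic is selected by a local/remote network pair (the wizard's
# "local policy" and "remote policy"), not by a route to a tunnel interface.
LOCAL_SELECTOR = ipaddress.ip_network("192.168.2.0/24")
REMOTE_SELECTOR = ipaddress.ip_network("192.168.64.0/24")


def pick_source(source_override=None):
    """Model the firewall's own source selection for a self-originated ping.

    An explicit 'cmd ping <dst> source <ip>' wins; otherwise the egress (WAN) interface
    address is used, which matches what the packet trace in the thread showed.
    """
    return source_override if source_override is not None else ZYXEL1_WAN


def policy_based_decision(src, dst):
    """Only a packet matching BOTH selectors is handed to IPsec; anything else follows
    ordinary routing and never enters the tunnel, so the far side never sees it."""
    if src in LOCAL_SELECTOR and dst in REMOTE_SELECTOR:
        return "ipsec"
    return "no_match"


def route_based_decision(src, dst, tunnel_routes=(REMOTE_SELECTOR,)):
    """Route-based (VTI) model: a route for the destination via the tunnel interface is
    enough; the source address does not take part in the selection."""
    return "ipsec" if any(dst in net for net in tunnel_routes) else "no_match"


def self_originated_ping(dst, source_override=None, mode="policy"):
    """Return (chosen source, path) for a ping issued from Zyxel1 itself."""
    src = pick_source(source_override)
    decide = policy_based_decision if mode == "policy" else route_based_decision
    return str(src), decide(src, dst)
```

Case d)/e) from the thread is `self_originated_ping(ZYXEL2_LAN)`: the WAN source is outside the local selector, so the packet never matches the tunnel and no VPN log entry appears; adding `source 192.168.2.1` or switching to a route-based tunnel changes the decision.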
Thx, this explains the behavior.
0