IPSec VPN behind router and DMZ
Using the wizard (USG FLEX 100/200), I built an IPSec VPN.
The only modification I made is on the VPN gateway, setting "Peer ID Type" to "any" on both sides.
On one side the FLEX 100 is in a DMZ; on the other side, the FLEX 200 is behind the provider router (fixed IPs, NAT for 50, 51, 500, 4500, 47, 112 already done).
The VPN is coming up but there is no traffic (even ping does not respond).
Of course, local ping is responding on each side.
I had it running … deleted it to rebuild again (no modification made on the provider router) but it is not running this time… I messed something up…
Many thanks for your help…
All Replies
You need to allow from VPN zone to LAN/DMZ and from LAN/DMZ to VPN zone
Note: pinging a PC needs its firewall to allow inbound ICMP
Thanks for your reply.
"You need to allow from VPN zone to LAN/DMZ and from LAN/DMZ to VPN zone"
Isn't it created by the wizard?
"Note: pinging a PC needs its firewall to allow inbound ICMP"
I can ping them locally.
The monitor shows only Outbound Bytes from the FLEX 50 (not 100, sorry).
Thanks again.
Not sure what the wizard does; I do it manually. Check that the Zone for the VPN connection made is IPSec_VPN.
I see IPSec_VPN_Outgoing and IPSec_VPN_to_Device in the previous message (picture 1) in policy control.
I've got it on both sides.
Can you ping the LAN address of remote router?
Do you have some other device to ping? A PC can have local firewall.
"Can you ping the LAN address of remote router?"
"Do you have some other device to ping? A PC can have local firewall."
Yes, on each side I've got many devices I can ping locally.
PeterUK, what do you mean by "You need to allow from VPN zone to LAN/DMZ and from LAN/DMZ to VPN zone"?
Where do I have to do it? Policy control? On both sides?
Thanks again to all of you…
You likely need a policy control rule from DMZ to IPSec_VPN if the VPN connection uses that zone.
From the image you posted (so, from the point of view of that tunnel side)
LAN1 can go into tunnel
DMZ cannot go into tunnel
Tunnel can go both into LAN1 and DMZ
You have all "allow rules" but the last one. If something does not fit the rules, it is blocked by the default rule and the event is logged.
So, you could look at the logs.
Are the firewalls able to ping each other on their LAN addresses?
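The zone-pair reasoning in the reply above (each local zone must be allowed both into and out of the tunnel zone, otherwise the default rule drops and logs the traffic), as an added audit script that is not part of the thread and not Zyxel's own tooling. The rule table is constructed to mirror the thread's description; the zone names and tuple format are assumptions, not the real policy export format.

```python
# Added example: audit a first-match zone policy table for a VPN tunnel.
# Constructed rule table modeled on the thread (assumption, not a device export).
# Each rule is (from_zone, to_zone, action); the last entry is the default rule.
RULES = [
    ("LAN1", "IPSec_VPN", "allow"),
    ("IPSec_VPN", "LAN1", "allow"),
    ("IPSec_VPN", "DMZ", "allow"),
    ("IPSec_VPN", "ZyWALL", "allow"),   # tunnel to the device itself
    ("any", "any", "deny"),              # default rule: drop and log
]


def evaluate(rules, src, dst):
    """Return the action of the first rule matching the (src, dst) zone pair."""
    for frm, to, action in rules:
        if frm in (src, "any") and to in (dst, "any"):
            return action
    return "deny"  # no rule at all behaves like an implicit deny


def audit_tunnel(rules, tunnel_zone, local_zones):
    """List zone pairs touching the tunnel that fall through to a deny.

    A reply only comes back if both directions are allowed, so each local
    zone is checked into the tunnel and from the tunnel back to it.
    """
    blocked = []
    for zone in local_zones:
        for src, dst in ((zone, tunnel_zone), (tunnel_zone, zone)):
            if evaluate(rules, src, dst) != "allow":
                blocked.append((src, dst))
    return blocked


if __name__ == "__main__":
    # With the constructed table this reports only DMZ -> IPSec_VPN,
    # matching the reply's "DMZ cannot go into tunnel".
    for src, dst in audit_tunnel(RULES, "IPSec_VPN", ["LAN1", "DMZ"]):
        print(f"blocked by default rule: {src} -> {dst}")
```

Run it on both sides' tables: the same zone pair missing on either firewall is enough to keep pings from answering, and the dropped packets show up in that side's log as hits on the default rule.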
Just to be sure, a picture of our organization:
We can ping other devices locally on each side.
We cannot ping devices on the other site, but we can see inbound traffic (a few bytes) on the "Company" monitor/VPN.
Here is the policy; it is quite the same on each side:
The USG Flex on the "Branch" is in the DMZ of the provider router.
There is nothing in the USG Flex DMZ.
I'm not sure I'm doing the right things…
Many thanks again
Sorry, read instead of