Trouble with site to site VPN

Yari
Yari Posts: 6  Freshman Member
First Comment

Hello, 

I am writing because I have a problem with a site-to-site VPN. I set up the tunnel correctly with this scenario:

Site A
USG FLEX 50 with firmware 5.39 (static IP)
LAN1 10.1.10.X
with many VLANs: 192.168.10.X, 192.168.20.X …

Site B (dynamic peer behind CGNAT)
USG FLEX 200
LAN1 10.1.11.X
with many VLANs: 192.168.11.X, 192.168.21.X

The VPN tunnel is OK, because if I ping the LAN 10.1.11.X from Site A it works, and it also works from Site B to the LAN 10.1.10.X.

The trouble is that I need to force the VLAN 192.168.21.X from Site B to go through the tunnel. I set the policy routes like this:

Site A
Create the subnet 192.168.21.1/24 of firewall Site B in Object/Address, with the policy (user: any, incoming: any, source address: LAN1 subnet, destination address: subnet 192.168.21.1/24, DSCP code: any, schedule: none, service: any, next-hop: VPN tunnel, with the tunnel created).

Site B
Create the subnet 10.1.10.1/24 of firewall Site A in Object/Address, with the policy (user: any, incoming: tunnel, source address: subnet 10.1.10.1/24, destination address: subnet 192.168.21.1/24, DSCP code: any, schedule: none, service: any, next-hop: Auto).

I also created a security policy on both firewalls, with logging, from tunnel to LAN1 and vice versa, so I can see the packet flow from firewall Site A to firewall Site B, but when I ping nothing responds.

I used some online guides but I can't resolve this problem; is there something else I can do to correct this?

For the moment I created a new VPN tunnel for this scenario and it works, but I think this is not the correct way.

Online I also saw that one can create a VTI, but a site-to-site VPN with a dynamic peer cannot be created that way.

Thanks

All Replies

  • PeterUK
    PeterUK Posts: 3,693  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary

Do the Site A and Site B routing rules both have destination 192.168.21.1/24?

Is the next hop on Site B "Auto" and not the VPN tunnel?

  • Yari
    Yari Posts: 6  Freshman Member

    Hello Peter, Thanks for the response.

I have created these 2 entries on each firewall under Object/Address:

    Site A
    REMOTE_VLAN_B → SUBNET → 192.168.21.1/24
    LOCAL_VLAN_A → SUBNET → 192.168.10.1/24

    SITE B
    REMOTE_VLAN_A → SUBNET → 192.168.10.1/24
LOCAL_VLAN_B → SUBNET → 192.168.21.1/24

Then I created these 2 policies on Site A

    and

Then I created these 2 policies on Site B

    and

I also created these 2 security policies on each firewall, reversing A with B

    and this

After this I tried to ping from Site A to Site B, and in the log I see the packet on firewall A and on firewall B, but nothing responds to the ping.

"In the picture there are 2 policies that were disabled, but during the test they were enabled."

    This is the setting of the tunnel.

  • PeterUK
    PeterUK Posts: 3,693  Guru Member

You can remove the routing rules with next-hop Auto and move the two rules with next-hop WIZ_VPN to the top of the list.

Was the other site also done by the wizard? Do both VPNs use "TUNNEL" as the zone?
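Added example, not code from the thread or from Zyxel: a first-match policy-route lookup modelled with Python's standard `ipaddress` module, used to trace the ping from Site A LAN1 to Site B VLAN_21 and, more importantly, its reply, under the rules posted above. The model assumes (as a simplification of the USG FLEX behaviour the thread describes) that policy routes are evaluated top to bottom with the first match winning, that next-hop "tunnel" hands the packet to the site-to-site VPN, and that next-hop "Auto" means the main routing table, i.e. a directly connected subnet if there is one and otherwise the default route out of the WAN. The host addresses 10.1.10.50 and 192.168.21.50 are constructed for the trace.

```python
"""Added example (not the thread's or Zyxel's code): first-match policy-route
lookup, traced for an ICMP echo request A->B and its reply B->A.

Model assumptions (simplified USG FLEX behaviour):
  * policy routes are evaluated top to bottom, first match wins;
  * next-hop "tunnel" hands the packet to the site-to-site VPN;
  * next-hop "auto" means the main routing table: a directly connected
    subnet if one matches, otherwise the default route out of the WAN.
"""
from ipaddress import ip_address, ip_network


def rule(incoming, src, dst, next_hop):
    return {"incoming": incoming, "src": ip_network(src),
            "dst": ip_network(dst), "next_hop": next_hop}


def forward(fw, incoming, src, dst):
    """Where firewall `fw` sends a packet: 'tunnel', 'local' or 'wan'."""
    src, dst = ip_address(src), ip_address(dst)
    for r in fw["policy_routes"]:
        if r["incoming"] in ("any", incoming) and src in r["src"] and dst in r["dst"]:
            if r["next_hop"] != "auto":
                return r["next_hop"]
            break  # first match was "auto": consult only the main table
    if any(dst in net for net in fw["connected"]):
        return "local"
    return "wan"  # default route; from Site B (behind CGNAT) this never reaches A


def trace_ping(site_a, site_b, src="10.1.10.50", dst="192.168.21.50"):
    """Echo request A->B, then echo reply B->A; stops at the first dead end."""
    hops = [("A request", forward(site_a, "lan1", src, dst))]
    if hops[-1][1] != "tunnel":
        return hops
    hops.append(("B request", forward(site_b, "tunnel", src, dst)))
    if hops[-1][1] != "local":
        return hops
    # the reply enters Site B from VLAN_21 with source and destination swapped
    hops.append(("B reply", forward(site_b, "vlan21", dst, src)))
    if hops[-1][1] != "tunnel":
        return hops
    hops.append(("A reply", forward(site_a, "tunnel", dst, src)))
    return hops


SITE_A = {
    "connected": [ip_network("10.1.10.0/24"), ip_network("192.168.10.0/24")],
    # as posted: LAN1 subnet -> 192.168.21.0/24, next-hop VPN tunnel
    "policy_routes": [rule("any", "10.1.10.0/24", "192.168.21.0/24", "tunnel")],
}
SITE_B_AS_POSTED = {
    "connected": [ip_network("10.1.11.0/24"), ip_network("192.168.21.0/24")],
    # as posted: incoming tunnel, 10.1.10.0/24 -> 192.168.21.0/24, next-hop Auto
    "policy_routes": [rule("tunnel", "10.1.10.0/24", "192.168.21.0/24", "auto")],
}
# mirror of the Site A rule: VLAN_21 -> Site A LAN1, next-hop VPN tunnel
MIRROR_RULE = rule("any", "192.168.21.0/24", "10.1.10.0/24", "tunnel")
SITE_B_MIRRORED = {**SITE_B_AS_POSTED, "policy_routes": [MIRROR_RULE]}
# an "auto" rule matching the same reply traffic, left ABOVE the tunnel rule
SITE_B_AUTO_ON_TOP = {**SITE_B_AS_POSTED, "policy_routes": [
    rule("any", "192.168.21.0/24", "10.1.10.0/24", "auto"), MIRROR_RULE]}


def ping_as_posted():
    return trace_ping(SITE_A, SITE_B_AS_POSTED)


def ping_with_mirror_rule():
    return trace_ping(SITE_A, SITE_B_MIRRORED)


def ping_with_auto_rule_on_top():
    return trace_ping(SITE_A, SITE_B_AUTO_ON_TOP)


if __name__ == "__main__":
    for name, fn in [("as posted", ping_as_posted),
                     ("mirror rule, next-hop tunnel", ping_with_mirror_rule),
                     ("auto rule above tunnel rule", ping_with_auto_rule_on_top)]:
        print(f"{name}: {fn()}")
```

With the rules as posted the request reaches VLAN_21 and the reply leaves Site B via the main routing table, i.e. out of the CGNAT WAN, so the ping is logged on both firewalls but never answered; a mirrored rule on Site B with next-hop on the tunnel completes the round trip, and an "Auto" rule placed above it swallows the match again, which is why rule order on the list matters in this model.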

  • Yari
    Yari Posts: 6  Freshman Member

The 2 rules that were not active in the picture I have now erased; the other two, with next-hop on the tunnel, are the only rules I have on each firewall, so they are first.

Yes, both sides of the VPN have the zone "TUNNEL", and both VPNs were made using the wizard.

  • PeterUK
    PeterUK Posts: 3,693  Guru Member

List the LAN/VLAN IP subnets from both sites.

  • Yari
    Yari Posts: 6  Freshman Member
    edited March 25

    Site A

WAN → DHCP assigned from the ISP

    LAN1 → 10.1.10.1/24 / LAN2 → 10.2.10.1/24

VLAN_10 → 192.168.10.1/24 / VLAN_20 → 192.168.20.1/24 / VLAN_30 → 192.168.30.1/24 / VLAN_40 → 192.168.1.40/24 / VLAN_50 → 192.168.50.1 / VLAN_70 → 192.168.1.70/24 / VLAN_100 → 192.168.100.1/24

    DMZ →192.168.250.1/24

    Site B

    WAN1 10.0.11.1/24

    LAN1 -> 10.1.11.1/24 / LAN2 -> 10.2.11.1/24

VLAN_11 → 192.168.11.1/24 / VLAN_21 → 192.168.21.1/24 / VLAN_31 → 192.168.1.31/24 / VLAN_41 → 192.168.1.41 / VLAN_51 → 192.168.1.51/24 / VLAN_71 → 192.168.71.1/24 / VLAN_101 → 192.168.101.1/24

    DMZ 192.168.251.1/24

  • PeterUK
    PeterUK Posts: 3,693  Guru Member
    edited March 25

Looks to be an error?

    VLAN_31 -> 192.168.1.31/24 / VLAN_41 → 192.168.1.41 /

Do you have any other routing rules on either site?

    Does the device you ping have a firewall?
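Added example, not code from the thread: an overlap audit of the interface subnets listed in the two posts above, using Python's standard `ipaddress` module. The lists are transcribed from those posts; the two entries given without a prefix length (VLAN_50 on Site A, VLAN_41 on Site B) are assumed to be /24 here, which is an assumption of this example.

```python
"""Added example (not from the thread): find interfaces on both sites whose
subnets collide, the kind of error flagged in the reply above.

Subnets transcribed from the thread; prefix length assumed /24 where the
post gave none (VLAN_50, VLAN_41).
"""
from collections import defaultdict
from ipaddress import ip_interface

SITE_A = {
    "LAN1": "10.1.10.1/24", "LAN2": "10.2.10.1/24",
    "VLAN_10": "192.168.10.1/24", "VLAN_20": "192.168.20.1/24",
    "VLAN_30": "192.168.30.1/24", "VLAN_40": "192.168.1.40/24",
    "VLAN_50": "192.168.50.1/24",  # mask assumed
    "VLAN_70": "192.168.1.70/24", "VLAN_100": "192.168.100.1/24",
    "DMZ": "192.168.250.1/24",
}
SITE_B = {
    "WAN1": "10.0.11.1/24",
    "LAN1": "10.1.11.1/24", "LAN2": "10.2.11.1/24",
    "VLAN_11": "192.168.11.1/24", "VLAN_21": "192.168.21.1/24",
    "VLAN_31": "192.168.1.31/24", "VLAN_41": "192.168.1.41/24",  # mask assumed
    "VLAN_51": "192.168.1.51/24", "VLAN_71": "192.168.71.1/24",
    "VLAN_101": "192.168.101.1/24", "DMZ": "192.168.251.1/24",
}
SITES = {"A": SITE_A, "B": SITE_B}


def networks_by_prefix(sites=SITES):
    """Map each network (interface address with host bits cleared) to the
    (site, interface) pairs that live on it."""
    groups = defaultdict(list)
    for site, ifaces in sites.items():
        for name, addr in ifaces.items():
            groups[ip_interface(addr).network].append((site, name))
    return groups


def conflicting_networks(sites=SITES):
    """Networks configured on more than one interface, across both sites.
    Two VLANs on the same /24 cannot be routed apart, on a tunnel or anywhere."""
    return {str(net): sorted(members)
            for net, members in networks_by_prefix(sites).items()
            if len(members) > 1}


def nested_overlaps(sites=SITES):
    """Pairs of distinct networks that overlap (e.g. a /16 containing a /24)."""
    nets = list(networks_by_prefix(sites))
    return [(str(a), str(b)) for i, a in enumerate(nets)
            for b in nets[i + 1:] if a.overlaps(b)]


def first_host_mismatch(sites=SITES):
    """Interfaces whose address is not the first host of their network,
    a hint that a VLAN id was typed into the third octet instead of the fourth."""
    out = []
    for site, ifaces in sites.items():
        for name, addr in ifaces.items():
            iface = ip_interface(addr)
            if iface.ip != iface.network.network_address + 1:
                out.append((site, name, addr))
    return sorted(out)


if __name__ == "__main__":
    for net, members in conflicting_networks().items():
        print(f"{net} is shared by: {', '.join(f'{s}/{n}' for s, n in members)}")
    print("nested overlaps:", nested_overlaps())
    print("non-.1 interface addresses:", first_host_mismatch())
```

Run as is, the audit reports a single network, 192.168.1.0/24, carried by five different interfaces (VLAN_40 and VLAN_70 on Site A, VLAN_31, VLAN_41 and VLAN_51 on Site B); every one of those VLANs is the same broadcast domain as far as routing is concerned, so no policy route can distinguish them.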

  • Yari
    Yari Posts: 6  Freshman Member

Yes, VLAN_41 → 192.168.1.41/24

No, I don't have any other routing rules made by me.

But now I looked at the settings of the VPN for access with mobile phones that I have on Site A, and I see that its subnet is 0.0.0.0/0.

Can this be a problem?

On the PC that I try to ping I switched off Windows Defender, the firewall and the antivirus.

  • PeterUK
    PeterUK Posts: 3,693  Guru Member
    edited March 25

    Do you see any blocked traffic in logs?