Trouble with site to site VPN

Posts: 7  Freshman Member

Hello, 

I am writing because I have a problem with a site-to-site VPN. I set up the tunnel correctly with this scenario:

Site A
USG FLEX 50 with firmware 5.39 (STATIC IP)
LAN 1  10.1.10.X
with many VLANs 192.168.10.X - 192.168.20.X …

Site B  (DYNAMIC PEER WITH CGNAT)
USG FLEX 200
LAN 1  10.1.11.X
with many VLANs 192.168.11.X - 192.168.21.X

The VPN tunnel is OK, because if I ping the LAN 10.1.11.X from Site A it works, and it also works from Site B to the LAN 10.1.10.X.

The trouble is that I need to force the VLAN 192.168.21.X from Site B to go through the tunnel. I set the policy route like this:

Site A
Create the subnet 192.168.21.1/24 of firewall site B in the Object/Address, with the policy (user: any, incoming: any, source address: LAN 1 subnet, destination address: subnet 192.168.21.1/24, DSCP code: any, schedule: none, service: any, next-hop: VPN tunnel, with the tunnel created).

Site B
Create the subnet 10.1.10.1/24 of firewall site A in the Object/Address, with the policy (user: any, incoming: tunnel, source address: 10.1.10.1/24 subnet, destination address: subnet 192.168.21.1/24, DSCP code: any, schedule: none, service: any, next-hop: Auto).

I also created a security policy in both firewalls, with logging, from tunnel to LAN1 and vice versa, so I can see the packet flow from firewall site A to firewall site B, but when I ping, nothing responds.

I used some online guides but I can't resolve this problem. Is there something else I can do to correct this?

For the moment I have created a new VPN tunnel for this scenario and it works, but I think this is not the correct way.

Online I also saw how to create a VTI, but a site-to-site VPN with a dynamic peer is not possible to create that way.

Thanks


All Replies

  • Posts: 3,700  Guru Member

    Do the site A and site B routing rules both have destination 192.168.21.1/24?

    Is the next hop on site B "Auto" and not the VPN tunnel?

  • Posts: 7  Freshman Member

    Hello Peter, Thanks for the response.

    I have created on each firewall, under Object/Address, these 2 configurations:

    Site A
    REMOTE_VLAN_B → SUBNET → 192.168.21.1/24
    LOCAL_VLAN_A → SUBNET → 192.168.10.1/24

    Site B
    REMOTE_VLAN_A → SUBNET → 192.168.10.1/24
    LOCAL_VLAN_B → SUBNET → 192.168.21.1/24

    Then I created these 2 policies on Site A

    and

    Then I created these 2 policies on Site B

    and

    I also created these 2 security policies on each firewall, reversing A with B

    and this

    After this I tried to ping from site A to site B, and in the log I see the packet in firewall A and B, but nothing responds to the ping.

    "I see in the picture there are 2 policies that were disabled, but during the test they were enabled"

    These are the settings of the tunnel.

  • Posts: 3,700  Guru Member

    You can remove the routing rules with next hop "Auto" and move the two rules with next hop WIZ_VPN to the top of the list.

    Was the other site done by the wizard? Do both VPNs use "TUNNEL" as the zone?

  • Posts: 7  Freshman Member

    The 2 rules that were not active in the picture I have now erased, both of them; the other 2 with next-hop on the tunnel are the only rules I have on each firewall, so they are first.

    Yes, both sides of the VPN have the zone "TUNNEL", and both VPNs were made using the wizard.

  • Posts: 3,700  Guru Member

    List the LAN/VLAN IP subnets from both sites.

  • Posts: 7  Freshman Member
    edited March 25

    Site A

    WAN → DHCP assigned from the ISP

    LAN1 → 10.1.10.1/24 / LAN2 → 10.2.10.1/24

    VLAN_10 → 192.168.10.1/24 / VLAN_20 → 192.168.20.1/24 / VLAN_30 → 192.168.30.1/24 / VLAN_40 → 192.168.1.40/24 / VLAN_50 → 192.168.50.1 / VLAN_70 → 192.168.1.70/24 / VLAN_100 → 192.168.100.1/24

    DMZ → 192.168.250.1/24

    Site B

    WAN1 → 10.0.11.1/24

    LAN1 → 10.1.11.1/24 / LAN2 → 10.2.11.1/24

    VLAN_11 → 192.168.11.1/24 / VLAN_21 → 192.168.21.1/24 / VLAN_31 → 192.168.1.31/24 / VLAN_41 → 192.168.1.41 / VLAN_51 → 192.168.1.51/24 / VLAN_71 → 192.168.71.1/24 / VLAN_101 → 192.168.101.1/24

    DMZ → 192.168.251.1/24
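    The interface lists above are the kind of input a site-to-site VPN plan has to be checked against: every VLAN that should reach the other side must sit in a network that exists on exactly one end, must not overlap any other network on either end, and must fall inside the tunnel's traffic selectors. The following script is an added example, not part of this thread or of any Zyxel tool. It uses only Python's standard `ipaddress` module, takes the addresses exactly as listed in the thread (VLAN_41 is taken as /24, which the poster confirms later; VLAN_50 had no prefix length, so /24 is assumed), and reports overlapping networks within a site, networks that appear on both sites, and how much of a site a traffic selector such as 0.0.0.0/0 would swallow. The function names are my own.

```python
import ipaddress
from itertools import combinations, product

# Interface addresses as listed in the thread. Assumptions: VLAN_41 is /24
# (confirmed later in the thread); VLAN_50 had no prefix, /24 is assumed here.
SITES = {
    "A": {
        "LAN1": "10.1.10.1/24", "LAN2": "10.2.10.1/24",
        "VLAN_10": "192.168.10.1/24", "VLAN_20": "192.168.20.1/24",
        "VLAN_30": "192.168.30.1/24", "VLAN_40": "192.168.1.40/24",
        "VLAN_50": "192.168.50.1/24", "VLAN_70": "192.168.1.70/24",
        "VLAN_100": "192.168.100.1/24", "DMZ": "192.168.250.1/24",
    },
    "B": {
        "WAN1": "10.0.11.1/24",
        "LAN1": "10.1.11.1/24", "LAN2": "10.2.11.1/24",
        "VLAN_11": "192.168.11.1/24", "VLAN_21": "192.168.21.1/24",
        "VLAN_31": "192.168.1.31/24", "VLAN_41": "192.168.1.41/24",
        "VLAN_51": "192.168.1.51/24", "VLAN_71": "192.168.71.1/24",
        "VLAN_101": "192.168.101.1/24", "DMZ": "192.168.251.1/24",
    },
}


def networks(site):
    """Map interface name -> the network the interface address really lives in.

    ip_interface() keeps the host part, so "192.168.1.40/24" becomes the
    network 192.168.1.0/24, which is what the router actually installs.
    """
    return {name: ipaddress.ip_interface(addr).network
            for name, addr in SITES[site].items()}


def overlapping_interfaces(site):
    """Pairs of interfaces on one site whose networks overlap (sorted by name)."""
    nets = sorted(networks(site).items())
    return [(a, b) for (a, na), (b, nb) in combinations(nets, 2)
            if na.overlaps(nb)]


def cross_site_overlaps():
    """Pairs (site A interface, site B interface) that share address space.

    A network present on both ends of a site-to-site tunnel cannot be routed
    through it: each end believes the destination is local.
    """
    a, b = sorted(networks("A").items()), sorted(networks("B").items())
    return [(na, nb) for (na, neta), (nb, netb) in product(a, b)
            if neta.overlaps(netb)]


def owners(site, address_object):
    """Interfaces on `site` whose network equals an address object such as
    "192.168.21.1/24" (the form used in the thread's policy routes)."""
    target = ipaddress.ip_interface(address_object).network
    return sorted(name for name, net in networks(site).items() if net == target)


def covered_by(selector, site):
    """Interfaces on `site` that a traffic selector (e.g. a remote policy
    of 0.0.0.0/0) would match. A catch-all selector covers every network."""
    sel = ipaddress.ip_interface(selector).network
    return sorted(name for name, net in networks(site).items()
                  if net.subnet_of(sel))


if __name__ == "__main__":
    for site in SITES:
        print(f"site {site} overlapping interfaces:", overlapping_interfaces(site))
    print("networks present on both sites:", cross_site_overlaps())
    print("site B owner of 192.168.21.1/24:", owners("B", "192.168.21.1/24"))
    print("site B interfaces covered by 0.0.0.0/0:", covered_by("0.0.0.0/0", "B"))
```

    Run against the thread's own lists, the checker shows that VLAN_31, VLAN_41 and VLAN_51 on site B all collapse to 192.168.1.0/24, that VLAN_40 and VLAN_70 on site A do the same, and that this one network therefore exists on both ends of the tunnel; it also shows that a 0.0.0.0/0 selector matches every site B network, including VLAN_21.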

  • Posts: 3,700  Guru Member
    edited March 25

    Looks to be an error?

    VLAN_31 -> 192.168.1.31/24 / VLAN_41 → 192.168.1.41 /

    Do you have other routing rules on both sites?

    Does the device you ping have a firewall?

  • Posts: 7  Freshman Member

    Yes VLAN_41 → 192.168.1.41/24

    No, I don't have any other routing rules made by me.

    But now I see the settings of the VPN for access with mobile phones that I have on Site A, and I see that the subnet is 0.0.0.0/0.

    Can this be a problem?

    On the PC that I try to ping I switched off Windows Defender, the firewall and the antivirus.

  • Posts: 3,700  Guru Member
    edited March 25

    Do you see any blocked traffic in logs?

  • Posts: 7  Freshman Member

    I saw nothing blocked on firewall site A or site B.

    Is there something else that I have to check?

    Thanks
