ssl vpn to dynamic ipsec

Boris · August 25

Computer conneted with SSL VPN to Zywall USG in Head office can not ping device in remote office via Dymaic site to site IPSec between Head and Branch office, but it works if I configure "ordinary" site to site IPSec.

How can I fix it?

Zyxel_Melen · August 25

Hi @Boris

Please help to identify where the traffic been dropped, failure test:

Ping the SSL VPN IP of Zywall USG in Head office.
Ping the LAN interface IP of Zywall USG in Head office.
Ping the LAN interface IP of Zywall USG in Branch office.

In addition, did you set policy route and static route on both of your Zywall USG?

Boris · August 27

Hello,

1.Ping the SSL VPN IP of Zywall USG in Head office.

works

2. Ping the LAN interface IP of Zywall USG in Head office.

works

3. Ping the LAN interface IP of Zywall USG in Branch office.

no answer

Moreover, I can see in Zywall logs that packets successfully forwarded from SSL VPN to IPSec tunnel, but I cannot find it in Branch Office logs

Zyxel_Melen · August 28

Hi @Boris

Please help to check if you have these required configuration on both of your firewalls.

Site A:

Create a policy route (Network > Routing > Policy Route)
1. source: SSL VPN subnet
2. destination: 192.168.80.x(SiteB)
3. next-hop: VPN tunnel, select the S2S tunnel to SiteB
Security Policy (Security Policy > Policy Control)
1. From: SSL_VPN
2. To: IPSec_VPN
3. source: SSL VPN subnet
4. destination: 192.168.80.x(SiteB)
5. action: allow
SSL VPN Network (VPN > SSL VPN > Access Privilege)
1. Edit the SSL VPN policy, add 192.168.80.x(siteB) into the Network List.

Site B:

Create a policy route (Network > Routing > Policy Route)
1. source: 192.168.80.x(SiteB)
2. destination: SSL VPN subnet
3. next-hop: VPN tunnel, select the S2S tunnel to SiteA
Security Policy (Security Policy > Policy Control)
1. From: LAN
2. To: IPSec_VPN
3. source: 192.168.80.x(SiteB)
4. destination: SSL VPN subnet
5. action: allow

ssl vpn to dynamic ipsec

All Replies

Categories

Security Help Center