IPSec VPN Site-to-Site behind router

Hello sir or madame, this is my problem. I have 3 buildings with 3 distinct types of connection:

• [home]#A
  • Router#A FRITZ!Box 4040 (OS 08.03) connected to ONT
    • Router#1 - IP 192.168.198.60
    • DHCP server
    • Local Area Network 192.168.198.0/24
  • FTTH connection
• [company]#B
  • Router#B FRITZ!Box 7560 (OS 07.30) connected to ONT
    • IP 192.168.199.70
    • No DHCP server because there is a domain controller
    • Local Network 192.168.199.0/24
  • FTTH connection with static Public IP
• [house] #C
  • Router#C FRITZ!Box 6850LTE (OS 08.20) connected to LTE
    • IP 192.168.201.1
    • DHCP server
    • Local Network 192.168.201.0/24
  • LTE connection
  • Cascaded Zyxel USG FLEX 50H Firewall (uOS 1.37)
    • WAN side – IP 192.168.201.2 – Gateway 192.168.201.1
    • LAN side – IP 192.168.200.2 – Local Area Network 192.168.200.0/24

I would like to create 2 VPN tunnels between #A↔B (Villa_Barbiano) and between #C↔B (Villa_Bizzuno). I have already did several attempts, even with my IT system engineer, but we are faced with some connection problems

• Tunnel Case #A↔B (Villa_Barbiano)
  • Router#B
    • Internet Interface → VPN → Permissions.
    • Add VPN connection.
    • Connect this FRITZ!Box with a corporate VPN.
    • Put all the settings referenced on the help page, including *.myfritz.net addresses.
    • Confirmed and then restarted the router.
  • Router#A
    • Internet → VPN → Enable (IPSec).
    • Add VPN connection.
    • Connect your local network with another FRITZ!Box (LAN-LAN pairing).
    • Put all the settings referenced on the help page, including *.myfritz.net addresses.
    • Confirmed and then restarted the router.

This tunnel seems OK and stable for now, so the 192.168.198.0/24 LAN network is accessible and scannable.

• Tunnel Test Case #C↔B (Villa_Bizzuno_test)
  • Router#B
    • Internet Interface → VPN → Permissions.
    • Add VPN connection.
    • Connect this FRITZ!Box with a corporate VPN.
    • Put all the settings referenced on the help page, including *.myfritz.net addresses.
    • Confirmed and then restarted the router.
  • Router#C
    • Internet Interface → VPN → Enable (IPSec).
    • Add VPN connection.
    • Connect your local network with another FRITZ!Box (LAN-LAN pairing).
    • Put all the settings referenced on the help page, including *.myfritz.net addresses.
    • Confirmed and then restarted the router.

This tunnel seems OK and stable for now, so the 192.168.201.0/24 LAN network is accessible and scannable and I did this test in order to understand if the LTE operator hides with NAT the connection.Obviously, the network 192.168.200.0/24 is not reachable (because in another mask protected by the firewall); consequently, in order to connect the 2 LANs, the only way is that the tunnel VPN_IPSec takes place between Router#B and the Firewall, according to the site-to-site logic IPSec_VPN IKEv1.

• Tunnel Test Case #C↔B (Villa_Bizzuno)
  • Router#B
    • Internet Interface → VPN → Permissions.
    • Add VPN connection.
    • Connect this FRITZ!Box with a corporate VPN.:
      • VPN username (Key-ID): yzaygo79jtldsmgy.myfritz.net
      • VPN (Preshared Key) Password: My Password
      • Remote Station Internet Address: yzaygo79jtldsmgy.myfritz.net
      • Internet address of this FRITZ!Box: 185.240.71.33
      • Remote Network: 192.168.200.0
      • Subnet Mask: 255.255.255.0
      • Maintain VPN connection constantly: Yes
      • Allow NetBIOS over this connection (for Microsoft Windows file shares and printers): Yes

Moving now to the firewall interface, I detail the custom settings of the device for the configuration of the VPN, using the parameters of Phase1 and Phase2 "stolen from the Villa_Barbiano tunnel" and from the LAN-LAN VPN used as a test between the 7560 and the 6850LTE:

[VPN Villa_Barbiano tunnel / IKE SA: DH2 / AES-256 / SHA1 / IPsec SA: ESP-AES-256 / SHA2-512 / LT-3600]

[VPN tunnel Villa_Bizzuno_test / IKE SA:  DH2/AES-256/SHA512/IPsec SA: ESP-AES-256/SHA2-512/LT-3600]

• General Setting:
  • Description: Villa
  • IKE Version: IKEv1
  • Type: Policy-based
• Network
  • My Address: IP 192.168.201.2 (Firewall WAN side identifier)
  • Peer Gateway Address: 185.240.71.33 (Public IP of Router#B)
  • Fallback: OFF
  • Zones: IPSec_VPN
• Authentication (Pre-Shared Key): My password
  • Advanced Setting:
    • Local ID: yzaygo79jtldsmgy.myfritz.net
      [VPN username (Key-ID) set to 7560]
    • Remote ID: 185.240.71.33
• Phase 1 Settings
  • SA Life Time: 28800
  • Proposal Encryption: AES256
  • Proposal Authentication: SHA1
  • Diffie-Hellman Groups: DH2
  • Advanced Setting:
    • DPD Delay: 5
    • UDP Encapsulation: ON
      (according to the technical literature it is the setting necessary to force passage over port UDP4500)
• Phase 2 Settings
  • Initiation: Nailed-up
  • Policy:
    • Local LAN: 192.168.200.0/24
    • Remote LAN: 192.168.199.0/24
  • SA Life Time: 3600
  • Proposal Encryption: AES256
  • Proposal Authentication: SHA512
  • Perfect Forward Secrecy (PFS): OFF
  • Destination (the first Remote policy) and NAT Rule: OFF

Still on technical literature (I don't know if official or not) he strongly advises us that:

• in Router#C – FRITZ! Box 6850LTE (OS 08.20) – the "Firewall" device is enabled as an "Exposed Host" (setting done);
• the FRITZ! OS 08.20 does not handle this setting well and it is recommended to enable the individual UDP500 and UDP4500 ports anyway (setting done);
• it is necessary to disable the NetBIOS and Telendo filters of the Router#C – FRITZ! Box 6850LTE (setup done);

This tunnel does NOT open, so I forward the following:

• Router#B side:
  • the green VPN status light is off and the LAN 192.168.200.0/24 is not accessible and scannable.
  • From the event log under the system menu, nothing interesting can be deduced.

• Router Side#C:
  • From the event log under the system menu, nothing interesting can be deduced.
• Firewall side cascading to Router#C
  • Export Attachment

I look forward to your consideration, thanks.