route L2TP ipsec on ipsec site to site

2

Comments

  • adm
    adm Posts: 16
    First Comment
    #additional question:
    is it normal that l2tp release ip address for vpn user with subnet 255.255.255.255 ?? 
    there's no route back in this way

    Can I better understand this please?? 
  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee
    First Anniversary Friend Collector First Answer First Comment
    @adm
    Regarding to this case,
    Can you private message the result of packet-trace on site A?(Just screenshot it)
    we need to trace the packet via console on site A, so type the command as below.
    #  packet-trace interface vti(x) extension-filter host <ip address of AWS instance>
    Next, let l2tp client access AWS interface, and then just private message the result to me (screenshot it)

    Secondly, it is normal that L2TP client get the IP address with netmask 255.255.255.255


    Charlie

  • adm
    adm Posts: 16
    First Comment
    thanks for details guys
    anyway

    this
    #  packet-trace interface vti(x) extension-filter host <ip address of AWS instance>

    return
    0 packets capture
    x packetsreceived by filter
    0 packats dropped by kernel

    i am really confused, it seems really hard to find the solution
  • Ian31
    Ian31 Posts: 165  Master Member
    First Anniversary 10 Comments Friend Collector First Answer
    Hi,
    Here my topology,
    L2TP/IPSec client(172.24.28.20) --- USG60 --- site2site VPN --- AWS VPC --- EC2 instance(10.0.1.105)

    And my VPN client can access the EC2 server in AWS VPC through the VPN interface(vti0).
    So if you doing a ping test, you should get the client IP address to EC2 private IP address on the vti interface. 
    If not, then you need to check the routing settings on VPN client and ZyWALL.


    You can PM me the screenshot of policy route & static route settings page.
    If you need help to check if any mis-config.

  • adm
    adm Posts: 16
    First Comment
    oh wow almost the same config :)

    anyway i don't have vpn interface, is it possible ?
  • Ian31
    Ian31 Posts: 165  Master Member
    First Anniversary 10 Comments Friend Collector First Answer
    anyway i don't have vpn interface, is it possible ?
    A question,
    what's the scenario of your VPC ?
    https://docs.aws.amazon.com/en_us/vpc/latest/userguide/VPC_Scenarios.html

    My VPC is create with scenario 3. The EC2 instance (10.0.1.105) is locate in private subnet.
    And connect a VPN back to USG60 at my office.
    The VPN which AWS VPC support is route-based IPSec VPN.
    So that need to configure vpn interface to link with AWS VPC.  

    You can refer the configuration guide in this post to create the routed-based VPN.
    https://businessforum.zyxel.com/discussion/comment/6173#Comment_6173

  • adm
    adm Posts: 16
    First Comment
    wait wait wait... ahaha

    After a little investigation i think that we are talking about scenario 3 without bgp. 

    So, the customer gateway config it has been completly totally manuly. 

    but anyway i don't have a solution yet

    please..suggestion ?
  • adm
    adm Posts: 16
    First Comment
    and i don't have vti configured
  • Ian31
    Ian31 Posts: 165  Master Member
    First Anniversary 10 Comments Friend Collector First Answer
    No matter static or dynamic, you can download the configuration of VPN connection from AWS console.
    Then modify it and upload to ZyWALL to apply. It's very easy then configure one by one from GUI of ZyWALL.

  • adm
    adm Posts: 16
    First Comment
    oh, so this mean that manual config cannot work ?
    and i cannot manually create a vti ?

    and after i upload it everything will work ?

Security Highlight