Route L2TP/IPsec over an IPsec site-to-site VPN

Comments

  • adm Member Posts: 16
    #additional question:
    Is it normal that L2TP releases an IP address to the VPN user with subnet 255.255.255.255?
    There's no route back this way.

    Can I better understand this, please?
  • Zyxel_Charlie Zyxel Official Agent Posts: 686 mod
    @adm
    Regarding this case,
    can you private message me the result of packet-trace on site A? (Just screenshot it.)
    We need to trace the packet via the console on site A, so type the command below.
    #  packet-trace interface vti(x) extension-filter host <ip address of AWS instance>
    Next, let the L2TP client access the AWS instance, and then private message the result to me (screenshot it).

    Secondly, it is normal that the L2TP client gets an IP address with netmask 255.255.255.255.


    Charlie

  • adm Member Posts: 16
    Thanks for the details, guys.
    Anyway,

    this
    #  packet-trace interface vti(x) extension-filter host <ip address of AWS instance>

    returns
    0 packets captured
    x packets received by filter
    0 packets dropped by kernel

    I am really confused; it seems really hard to find the solution.
  • Ian31 Member Posts: 118 Ally Member
    Hi,
    Here is my topology:
    L2TP/IPSec client(172.24.28.20) --- USG60 --- site2site VPN --- AWS VPC --- EC2 instance(10.0.1.105)

    And my VPN client can access the EC2 server in the AWS VPC through the VPN interface (vti0).
    So if you do a ping test, you should see the client IP address to the EC2 private IP address on the vti interface.
    If not, then you need to check the routing settings on the VPN client and the ZyWALL.


    You can PM me a screenshot of the policy route & static route settings page
    if you need help checking for any mis-config.
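The following is an added example, not part of Ian31's post or anyone's real configuration in this thread: a small longest-prefix-match walk over the two route tables that matter for the topology above (USG60 and the VPC), in both directions. It ties together Charlie's remark that the per-client 255.255.255.255 is normal, adm's "0 packets captured" on the vti interface, and the "no route back" question: a /32 on the L2TP side is fine, but the ZyWALL still needs a route (on a ZyWALL, a policy route) that sends VPC-bound traffic into vti0, and the VPC needs a route for the L2TP pool pointing at the virtual private gateway. The client and EC2 addresses are the ones in the post; every table entry, interface name and prefix below is a constructed assumption.

```python
"""Added example: simulate forwarding for
   L2TP client --- USG60 --(vti0)-- AWS VPC --- EC2
and show which hop loses the packet.  Addresses 172.24.28.20 and 10.0.1.105
come from the thread; all table entries and names are constructed."""
from ipaddress import ip_address, ip_network

CLIENT = ip_address("172.24.28.20")        # L2TP/IPSec client (from the post)
EC2 = ip_address("10.0.1.105")             # EC2 private IP (from the post)

L2TP_POOL = ip_network("172.24.28.0/24")   # assumed L2TP address pool
VPC_CIDR = ip_network("10.0.0.0/16")       # assumed VPC CIDR covering 10.0.1.0/24


def lookup(table, dst):
    """Longest-prefix match: return the egress label for dst, or None."""
    matches = [prefix for prefix in table if dst in prefix]
    if not matches:
        return None
    return table[max(matches, key=lambda p: p.prefixlen)]


def check_path(usg_routes, vpc_routes):
    """Walk client -> EC2 and EC2 -> client; return a list of problems.

    Each hop must pick the egress shown, otherwise one direction is lost:
      USG60 toward EC2     -> "vti0"  (route-based tunnel interface)
      VPC   toward EC2     -> "local" (the instance's own subnet)
      VPC   toward client  -> "vgw"   (virtual private gateway, back into tunnel)
      USG60 toward client  -> "l2tp"  (the per-client /32 that L2TP installs)
    """
    hops = [
        ("USG60", usg_routes, EC2, "vti0",
         "client->EC2 leaves via the WAN, so packet-trace on vti0 sees nothing"),
        ("VPC", vpc_routes, EC2, "local", "VPC CIDR does not cover the instance"),
        ("VPC", vpc_routes, CLIENT, "vgw",
         "no route back: replies go to the Internet gateway and are dropped"),
        ("USG60", usg_routes, CLIENT, "l2tp", "client /32 missing on the ZyWALL"),
    ]
    problems = []
    for hop, table, dst, want, why in hops:
        got = lookup(table, dst)
        if got != want:
            problems.append(f"{hop}: {dst} -> {got}, expected {want}: {why}")
    return problems


# Assumed state matching the thread: L2TP works (a /32 per client), but the
# ZyWALL has no route into vti0 and the VPC has no route for the L2TP pool.
BROKEN_USG60 = {
    ip_network("172.24.28.20/32"): "l2tp",   # the /32 is normal, as Charlie said
    ip_network("0.0.0.0/0"): "wan1",
}
BROKEN_VPC = {
    VPC_CIDR: "local",
    ip_network("0.0.0.0/0"): "igw",
}

# Fixed: on the ZyWALL this is a policy route (source = L2TP pool, destination =
# VPC, next hop = vti0), modelled here as a plain destination route.  On AWS the
# pool must be a static route of the VPN connection and appear in the subnet's
# route table pointing at the VGW (or be propagated from it).
FIXED_USG60 = {**BROKEN_USG60, VPC_CIDR: "vti0"}
FIXED_VPC = {**BROKEN_VPC, L2TP_POOL: "vgw"}

if __name__ == "__main__":
    for label, usg, vpc in (("broken", BROKEN_USG60, BROKEN_VPC),
                            ("fixed", FIXED_USG60, FIXED_VPC)):
        print(label, check_path(usg, vpc) or "both directions reachable")
```

With the "broken" tables the walk reports two faults: the USG60 sends the EC2-bound packet out wan1 (which is exactly why a packet-trace on the vti interface captures nothing), and the VPC has no return route for the client. Adding the VPC prefix toward vti0 on the ZyWALL and the L2TP pool toward the VGW on the AWS side clears both.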

  • adm Member Posts: 16
    Oh wow, almost the same config :)

    Anyway, I don't have a VPN interface. Is it possible?
  • Ian31 Member Posts: 118 Ally Member
    "Anyway, I don't have a VPN interface. Is it possible?"
    A question:
    what's the scenario of your VPC?
    https://docs.aws.amazon.com/en_us/vpc/latest/userguide/VPC_Scenarios.html

    My VPC was created with scenario 3. The EC2 instance (10.0.1.105) is located in the private subnet,
    and connects via a VPN back to the USG60 at my office.
    The VPN that AWS VPC supports is route-based IPSec VPN,
    so you need to configure a VPN interface to link with the AWS VPC.

    You can refer to the configuration guide in this post to create the route-based VPN.
    https://businessforum.zyxel.com/discussion/comment/6173#Comment_6173

  • adm Member Posts: 16
    Wait wait wait... ahaha

    After a little investigation I think that we are talking about scenario 3 without BGP.

    So, the customer gateway config has been done completely, totally manually.

    But anyway, I don't have a solution yet.

    Please... suggestions?
  • adm Member Posts: 16
    And I don't have a VTI configured.
  • Ian31 Member Posts: 118 Ally Member
    No matter whether static or dynamic, you can download the configuration of the VPN connection from the AWS console.
    Then modify it and upload it to the ZyWALL to apply. It's much easier than configuring it item by item from the GUI of the ZyWALL.

  • adm Member Posts: 16
    Oh, so this means that manual config cannot work?
    And I cannot manually create a VTI?

    And after I upload it, everything will work?