Can't route traffic into VPN tunnel

MicheleP
edited April 2021 in Security
Hello, we successfully created an IPsec tunnel on our ZYWALL USG 200. The connection is up, but when we try to reach the remote site LAN on the other end of the tunnel, the ZYWALL tries to reach it via the standard route to the internet. We already created a policy route for this, but it seems to be ignored.

All Replies

  • PeterUK

    Does each site have a different LAN subnet?


  • MicheleP
    Yes: our local subnet is 10.11.244.232/29, while the remote subnet is 192.168.0.0/16.
  • PeterUK
    edited July 2020

    This should work without a routing rule; uncheck “Use IPv4 Policy Route to Override Direct Route”.

    Post the Packet Flow Explore output for site-to-site VPN (under Maintenance) from both sites.


  • MicheleP

  • PeterUK
    And the other site's setup?
  • MicheleP
    We can't see it; it is the property of PA, but I'm confident they did the right configuration because they have set up several site-to-site VPNs with different enterprises.
  • PeterUK
    edited July 2020
    Have you set a zone for VPN_LOGICA_P2_C in the VPN connection under Related Settings?

    With a policy control rule from LAN1 to the zone above, set it to log, then try pinging a PC/device at 192.168.xxx.xxx and see if it shows in the logs.
  • MicheleP
    I left the default value "IPSec_VPN" for the related zone, and this is not present in the dropdown list of destinations for a policy route. Anyway, I just realized that all this is not working on a server (Windows 2012), while the traffic is correctly routed into the tunnel from a Windows 10 client in the LAN. Even with the Windows Firewall turned off on the server, things don't work. The server is part of the LAN just like the client, same subnet; it is just a DC of the domain.
  • Zyxel_Cooldia
    There is no need to add a policy route for the peer subnet if you establish a site-to-site VPN.
    There is one thing to take note of: the peer subnet is 192.168.X.X/16.
    By default, we have 192.168.2.x/24 on interface lan2.
    To avoid subnet overlap, please remove any subnet within the range 192.168.X.X/16 on the USG200 network interfaces.
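    An added check, not from the thread or from Zyxel, that applies Cooldia's overlap rule and the routing logic behind it to the addresses quoted in this thread; the interface names, the "ipsec_tunnel"/"default_wan" route labels and the factory-default lan2 address are assumptions:

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed from the values quoted in the thread; names and the default lan2 address are assumptions.
REMOTE_VPN_SUBNET = "192.168.0.0/16"          # peer LAN reachable through the tunnel
DEFAULT_LAN2 = "192.168.2.1/24"               # assumed USG factory default on lan2
REPORTED_INTERFACES = {"lan1": "10.0.0.2/255.255.255.0",
                       "lan2": "10.0.0.1/255.255.255.0"}


def iface_network(addr: str) -> ipaddress.IPv4Network:
    """Turn an interface address such as '10.0.0.2/255.255.255.0' into its subnet."""
    return ipaddress.IPv4Interface(addr).network


def overlaps_with_peer(interfaces: Dict[str, str], peer: str) -> List[str]:
    """Names of local interfaces whose subnet overlaps the remote VPN subnet."""
    peer_net = ipaddress.IPv4Network(peer, strict=False)
    return sorted(n for n, a in interfaces.items() if iface_network(a).overlaps(peer_net))


def overlapping_interfaces(interfaces: Dict[str, str]) -> List[Tuple[str, str]]:
    """Pairs of local interfaces whose subnets overlap each other."""
    names = sorted(interfaces)
    pairs = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if iface_network(interfaces[a]).overlaps(iface_network(interfaces[b])):
                pairs.append((a, b))
    return pairs


def best_route(dst: str, interfaces: Dict[str, str], peer: str) -> str:
    """Longest-prefix match over connected subnets and the VPN peer subnet.

    A connected /24 inside the peer /16 is more specific, so traffic to it
    stays on the local interface and never enters the tunnel; that is why an
    overlapping interface subnet breaks reachability of the remote LAN.
    """
    candidates = [(iface_network(a), name) for name, a in interfaces.items()]
    candidates.append((ipaddress.IPv4Network(peer, strict=False), "ipsec_tunnel"))
    ip = ipaddress.IPv4Address(dst)
    matches = [(net.prefixlen, name) for net, name in candidates if ip in net]
    return max(matches)[1] if matches else "default_wan"
```

    Run on the addresses quoted in the thread, it also reports that the two lan interface subnets given in the last reply overlap each other, which is worth checking in its own right.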
  • MicheleP
    Thanks Cooldia. In our case the subnets configured on interfaces lan1 and lan2 were respectively 10.0.0.2/255.255.255.0 and 10.0.0.1/255.255.255.0, so there is no overlap.
