VPN Tunnel established, but no traffic

Garrett
Garrett Posts: 6
edited April 2021 in Security

Hi there, my case is as follows,

Company has a static IP, Zyxel USG50 (+ branch with static IP and USG60; site-to-site working reliably)

Home: I bought an LTE7240-M403 and used a discarded USG50 to make a network at home to connect to my company LAN. I studied the previous configuration between the company and its branch and was able to bring up the IPsec VPN link between home and company, but no traffic. I then switched the configuration of the LTE7240 (switched from IP Passthrough to Router mode) and made new VPN connections with the quick wizard; again the tunnel was created but no full connection. Firewall rules allow traffic from IPsec tunnels to Any (but ZyWALL) and another rule for ZyWALL. Routing is from lan1, source: local-ip-range/24, destination: remote-ip-range/24, next hop is the correct tunnel.

I can ping the company's router and connect to its web interface. I can ping one device on the network that is not that picky about pings (receipt printer). However, pinging from any computer at the company (Windows or Linux) will not go through to the home network.

I cannot SSH nor HTTP from home to the company web server. All connection attempts from company to home are lost: ping, HTTP, SSH...

Home:                             10.10.13.1 | Dyn Out                  Fixed IP | 10.10.15.1
Home LAN ======== USG50 ======== LTE7240 ======== (Internet) ======== USG50 ======== Co LAN
10.10.14.0/24    10.10.14.1 | 10.10.13.2                                            10.10.15.0/24

If I have the tunnel up, then I don't have to worry about the settings on LTE7240 (Currently without firewall), right?

What am I missing here? No NAT rules defined; in my understanding I don't need any (the site-to-site tunnel between company and branch works without).

Later I connected another tunnel to the branch network's USG60 (10.10.16.0/24) and there connections work (ping, HTTP, SSH), but the tunnel breaks after a while when there is no traffic. Nailed-up is set on the home USG50, and because the LTE at home is dynamic I can't activate the tunnel from work.

All Replies

  • [Deleted User]
    [Deleted User] Posts: 213  Zyxel Employee
    edited January 2020

    Hello @Garrett and welcome to the forum!

    So we are talking about two different VPN tunnels? One to a USG50 at home, one more to a USG60?


    No traffic over VPN:

    Some common reasons that there is no ping reply from the destination in the remote VPN:

    • Security policy misconfiguration
    • conflicting routing rules (on the USG)
    • ESP protocol is missing in the security policy or provider is blocking it
    • other issues in the topology behind the USG


    Security Policy:

    LAN-to-any (so basically LAN-to-IPsec) is missing, or IPsec-to-any etc.

    This has to be checked on both sites and it makes sense to compare your rules to the default firewall rules.


    ESP:

    LTE providers in particular do block ESP. So please verify this with your LTE provider.

    Please use bridge mode on your LTE router to avoid double-NAT. Bridge mode makes configuration easier.


    Routing rules:

    Check your routing rules on the USGs and look for rules which might conflict with the source and destination of your ping. These routing rules could be conflicting.

    You can also use Packet Flow Explorer for this:


    Topology:

    It is very common that the destination does not respond to ping. Windows servers often filter ping. Or the local routing table of the ping destination might have conflicting routing rules. Just to name a few examples here.


    Step-by-Step Troubleshooting when there is no ping reply:

    Please observe Monitor -> VPN Monitor -> IPsec when pinging and see if the packet is entering the tunnel ("Inbound bytes" should be counting up). If the packet enters the tunnel, check if it leaves the tunnel on the other site ("Outbound bytes" should be counting up) and if the ping reply is hitting the LAN interface again. You can use packet captures to verify that:


    I hope this step-by-step procedure helps to understand at which point the packet is lost.



    VPN tunnel breaking down after a while:

    • Nailed up should only be enabled on one site
    • Traffic should flow constantly to keep the tunnel alive. You can use connectivity check in your Phase 2 (VPN Connection)
    • Please also check the logs carefully on both sides to see if you can find more info about the reason for the disconnect. It would make sense to let your USG send the logs by mail so that you can later access old log messages:


    As this now is a very long post, we might get into personal discussion later, depending on your reply.


    Best regards

    Lukas
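One way to run the routing and security-policy checks from this reply against the subnets in the thread, as an added example that is neither part of the thread nor Zyxel's own tooling. It assumes the USG zone labels LAN1, IPSec_VPN, ZyWALL and any, and the company-side route table is constructed to show a conflicting catch-all route.

```python
from dataclasses import dataclass
from ipaddress import ip_network as net

@dataclass(frozen=True)
class Tunnel:
    name: str      # VPN connection name, used as next hop in policy routes
    local: str     # local policy subnet (this site's LAN)
    remote: str    # remote policy subnet (the other site's LAN)
@dataclass(frozen=True)
class Route:       # policy route; the USG evaluates these top-down, first match wins
    src: str
    dst: str
    next_hop: str  # tunnel name, or "wan" for the default path
@dataclass(frozen=True)
class Policy:      # security policy; zone labels LAN1, IPSec_VPN, ZyWALL, any are assumed
    from_zone: str
    to_zone: str
    action: str    # "allow" or "deny"

def _allowed(policies, src, dst):
    for p in policies:  # first matching rule wins; no match means implicit deny
        if p.from_zone in (src, "any") and p.to_zone in (dst, "any"):
            return p.action == "allow"
    return False

def check_site(site, t, routes, policies, lan_zone="LAN1"):
    """Apply the reply's routing and security-policy checks to one site; [] means no finding."""
    findings = []
    local, remote = net(t.local), net(t.remote)
    # the first policy route matching LAN -> remote subnet decides where the packet goes
    hit = next((r for r in routes
                if local.subnet_of(net(r.src)) and remote.subnet_of(net(r.dst))), None)
    if hit is None:
        findings.append(f"{site}: no policy route {local} -> {remote} via {t.name}")
    elif hit.next_hop != t.name:
        findings.append(f"{site}: route {hit.src} -> {hit.dst} sends tunnel traffic to {hit.next_hop}")
    if not _allowed(policies, lan_zone, "IPSec_VPN"):  # outbound: LAN into the tunnel
        findings.append(f"{site}: security policy blocks {lan_zone} -> IPSec_VPN")
    if not _allowed(policies, "IPSec_VPN", lan_zone):  # inbound: tunnel back to LAN
        findings.append(f"{site}: security policy blocks IPSec_VPN -> {lan_zone}")
    return findings

HOME = Tunnel("home-to-company", "10.10.14.0/24", "10.10.15.0/24")  # subnets from the thread
HOME_ROUTES = [Route("10.10.14.0/24", "10.10.15.0/24", "home-to-company")]
HOME_POLICIES = [Policy("IPSec_VPN", "ZyWALL", "allow"), Policy("IPSec_VPN", "any", "allow"),
                 Policy("LAN1", "any", "allow")]
COMPANY = Tunnel("company-to-home", "10.10.15.0/24", "10.10.14.0/24")
COMPANY_ROUTES = [Route("10.10.15.0/24", "0.0.0.0/0", "wan"),  # constructed catch-all above the tunnel route
                  Route("10.10.15.0/24", "10.10.14.0/24", "company-to-home")]
COMPANY_POLICIES = [Policy("IPSec_VPN", "any", "allow"), Policy("LAN1", "any", "allow")]
```

Running check_site for both sites reproduces the asymmetry described in the question: the home side passes, while the constructed company side reports that its catch-all route steals the traffic destined for 10.10.14.0/24 before the tunnel route is reached.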
