IPSec via IPSec doesn't work

alexey
alexey Posts: 188  Master Member
edited April 2021 in Security
Hi all. I have a problem.
We have 2 sites connected via IPSec. The 2nd site goes to the internet via the 1st.
On the 2nd site we have a device that needs to connect to IPSec via the internet. But the device can't establish a connection.
In the firewall I created all needed rules; the security log shows no dropped packets.
Via the diagnostic page and "show conn" in the CLI I can see open connections on the 2nd device.
But on the 1st device nothing. No connections to the destination address. Logs without any alerts.
What may be the problem?
The device uses the IPsec, DNS and NTP protocols. DNS and NTP work fine.

All Replies

  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,361  Zyxel Employee

    Hi @alexey

    Can you make sure your Site2 has a configured policy route which forwards all of its traffic into the VPN tunnel first?

    And also at Site1, you have to create a policy route rule for Site2 traffic.

    After configuring it, all Site2 LAN1 traffic will pass to Site1 via the VPN tunnel, and get replies from the internet.

    And then you should be able to get an ICMP reply from your destination server.

    If you still can't get a reply, you can go to Site1 Diagnostics > Routing trace.

    A. Enter the destination server IP address, and set protocol as ICMP.

    B. The PC sends ICMP to the destination IP continually.

    C. Click the "Capture" button and wait for 5 seconds.

    This lets you verify whether the traffic path goes via the VPN tunnel or the WAN interface.

  • alexey
    alexey Posts: 188  Master Member
    Hi @Zyxel_Stanley
    All routes are fine. Other devices work normally.
    On the problem device only the IPSec service doesn't work; NTP & DNS work properly. I can see connections from these services on the main device.
    We have no direct access to this device, so I can't ping the destination address from it.

  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,361  Zyxel Employee

    Hi @alexey

    You must make sure your device supports initiating a VPN tunnel behind a NAT router.

    And also you can still try to send traffic to your VPN server (initiate the VPN connection from your device).

    It's just to make sure the device's traffic has been forwarded by the correct route path.

  • alexey
    alexey Posts: 188  Master Member
    Here is the flushed traffic for the ipsec protocol.
    It goes directly to the vti tunnel.
    "You must make sure your device support initial VPN tunnel behind NAT route."
    If I add a custom route for this device directly via the provider's VPN, it works perfectly. It doesn't work via IPsec.
  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,361  Zyxel Employee

    Hi @alexey

    It looks like your device's (172.20.60.102) traffic has been forwarded to the peer device which builds the VPN tunnel with the ZyWALL110.

    So you can trace the packets on the peer device again to make sure the traffic has been routed to the WAN interface successfully.

    And also check that response packets have a route back to the ZyWALL110 via the vti0 interface.

    Filter condition is: 62.141.65.252

  • alexey
    alexey Posts: 188  Master Member
    I can't see these packets on the device on the main site. It doesn't establish any connection with the remote peer, so the device on site B doesn't have any back connections.
  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,361  Zyxel Employee

    Hi @alexey

    This situation should come from your configuration or a network environment issue. I will check it by private message.

  • alexey
    alexey Posts: 188  Master Member
    We found the solution.
    Device support gave technical requirements for network connections (MTU at least 1400).
    On the vti interface 1400 was set. The device didn't connect. I changed the MTU from 1300 to 1500 - nothing.
    I replaced the vti with a simple IPsec IKEv2 tunnel on all default settings.
    The device started to connect via IPsec. As I see, the default MTU for IPsec is 1460.
    Do MTU settings work on VTI?
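Editor's note, not part of the thread: the exchange above turns on whether a device that demands a 1400-byte path MTU can be carried inside a site-to-site tunnel. The script below is an added illustration (not code from Zyxel or from the posters) of how to size a packet after nested IPsec encapsulation: the device's own IKEv2/ESP tunnel (ESP over UDP/4500 NAT-T) riding inside the site-to-site VTI tunnel, which then leaves on a WAN link. The cipher profiles, NAT-T on the inner layer, IPv4 outer headers and the 1500-byte WAN MTU are all assumptions; the thread never states which transforms were negotiated. Header and padding constants follow RFC 4303 (ESP) and RFC 3948 (UDP encapsulation).

```python
"""Added example (not from the thread or Zyxel): packet sizing for nested IPsec,
i.e. an IKEv2/ESP tunnel carried inside a site-to-site VTI tunnel.

Assumptions (not stated on the page): ESP tunnel mode, IPv4 outer headers,
the example cipher profiles below, NAT-T on the inner tunnel only.
"""
from dataclasses import dataclass

IPV4_HDR = 20        # outer IPv4 header added by ESP tunnel mode
UDP_HDR = 8          # UDP/4500 header when NAT traversal (RFC 3948) is in use
ESP_SPI_SEQ = 8      # ESP header: SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2      # pad length (1 byte) + next header (1 byte)


@dataclass(frozen=True)
class EspProfile:
    """Per-SA overhead that depends on the negotiated transform."""
    name: str
    iv_len: int       # explicit IV carried in every packet
    block_align: int  # payload + trailer is padded to a multiple of this
    icv_len: int      # integrity check value appended after the trailer


# Assumed example profiles; the thread does not say which transforms were used.
AES_CBC_SHA256 = EspProfile("aes128-cbc + hmac-sha256-128", iv_len=16, block_align=16, icv_len=16)
AES_GCM_128 = EspProfile("aes128-gcm, 16-byte ICV", iv_len=8, block_align=4, icv_len=16)


def esp_padding(payload_len: int, profile: EspProfile) -> int:
    """ESP padding bytes needed so payload + trailer lands on the block boundary."""
    return (-(payload_len + ESP_TRAILER)) % profile.block_align


def esp_packet_size(inner_len: int, profile: EspProfile, nat_t: bool) -> int:
    """On-the-wire size of one ESP tunnel-mode packet carrying inner_len bytes."""
    pad = esp_padding(inner_len, profile)
    esp = ESP_SPI_SEQ + profile.iv_len + inner_len + pad + ESP_TRAILER + profile.icv_len
    return IPV4_HDR + (UDP_HDR if nat_t else 0) + esp


def nested_size(inner_len: int, layers) -> int:
    """Apply each (profile, nat_t) layer from innermost to outermost."""
    size = inner_len
    for profile, nat_t in layers:
        size = esp_packet_size(size, profile, nat_t)
    return size


def max_inner_packet(link_mtu: int, layers) -> int:
    """Largest inner IP packet that still fits link_mtu after every layer.
    Sizes grow in block-sized steps because of padding, so just walk down."""
    for inner in range(link_mtu, 0, -1):
        if nested_size(inner, layers) <= link_mtu:
            return inner
    return 0


def device_requirement_met(required_mtu: int, link_mtu: int, layers) -> bool:
    """Can the device's stated minimum MTU be carried without fragmentation?"""
    return max_inner_packet(link_mtu, layers) >= required_mtu


# Scenario shaped like the thread: the device's ESP tunnel (NAT-T, innermost)
# rides inside the site-to-site VTI tunnel, which leaves on a 1500-byte WAN link.
LAYERS = [(AES_CBC_SHA256, True), (AES_GCM_128, False)]

if __name__ == "__main__":
    for inner in (1300, 1400, 1460):
        print(f"inner {inner:4d} bytes -> {nested_size(inner, LAYERS)} bytes on the wire")
    print("largest inner packet on a 1500-byte link:", max_inner_packet(1500, LAYERS))
    print("device needs 1400, requirement met:", device_requirement_met(1400, 1500, LAYERS))
```

With these assumed profiles a 1400-byte inner packet becomes 1532 bytes after both layers, so it cannot leave a 1500-byte WAN link unfragmented, while the largest inner packet that does fit is 1374 bytes. Swap in the transforms actually negotiated on each SA (visible in the IKE SA details on the gateway) and the WAN interface MTU to get the figure for a real deployment; if the result is below the device's stated minimum, the fix is on the path (fragmentation policy, MSS clamping or a larger outer MTU), not in the device.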
  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,361  Zyxel Employee

    Hi @alexey

    It's good to know your issue has been resolved after changing the USG VPN tunnel to IKEv2.

    In your scenario, the packet will not be fragmented after enabling the "Ignore "Don't Fragment" setting in IPv4 header" function.

    So your issue should come from something else, not related to the VTI interface MTU size.
