IPSec via IPSec doesn't work

alexey Member Posts: 98 Ally Member
edited June 4, 2020 9:32AM in ZyWALL USG Series
Hi all. I have a problem.
We have 2 sites connected via IPSec. The 2nd site goes to the internet via the 1st.
On the 2nd site we have a device that needs to connect to IPSec via the internet. But the device can't establish a connection.
In the firewall I created all the needed rules; the security log shows no dropped packets.
Via the diagnostic page and show conn in the CLI I can see open connections on the 2nd device.
But on the 1st device nothing. No connections to the destination address. Logs without any alerts.
What may be the problem?
The device uses the IPsec, DNS and NTP protocols. DNS and NTP work fine.


All Replies

  • Zyxel_Stanley Zyxel Official Agent Posts: 717 mod

    Hi @alexey

    Can you make sure your Site2 has a policy route configured which forwards all traffic into the VPN tunnel first?

    And also at Site1, you have to create a policy route rule for Site2 traffic.

    After configuring it, all Site2 LAN1 traffic will pass to Site1 via the VPN tunnel and get replies from the internet.

    And then you should be able to get an ICMP reply from your destination server.

    If you still can't get a reply, you can go to Site1 diagnostics > Routing trace.

    A. Enter the destination server IP address, and set the protocol as ICMP.

    B. Have the PC send ICMP to the destination IP continually.

    C. Click the "Capture" button and wait for 5 seconds.

    This lets you make sure whether the traffic path is forwarded by the VPN tunnel or the WAN interface.

  • alexey Member Posts: 98 Ally Member
    Hi @Zyxel_Stanley
    All routes are fine. Other devices work normally.
    On the problem device only the IPSec service doesn't work; NTP & DNS work properly. I can see connections from these services on the main device.
    We have no direct access to this device, so I can't ping the destination address from it.

  • Zyxel_Stanley Zyxel Official Agent Posts: 717 mod

    Hi @alexey

    You must make sure your device supports initiating a VPN tunnel behind a NAT router.

    And also you can still try to send traffic to your VPN server (initiate the VPN connection from your device).

    It is just to make sure the device traffic has been forwarded by the correct route path.

  • alexey Member Posts: 98 Ally Member
    Here is the flushed traffic for the IPsec protocol.
    It goes directly to the vti tunnel.
    "You must make sure your device supports initiating a VPN tunnel behind a NAT router."
    If I add a custom route for this device directly via the provider's VPN, they work perfectly. They don't work via IPsec.
  • Zyxel_Stanley Zyxel Official Agent Posts: 717 mod

    Hi @alexey

    It looks like your device (172.20.60.102) traffic has been forwarded to the peer device which builds the VPN tunnel with the ZyWALL110.

    So you can trace the packets on the peer device again to make sure the traffic has been routed to the WAN interface successfully.

    And also check that response packets have a route back to the ZyWALL110 via the vti0 interface.

    Filter condition is: 62.141.65.252
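The check Stanley describes above (does the device's IPsec traffic show up at each hop, and do replies come back via vti0) as an added example that is not from the thread or from Zyxel: a small Python path check over constructed connection records. The record layout, field names and sample rows are assumptions modelled on a firewall connection table; only the two addresses come from the thread, and the port and protocol numbers are the standard IPsec ones.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    iface: str      # interface the record was seen on, e.g. "vti0" or "wan1"
    proto: str      # "udp", "tcp" or "esp"
    src: str
    dst: str
    dport: int = 0  # 0 for ESP, which carries no ports

def classify(f):
    """Map a flow to its IPsec component using the standard numbers:
    IKE on UDP/500, IKE NAT-Traversal on UDP/4500, ESP as IP protocol 50."""
    if f.proto == "udp" and f.dport == 500:
        return "IKE"
    if f.proto == "udp" and f.dport == 4500:
        return "NAT-T"
    return "ESP" if f.proto == "esp" else None

def ipsec_view(flows, device, peer):
    """What one hop sees for the device/peer pair: components going out
    (device -> peer), coming back (peer -> device), and the return interfaces."""
    out, back, back_ifaces = set(), set(), set()
    for f in flows:
        kind = classify(f)
        if kind and (f.src, f.dst) == (device, peer):
            out.add(kind)
        elif kind and (f.src, f.dst) == (peer, device):
            back.add(kind)
            back_ifaces.add(f.iface)
    return {"out": out, "back": back, "back_ifaces": back_ifaces}

def first_break(hops, device, peer):
    """hops: ordered [(name, flows)] from the device outward. Returns the first
    hop that sees no outbound IPsec for the pair (None if all do) and all views."""
    views = {name: ipsec_view(flows, device, peer) for name, flows in hops}
    return next((n for n, v in views.items() if not v["out"]), None), views

# Constructed sample records (not real firewall output): Site2 forwards the
# device's IKE into its tunnel, but Site1 only ever sees the device's DNS.
DEVICE, PEER = "172.20.60.102", "62.141.65.252"
SITE2 = [Flow("vti0", "udp", DEVICE, PEER, 500), Flow("vti0", "udp", DEVICE, PEER, 4500),
         Flow("vti0", "udp", DEVICE, "198.51.100.53", 53)]
SITE1 = [Flow("wan1", "udp", DEVICE, "198.51.100.53", 53)]

if __name__ == "__main__":
    where, views = first_break([("site2", SITE2), ("site1", SITE1)], DEVICE, PEER)
    for hop, v in views.items():
        print(f"{hop}: out={sorted(v['out'])} back={sorted(v['back'])} on {sorted(v['back_ifaces'])}")
    print("outbound IPsec first missing at:", where)
```

Feed it the per-hop records from both firewalls' connection tables for the device and peer addresses; the first hop with an empty `out` set is where the IKE traffic is being lost, and an empty `back` set at a hop that does see `out` points at the return route instead.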

  • alexey Member Posts: 98 Ally Member
    I can't see these packets on the device on the main site. It doesn't establish any connection with the remote peer, so the device on site B doesn't have any back connections.
  • Zyxel_Stanley Zyxel Official Agent Posts: 717 mod

    Hi @alexey

    This situation should come from your configuration or a network environment issue. I will check it by private message.
