Route L2TP IPsec over an IPsec site-to-site VPN

Hi all,

I am facing a strange issue.

Site A:
Zywall 110
Config:
site-to-site VPN to site B (site A and site B communicate correctly)
L2TP IPsec VPN users with pre-shared key (let's call this site C); site C and site A can communicate correctly

I cannot route site C to site B,
but the routes are correctly configured.

I need some suggestions please.
Thanks


Comments

  • Ian31 Member Posts: 118  Ally Member
    Hi,
    You need to add a policy route from the VPN client IP address to site B, before the policy route from the VPN client IP address to any.

  • adm Member Posts: 16
    Thanks for your reply,

    but I just faced a new issue: the packet is correctly routed, but it doesn't come back.
  • Ian31 Member Posts: 118  Ally Member
    If you mean the packet does not come back from site B,
    then add a policy route in site B,
    from site B to the VPN client IP address, into the site-to-site tunnel.

  • adm Member Posts: 16
    Yep, but it's already set.
  • adm Member Posts: 16
    L2TP -> Zywall 110 -> AWS

    Packets go to the Zywall 110 and are forwarded correctly to AWS.
    The AWS VPN works correctly with the Zywall 110 LAN but not with L2TP.
    The route table and security group on AWS accept the subnet of the L2TP users.
  • adm Member Posts: 16
    Additional question:
    is it normal that L2TP hands out IP addresses to VPN users with subnet mask 255.255.255.255?
    There's no route back this way.
  • adm Member Posts: 16
    UPDATE

    Site A (Zywall LAN) can connect correctly via SSH to site B (AWS).
    Site C (L2TP user) can connect correctly via SSH to site A (Zywall LAN, CentOS machine).

    BUT when site C tries to connect via SSH to site B, it fails.
    In the site A Zywall log, the packet is correctly forwarded from the L2TP IP address to the AWS IP address.
    On the AWS machine, the log shows an incoming connection from the L2TP IP address on port 22, but it seems stuck in SYN_RECV.

    Anyone any idea?
    Thanks
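
The two failure modes discussed in this thread (a policy route for the L2TP clients ordered after the catch-all route, and site B having no return route for the /32 client address, which leaves the server in SYN_RECV) can be modelled with a small first-match route evaluator. This is an added example, not part of the thread or of any Zyxel or AWS tooling; all addresses are constructed placeholders.

```python
import ipaddress

# Constructed example prefixes; they are not the poster's real networks.
SITE_A_LAN = ipaddress.ip_network("192.168.10.0/24")   # Zywall 110 LAN
SITE_B_VPC = ipaddress.ip_network("10.20.0.0/16")      # AWS side of the tunnel
L2TP_POOL = ipaddress.ip_network("192.168.50.0/24")    # pool for L2TP clients
ANY = ipaddress.ip_network("0.0.0.0/0")
TUNNEL = "site-to-site tunnel"


def first_match(policy_routes, src, dst):
    """Zywall-style policy routing: rules are checked top-down, first hit wins."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in policy_routes:
        if src in rule["src"] and dst in rule["dst"]:
            return rule["next_hop"]
    return "default route"


# Site A policy routes in the order the reply above warns against, and corrected.
WRONG_ORDER = [
    {"src": L2TP_POOL, "dst": ANY, "next_hop": "wan"},
    {"src": L2TP_POOL, "dst": SITE_B_VPC, "next_hop": TUNNEL},
]
RIGHT_ORDER = list(reversed(WRONG_ORDER))


def return_path_ok(site_b_routes, client_ip):
    """Site B needs a route covering the client's address that points back into
    the tunnel. L2TP clients get /32 addresses, so the route must cover the
    whole client pool; a route for site A's LAN alone does not match them."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net and hop == TUNNEL for net, hop in site_b_routes)


def diagnose(site_a_routes, site_b_routes, client_ip, server_ip):
    """Classify the outcome of a TCP SYN from an L2TP client to a site B host."""
    fwd = first_match(site_a_routes, client_ip, server_ip)
    if fwd != TUNNEL:
        return "SYN never reaches site B: forwarded via %s" % fwd
    if not return_path_ok(site_b_routes, client_ip):
        return "SYN reaches site B but SYN-ACK has no route back: server stuck in SYN_RECV"
    return "ok"


if __name__ == "__main__":
    lan_only = [(SITE_A_LAN, TUNNEL)]
    print(diagnose(WRONG_ORDER, lan_only, "192.168.50.7", "10.20.1.5"))
    print(diagnose(RIGHT_ORDER, lan_only, "192.168.50.7", "10.20.1.5"))
    print(diagnose(RIGHT_ORDER, lan_only + [(L2TP_POOL, TUNNEL)], "192.168.50.7", "10.20.1.5"))
```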
  • Ian31 Member Posts: 118  Ally Member
    To check the L2TP to AWS issue,
    you can use the CLI to trace the request packets and reply packets:
    #  packet-trace interface vtix extension-filter host <ip address of AWS instance>

    Then access the AWS instance from the L2TP client, and check the result shown on the CLI.

  • adm Member Posts: 16
    #You can use CLI to trace the request packets & reply packets

    Traceroute from L2TP doesn't reach the instance and all the hops fall down. The same if I try traceroute from the instance.

    #Then access the AWS instance from L2TP client. And check the result show on the CLI.

    I cannot access the instance from L2TP via SSH, only through the AWS web.
    Or maybe I don't understand exactly what you mean with "Then access the AWS instance from L2TP client. And check the result show on the CLI."
  • adm Member Posts: 16
    I have to solve this issue in a couple of hours, please.