route L2TP ipsec on ipsec site to site

adm Posts: 16
edited April 2021 in Security
Hi all,

I am facing a strange issue,

Site a
Zywall 110
Config:
site-to-site VPN to site b (site a and site b communicate correctly)
L2TP/IPsec VPN user with preshared key (let's call this site c); site c and site a can communicate correctly

I cannot route site c to site b,
but the routes are correctly configured.

I need some suggestions please.
thanks 


Comments

  • Ian31
    Ian31 Posts: 165  Master Member
    Hi,
    You need to add a policy route, from VPN client IP address to site b, before the policy route for VPN client IP address to any.

  • adm
    adm Posts: 16
    Thanks for your reply,

    but I just faced a new issue: the packet is correctly routed, but it doesn't come back.
  • Ian31
    Ian31 Posts: 165  Master Member
    If you mean the packet does not come back from site b,
    then add a policy route in site b,
    from site b to the VPN client IP address, into the site-to-site tunnel.

  • adm
    adm Posts: 16
    Yep, but it's already set.
  • adm
    adm Posts: 16
    l2tp -> zywall 110 -> aws

    The packet goes to the Zywall 110 and is forwarded correctly to AWS.
    The AWS VPN works correctly with the Zywall 110 LAN but not with L2TP.
    The route table and security group of AWS accept the subnet of the L2TP users.
  • adm
    adm Posts: 16
    Additional question:
    is it normal that L2TP releases IP addresses for VPN users with subnet 255.255.255.255??
    There's no route back this way.
  • adm
    adm Posts: 16
    UPDATE

    Site a (Zywall LAN) can connect correctly via SSH to site b (AWS).
    Site c (L2TP user) can connect correctly via SSH to site a (Zywall LAN, CentOS machine).

    BUT when site c tries to connect via SSH to site b, it fails.
    In the site a Zywall log, the packet is correctly forwarded from the L2TP IP address to the AWS IP address.
    On the AWS machine, the log shows an incoming connection from the L2TP IP address on port 22, but it seems stuck in SYN_RECV.

    Anyone have any idea?
    thanks
  • Ian31
    Ian31 Posts: 165  Master Member
    To check the L2TP to AWS issue,
    you can use the CLI to trace the request packets & reply packets:
    #  packet-trace interface vtix extension-filter host <ip address of AWS instance>

    Then access the AWS instance from the L2TP client, and check the result shown on the CLI.
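The symptom reported in the thread (the SYN is forwarded by the ZyWALL and seen by the instance, but the connection sits in SYN_RECV) is what asymmetric routing looks like: the forward path exists, the return path for the L2TP pool does not. The following added example, not from the thread or any Zyxel/AWS tool, models the three checks behind Ian31's advice (a policy route at site a, a phase-2 selector covering the L2TP pool, and a VPC route for the pool back into the VPN) over constructed addresses; the pool, LAN and VPC prefixes and the "tunnel"/"vgw" targets are assumptions.

```python
import ipaddress

# Constructed topology mirroring the thread (addresses are assumptions, not from the post):
# site C = L2TP/IPsec clients, site A = ZyWALL 110 LAN, site B = AWS VPC.
L2TP_POOL = ipaddress.ip_network("192.168.50.0/24")
SITE_A_LAN = ipaddress.ip_network("192.168.1.0/24")
SITE_B_VPC = ipaddress.ip_network("10.0.0.0/16")
ANY = ipaddress.ip_network("0.0.0.0/0")

def policy_route_lookup(routes, src, dst):
    """ZyWALL-style policy routes: the first matching (src, dst) entry wins."""
    for s, d, hop in routes:
        if src in s and dst in d:
            return hop
    return None

def aws_route_lookup(routes, dst):
    """VPC route table: longest prefix match wins."""
    hits = [(d.prefixlen, target) for d, target in routes if dst in d]
    return max(hits)[1] if hits else None

def check_path(client, instance, policy_routes, selectors, aws_routes):
    """Return findings explaining why TCP from an L2TP client to the instance
    would stall in SYN_RECV; an empty list means both directions are routed."""
    client, instance = ipaddress.ip_address(client), ipaddress.ip_address(instance)
    findings = []
    hop = policy_route_lookup(policy_routes, client, instance)
    if hop != "tunnel":
        findings.append(f"forward: policy route sends client traffic to {hop}, not the tunnel")
    if not any(client in loc and instance in rem for loc, rem in selectors):
        findings.append("forward: no phase-2 selector covers L2TP pool -> VPC, the SA will not carry it")
    if aws_route_lookup(aws_routes, client) != "vgw":
        findings.append("return: VPC route table sends the SYN-ACK elsewhere, client stays in SYN_RECV")
    return findings

# Configuration as described in the thread: policy route added at site A, but the
# tunnel still only carries site-A LAN <-> VPC and the VPC only routes the LAN back.
BROKEN = dict(
    policy_routes=[(SITE_A_LAN, SITE_B_VPC, "tunnel"), (L2TP_POOL, SITE_B_VPC, "tunnel"),
                   (L2TP_POOL, ANY, "wan")],
    selectors=[(SITE_A_LAN, SITE_B_VPC)],
    aws_routes=[(SITE_A_LAN, "vgw"), (ANY, "igw")],
)
# Same topology after the L2TP pool is added to the tunnel selectors and the VPC route table.
FIXED = dict(
    policy_routes=BROKEN["policy_routes"],
    selectors=[(SITE_A_LAN, SITE_B_VPC), (L2TP_POOL, SITE_B_VPC)],
    aws_routes=[(SITE_A_LAN, "vgw"), (L2TP_POOL, "vgw"), (ANY, "igw")],
)
```

`check_path("192.168.50.10", "10.0.1.20", **BROKEN)` reports the missing selector and the missing VPC route, while the same call with `FIXED` returns an empty list, and a site-A LAN host passes in both, matching what the thread observes.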

  • adm
    adm Posts: 16
    # You can use CLI to trace the request packets & reply packets

    Traceroute from L2TP doesn't reach the instance and all the hops fail. The same if I try traceroute from the instance.

    #
    Then access the AWS instance from L2TP client. And check the result show on the CLI.

    I cannot access the instance from L2TP via SSH, only through the AWS web console.
    Or maybe I don't understand exactly what you mean with "
    Then access the AWS instance from L2TP client. And check the result show on the CLI.
    "
  • adm
    adm Posts: 16
    I have to solve this issue in a couple of hours, please.
