santtu
@elisa-laajakaista.fi
| SPI:0x0 SEQ:0x0 No rule found, Dropping packet
Hi guys,
We have IPSec VPN tunnel between two offices, the remote office has ZW5 and our office new USG-100. Our office does not have any servers etc. and we are using resources of remote office (AD, file server, DNS). I am wondering what kind of rule is missing because we get constant errors to USG-100 logs:
error IPSec SPI:0x0 SEQ:0x0 No rule found, Dropping packet 10.22.19.1:33496 10.22.15.10:53 IPsec
The 10.22.19.1 is USG-100 LAN address, and 10.22.15.10 is DNS server of remote office. It looks like USG-100 is blocking all DNS queries to remote office when the query originates from USG-100 itself. However, DNS works when queries originate from our computers in LAN.
We have policy route definition:
lan1 LAN1_SUBNET RemoteLAN_SUBNET any RemoteNetwork none
and when I tried to create similar policy route but replacing incoming interface lan1 with "Zywall", that did not help.
Any ideas or tips?
Thanks,
Santtu |
|
Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON | It depends how are your routes setup on USG.
Post a screenshot. |
|
santtu
@elisa-laajakaista.fi
| Thanks Brano for your answer.
The only policy routes (in addition to USG default WAN TRUNK routes) we have added are:
(fields: Incoming, Source, Destination, Service, Next-hop, Snat)
lan1 LAN1_SUBNET RemoteLAN_SUBNET any RemoteNetwork none
lan1 LAN1_SUBNET Remote2LAN_SUBNET any Remote2Network none
Address definitions are:
LAN1_SUBNET INTERFACE SUBNET lan1-10.22.19.0/24
RemoteLAN_SUBNET SUBNET 10.22.15.0/24
Remote2LAN_SUBNET SUBNET 10.22.10.0/24
Should I make another rule for "Zywall to remote lan"? Looks like LAN1_SUBNET is only for packets coming into Zywall LAN interface, but not from Zywall itself?
BR,
Santtu |
|
