SmurfLurf
join:2007-12-18 Whittier, CA
reply to mudtoe, Re: USG 100 VPN Troubles
said by mudtoe:
    said by bbarrera: policy routes are the key to solving many issues on USG series.
    Do the policy routes make completely obsolete the IP addresses in the VPN definitions themselves if you are using two USG series routers for the VPN? What I mean is, can you route any traffic you want through the tunnel by using policy routes, even if the addresses involved were not explicitly defined in the VPN definition?
    mudtoe
That's correct. You can force any traffic you like through the VPN tunnel, but it will only be passed if the checkbox for 'Policy Enforcement' is not checked. Of course you'll need additional policy routes in place to direct the traffic.
mudtoe
join:2005-10-09 Cleveland, OH
reply to bbarrera
said by bbarrera: policy routes are the key to solving many issues on USG series.
Do the policy routes make completely obsolete the IP addresses in the VPN definitions themselves if you are using two USG series routers for the VPN? What I mean is, can you route any traffic you want through the tunnel by using policy routes, even if the addresses involved were not explicitly defined in the VPN definition?
mudtoe
bbarrera
join:2000-10-23 Sacramento, CA
reply to mudtoe
policy routes are the key to solving many issues on USG series.
mudtoe
join:2005-10-09 Cleveland, OH
reply to mudtoe
I tried the changes at the customer site after implementing policy routes for the VPN, and it worked just fine. Also, as an FYI, if you want to be able to test the tunnel with pings from the Zywall itself, you have to add a separate policy route for the Zywall (and a firewall rule), which is why it wasn't working when I tried pinging through the VPN via an SSH session to the Zywall.
Thanks all for the assistance.
mudtoe
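The routing behaviour the posters describe (traffic enters a USG tunnel only when a policy route sends it there, a tunnel with Policy Enforcement on drops traffic outside the VPN definition's own subnets, and pings from the USG itself need their own policy route) modelled as a small decision function. This is an added example, not code from the thread or from ZyXEL; the incoming-interface matching, the "zywall" pseudo-interface name and the office addresses are assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class VpnPolicy:
    local: str      # local subnet in the VPN definition
    remote: str     # remote subnet in the VPN definition
    enforce: bool   # the "Policy Enforcement" checkbox

@dataclass
class PolicyRoute:
    incoming: str     # "lan1", "zywall" (router-originated, assumed name) or "any"
    source: str       # CIDR or "any"
    destination: str  # CIDR or "any"
    next_hop: str     # "tunnel:<vpn name>" or a WAN interface

def _in(cidr, ip):
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

def route_packet(src, dst, incoming, routes, vpns):
    """First matching policy route wins. Returns 'tunnel:<name>', the WAN
    interface (default route, never tunnelled) or 'dropped'."""
    for r in routes:
        if r.incoming not in ("any", incoming):
            continue
        if not (_in(r.source, src) and _in(r.destination, dst)):
            continue
        if not r.next_hop.startswith("tunnel:"):
            return r.next_hop
        vpn = vpns[r.next_hop[len("tunnel:"):]]
        # Policy Enforcement on: the tunnel only carries traffic matching the
        # VPN definition's own local/remote subnets; anything else is dropped
        if vpn.enforce and not (_in(vpn.local, src) and _in(vpn.remote, dst)):
            return "dropped"
        return r.next_hop
    return "wan1"  # no policy route matched: default route, tunnel unused

# constructed sample: office A LAN 192.168.1.0/24 (USG at .1), office B LAN 192.168.2.0/24
VPNS = {"to_B": VpnPolicy("192.168.1.0/24", "192.168.2.0/24", enforce=False)}
LAN_ROUTE = PolicyRoute("lan1", "192.168.1.0/24", "192.168.2.0/24", "tunnel:to_B")
SELF_ROUTE = PolicyRoute("zywall", "any", "192.168.2.0/24", "tunnel:to_B")  # for the USG's own pings

def decisions(routes):
    """(LAN host ping, USG-originated ping) towards office B under the given routes."""
    return (route_packet("192.168.1.10", "192.168.2.10", "lan1", routes, VPNS),
            route_packet("192.168.1.1", "192.168.2.10", "zywall", routes, VPNS))

if __name__ == "__main__":
    print(decisions([]), decisions([LAN_ROUTE]), decisions([LAN_ROUTE, SELF_ROUTE]))
```

With no policy routes the tunnel is up but nothing uses it; adding only the LAN route fixes hosts but not pings from the USG, which is the symptom reported above.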
mudtoe
join:2005-10-09 Cleveland, OH
reply to bbarrera
said by bbarrera: ...practically EVERYTHING on USG is controlled by policy routes, even stuff you would expect to work using the static routes set up by interfaces. It's painful but true, and the original beta testers were ignored. That said, the USG (ZLD, Linux based) is overall much better than the original Zywall (ZyNOS based).
It seems like they have made things much more complicated. I suppose that there is more flexibility, but the documentation leaves a WHOLE LOT to be desired with regard to explaining how all these options interact with each other, and supplying some common configuration setup examples.
I do believe that you are right in that I should go back to the customer's site and try to resolve this by using a PC on their LAN rather than trying to just use the USG100 routers themselves as ping points. That would eliminate any goofy things regarding the router as an endpoint, like the swDevTri thing for the Z35 that was mentioned above.
mudtoe
mudtoe
join:2005-10-09 Cleveland, OH
reply to Brano
said by Brano: If you're pinging from Z35, pings do not enter the VPN tunnel unless you have swDevTri turned on, see » Re: Zywall syslog
I remember that, as I was part of the thread you linked to. I wasn't pinging from the Z35, I was pinging from both of the USG 100's because they are at the customer's site and I don't have ready access to a machine on their LAN; I just have access to the USG 100 routers. The Z35 is my network router, and I was using machines on my own LAN to do the pings instead of doing them from the Z35. I wasn't able to find anything similar to swDevTri in the USG100 documentation. I may have to go back to the customer's site and try resolving this using one of their LAN PCs rather than the router, as bbarrera suggested.
bbarrera
join:2000-10-23 Sacramento, CA
reply to mudtoe
you should ping between LAN computers; there are routerOS and firmware dependent issues when doing so from CLI.
practically EVERYTHING on USG is controlled by policy routes, even stuff you would expect to work using the static routes set up by interfaces. It's painful but true, and the original beta testers were ignored. That said, the USG (ZLD, Linux based) is overall much better than the original Zywall (ZyNOS based).
Brano
join:2002-06-25 Burlington, ON
reply to mudtoe
For a complete guide to the CLI see »ftp://ftp.zyxel.com/ZYWALL_USG_100/cli···00_2.pdf
If you're pinging from Z35, pings do not enter the VPN tunnel unless you have swDevTri turned on, see »Re: Zywall syslog
mudtoe
join:2005-10-09 Cleveland, OH
reply to Brano
said by Brano: That's the thing. In ZyNOS VPN routing is done by VPN policy; in ZLD you have to specify routing explicitly. The VPN Wizard should help you; alternatively post your routing table here.
I'm sure that had something to do with it, as I created the VPNs manually. I went back and used the wizard to make a new VPN, which created some route policies, and now I can ping from a machine behind the Z35 to the USG 100, but I can't ping back. (I'm using the SSH interface on the USG 100 to do the pings back to the Z35, so if the router itself is in a different zone, perhaps that's the problem, but I can't tell what interface it's using to generate its pings.) Is there a way through the command line interface to get a whole routing table printed with actual IP addresses? All the things I've tried simply give me all those neat alias names that the USG 100 creates for everything, rather than a whole routing table, so it would be difficult for me to post something that looks coherent using just the aliases.
mudtoe
Brano
join:2002-06-25 Burlington, ON
reply to mudtoe
said by mudtoe: It's almost as if the routing table in the routers isn't putting the VPN routes in place.
That's the thing. In ZyNOS VPN routing is done by VPN policy; in ZLD you have to specify routing explicitly.
The VPN Wizard should help you; alternatively post your routing table here.
Anav
join:2001-07-16 Dartmouth, NS
reply to mudtoe
Wish I could be of help, but the USG series are a totally diff animal from the Zywall series.
mudtoe
join:2005-10-09 Cleveland, OH
Hi folks:
I'm having some trouble with two USG 100 routers I'm trying to install for a customer. For whatever reason I'm unable to get the VPNs to work. I've configured dozens of Z5's, Z35's, etc. without problems, but I'm stumped on these. I configure the VPN, it comes up, but no traffic will ever route through the VPN; I've tried disabling the firewall, just to make sure it's not that, and still no go. I also configured both the routers (they are in separate offices of the customer) to connect via VPN to my Z35 at my place, and the same issue occurs on both: the VPN comes up, but no traffic ever flows. I'm using the latest firmware on the USG 100's. It's almost as if the routing table in the routers isn't putting the VPN routes in place.
Suggestions welcome.
mudtoe