mudtoe (join: 2005-10-09, Cleveland, OH) | reply to bbarrera | Re: USG 100 VPN Troubles
said by bbarrera: ...practically EVERYTHING on USG is controlled by policy routes, even stuff you would expect to work using the static routes set up by interfaces. It's painful but true, and the original beta testers were ignored. That said, the USG (ZLD, Linux based) is overall much better than the original Zywall (ZyNOS based).

It seems like they have made things much more complicated. I suppose that there is more flexibility, but the documentation leaves a WHOLE LOT to be desired with regard to explaining how all these options interact with each other, and supplying some common configuration setup examples.

I do believe that you are right in that I should go back to the customer's site and try to resolve this by using a PC on their LAN rather than trying to just use the USG100 routers themselves as ping points. That would eliminate any goofy things regarding the router as an endpoint, like the swDevTri thing for the Z35 that was mentioned above.
mudtoe (join: 2005-10-09, Cleveland, OH)
I tried the changes at the customer site after implementing policy routes for the VPN, and it worked just fine. Also, as an FYI, if you want to be able to test the tunnel with pings from the Zywall itself, you have to add a separate policy route for the Zywall (and a firewall rule), which is why it wasn't working when I tried pinging through the VPN via an SSH session to the Zywall.

Thanks all for the assistance.
bbarrera (Premium, MVM; join: 2000-10-23, Sacramento, CA)

Policy routes are the key to solving many issues on the USG series.
mudtoe (join: 2005-10-09, Cleveland, OH)
said by bbarrera: policy routes are the key to solving many issues on USG series.

Do the policy routes make the IP addresses in the VPN definitions themselves completely obsolete if you are using two USG series routers for the VPN? What I mean is, can you route any traffic you want through the tunnel by using policy routes, even if the addresses involved were not explicitly defined in the VPN definition?
SmurfLurf (join: 2007-12-18, Whittier, CA)
said by mudtoe: (said by bbarrera: policy routes are the key to solving many issues on USG series.) Do the policy routes make the IP addresses in the VPN definitions themselves completely obsolete if you are using two USG series routers for the VPN? What I mean is, can you route any traffic you want through the tunnel by using policy routes, even if the addresses involved were not explicitly defined in the VPN definition?

That's correct. You can force any traffic you like through the VPN tunnel, but it will only be passed if the checkbox for 'Policy Enforcement' is not checked. Of course you'll need additional policy routes in place to direct the traffic.
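An added example, not from this thread or from ZyXEL, that models the behaviour SmurfLurf describes: a policy route decides which traffic is sent into the tunnel, and the tunnel's 'Policy Enforcement' setting decides whether traffic outside the phase 2 local/remote policy is still passed. The class and function names, the sample networks, and first-match-wins rule ordering are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class VpnTunnel:
    name: str
    local_policy: str          # phase 2 local network (sample values below are constructed)
    remote_policy: str         # phase 2 remote network
    policy_enforcement: bool   # the "Policy Enforcement" checkbox

    def permits(self, src: str, dst: str) -> bool:
        # Enforcement on: only traffic inside the phase 2 policy is passed.
        # Enforcement off: anything a policy route sends to the tunnel is passed.
        if not self.policy_enforcement:
            return True
        return (ip_address(src) in ip_network(self.local_policy)
                and ip_address(dst) in ip_network(self.remote_policy))


@dataclass
class PolicyRoute:
    src: str        # source network the rule matches
    dst: str        # destination network the rule matches
    next_hop: str   # tunnel name, or "wan" for ordinary routing

    def matches(self, src: str, dst: str) -> bool:
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst))


def route_packet(src: str, dst: str, routes, tunnels) -> str:
    """Return "tunnel:<name>", "wan" or "dropped" for one packet.
    Policy routes are checked top to bottom, first match wins (assumed)."""
    for rule in routes:
        if rule.matches(src, dst):
            if rule.next_hop == "wan":
                return "wan"
            tunnel = tunnels[rule.next_hop]
            return f"tunnel:{tunnel.name}" if tunnel.permits(src, dst) else "dropped"
    return "wan"  # no policy route matched: fall back to the default route


# Constructed sample: site A LAN 192.168.1.0/24, site B LAN 192.168.2.0/24,
# plus a second local subnet 192.168.5.0/24 that is not in the phase 2 policy.
TUNNELS = {"site-b": VpnTunnel("site-b", "192.168.1.0/24", "192.168.2.0/24", True)}
ROUTES = [PolicyRoute("192.168.1.0/24", "192.168.2.0/24", "site-b"),
          PolicyRoute("192.168.5.0/24", "192.168.2.0/24", "site-b")]
```

With enforcement on, the 192.168.5.0/24 route is matched but its traffic is dropped at the tunnel; clearing the flag lets the same policy route carry it.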