andremta
join:2009-09-24 portugal
VPN: Cannot ping LAN
Hi guys! Can someone please help me? This is kinda urgent.
I'm new to the ZyWall USG 300, and so I have an issue:
I have firmware 2.12 and I've configured the VPN IPSEC/L2TP according to the manual.
Configurations seemed fine, I was able to connect to the router/VPN. However, I cannot ping LAN devices (nor WAN). I tried disabling the firewall but it is pretty much the same. I added the routing policy described on page 441 (2.12 manual).
I'm able to ping the router IP, and nothing else.
andremta
join:2009-09-24 portugal
Guys,
Here's a screenshot of my Route Policies. Please ignore disabled routes.
fox7
join:2001-02-12 Culver City, CA
reply to andremta
andremta: OK, I took a quick look at it. By what you are saying about not being able to ping the LAN, I refer to page 432 in your manual about 'Policy Route'. You should configure the policy route and make sure that the L2TP_POOL of IPs is NOT in the scope/range of the LAN's IPs. OK???
That is a place to start to see what is up.
What are you using at the other end of the tunnel, opposite to the USG 300??
fox7
andremta
join:2009-09-24 portugal
fox7:
Thanks for your reply!
To access the VPN I'm using a Windows XP machine with its default VPN connection client, configured as described in the manual.
My LAN: 192.168.1.1 ~ 254 (DHCP from 192.168.1.30 ~ .254)
VPN: 192.168.1.11 ~ 19
Do you mean that the L2TP_POOL cannot be in the LAN's range?
I'm not able to ping the LAN only when I'm connected to the VPN. From LAN to LAN everything is OK.
fox7
join:2001-02-12 Culver City, CA
reply to andremta
Bingo, Bango!!!!
You are using 192.168.1.x in your LAN. You must use a different subnet in the L2TP_Pool, i.e. 192.168.N.X where N is any number up to 254 that is NOT 1 (one). Using the number 1 there puts it in the same subnet. A no-no!!
That is what I meant by same scope/range, i.e. same subnet.
After changing, try and ping an IP on the LAN.
Also with the Zywall there is a user interface page that is called something like the VPN 'Monitor' page. That will confirm that you have a VPN connection. Is that page declaring that??
fox7
Edit: Page 437 in the manual. Notice the different IP subnets used in the LAN and the L2TP_POOL.
andremta
join:2009-09-24 portugal
fox7:
I tried another subnet (192.168.10.1 ~ 10) and it was pretty much the same!
Once, I configured this router's VPN successfully with the previous VPN pool, although I had to configure it from scratch again and the previous configuration backup isn't supported with this new firmware.
It must be something else! I tried with the firewall disabled, it's the same! It must be some route policy that I'm missing...
fox7
join:2001-02-12 Culver City, CA
reply to andremta
Well, ok, let's try some more things.
Is the WAN IP address of the Zywall a static IP?? (A permanent IP assigned by your ISP.)
Did you enter that IP address in? I refer to page 439 in the manual, where it says "For the Local Policy, ..... " And 0.0.0.0 for the Remote Policy????
fox7
jdmt Premium
join:2002-05-06 Seattle, WA
reply to andremta
Just a shot in the dark, but if you're able to ping the gateway IP address, I'm wondering if the machine you're attempting to connect to has its firewall configured to reject connections from IP addresses outside of its own subnet? This was an issue for me on a Vista machine - I had to explicitly allow connections from the remote subnet. This is especially true for ICMP in the Windows firewall, since it is fairly restrictive by default.
A quick way to test this would be to temporarily disable the firewall on the machine you're trying to ping (if it's on, that is) and test it - if it works, then you know you've found the issue.
andremta
join:2009-09-24 portugal
reply to fox7
fox7:
I get the WAN IP from the ISP's DHCP but it's a static IP.
Yes!
andremta
join:2009-09-24 portugal
reply to jdmt
jdmt: I think I had the firewall disabled (both sides) but I'll try that again and I'll get back to you. (I was trying it with XP)
andremta
join:2009-09-24 portugal
reply to andremta
Guys,
This is weird... after connecting to the VPN, I can browse the internet with my NAT IP (from the router).
However, I can only ping the router on the LAN, no other LAN-subnet devices!
This is weird! It must be some rule that I'm missing... any suggestion?
Brano, you always have cool suggestions. Where are you?
andremta
join:2009-09-24 portugal
reply to andremta
Guys,
I have the answer to my problem... this is so lame, but my home router's IP was the same as the VPN's remote route. As such, this led to all the traffic for the VPN's LAN subnet being sent through the home router.
I changed my home router subnet from 192.168.1.0 to 192.168.100.0 and the problem got fixed!
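The routing failure andremta describes in his answer, as an added example that is not part of the thread: a small Python model of the VPN client's routing table shows why a home LAN on the same subnet as the office LAN swallows traffic meant for the tunnel, plus a helper that flags overlapping subnets (home LAN, office LAN, L2TP pool) before the tunnel is set up. Interface names, metrics and the office host address are assumptions.

```python
import ipaddress

# Constructed client routing tables. A route is (prefix, interface, metric):
# eth0 is the home LAN NIC, ppp0 the L2TP tunnel (both names assumed).
# Windows XP adds a low-metric default route over the tunnel when "Use default
# gateway on remote network" is on, matching the thread (Internet traffic
# leaves with the office router's NAT IP), but the connected home-LAN route
# stays and wins by longest prefix for any destination inside that subnet.
def client_routes(home_lan: str):
    return [
        (home_lan, "eth0", 20),        # connected route for the home LAN
        ("0.0.0.0/0", "eth0", 20),     # home router as default gateway
        ("0.0.0.0/0", "ppp0", 1),      # VPN default route, preferred by metric
    ]

def pick_route(dest: str, routes):
    """Longest-prefix match, ties broken by lowest metric; returns the interface."""
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, iface, metric in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net:
            key = (net.prefixlen, -metric)
            if best is None or key > best[0]:
                best = (key, iface)
    return best[1] if best else None

def to_nets(spec: str):
    """Accept a CIDR ('192.168.1.0/24') or a range ('192.168.1.11-192.168.1.19')."""
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(s.strip()) for s in spec.split("-"))
        return list(ipaddress.summarize_address_range(lo, hi))
    return [ipaddress.ip_network(spec)]

def overlapping_nets(named: dict):
    """Return name pairs whose address spaces overlap; any overlap makes routing ambiguous."""
    items = [(name, to_nets(spec)) for name, spec in named.items()]
    return [(a, b) for i, (a, na) in enumerate(items) for b, nb in items[i + 1:]
            if any(x.overlaps(y) for x in na for y in nb)]

if __name__ == "__main__":
    office_host = "192.168.1.50"   # assumed address of a PC on the office LAN
    for home in ("192.168.1.0/24", "192.168.100.0/24"):
        print(f"home {home}: {office_host} goes out {pick_route(office_host, client_routes(home))}")
    print(overlapping_nets({"home_lan": "192.168.1.0/24", "office_lan": "192.168.1.0/24",
                            "l2tp_pool": "192.168.1.11-192.168.1.19"}))
```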
fox7
join:2001-02-12 Culver City, CA
reply to andremta
andremta: Cool!!!! I have been really busy and finally got a chance to get back to the forums and am glad you got her going.
Congratulations!!
fox7