VPN tunnel built successfully but devices cannot ping

Hi guys,
I have never worked on ZyWALL before, please help me to get the VPN issue sorted out.
The main site has a ZyWALL 35 router and the branch site has a ZyWALL 10W. I created the VPN (gateway and network policy) in the ZyWALL 35 and a rule in the ZyWALL 10W. The VPN tunnel shows connected and built successfully but I cannot ping either of the routers from each other or from each other's local network.
I used a static WAN on the ZyWALL 35 main site and a dynamic WAN at the branch site. The main purpose of this VPN was to use a NEC phone. The phone was configured for the same network as the branch router ZyWALL 10W. But it's not working.
Cannot ping and see the devices across the VPN tunnel, however it's connected. I would really appreciate it if someone can guide me please. It's urgent as it's for my angry customer.
Regards,
Make sure the hosts that you want to reach on each side of the tunnel have a static route that points to the local ZyWALL for the remote LAN.
That's usually the culprit in these situations. -- "Perl is executable line noise, Python is executable pseudo-code."
Hi, thanks for your reply! How? I didn't get you. I already mentioned one side is dynamic. How can I static route?
Regards
reply to granvil
Office A LAN: 192.168.1.1/24, LAN ZyWALL = 192.168.1.1, Hosts = 192.168.1.2 - 254
Office B LAN: 192.168.0.1/24, LAN ZyWALL = 192.168.0.1, Hosts = 192.168.0.2 - 254
All hosts on the Office A LAN need a static route that says 192.168.0.1/24 needs to be routed to 192.168.1.1.
All hosts on the Office B LAN need a static route that says 192.168.1.1/24 needs to be routed to 192.168.0.1.
This is valid if the ZyWALLs are not the default router on each LAN. If the ZyWALLs are the default then this should not be necessary. -- "Perl is executable line noise, Python is executable pseudo-code."
reply to granvil
Pre-USG you do not need a static route for VPN connections. With the USG series you have to create a static route that points the remote subnet to the specific VPN tunnel.
If you are on all pre-USG gear, make sure you have the correct subnet mask defined for the "Remote Network" and "Local Network" on both routers in the Network Policy area assigned to the VPN.
On the ZyWALL 35, the settings under VPN:
NAT traversal: checked
Gateway policy: My IP: static WAN IP address for main site
Authentication key: Pre-shared Key: xyz (same on the ZyWALL 10W at branch site)
Local ID type: IP, Content: WAN IP of main site
Peer ID type: email, Content: xyz@abc.com (same on branch ZyWALL)
Extended authentication: client mode
IKE: Negotiation: aggressive, Encryption: DES, Auth algo: MD5, SA lifetime: 28800, Key group: DH1
For network policy:
Active: checked; allow NetBIOS broadcast traffic through IPSec tunnel: checked; check IPSec tunnel: checked (IP address of the ZyWALL for branch site)
Local network: 192.168.1.0, ending IP: 255.255.0.0
Remote: starting IP: 0.0.0.0, ending IP: 0.0.0.0
IPSec proposal: encap: tunnel, active protocol: ESP, encryption algo: ES, authentication: MD5
Branch site: local network starting IP: 172.16.3.0, ending IP: 255.255.0.0
Remote site: 192.168.1.0, ending: 255.255.0.0
Secure gateway is the static WAN IP of the main site.
What am I doing wrong here, please guide.
Regards,
You either need to change the remote IP from 0.0.0.0 to the subnet of the branch office, or you need to create a static route to send packets for the branch office over the VPN tunnel.
The remote IP of one site should match the local IP of the other site, and vice versa.
Hi, thanks for your reply,
I tried changing the subnet on the branch local to 0.0.0.0, which is the remote on the main site. Matching the subnet doesn't even connect my tunnel, and it throws an error that if there is a dynamic rule you can't put 0.0.0.0.
I also tried to put the LAN IP 172.x.x.x to match the local and remote subnet, but it is not connecting the tunnel. I am getting nowhere.
Regards,
Can someone help me here please? On the main side ZyWALL:
destination: 172.16.x.x (ZyWALL IP of the remote side), subnet: 255.255.0.0, gateway: ????
On the branch side: destination: ZyWALL IP of main site, subnet: , gateway: ?????
Regards,
Brano: Post screenshots from VPN setups from both routers.
Here is for the branch router.
reply to granvil 1
reply to granvil
Here are the screenshots for the main site 35 router.
reply to granvil
Are both ZyWALLs the default gw for their LANs?
Brano, reply to granvil: OK, here's how I'd configure it:
SITE A
Negotiation mode: Main
Local LAN: 172.16.0.0 / 255.255.0.0 (SUBNET)
Remote LAN: 192.168.0.0 / 255.255.0.0 (SUBNET)
Pre-shared key: presharedkeysample
Local ID: e-mail, Content: email1@autosoft.com.au
Peer ID: e-mail, Content: email2@autosoft.com.au
My IP: 0.0.0.0
Secure Gateway IP: 202.129.83.176
SITE B
Negotiation mode: Main
Local LAN: 192.168.0.0 / 255.255.0.0 (SUBNET)
Remote LAN: 172.16.0.0 / 255.255.0.0 (SUBNET)
Pre-shared key: presharedkeysample
Local ID: e-mail, Content: email2@autosoft.com.au
Peer ID: e-mail, Content: email1@autosoft.com.au
My IP: 0.0.0.0
Secure Gateway IP: 0.0.0.0
Ensure that ALL of the settings in IKE / IPSec are the same on both sides. Change your pre-shared key since you've made this one public. The e-mails in Authentication ID don't have to be real, they just need to match.
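The two rules stated in the replies above (the remote network of one side must mirror the local network of the other, and 0.0.0.0/0.0.0.0 is not a usable remote selector with a dynamic peer) can be checked mechanically. The script below is an added example, not code from the thread or from ZyXEL; it re-creates the original poster's network-policy values and Brano's corrected ones as constructed sample data and also flags start-IP/mask pairs like 192.168.1.0 / 255.255.0.0 that have host bits set, which is a third thing to fix that the masks in this thread show.

```python
import ipaddress

# Added example: checks a pair of ZyWALL "Network Policy" selectors
# (local/remote network given as start IP + subnet mask) for the
# mistakes discussed in this thread. Sample data below is constructed.

def covered_network(net, mask):
    """Network a start-IP + mask pair actually covers (host bits masked off)."""
    return ipaddress.IPv4Network((net, mask), strict=False)

def is_wildcard(net, mask):
    return net == "0.0.0.0" and mask == "0.0.0.0"

def check_policy_pair(site_a, site_b):
    """Return a list of findings; an empty list means the policies mirror each other."""
    findings = []
    for name, site in (("A", site_a), ("B", site_b)):
        for role in ("local", "remote"):
            net, mask = site[role]
            if is_wildcard(net, mask):
                findings.append(f"{name}.{role}: 0.0.0.0/0.0.0.0 wildcard, should be the peer's subnet")
                continue
            try:
                ipaddress.IPv4Network((net, mask), strict=True)
            except ValueError:
                findings.append(f"{name}.{role}: {net}/{mask} has host bits set, covers {covered_network(net, mask)}")
    # Selectors must be mirror images: A.local == B.remote and A.remote == B.local.
    for a_role, b_role in (("local", "remote"), ("remote", "local")):
        a, b = site_a[a_role], site_b[b_role]
        if is_wildcard(*a) or is_wildcard(*b):
            continue  # already reported above
        if covered_network(*a) != covered_network(*b):
            findings.append(f"A.{a_role} {covered_network(*a)} != B.{b_role} {covered_network(*b)}")
    # The two LANs must not overlap, or traffic cannot be routed into the tunnel.
    if not (is_wildcard(*site_a["local"]) or is_wildcard(*site_b["local"])):
        if covered_network(*site_a["local"]).overlaps(covered_network(*site_b["local"])):
            findings.append("A.local and B.local overlap")
    return findings

# Constructed from the original poster's settings (main site = A, branch = B).
OP_MAIN = {"local": ("192.168.1.0", "255.255.0.0"), "remote": ("0.0.0.0", "0.0.0.0")}
OP_BRANCH = {"local": ("172.16.3.0", "255.255.0.0"), "remote": ("192.168.1.0", "255.255.0.0")}
# Constructed from the corrected configuration in the last reply.
FIXED_A = {"local": ("172.16.0.0", "255.255.0.0"), "remote": ("192.168.0.0", "255.255.0.0")}
FIXED_B = {"local": ("192.168.0.0", "255.255.0.0"), "remote": ("172.16.0.0", "255.255.0.0")}

if __name__ == "__main__":
    for label, a, b in (("original", OP_MAIN, OP_BRANCH), ("corrected", FIXED_A, FIXED_B)):
        print(label, check_policy_pair(a, b) or ["OK"])
```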