gadulowaty

join:2012-01-06
Poland

VPN Tunnel - Accessing remote side servers from USG device.

Hi guys, I am looking for some assistance and help with configuring a VPN tunnel between USG200 and USG20W.
Schema of the network is as below:

REMOTE OFFICE MAIN OFFICE
192.168.16.0/24 / INTERNET / 192.168.0.0/24 /RADIUS Server: 192.168.0.5/
|WIFI with WPA2-Enterprise|

I have successfully built a VPN tunnel between the remote office and the main office. Computers on each side can access each other. The only problem is the USG20W at the REMOTE OFFICE: I need to set up wireless with security level set to WPA2-Enterprise with a RADIUS server located at the MAIN OFFICE site, but the USG20W cannot access any host located on the main office network side (so the RADIUS server is also unreachable). I checked by logging into the USG20W over SSH that if I execute a ping or trace command to the RADIUS server (192.168.0.5), all packets are routed through the WAN connection and the command result is as follows:

Router> ping 192.168.0.5
PING 192.168.0.5 (192.168.0.5) 56(84) bytes of data.
From xx.xx.xx.xxx icmp_seq=1 Destination Host Unreachable
From xx.xx.xx.xxx icmp_seq=2 Destination Host Unreachable
From xx.xx.xx.xxx icmp_seq=3 Destination Host Unreachable
/Where xx.xx.xx.xxx is the next hop to the internet./

I suspect that the problem is that packets outgoing from the USG are not routed through the VPN tunnel but are sent through the default gateway unencrypted, so I added a Policy Route:
INCOMING SOURCE DESTINATION DSCP CODE SERVICE NEXT-HOP DSCP SNAT BWM
---------------------------------------------------------------------------------- --------------------------------------------------------------------------------
ZyWALL any NET:192.168.0.0/24 any any VPN Tunnel Preserve none 0

After that, the result of the ping command is as follows:

Router> ping 192.168.0.5
PING 192.168.0.5 (192.168.0.5) 56(84) bytes of data.
--- 192.168.0.5 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2016ms

I feel that I am missing something. Any help will be very appreciated.

Gadulowaty

PS. I also need to mention that:
1. "Use Policy Route to Override Direct Route" is SET (CONFIGURATION->NETWORK->ROUTING)
2. "Use Policy Route to control dynamic IPSec rules" is SET (CONFIGURATION->VPN->IPSEC VPN->VPN Connection)

gadulowaty

join:2012-01-06
Poland

Made some progress....

Hi again, I made some progress in tracing the source of the problem. I ran packet capturing on the main office site ZyWALL and then ran Wireshark. The result is that packets from the remote site show up on the local LAN interface of ZyWALL-OFFICE but have the wrong source IP. The IP address of those packets is the WAN IP address of the ZyWALL in the REMOTE OFFICE, so a sample request-response of ICMP traffic from Wireshark looks like this:

No. Time Source Destination Protocol Length Info
---------------------------------------------------------------------------------- ------------------------------------------------------
1256 1.572297 xxx.xx.xxx.xxx 192.168.0.5 ICMP 170 Echo (ping) request id=0x378f, seq=120/30720, ttl=62
1264 1.574628 192.168.0.5 xxx.xx.xxx.xxx ICMP 170 Echo (ping) reply id=0x378f, seq=120/30720, ttl=128
---------------------------------------------------------------------------------- ------------------------------------------------------
Where xxx.xx.xxx.xxx is the WAN interface address of the ZyWALL USG20W at the REMOTE OFFICE.

So my conclusion is that this packet is not matching the IP policy at the OFFICE SITE, which is LOCAL: 192.168.0.0/24, REMOTE: 192.168.16.0/24, so that packet is not pushed into the VPN tunnel when arriving at ZyWALL-OFFICE on the LAN interface.

I tried to add a rule on the REMOTE Zyxel to SNAT packets outgoing from that device to the OFFICE net through the VPN tunnel, but this ended with an error:

CLI Number: 8
Error Number: -28046
Error Message: 'Set "snat" of Policy Route rule has failed.'

Any ideas how to change that behaviour? Somebody?

Gadulowaty

gadulowaty

join:2012-01-06
Poland

Found working solution

Hi, for anybody who may encounter a similar problem, I want to share the solution to this problem.
In CONFIGURATION->VPN->IPSec VPN->VPN Connection, on the side from which you want to access the remote servers:

1. Select defined connection and edit.
2. Click Show advanced settings.
3. Go to the bottom to section: Inbound/Outbound traffic NAT
4. Define SNAT for inbound/outbound traffic:
EXAMPLE (as in my net)
a. Outbound Source NAT SET to checked
Source: [WAN IP of ZyWALL] xxx.xxx.xxx.xxx
Destination: [SUBNET on remote site] 192.168.0.0/24
SNAT: [LAN IP of ZyWALL] 192.168.16.254

b. Inbound Source NAT SET to checked
Source: [SUBNET on remote site] 192.168.0.0/24
Destination: [LAN IP of ZyWALL] 192.168.16.254
SNAT: [WAN IP of ZyWALL] xxx.xxx.xxx.xxx

That's all. Now ping traverses the VPN tunnel.
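To make the diagnosis in this thread concrete, here is an added example (not from the thread and not Zyxel code) that models why a ping the USG20W sends from its own WAN address fails both sides' IPsec traffic selectors, and why the outbound SNAT rule above makes it match. The WAN address 203.0.113.10 is a placeholder for the masked xxx.xxx.xxx.xxx, and the return path is modelled as the state table of a stateful SNAT rather than as the ZyWALL's inbound rule.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses matching the thread; the WAN IP is a TEST-NET-3 placeholder.
REMOTE_LAN = ipaddress.ip_network("192.168.16.0/24")   # remote office (USG20W)
MAIN_LAN = ipaddress.ip_network("192.168.0.0/24")      # main office (USG200)
RADIUS = ipaddress.ip_address("192.168.0.5")
USG_LAN_IP = ipaddress.ip_address("192.168.16.254")
USG_WAN_IP = ipaddress.ip_address("203.0.113.10")      # placeholder for xxx.xxx.xxx.xxx

@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address

def remote_selector(pkt: Packet) -> bool:
    """Phase-2 selector on the remote side: LOCAL 192.168.16.0/24 -> REMOTE 192.168.0.0/24.
    A policy route can point other traffic at the tunnel, but it is still not protected."""
    return pkt.src in REMOTE_LAN and pkt.dst in MAIN_LAN

def main_selector(pkt: Packet) -> bool:
    """Phase-2 selector on the main office side: LOCAL 192.168.0.0/24 -> REMOTE 192.168.16.0/24."""
    return pkt.src in MAIN_LAN and pkt.dst in REMOTE_LAN

class OutboundSnat:
    """The 'Outbound Source NAT' rule from the post: Source=WAN IP, Destination=remote subnet,
    SNAT=LAN IP. Replies are reverse-translated from a state table (assumption: stateful SNAT)."""
    def __init__(self, source, destination, snat):
        self.source, self.destination, self.snat = source, destination, snat
        self.state = {}  # (translated_src, dst) -> original_src

    def outbound(self, pkt: Packet) -> Packet:
        if pkt.src == self.source and pkt.dst in self.destination:
            self.state[(self.snat, pkt.dst)] = pkt.src
            return Packet(self.snat, pkt.dst)
        return pkt

    def inbound(self, pkt: Packet) -> Packet:
        original = self.state.get((pkt.dst, pkt.src))
        return Packet(pkt.src, original) if original else pkt

def router_originated_ping(snat=None) -> dict:
    """Trace one ping the USG20W itself sends to the RADIUS server, with or without the SNAT rule."""
    request = Packet(USG_WAN_IP, RADIUS)          # router-originated traffic carries the WAN IP
    if snat:
        request = snat.outbound(request)
    reply = Packet(RADIUS, request.src)           # the main office answers the source it saw
    reply_protected = main_selector(reply)        # checked before the reverse translation
    if snat:
        reply = snat.inbound(reply)
    return {"src_seen_by_main_office": str(request.src), "request_in_tunnel": remote_selector(request),
            "reply_in_tunnel": reply_protected, "reply_dst": str(reply.dst)}
```

Without the rule the request reaches the main LAN with the WAN source (as the Wireshark capture showed) and neither direction matches a selector; with it, both directions match and the reply is translated back to the WAN address the router's ping process is waiting on.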


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:3

SNAT settings seem to rear their ugly head wherever one traipses on the USG.
