vikino

join:2013-03-09

USG20-Accessing more subnets on remote IPSec site

Hello all,
I have a VPN IPsec tunnel to another site where Kerio Control is running. The tunnel is working fine, and on the remote site I can access all subnets, also with a VPN client connected to Kerio.
I need to access all subnets also from the network behind the ZyWALL.
My local subnet is 192.168.5.0/24; the remote subnets are
192.168.1.0
192.168.3.0
192.168.126.0
172.10.10.0
all with a /24 mask,
but I can reach only the subnet which is defined in the Remote policy of the tunnel's VPN Connection on the ZyWALL. From the remote site I am able to reach the 192.168.5.0 subnet only from the subnet which is in the policy on the ZyWALL.
I've set up routing policies where
incoming: any, source: LAN1, destination: remote subnet 1, next-hop: the VPN tunnel I created before, DSCP marking: none, SNAT: none.

I also tried to set up a policy where the source was the remote subnet, the destination was LAN1 and the next-hop was the LAN1 interface.

When I do a traceroute it goes to the ZyWALL and ends there. The firewall on the ZyWALL is off.

I don't know what else I should try to get it working.



superataru

join:2004-12-07
Kearny, NJ

Hi.
There are two settings:

1 - gateway policy (point to point)
2 - connection policies.

You can have more connection policies for a single p-to-p gateway setting.

For USG to USG you need to declare an outgoing policy route (SNAT = none).

For USG to not-USG, declare policy routes in and out,

say (minimal):
from LANx to RemLan1 ... Outgoing: TunnelX, SNAT: none
from IPSEC TunnelX to LANx, Outgoing: LANx, SNAT: none

Have a look at the firewall policies (LAN to IPSEC and vice versa).
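A way to check the point above about connection policies, as an added example that is not from the thread or from ZyXEL: IPsec only encapsulates traffic that matches a VPN Connection's local/remote policy, so a policy route that sends a remote /24 to the tunnel does nothing unless some connection policy also covers that /24. It assumes the subnets posted in the question and models each connection policy as a (local, remote) pair; the route names mirror the minimal list above.

```python
import ipaddress
from typing import List, Tuple

# Constructed from the thread: the LAN behind the ZyWALL and the four
# remote /24s behind Kerio Control.
LOCAL_LAN = ipaddress.ip_network("192.168.5.0/24")
REMOTE_SUBNETS = [ipaddress.ip_network(n) for n in (
    "192.168.1.0/24", "192.168.3.0/24", "192.168.126.0/24", "172.10.10.0/24")]

# One VPN Connection = one (local policy, remote policy) selector pair.
Selector = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]


def covered_by(selectors: List[Selector], src: str, dst: str) -> bool:
    """True if a src->dst flow matches some connection policy, either as
    LAN->remote traffic or as the reply coming back through the tunnel."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any((s in loc and d in rem) or (s in rem and d in loc)
               for loc, rem in selectors)


def uncovered_remote_subnets(selectors: List[Selector]):
    """Remote /24s that no connection policy carries. Traffic to them is
    dropped at the tunnel even when a policy route points there."""
    probe = str(LOCAL_LAN[1])  # any host in the local LAN
    return [net for net in REMOTE_SUBNETS
            if not covered_by(selectors, probe, str(net[1]))]


def needed_connections() -> List[Selector]:
    """Minimal set of connection policies under one gateway policy: one
    (local, remote) pair per remote subnet."""
    return [(LOCAL_LAN, net) for net in REMOTE_SUBNETS]


def policy_routes(tunnel: str = "TunnelX", lan: str = "LAN1"):
    """Policy routes to pair with those connections (USG to non-USG case):
    one outbound route per remote /24 and one return route, both SNAT none."""
    routes = [(lan, str(net), tunnel, "none") for net in REMOTE_SUBNETS]
    routes.append((tunnel, str(LOCAL_LAN), lan, "none"))
    return routes  # (incoming, destination, next-hop, SNAT)
```

Start with a single selector for 192.168.1.0/24, as in the question, and `uncovered_remote_subnets` lists exactly the three /24s that stay unreachable; with `needed_connections()` the list is empty.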


vikino

join:2013-03-09
reply to vikino

Btw, when I do a tracert to
192.168.1.1 it looks like this:
1 1 ms 1 ms 1 ms 192.168.5.1
2 * * * Timed out.
3 5 ms 5 ms 5 ms 192.168.1.1
but... 192.168.5.1 is the ZyWALL and 192.168.1.1 is Kerio;
between them is the IPsec tunnel...
Strange that there are 3 hops and the second is nothing...


vikino

join:2013-03-09

2 edits
reply to superataru

Re: USG20-Accessing more subnets on remote IPSec site

Hi again,
I've tried it like this...
It doesn't work :-/ I can reach only the 192.168.1.0 subnet; the Vikino_VPN_Subnet is 192.168.2.0/24.
When I set the remote policy in the VPN Connection to Vikino_VPN_Subnet I can reach this one but not 192.168.1.0...
and the last one is the error from the log... what is wrong?