USG20-Accessing more subnets on remote IPSec site

Hello all,
I have a VPN IPSec tunnel to another site where Kerio Control is running. The tunnel is working fine, and on the remote site I can access all subnets, also with a VPN client connected to Kerio.
I need to access all subnets also from the network behind the Zywall.
My local subnet is, remote subnets are
all have a /24 mask,
but I can reach only the subnet which is defined in the Remote policy of the VPN Connection of the tunnel on the Zywall, and from the remote site I'm able to reach only the subnet which is in the policy on the Zywall.
I've set up routing policies where
incoming-any, source-LAN1, destination-remotesubnet1, next-hop-VPN Tunnel I created before, DSCP marking-none, SNAT-none

I also tried to set up a policy where the source was the remote subnet, the destination LAN1, and the next-hop was the LAN1 interface.

When I do a traceroute it goes to the Zywall and there it ends. The firewall on the Zywall is off.

I don't know what else I should try to get it working.


Kearny, NJ
There are two settings:

1- gateway policy (point to point)
2- connection policies.

You can have more connection policies for a single p-to-p gateway setting.

For USG to USG you need to declare an outgoing policy route (snat = none).

For USG to not-USG, declare policy routes in and out,

say (minimal):
from LANx to RemLan1 ... Outgoing:TunnelX Snat:none
from IPSEC TunnelX to LANx Outgoing:LANx Snat None

Have a look at the firewall policies (LAN to IPSEC and vice versa).


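The answer above boils down to two checks a packet has to pass on the Zywall: a policy route has to send it to the tunnel, and the VPN Connection (Phase 2) that the route points at has to have a local/remote policy that covers the source and destination, otherwise the flow is never encrypted and dies at the gateway, which is exactly what "traceroute ends at the Zywall" looks like. The Python model below is an added illustration, not code from the thread, ZyXEL or Kerio; the subnets are constructed RFC 1918 values because the real ones are not on the page, and the connection and gateway names are made up. It shows the one-connection setup failing for the second remote subnet, then the fix the answer describes: a second connection policy on the same point-to-point gateway, plus the incoming route from the tunnel back to LAN1 that a non-USG peer needs.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# Constructed sample addressing (the thread's real subnets are elided).
LAN1 = "192.168.10.0/24"     # subnet behind the Zywall
REMOTE1 = "10.1.1.0/24"      # first subnet behind Kerio Control
REMOTE2 = "10.1.2.0/24"      # second subnet behind Kerio Control


def _in(selector: str, addr: ipaddress.IPv4Address) -> bool:
    """'any' matches everything; otherwise the address must fall in the CIDR."""
    return selector == "any" or addr in ipaddress.ip_network(selector)


@dataclass
class VpnConnection:
    """A Phase 2 'VPN Connection': its local/remote policy is the traffic selector."""
    name: str
    gateway: str          # the Phase 1 point-to-point 'VPN Gateway' it hangs off
    local_policy: str
    remote_policy: str

    def covers(self, src, dst) -> bool:
        return _in(self.local_policy, src) and _in(self.remote_policy, dst)


@dataclass
class PolicyRoute:
    incoming: str         # "any", an interface name, or a VPN connection name
    source: str           # CIDR or "any"
    destination: str      # CIDR or "any"
    next_hop: str         # VPN connection name or interface name
    snat: str = "none"

    def matches(self, incoming_if, src, dst) -> bool:
        return (self.incoming in ("any", incoming_if)
                and _in(self.source, src) and _in(self.destination, dst))


def forward(src: str, dst: str, incoming_if: str,
            routes: List[PolicyRoute], connections: List[VpnConnection]) -> str:
    """First matching policy route wins; a tunnel next-hop also needs a covering selector."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in routes:
        if not r.matches(incoming_if, s, d):
            continue
        conn = next((c for c in connections if c.name == r.next_hop), None)
        if conn is None:                      # plain interface next-hop
            return f"forwarded out {r.next_hop} (snat={r.snat})"
        if conn.covers(s, d):
            return f"encrypted into {conn.name} (gateway {conn.gateway})"
        return (f"dropped at Zywall: policy route sends flow to {conn.name} but its "
                f"remote policy {conn.remote_policy} does not cover {d}")
    return "no policy route matched; main routing table decides"


GATEWAY = "Kerio_GW"                          # hypothetical Phase 1 gateway name

# Scenario 1: what the original poster has, a single connection policy for REMOTE1.
conn1 = VpnConnection("Kerio_Subnet1", GATEWAY, LAN1, REMOTE1)
routes_before = [
    PolicyRoute("any", LAN1, REMOTE1, "Kerio_Subnet1"),
    PolicyRoute("any", LAN1, REMOTE2, "Kerio_Subnet1"),   # selector does not cover REMOTE2
]

# Scenario 2: a second connection policy on the same gateway, with in and out routes.
conn2 = VpnConnection("Kerio_Subnet2", GATEWAY, LAN1, REMOTE2)
routes_after = [
    PolicyRoute("any", LAN1, REMOTE1, "Kerio_Subnet1"),
    PolicyRoute("any", LAN1, REMOTE2, "Kerio_Subnet2"),
    PolicyRoute("Kerio_Subnet1", REMOTE1, LAN1, "LAN1"),  # return path, non-USG peer
    PolicyRoute("Kerio_Subnet2", REMOTE2, LAN1, "LAN1"),
]


def scenario_before(dst: str = "10.1.2.5") -> str:
    return forward("192.168.10.20", dst, "LAN1", routes_before, [conn1])


def scenario_after(dst: str = "10.1.2.5") -> str:
    return forward("192.168.10.20", dst, "LAN1", routes_after, [conn1, conn2])


def scenario_return() -> str:
    """Reply from REMOTE2 arriving on the tunnel must be routed out LAN1."""
    return forward("10.1.2.5", "192.168.10.20", "Kerio_Subnet2", routes_after, [conn1, conn2])


if __name__ == "__main__":
    print(scenario_before())
    print(scenario_after())
    print(scenario_return())
```

The same selector check runs on the Kerio side, so the remote networks have to be listed there as well; the model only covers the Zywall half that the thread is about.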
reply to vikino
Btw. when I do a tracert to it looks like this
1 1 ms 1 ms 1 ms
2 * * * Timed out.
3 5 ms 5 ms 5 ms
but... is the Zywall and is Kerio,
between them is the IPSec tunnel...
Strange why there are 3 hops and the second is nothing...



reply to superataru

Re: USG20-Accessing more subnets on remote IPSec site

Hi again,
I've tried it like this...
It doesn't work :-/ I can reach only the subnet, the Vikino_VPN_Subnet is
When I set the remote policy in the VPN Connection to Vikino_VPN_Subnet I can reach this one but not the
and the last one is the error from the log... what is wrong?