mikidg1984

join:2013-03-17

USG20 site-to-site IPsec behind NAT

Hello,
My goal is to connect 2 offices by an IPsec tunnel.

The scenario is:

Office A network - USG20 - ADSL Router --- Internet --- ADSL Router - USG20 - Office B network.

I'm going ahead step by step.
First I created a test network by connecting the two WANs of the Zyxel USG20s on my home network to improve my IPsec knowledge, and I reached the goal.

Then I put 2 Linksys RVL200s between the two USG20s to simulate the ADSL routers.
I changed the IPsec configuration, forwarded all TCP and UDP ports from the Linksys to the USG20 and enabled VPN passthrough on both sides, but no tunnel comes up.

I put a log on the firewall of the Linksys and I see the IKE 500 packets coming from Office A passing through the Linksys to the USG20 of Office B, but no packets are logged on the Office B USG20.

Any Idea??
thanks...



Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON

There's a fully documented how-to in the USG user guide, or you can use the VPN setup wizard.

One recommendation: make sure you set the ADSL modems into bridging mode and get the USG20 a public IP on its WAN interface.
Doing NAT and port forwarding on the ADSL modem is going to make your hair grey.


mikidg1984

join:2013-03-17
reply to mikidg1984

Thanks for your help....
I configured the two routers as explained in my post and it works fine.
In my test I did not see the incoming IKE packets from the other USG-20, so I assumed that the problem was on the Linksys....

Your recommendation is right, but the ADSL modems are on loan and I think it is not possible to do with their proprietary firmware.

thank you very much for the help....



superataru

join:2004-12-07
Kearny, NJ

Hi.
Usually, if the WAN interfaces have public IPs there is no problem starting the process, unless the ISP is blocking UDP 500 or the USG is behind a device listening on the same port.
If the USG is behind a NAT, usually you can work around it with port forwarding (as Brano said).
Sometimes we choose the wrong listening interface in the gateway policy for each USG.
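The symptom in the opening post (IKE on UDP/500 seen leaving the Linksys but never logged on the Office B USG20) and superataru's point about UDP 500 and the listening interface are the kind of thing a side-by-side log comparison settles. The script below is an added example, not code from this thread or from Zyxel or Linksys; it assumes a hypothetical normalised log line format and constructed sample lines, and reports which IPsec legs (IKE udp/500, NAT-T udp/4500, ESP) the NAT router passed towards the USG that the USG never logged.

```python
import re

# IPsec legs that must reach the USG behind the NAT router: IKE on UDP/500,
# NAT-Traversal on UDP/4500, and ESP (IP protocol 50) when NAT-T is not used.
IPSEC_LEGS = {("udp", 500): "IKE udp/500",
              ("udp", 4500): "NAT-T udp/4500",
              ("esp", None): "ESP proto 50"}

# Hypothetical normalised line format (not the RVL200's or USG20's native log):
#   <ACTION> <proto> <src-ip>[:<port>] -> <dst-ip>[:<port>]
LINE = re.compile(r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?"
                  r"\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$")

def parse_log(text):
    """Return (action, proto, dst_ip, dst_port) per parsable line; others are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            dport = int(m["dport"]) if m["dport"] else None
            records.append((m["action"].upper(), m["proto"].lower(), m["dst"], dport))
    return records

def seen_legs(records, usg_ip):
    """Names of the IPsec legs that were passed (not dropped) towards usg_ip."""
    legs = set()
    for action, proto, dst, dport in records:
        if action == "DROP" or dst != usg_ip:
            continue
        key = (proto, dport) if proto == "udp" else (proto, None)
        if key in IPSEC_LEGS:
            legs.add(IPSEC_LEGS[key])
    return legs

def diagnose(router_log, usg_log, usg_ip):
    """Legs the NAT router forwarded but the USG never logged point at the hop between them."""
    forwarded = seen_legs(parse_log(router_log), usg_ip)
    received = seen_legs(parse_log(usg_log), usg_ip)
    return {"forwarded": forwarded, "received": received, "lost_between": forwarded - received}

# Constructed sample mirroring the thread: the Linksys passes IKE and NAT-T to the
# USG's LAN address, but the USG logs only unrelated traffic on that interface.
ROUTER_LOG = """\
ALLOW udp 203.0.113.10:500 -> 192.168.1.2:500
ALLOW udp 203.0.113.10:4500 -> 192.168.1.2:4500
DROP tcp 198.51.100.7:44321 -> 192.168.1.2:22
"""
USG_LOG = "ALLOW udp 192.168.1.50:50812 -> 192.168.1.2:53\n"
if __name__ == "__main__":
    print(diagnose(ROUTER_LOG, USG_LOG, "192.168.1.2"))
```

An empty "received" set with a non-empty "lost_between" set means the packets left the router but the USG did not see them on the address it logs for, which is where the forwarding target and the gateway policy's listening interface deserve a second look.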