
Whizzingdonk

join:2013-06-07

Zywall USG 20 IPSEC Site to Site

Hi

I currently have an IPsec site-to-site VPN set up between a USG20 and a TP-Link TD-W8970 router. The VPN connection is up at both ends. I am able to browse network shares located at the TP-Link site and ping addresses behind the USG20 from the TP-Link site. The problem is when trying to access web sites (router management etc.) that are located on the USG20 network, yet I am able to ping devices behind it from the TP-Link site.

Any help appreciated!



Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:10

On the USG, in VPN -> IPSec VPN -> VPN Connection, check the 'Ignore "Don't Fragment" setting in IP header' box and see if it helps. Even if it doesn't help, keep it checked.


Whizzingdonk

join:2013-06-07

Many Thanks! That has sorted it.

The only interface I'm unable to access now is the ZyWALL itself. I've added an accept-all rule in Settings -> WWW, but I'm unable to access the interface over the VPN, though I can access it over the internet.



Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:10

You need to add IPsec_VPN to ZyWALL firewall rule.


Whizzingdonk

join:2013-06-07

Firewall is off!



Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:10


OK, next step: check that "WWW Admin Service Control" is allowed from ANY or IPSec_VPN.
Also double-check your policy routing.


Whizzingdonk

join:2013-06-07

Hi

The admin service control is set to ALL and accept. The "Routing -> Policy Route" is empty. I didn't think anything was needed in here, as the routing between the two sites is working, except for access to the ZyWALL from the remote site.



Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5

I wouldn't be surprised if you need a policy route to tell the router where to send the ZyWALL-to-remote-site traffic; it won't get there if you don't instruct the router accordingly.


Whizzingdonk

join:2013-06-07

Thanks, may I ask what the policy would be?

Also, would I need the "Use Policy Route to control dynamic IPSec rules" option checked in the VPN -> IPSec settings?

Thanks for the help.



Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:10

Not sure about your exact setup, but for my IPSec site-to-site I had to add a policy route for each VPN.

Incoming: Any, Source Any, Destination: remote_LAN, Next Hop: VPN tunnel for remote LAN.


Whizzingdonk

join:2013-06-07

The Policy Route unfortunately had no effect. But I have found I am able to SSH into the ZyWALL from the remote site! Still no HTTPS access though!



Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:10

Well, if you can SSH in then you have remote access. You just have HTTP blocked either by the firewall or the WWW service.
It may also be that your browser is not letting you in due to an untrusted certificate.