USG 100 VPN Troubles (Forums » Equipment Support » Hardware By Brand » ZyXEL)

mudtoe

join:2005-10-09
Cleveland, OH

reply to Brano
Re: USG 100 VPN Troubles

said by Brano:

That's the thing. In ZyNOS, VPN routing is done by the VPN policy; in ZLD you have to specify routing explicitly.

The VPN Wizard should help you, alternatively post your routing table here.
I'm sure that had something to do with it, as I created the VPNs manually. I went back and used the wizard to make a new VPN, which created some route policies, and now I can ping from a machine behind the Z35 to the USG 100, but I can't ping back. (I'm using the SSH interface on the USG 100 to do the pings back to the Z35, so if the router itself is in a different zone, perhaps that's the problem, but I can't tell what interface it's using to generate its pings.)

Is there a way through the command line interface to get a whole routing table printed with actual IP addresses? All the things I've tried simply give me all those neat alias names that the USG 100 creates for everything, rather than a whole routing table, so it would be difficult for me to post something that looks coherent using just the aliases.

mudtoe


Brano

join:2002-06-25
Burlington, ON

For a complete guide to the CLI see ftp://ftp.zyxel.com/ZYWALL_USG_100/cli···00_2.pdf

If you're pinging from the Z35, pings do not enter the VPN tunnel unless you have swDevTri turned on; see "Re: Zywall syslog".


bbarrera

join:2000-10-23
Sacramento, CA

reply to mudtoe
You should ping between LAN computers; there are router OS- and firmware-dependent issues when doing so from the CLI.

Practically EVERYTHING on the USG is controlled by policy routes, even stuff you would expect to work using the static routes set up by interfaces. It's painful but true, and the original beta testers were ignored. That said, the USG (ZLD, Linux based) is overall much better than the original Zywall (ZyNOS based).

mudtoe

join:2005-10-09
Cleveland, OH

reply to Brano
said by Brano:

If you're pinging from the Z35, pings do not enter the VPN tunnel unless you have swDevTri turned on; see "Re: Zywall syslog".
I remember that, as I was part of the thread you linked to. I wasn't pinging from the Z35; I was pinging from both of the USG 100s, because they are at the customer's site and I don't have ready access to a machine on their LAN; I just have access to the USG 100 routers. The Z35 is my network router, and I was using machines on my own LAN to do the pings instead of doing them from the Z35. I wasn't able to find anything similar to swDevTri in the USG 100 documentation. I may have to go back to the customer's site and try resolving this using one of their LAN PCs rather than the router, as bbarrera suggested.

mudtoe

join:2005-10-09
Cleveland, OH

reply to bbarrera
said by bbarrera:

...practically EVERYTHING on the USG is controlled by policy routes, even stuff you would expect to work using the static routes set up by interfaces. It's painful but true, and the original beta testers were ignored. That said, the USG (ZLD, Linux based) is overall much better than the original Zywall (ZyNOS based).
It seems like they have made things much more complicated. I suppose that there is more flexibility, but the documentation leaves a WHOLE LOT to be desired with regard to explaining how all these options interact with each other, and supplying some common configuration setup examples.

I do believe that you are right in that I should go back to the customer's site and try to resolve this by using a PC on their LAN rather than trying to just use the USG 100 routers themselves as ping points. That would eliminate any goofy things regarding the router as an endpoint, like the swDevTri thing for the Z35 that was mentioned above.

mudtoe

mudtoe

join:2005-10-09
Cleveland, OH

I tried the changes at the customer site after implementing policy routes for the VPN, and it worked just fine. Also, as an FYI, if you want to be able to test the tunnel with pings from the Zywall itself, you have to add a separate policy route for the Zywall (and a firewall rule), which is why it wasn't working when I tried pinging through the VPN via an SSH session to the Zywall.

Thanks all for the assistance.

mudtoe


bbarrera

join:2000-10-23
Sacramento, CA
Policy routes are the key to solving many issues on the USG series.

mudtoe

join:2005-10-09
Cleveland, OH

said by bbarrera:

Policy routes are the key to solving many issues on the USG series.
Do the policy routes make completely obsolete the IP addresses in the VPN definitions themselves if you are using two USG series routers for the VPN? What I mean is can you route any traffic you want through the tunnel by using policy routes, even if the addresses involved were not explicitly defined in the VPN definition?

mudtoe


SmurfLurf

join:2007-12-18
Whittier, CA

said by mudtoe:

said by bbarrera:

Policy routes are the key to solving many issues on the USG series.
Do the policy routes make completely obsolete the IP addresses in the VPN definitions themselves if you are using two USG series routers for the VPN? What I mean is can you route any traffic you want through the tunnel by using policy routes, even if the addresses involved were not explicitly defined in the VPN definition?

mudtoe
That's correct. You can force any traffic you like through the VPN tunnel, but it will only be passed if the checkbox for 'Policy Enforcement' is not checked. Of course you'll need additional policy routes in place to direct the traffic.
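The forwarding decision this thread converges on, as an added illustration (not ZyXEL code and not a transcription of the ZLD CLI): a small Python model of the three gates a packet has to pass before it enters an IPsec tunnel on a USG, built from bbarrera's point that policy routes drive everything, mudtoe's finding that the ZyWALL's own pings need a separate policy route and firewall rule, and SmurfLurf's point about the 'Policy Enforcement' checkbox. The zone names (LAN1, ZyWALL, IPSec_VPN), the rule fields, the first-match evaluation order and all addresses are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Zone names are assumptions for this illustration; real ZLD zone names
# vary by firmware version.
ZONE_LAN = "LAN1"
ZONE_SELF = "ZyWALL"      # traffic the device itself originates (e.g. an SSH ping)
ZONE_VPN = "IPSec_VPN"


@dataclass
class PolicyRoute:
    src_zone: str          # zone the packet comes from, or "any"
    src: str               # CIDR the source must fall in, or "any"
    dst: str               # CIDR the destination must fall in, or "any"
    tunnel: str            # VPN connection used as next hop


@dataclass
class VpnConnection:
    name: str
    local: str             # local policy subnet in the VPN definition
    remote: str            # remote policy subnet in the VPN definition
    policy_enforcement: bool = True


@dataclass
class FirewallRule:
    from_zone: str
    to_zone: str
    action: str            # "allow" or "deny"


def in_net(addr, cidr):
    return cidr == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)


def zone_ok(zone, wanted):
    return wanted == "any" or zone == wanted


def first_policy_route(routes, src_zone, src, dst):
    """Ordered list, first match wins (assumed to mirror the UI ordering)."""
    for r in routes:
        if zone_ok(src_zone, r.src_zone) and in_net(src, r.src) and in_net(dst, r.dst):
            return r
    return None


def enters_tunnel(src_zone, src, dst, routes, vpns, fw_rules):
    """Return (True, tunnel_name) or (False, reason) for one packet.

    Gate 1: a policy route must steer the packet into a tunnel (the VPN
    policy alone does not route on ZLD).  Gate 2: a firewall rule must
    allow src_zone -> IPSec_VPN.  Gate 3: with policy enforcement on, the
    addresses must fall inside the local/remote subnets of the VPN definition.
    """
    route = first_policy_route(routes, src_zone, src, dst)
    if route is None:
        return False, "no policy route: packet follows the plain routing table"
    vpn = next((v for v in vpns if v.name == route.tunnel), None)
    if vpn is None:
        return False, f"policy route names unknown tunnel {route.tunnel!r}"
    fw = next((f for f in fw_rules
               if zone_ok(src_zone, f.from_zone) and zone_ok(ZONE_VPN, f.to_zone)), None)
    if fw is None or fw.action != "allow":
        return False, f"firewall: nothing allows {src_zone} -> {ZONE_VPN}"
    if vpn.policy_enforcement and not (in_net(src, vpn.local) and in_net(dst, vpn.remote)):
        return False, "policy enforcement: addresses are outside the VPN definition"
    return True, vpn.name


def thread_scenarios():
    """Replay the situations from the thread with constructed RFC 1918 addresses."""
    local, remote, extra = "192.168.1.0/24", "10.10.0.0/24", "192.168.2.0/24"
    vpn = VpnConnection("to_branch", local, remote)
    lan_route = PolicyRoute(ZONE_LAN, local, remote, "to_branch")    # what the wizard adds
    self_route = PolicyRoute(ZONE_SELF, "any", remote, "to_branch")  # mudtoe's extra route
    lan_fw = FirewallRule(ZONE_LAN, ZONE_VPN, "allow")
    self_fw = FirewallRule(ZONE_SELF, ZONE_VPN, "allow")             # mudtoe's extra rule
    pc, gw, far_host, extra_host = "192.168.1.50", "192.168.1.1", "10.10.0.20", "192.168.2.7"

    r = {}
    # VPN built by hand, no policy route: a LAN ping never enters the tunnel.
    r["lan_no_route"] = enters_tunnel(ZONE_LAN, pc, far_host, [], [vpn], [lan_fw])
    # Same ping after the wizard's policy route exists.
    r["lan_with_route"] = enters_tunnel(ZONE_LAN, pc, far_host, [lan_route], [vpn], [lan_fw])
    # Ping from the SSH session: the LAN route does not cover the ZyWALL zone.
    r["self_lan_route_only"] = enters_tunnel(ZONE_SELF, gw, far_host, [lan_route], [vpn], [lan_fw])
    # Separate policy route, but still no firewall rule for the ZyWALL zone.
    r["self_route_no_fw"] = enters_tunnel(ZONE_SELF, gw, far_host, [lan_route, self_route], [vpn], [lan_fw])
    # Both in place, as mudtoe reported working.
    r["self_route_and_fw"] = enters_tunnel(ZONE_SELF, gw, far_host, [lan_route, self_route], [vpn], [lan_fw, self_fw])
    # A subnet not in the VPN definition, forced in by a policy route (SmurfLurf's point).
    extra_route = PolicyRoute(ZONE_LAN, extra, remote, "to_branch")
    r["extra_enforced"] = enters_tunnel(ZONE_LAN, extra_host, far_host, [extra_route], [vpn], [lan_fw])
    relaxed = VpnConnection("to_branch", local, remote, policy_enforcement=False)
    r["extra_relaxed"] = enters_tunnel(ZONE_LAN, extra_host, far_host, [extra_route], [relaxed], [lan_fw])
    return r


if __name__ == "__main__":
    for name, (ok, why) in thread_scenarios().items():
        print(f"{name:22} {'tunnel' if ok else 'dropped':8} {why}")
```

Running it prints one line per scenario; the two that reach the tunnel are the LAN ping once a policy route exists and the ZyWALL-originated ping once it has both its own policy route and its own firewall rule, and the extra subnet passes only with policy enforcement turned off.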
Saturday, 05-Dec 12:21:58 | © 1999-2009 dslreports.com