Re: USG 100 VPN Troubles - dslreports.com

Author	All Replies
bbarrera Premium,MVM join:2000-10-23 Sacramento, CA clubs: ·SureWest Internet	reply to mudtoe Re: USG 100 VPN Troubles you should ping between LAN computers, there are routerOS and firmware dependent issues when doing so from CLI. practically EVERYTHING on USG is controlled by policy routes, even stuff you would expect to work using the static routes setup by interfaces. Its a painful but true, and the original beta testers were ignored. That said the USG (ZLD Linux based) is overall much better than original Zywall (ZyNOS based)
	to forum · permalink · · 2009-06-25 19:58:06 ·
mudtoe join:2005-10-09 Cleveland, OH	said by bbarrera : ...practically EVERYTHING on USG is controlled by policy routes, even stuff you would expect to work using the static routes setup by interfaces. Its a painful but true, and the original beta testers were ignored. That said the USG (ZLD Linux based) is overall much better than original Zywall (ZyNOS based) It seems like they have made things much more complicated. I suppose that there is more flexibility, but the documentation leaves a WHOLE LOT to be desired with regard to explaining how all these options interact with each other, and supplying some common configuration setup examples. I do believe that you are right in that I should go back to the customer's site and try to resolve this by using a PC on their lan rather than trying to just use the USG100 routers themselves as ping points. That would eliminate any goofy things regarding the router as an endpoint, like the swDevTri thing for the Z35 that was mentioned above. mudtoe
	to forum · permalink · · 2009-06-26 01:34:10 ·
mudtoe join:2005-10-09 Cleveland, OH	I tried the changes at the customer site after implementing policy routes for the VPN, and it worked just fine. Also, as an FYI, if you want to be able to test the tunnel with pings from the Zywall itself, you have to add a separate policy route for the Zywall (and a firewall rule), which is why it wasn't working when I tried pinging through the VPN via an SSH session to the Zywall. Thanks all for the assistance. mudtoe
	to forum · permalink · · 2009-07-03 19:43:56 ·
bbarrera Premium,MVM join:2000-10-23 Sacramento, CA clubs:	policy routes are the key to solving many issues on USG series.
	to forum · permalink · · 2009-07-03 21:04:10 ·
mudtoe join:2005-10-09 Cleveland, OH	said by bbarrera : policy routes are the key to solving many issues on USG series. Do the policy routes make completely obsolete the IP addresses in the VPN definitions themselves if you are using two USG series routers for the VPN? What I mean is can you route any traffic you want through the tunnel by using policy routes, even if the addresses involved were not explicitly defined in the VPN definition? mudtoe
	to forum · permalink · · 2009-07-04 19:34:42 ·
SmurfLurf join:2007-12-18 Whittier, CA	said by mudtoe : said by bbarrera : policy routes are the key to solving many issues on USG series. Do the policy routes make completely obsolete the IP addresses in the VPN definitions themselves if you are using two USG series routers for the VPN? What I mean is can you route any traffic you want through the tunnel by using policy routes, even if the addresses involved were not explicitly defined in the VPN definition? mudtoe That's correct. You can force any traffic you like through the VPN tunnel, but it will only be passed if the checkbox for 'Policy Enforcement' is not checked. Of course you'll need additional policy routes in place to direct the traffic.
	to forum · permalink · · 2009-07-07 16:09:55 ·


Tuesday, 01-Dec 14:29:50	Terms of Use \| Privacy Policy \| Hosting by www.nac.net - DSL,Hosting & Co-lo \| feedback \| contact over 10 years online! © 1999-2009 dslreports.com. page compression OFF