VPN: Cannot ping LAN

andremta @ 17th Oct 12:26PM:
VPN: Cannot ping LAN

Hi guys! Can someone please help me? This is kinda urgent.

I'm new to the ZyWall USG 300, and so I have an issue:

I have the firmware 2.12 and I've configured the VPN IPSEC/L2TP according to the manual.

Configurations seemed fine, I was able to connect to the router/VPN, although I cannot ping LAN devices (nor WAN). I tried disabling the firewall, but it is pretty much the same. I added the routing policy described on page 441 (2.12 manual).

I'm able to ping the router IP, and nothing else.
andremta @ 18th Oct 11:27AM:
Re: VPN: Cannot ping LAN

Guys,

Here's a screenshot of my Route Policies. Please ignore disabled routes.


fox7 @ 21st Oct 08:32PM:
Re: VPN: Cannot ping LAN

andremta:
Ok, I took a quick look at it. By what you are saying about not being able to ping the LAN, I refer to page 432 in your manual about 'Policy Route'. You should configure the Policy route and make sure that the L2TP_POOL of IPs is NOT in the Scope/Range of the LAN's IPs. OK???

That is a place to start to see what is up.

What are you using at the other end of the tunnel, opposite to the USG 300??

fox7
andremta @ 22nd Oct 04:17AM:
Re: VPN: Cannot ping LAN

fox7:

Thanks for your reply!

To access the VPN I'm using a Windows XP machine with its default VPN connection client configured as described in the manual.

My LAN: 192.168.1.1 ~ 254 (DHCP from 192.168.1.30 ~ .254)
VPN: 192.168.1.11 ~ 19

What you mean is that the L2TP_POOL cannot be in the LAN's range?

I'm not able to ping LAN only when I'm connected to the VPN. From LAN to LAN everything is OK.
fox7 @ 22nd Oct 12:31PM:
Re: VPN: Cannot ping LAN

Bingo, Bango!!!!

You are using 192.168.1.x in your LAN. You must use a different Subnet in the L2TP_Pool, i.e. 192.168.N.X where N is any number up to 254 that is NOT 1 (one). Using the number 1 there puts it in the same Subnet. A no-no!!

That is what I meant by same Scope/Range, i.e. same Subnet.

After changing try and ping an IP on the LAN.

Also with Zywall there is a user interface page that is called something like VPN 'Monitor' page. That will confirm that you have a VPN connection. Is that page declaring that??

fox7

Edit:
Page 437 in the Manual. Notice the different IP Subnets used in the LAN and the L2TP_POOL.
andremta @ 22nd Oct 06:05PM:
Re: VPN: Cannot ping LAN

fox7:

I tried another subnet (192.168.10.1 ~ 10) and was pretty much the same!

Once, I configured this router's VPN successfully with the previous VPN Pool, although I had to configure it from scratch again and the previous configuration backup is not supported with this new firmware.

It must be something else! I tried with the firewall disabled, it's the same! It must be some route policy that I'm missing...


fox7 @ 22nd Oct 07:35PM:
Re: VPN: Cannot ping LAN

Well, ok, let's try some more things.

Is the WAN IP address of the Zywall a static IP?? (A permanent IP assigned by your ISP.)

Did you enter that IP address in, I refer to page 439 in the manual, where it says "For the Local Policy,..... " And 0.0.0.0 for the Remote Policy????

fox7
jdmt @ 22nd Oct 09:03PM:
Re: VPN: Cannot ping LAN

Just a shot in the dark, but if you're able to ping the gateway IP address, I'm wondering if the machine you're attempting to connect to has its firewall configured to reject connections from IP addresses outside of its own subnet? This was an issue for me on a Vista machine - I had to explicitly allow connections from the remote subnet. This is especially true for ICMP in the Windows firewall, since it is fairly restrictive by default.

A quick way to test this would be to temporarily disable the firewall on the machine you're trying to ping (if it's on that is) and test it - if it works, then you know you've found the issue.
andremta @ 23rd Oct 04:18AM:
Re: VPN: Cannot ping LAN

fox7:

I get the WAN IP from the ISP's DHCP but it's a static IP.

Yes!


andremta @ 23rd Oct 04:20AM:
Re: VPN: Cannot ping LAN

jdmt:
I think I had the firewall disabled (both sides) but I'll try that again and I'll get back to you. (I was trying it with XP)
andremta @ 24th Oct 08:05PM:
Re: VPN: Cannot ping LAN

Guys,

This is weird... after connecting to the VPN, I can browse the internet with my NAT IP (from router).

Although I can only ping the router from the LAN, no other LAN-SUBNET devices!

This is weird! It must be some rule that I'm missing... any suggestion?

Brano, you always have cool suggestions? Where are you? :)
andremta @ 25th Oct 06:07PM:
Re: VPN: Cannot ping LAN

Guys,

I have the answer for my problem... this is so lame, but my home router IP was the same as the VPN's remote route. So this led to all the traffic to the VPN's LAN subnet being sent through the home route.

I changed my home router subnet from 192.168.1.0 to 192.168.100.0 and the problem got fixed!
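
The two addressing conflicts discussed in this thread (an L2TP pool inside the LAN range, and a client home subnet identical to the remote LAN) can be checked before dialing in. This is an added example, not part of the original posts; the /24 masks, the interface names and the host 192.168.1.50 are assumptions made for illustration.

```python
import ipaddress

def pick_interface(routes, dst):
    """Longest-prefix match over (network, interface) pairs, as an IP stack does."""
    addr = ipaddress.ip_address(dst)
    hits = [(net, ifc) for net, ifc in routes if addr in net]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def client_routes(home_lan):
    """Routes on the VPN client: its own LAN is on-link, the rest uses the tunnel."""
    return [
        (ipaddress.ip_network(home_lan), "home-lan"),     # connected route, more specific
        (ipaddress.ip_network("0.0.0.0/0"), "l2tp-vpn"),  # default route via the tunnel
    ]

def pool_overlaps_lan(lan, first, last):
    """True if any address of the L2TP pool first..last lies inside the LAN subnet."""
    lan_net = ipaddress.ip_network(lan)
    blocks = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return any(block.overlaps(lan_net) for block in blocks)

def diagnose(home_lan, office_lan, office_host):
    """Report which interface carries traffic for office_host and whether subnets clash."""
    ifc = pick_interface(client_routes(home_lan), office_host)
    clash = ipaddress.ip_network(home_lan).overlaps(ipaddress.ip_network(office_lan))
    return {"interface": ifc, "subnets_overlap": clash}

if __name__ == "__main__":
    office = "192.168.1.0/24"   # LAN behind the USG 300 (mask assumed)
    host = "192.168.1.50"       # constructed LAN host to ping
    # Before the fix: home router also on 192.168.1.0, packets never enter the tunnel.
    print("before:", diagnose("192.168.1.0/24", office, host))
    # After the fix: home subnet moved to 192.168.100.0, packets follow the VPN route.
    print("after: ", diagnose("192.168.100.0/24", office, host))
    # Pool check from earlier in the thread: original pool vs. the relocated one.
    print("pool .1.11-.19 in LAN:", pool_overlaps_lan(office, "192.168.1.11", "192.168.1.19"))
    print("pool .10.1-.10 in LAN:", pool_overlaps_lan(office, "192.168.10.1", "192.168.10.10"))
```
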
fox7 @ 27th Oct 03:12PM:
Re: VPN: Cannot ping LAN

andremta:
Cool!!!! I have been really busy and finally got a chance to get back to the forums and am glad you got her going.

Congratulations!!

fox7