
Site-to-Site IPSec Not Working As Intended

Hi.

I am currently working with a test environment and have configured two XG firewalls to have an IPSec Policy-based site-to-site connection between them. I cannot get the IPSec connection to forward traffic correctly. I have been trying for hours and looked at many online discussions about similar issues, but no success.

Here's how I have the firewalls physically connected:

Firewall A <-------> Firewall B

Very simple, one is connected to the other with Ethernet. On both firewalls, the interface for the link is set to WAN zone and I have configured a small 'pretend' IP block with no actual functioning gateway. Both firewalls can ping each other.

I have configured the IPSec connection and the connection is successfully established, including the local and remote subnets on both firewalls both showing green in the status overview.

I have configured the firewall rules on both XGs to allow traffic to and from the VPN zone and the local subnets on both sides.

When I use a PC on the branch firewall and try to connect to a PC on the head office firewall (within the remote subnet configured), it will not forward the traffic to the ipsec0 interface. I can see with a packet capture that actually the firewall is trying to forward it to the Internet instead (which would not work, since the local/remote IPs are non-routable).

I have tried to manually add the IPSec routes (using CLI -> system ipsec_route add net) but that does not work either.

Has anyone else ever tried to test an IPSec VPN like this before? Why is it not adding the VPN routes as I am led to believe it should be? I cannot get the traffic to flow over the VPN connection. I can even see in the rules that both in and out are zero bytes, and I am 100% sure the rules should be matching the traffic.

I can provide more information if needed.

Can anyone help out?


