Hi.
I am currently working with a test environment and have configured two XG firewalls to have an IPSec Policy-based site-to-site connection between them. I cannot get the IPSec connection to forward traffic correctly. I have been trying for hours and looked at many online discussions about similar issues, but no success.
Here's how I have the firewalls physically connected:
Firewall A <-------> Firewall B
Very simple, one is connected to the other with Ethernet. On both firewalls, the interface for the link is set to WAN zone and I have configured a small 'pretend' IP block with no actual functioning gateway. Both firewalls can ping each other.
I have configured the IPSec connection and the connection is successfully established, including the local and remote subnets on both firewalls both showing green in the status overview.
I have configured the firewall rules on both XGs to allow traffic to and from the VPN zone and the local subnets on both sides.
When I use a PC on the branch firewall and try to connect to a PC on the head office firewall (within the remote subnet configured), it will not forward the traffic to the ipsec0 interface. I can see with a packet capture that actually the firewall is trying to forward it to the Internet instead (which would not work, since the local/remote IPs are non-routable).
I have tried to manually add the IPSec routes (using CLI -> system ipsec_route add net) but that does not work either.
Has anyone else ever tried to test an IPSec VPN like this before? Why is it not adding the VPN routes as I am led to believe it should be? I cannot get the traffic to flow over the VPN connection. I can even see in the rules that both in and out are zero bytes, and I am 100% sure the rules should be matching the traffic.
I can provide more information if needed.
Can anyone help out?