I've recently set up a site-to-site VPN between two XGs using IPsec.
Problem
- On the CLI of site A's XG, I can't ping site B's LAN interface.
- On the CLI of site B's XG, I can ping site A's LAN interface.
Other Facts
- Local service access for the VPN zone is set to allow everything that is allowed for the LAN zone, i.e. ping, DNS, SSH, web admin, etc.
- Each XG has a single firewall rule to allow the following connections:
- Source LAN & VPN zone any network/ip on any service
- Destination LAN & VPN zone any network/ip
- The remote and local LAN subnets are configured in the VPN settings on each XG.
- The XGs are currently connected via a 1Gb ethernet switch on their WAN interfaces while I configure this new XG and get site-to-site working.
- This switch has each XG's WAN port, and the PPPoE ADSL2+ bridge connected. No other devices on this switch.
- Site A's XG is using PPPoE to get internet access
- Site A has an additional IP address which it is using to connect to site B's WAN interface on (their WAN interfaces are on a local LAN together).
- This is while I sort out the config issues; then I will take site B's XG and local equipment to the actual site across town.
- Site B's XG is not doing any PPPoE because it is not at site yet.
- Site B has no internet yet, but my focus is on getting site-to-site working.
I've tried to look in all the config areas that I can think of as being important, but I'm stuck.
Can anyone suggest areas in either XG's config that I should be looking closer at? I have obviously missed something given I'm getting one-way functionality; I just can't pick it.
I'm also wondering if/how I can turn on logging for default deny firewall rules, as that might help me understand more about if/how this is a firewall config issue.
Thanks for any potentially helpful thoughts.
Cheers,
Stephen
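The kind of check the post is after (does the rule set allow the flow in both directions, and does a default deny get logged so the asymmetric case is visible) can be modelled with a small zone-based rule evaluator. This is an added example, not code from the post or from Sophos, and it is deliberately stateless: the zone names, the subnets, and the rule names are constructed assumptions for illustration only.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed zone membership (assumed addressing, not from the post).
ZONES = {
    "LAN": [ip_network("10.1.0.0/24")],   # site A's local LAN
    "VPN": [ip_network("10.2.0.0/24")],   # site B's LAN as reached through the tunnel
    "WAN": [ip_network("192.0.2.0/24")],  # documentation range standing in for WAN
}


@dataclass
class Rule:
    name: str
    src_zones: set
    dst_zones: set
    services: set = field(default_factory=lambda: {"any"})
    action: str = "allow"


@dataclass
class Verdict:
    action: str
    rule: str


# Log of packets that fell through to the implicit default deny.
_DENY_LOG = []


def deny_log():
    """Return a copy of the default-deny log collected so far."""
    return list(_DENY_LOG)


def zone_of(addr):
    """Map an IP address to the first zone whose subnets contain it."""
    ip = ip_address(addr)
    for zone, nets in ZONES.items():
        if any(ip in net for net in nets):
            return zone
    return None


def evaluate(rules, src, dst, service):
    """First-match evaluation; unmatched flows hit the default deny and are logged."""
    sz, dz = zone_of(src), zone_of(dst)
    for rule in rules:
        if sz in rule.src_zones and dz in rule.dst_zones and (
            "any" in rule.services or service in rule.services
        ):
            return Verdict(rule.action, rule.name)
    _DENY_LOG.append(f"default-deny src={src}({sz}) dst={dst}({dz}) svc={service}")
    return Verdict("deny", "default")


def check_both_ways(rules, a, b, service):
    """Evaluate a flow A->B and B->A so one-way reachability stands out."""
    return evaluate(rules, a, b, service), evaluate(rules, b, a, service)


# The rule as the post describes it: LAN & VPN to LAN & VPN, any service.
SYMMETRIC = [Rule("lan-vpn-both", {"LAN", "VPN"}, {"LAN", "VPN"})]

# A constructed misconfiguration that only covers one direction.
ASYMMETRIC = [Rule("lan-to-vpn", {"LAN"}, {"VPN"})]

if __name__ == "__main__":
    for label, rules in (("symmetric", SYMMETRIC), ("asymmetric", ASYMMETRIC)):
        fwd, rev = check_both_ways(rules, "10.1.0.5", "10.2.0.1", "ping")
        print(f"{label}: A->B {fwd.action} ({fwd.rule}), B->A {rev.action} ({rev.rule})")
    for line in deny_log():
        print(line)
```

Running it shows the symmetric rule allowing ping both ways, while the asymmetric set allows A->B but drops B->A with a logged default-deny line; on a real firewall the same idea applies, so turning on logging for the implicit deny rule is the quickest way to see which direction, zone pair and service is being dropped.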