Site to Site VPN can’t ping hosts?

[getout]

Site 1
WAN ETH00 Public IP
LAN ETH01 192.168.1.1/24
VPN00 Server 192.168.240.1/30
Static Route 172.16.0.0/24 GW VPN00

Site 2
WAN ETH00 Public IP
LAN ETH01 172.16.1.1/24
VPN00 Client 192.168.240.2/30
Static Route 192.168.1.0/24 GW VPN00

VPN is established. I can ping 192.168.240.2 and 172.16.1.1 from Site 1 and I can even login to ZS on 172.16.1.1 from Site 1 but I can’t ping any of the hosts behind 172.16.1.1. I can ping hosts behind the LAN from the ZS Utilities in the same Site but not from the external Site. If I setup Virtual Server port forwarding to hosts 172.16.1.X:80 I can connect to their web server from Site 1.

I have added Firewall rules in Input, Forward and Output tables to allow all protocols on any interface from or to any IP at both Site 1 and Site 2 ZS but no good?

I have disabled all Firewall Chains in the GUI on both machines but no good. I also used the Shell on Site 1 to stop the iptables service completely (I don’t have shell access to ZS Site 2 so I only disabled all the Chains in the GUI ). I tried to ping hosts on 192.168.1.X from Site 2 ZS Utilities but it could still only ping the 192.168.1.1 IP nothing else.

I have tried putting the LAN interfaces behind NAT and without NAT but no good.

Why can’t I get past the LAN IP from external site? Surely disabling all the Firewall chains eliminates the Firewall as the issue? I can ping the first IP of the Static route so it should be working and if I configure Virtual Servers I can connect with Hosts over the VPN so the Static Route must be working. I can ping the Hosts on the LAN from the ZS box on the same LAN so ICMP is working but not from the external Site?

[getout]

Solved:

I had the Static Route configured on the VPN interface not on the IP number. Changed that and everything routes correctly now!!

[Author]

Posts