Hosts behind an IPsec VPN cannot ping each other because of a USG internal routing configuration problem

Publication Date: 2012-11-06
Issue Description
PC1----USG1-------USG2-----PC2

The product model: USG2130 V100R005C00SPC300
The user built the test environment himself; the two USGs are connected directly and the traffic does not cross the public network. The VPN tunnel is established normally and both IKE phase 1 and IKE phase 2 negotiate successfully, but PC1 and PC2 cannot ping each other.
Alarm Information
None.
Handling Process
Remove the default route on USG2 that points out of the external-network interface, or configure a specific route for PC1's subnet via the interface on which the IPsec policy is applied. The problem is then solved.
Root Cause
1. Checked that NAT exempts (does not translate) the IPsec VPN traffic: normal.
2. Checked inter-zone packet filtering: normal.
3. Checked the PC gateways: normal.
4. Checked the configuration and found that the user had connected the external network to another interface of USG2 and configured a default route out of that interface. After the default route was removed, the problem was solved. The cause is that this route sent the PC2-to-PC1 traffic out of the external-network interface, so the traffic never matched the IPsec policy and was never encrypted.
The actual topology is as follows:
PC1----USG1--------USG2----PC2
                    |------external network
Suggestions
When hosts on the internal networks of an IPsec VPN cannot ping each other, the cause is usually one of the following:
1. NAT does not exempt the IPsec VPN traffic, so the source address is translated before the traffic can match the IPsec policy
2. Packet filtering (inter-zone policy) problem
3. Routing problem on a USG with more than one uplink, where another route sends the traffic out of an interface that has no IPsec policy
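The three causes above, and the default-route root cause from this case, can be reproduced in a small model of the USG's per-packet decision. The following is an added example written for this article; it is not Huawei configuration or device code, and the addresses (192.168.1.0/24 behind USG1, 192.168.2.0/24 behind USG2, 10.0.0.2 and 203.0.113.2 on USG2), interface names GE0/0/1 and GE0/0/2, zone names and the assumed processing order (route lookup, inter-zone filter, NAT, then IPsec policy on the egress interface) are assumptions made for the illustration. It shows that with only a default route, the PC2-to-PC1 flow leaves the external uplink in clear text even though IKE is up, that a specific route toward the IPsec interface fixes it, and that a missing NAT exemption produces the same visible symptom for a different reason.

```python
"""Model of a USG's forwarding decision for an IPsec VPN flow (added example,
not Huawei code).  Addresses, interface and zone names and the processing
order are assumptions: route lookup (longest prefix match) picks the egress
interface, then the inter-zone filter, then NAT (a no-nat rule exempts the
flow), then the IPsec policy bound to the egress interface, whose ACL is
matched against the packet as it looks after NAT.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network


@dataclass
class Route:
    prefix: IPv4Network
    iface: str


@dataclass
class Interface:
    name: str
    zone: str
    address: IPv4Address
    ipsec_acl: list = field(default_factory=list)  # (src_net, dst_net) pairs the IPsec policy protects


@dataclass
class USG:
    interfaces: dict   # name -> Interface
    routes: list       # Route objects
    filters: set       # (from_zone, to_zone) pairs the packet filter permits
    no_nat: list       # (from_zone, to_zone, src_net, dst_net) flows exempt from NAT
    nat_outbound: set  # (from_zone, to_zone) pairs that source-NAT to the egress address

    def lookup(self, dst):
        """Longest prefix match: the most specific route wins over the default route."""
        best = None
        for r in self.routes:
            if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best

    def forward(self, src, dst, in_zone="trust"):
        src, dst = IPv4Address(src), IPv4Address(dst)
        route = self.lookup(dst)
        if route is None:
            return "dropped: no route"
        out = self.interfaces[route.iface]
        if (in_zone, out.zone) not in self.filters:
            return f"dropped: interzone filter {in_zone}->{out.zone}"
        exempt = any(fz == in_zone and tz == out.zone and src in s and dst in d
                     for fz, tz, s, d in self.no_nat)
        if not exempt and (in_zone, out.zone) in self.nat_outbound:
            src = out.address  # source NAT runs before IPsec and changes what the ACL sees
        for s, d in out.ipsec_acl:
            if src in s and dst in d:
                return f"encrypted: IPsec tunnel via {out.name}"
        return f"plaintext via {out.name} (src {src})"


# Assumed topology: PC2 behind USG2; GE0/0/1 is the link to USG1 carrying the
# IPsec policy, GE0/0/2 is the uplink to the external network.
PC1_NET = IPv4Network("192.168.1.0/24")
PC2_NET = IPv4Network("192.168.2.0/24")


def build_usg2(routes, no_nat=True):
    return USG(
        interfaces={
            "GE0/0/1": Interface("GE0/0/1", "untrust", IPv4Address("10.0.0.2"),
                                 ipsec_acl=[(PC2_NET, PC1_NET)]),
            "GE0/0/2": Interface("GE0/0/2", "untrust", IPv4Address("203.0.113.2")),
        },
        routes=routes,
        filters={("trust", "untrust")},
        no_nat=[("trust", "untrust", PC2_NET, PC1_NET)] if no_nat else [],
        nat_outbound={("trust", "untrust")},
    )


def broken_usg2():
    """Only a default route out of the external uplink, as in the user's setup."""
    return build_usg2([Route(IPv4Network("0.0.0.0/0"), "GE0/0/2")])


def fixed_usg2():
    """Default route kept, plus a specific route for PC1's subnet toward the IPsec interface."""
    return build_usg2([Route(IPv4Network("0.0.0.0/0"), "GE0/0/2"), Route(PC1_NET, "GE0/0/1")])


def no_nat_exemption_usg2():
    """Correct routing, but the NAT exemption for the VPN flow is missing."""
    return build_usg2([Route(PC1_NET, "GE0/0/1")], no_nat=False)


if __name__ == "__main__":
    for label, usg in (("default route only", broken_usg2()),
                       ("specific route added", fixed_usg2()),
                       ("no NAT exemption", no_nat_exemption_usg2())):
        print(f"{label:22}: {usg.forward('192.168.2.10', '192.168.1.10')}")
```

The first case is this article's root cause: the route lookup never selects the interface that carries the IPsec policy, so the policy is never consulted, and no amount of IKE debugging will show an error. The third case is suggestion 1: the policy interface is correct, but source NAT has already rewritten the packet to 10.0.0.2, so the IPsec ACL no longer matches it. On a real USG the equivalent checks are the routing table entry for the peer subnet, the inter-zone policy, and the no-nat rule for the VPN subnets, in that order.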

END