
Fail to Guide All Traffic Through VPN Tunnels Based on the SSL VPN Network Extension Configuration on the SecoSpace USG6300

Publication Date: 2019-01-22
Issue Description

SSL VPN network extension is configured on the SecoSpace USG6300 to guide all traffic through the VPN tunnel, but the configuration does not achieve this. SSL VPN dial-up users can access the intranet but cannot access the Internet.

 

The SSL VPN configuration on the USG6300 is as follows:

  v-gateway public ssl version tlsv11 tlsv12
  v-gateway public ssl ciphersuit custom aes256-sha non-des-cbc3-sha non-rc4-sha non-rc4-md5 aes128-sha non-des-cbc-sha
  v-gateway sslvpn interface Vlanif3303 private
  v-gateway sslvpn alias sslvpn

  v-gateway sslvpn
   basic
    dns-server 202.102.213.68 61.132.163.68
    ssl version tlsv11 tlsv12
    ssl timeout 5
    ssl lifecycle 1440
    ssl ciphersuit custom aes256-sha non-des-cbc3-sha non-rc4-sha non-rc4-md5 aes128-sha non-des-cbc-sha
   service
    network-extension enable
    network-extension keep-alive enable
    network-extension keep-alive interval 120
    network-extension netpool 10.1.1.2 10.1.1.100 255.255.255.0
    netpool 10.1.1.2 default
    network-extension mode full

Alarm Information

None

Handling Process

1. After the network extension client obtains a virtual IP address, the user cannot access the Internet. First check whether Full Tunnel mode and a DNS server are configured. Both are confirmed to be configured, and an intranet client using the same DNS configuration can access the Internet, so neither the tunnel mode nor DNS is the cause.

Note: Network extension supports the following routing modes: Split Tunnel, Full Tunnel, and Manual Tunnel. The details are as follows:

In Split Tunnel mode, data from the client to the intranet is sent to the vNIC for forwarding based on the system routing table, and the vNIC uses the virtual IP address as the source IP address. Data destined for the local subnet is forwarded by the real NIC, which uses the actual IP address as the source IP address. Therefore, network extension forwards only the data destined for the intranet. In Split Tunnel mode, the vNIC also forwards data that is not destined for the local subnet.

In Full Tunnel mode, data destined for any resource is intercepted by the vNIC, which forwards it to the virtual gateway.

In Manual Tunnel mode, the administrator must configure a static route to the intranet on the firewall (using the network-extension manual-route command). The client identifies the data destined for the intranet and forwards it through the vNIC.


2. Check the route configuration. There is a default route pointing to the Internet egress, so the route configuration is correct.

3. Check the session table for the traffic sent from the network extension virtual IP address to the Internet. The session shows that no NAT is performed on the vNIC address during the access to the Internet; the private virtual address is sent toward the Internet as the source, so the access fails.

4. Configure a Source NAT policy for traffic from the untrust zone to the untrust zone. The problem is solved.

Root Cause

When a network extension user (whose vNIC holds an intranet virtual IP address) accesses the Internet through the tunnel, NAT is not performed on the IP address of the vNIC.

Solution
Configure a Source NAT policy from the untrust zone to the untrust zone.
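The Source NAT rule from step 4, written out as an added configuration example that is not part of the original case. It assumes USG6000 V500-style nat-policy syntax (the exact keywords differ between software versions, so check the command reference for the running version), the netpool 10.1.1.0/24 from the configuration above, and a placeholder rule name; lines starting with # are annotations, not configuration.

```text
# Added example (not from the original case): source NAT for SSL VPN
# network-extension users whose traffic is routed to the Internet.
# Keywords assume V500-style syntax and may differ on other versions.
nat-policy
 rule name sslvpn_netpool_to_internet
  source-zone untrust
  destination-zone untrust
  source-address 10.1.1.0 24
  action source-nat easy-ip
#
# The source-address line limits translation to the network-extension
# netpool (10.1.1.2-10.1.1.100 in the case above) so that other
# untrust-to-untrust traffic is not NATed as a side effect.
#
# Verification after a user dials in and opens an Internet connection:
#   display firewall session table verbose
# The session should now show a translated source address.
```

If no session appears at all, the security policy rather than NAT is what blocks the traffic; in this case a session did exist without NAT, which is why the Source NAT rule is the fix.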
Suggestions
Suggestion: Set parameters strictly according to the function scenario. In Full Tunnel mode, Internet-bound traffic from dial-up users leaves through the firewall, so it needs the same Source NAT treatment as intranet users' Internet traffic.
