BOVPN working but destination net unreachable

Hi,

I have configured my first BOVPN between a T25 and a third-party router.
The VPN itself establishes a connection just fine, but no communication is possible between the two subnets.

VPN Diagnostics shows the following:

Tunnel Name: tunnel.1
tunnel route#1(192.168.0.0/24<->192.168.175.0/24) - Established
Incoming traffic was NOT detected for this tunnel after the diagnostic report started.
Outgoing VPN traffic was detected for this tunnel after the diagnostic report started.
The firewall policy "BOVPN-Allow.out-00" is matched for the outgoing traffic.
The incoming traffic for tunnel route (192.168.175.0/24<->192.168.0.0/24) is denied by firewall policy (policy).
Recommendation: Check your firewall policy configuration.

Ping results in "destination net unreachable".

This seems odd to me:
Gateways
192.168.1.103 - 80.147.129.237

since 192.168.1.103 is the static IP in the subnet of the router (192.168.1.10) sitting in front of the WatchGuard (unfortunately it has to stay at this site).

Anybody got some idea?

Br
Sven

Comments

  • What brand/model is the third party router?

    "The incoming traffic for tunnel route (192.168.175.0/24<->192.168.0.0/24) is denied by firewall policy (policy)."
    Are you seeing denies in Traffic Monitor for packets from the remote site?

    What is seen at the remote site when packets are sent to it?

    What do you see from a tracert to an IP addr at the remote site, such as 192.168.0.2 ?

  • Hi,

The 3rd-party model is an AVM Fritzbox 7490. Unfortunately the device has no logging functionality.

    tracert from 192.168.175.x to 192.168.0.4

    1 <1 ms <1 ms <1 ms fritz.box [192.168.175.1]
    2 15 ms 22 ms 24 ms 62.156.244.50
    3 * * * Request timed out.
    4 * *

    I found only this in the log, don't know if it's related:
    2024-01-26 14:49:18 Deny 192.168.1.10 192.168.1.103 http/tcp 45548 80 External Firebox Denied 60 64 (Unhandled External Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 10 S 682067580 win 53270"

    tracert from 192.168.0.x to 192.168.175.21

    1 <1 ms <1 ms <1 ms 192.168.0.10
    2 * * * Request timed out.
    3 * * * Request timed out.
    4 * * * Request timed out.

    2024-01-26 14:47:34 Allow 192.168.0.72 192.168.175.21 icmp Trusted tunnel.1 Allowed 92 1 (Ping-00) proc_id="firewall" rc="100" msg_id="3000-0148"
    2024-01-26 14:47:37 Allow 192.168.0.72 192.168.175.21 icmp Trusted tunnel.1 Allowed 92 1 (Ping-00) proc_id="firewall" rc="100" msg_id="3000-0148"
    2024-01-26 14:47:42 Allow 192.168.0.72 192.168.175.21 icmp Trusted tunnel.1 Allowed 92 1 (Ping-00) proc_id="firewall" rc="100" msg_id="3000-0148"
    2024-01-26 14:47:45 Allow 192.168.0.72 192.168.175.21 icmp Trusted tunnel.1 Allowed 92 2 (Ping-00) proc_id="firewall" rc="100" msg_id="3000-0148"

  • Looks to me that packets are being denied at the remote end from the T25.

  • I agree, but why is that? The default firewall rules are available? Is it possible that it has something to do with the IP 192.168.1.103?

    For experimental purposes I added a policy to allow any traffic from 192.168.175.0/24 to the internal network.

    Here is the diagnostics:

    *** WG Diagnostic Report for Gateway "gateway.1" ***
    Created On: Fri Jan 26 16:36:30 2024

    [Conclusion]
    Tunnel Name: tunnel.1
    tunnel route#1(192.168.0.0/24<->192.168.175.0/24) - Established
    Incoming traffic was NOT detected for this tunnel after the diagnostic report started.
    Outgoing VPN traffic was detected for this tunnel after the diagnostic report started.
    The firewall policy "BOVPN-Allow.out-00" is matched for the outgoing traffic.
    The incoming traffic for tunnel route (192.168.175.0/24<->192.168.0.0/24) matched the firewall policy (Werk2-00), which is not the default "BOVPN-Allow.[in/out]" policy.
    Recommendation: Check your firewall policy configuration.
    The outgoing traffic (192.168.0.0/24->192.168.175.0/24) matches the firewall policy (BOVPN-Allow.out-00) and leaves the device through interface . Traffic is expected to use interface External.

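As an added example (not code from the thread, from WatchGuard, or from any poster), here is a small Python script that parses Traffic Monitor lines in the layout quoted above and buckets them by direction relative to one tunnel route, so the conclusions the diagnostic report draws (no incoming traffic seen on the tunnel, incoming traffic denied by a policy, incoming traffic matched a policy other than the default BOVPN-Allow.[in/out]) can be reproduced from a log export. The embedded sample log contains the three lines quoted in the thread plus one constructed line showing what a denied reply from the remote site would look like; that line's policy name, the tunnel name and the two subnets are assumptions taken from the thread. The check on the local gateway address is an extra, informational finding: an RFC 1918 address on the gateway only tells you the tunnel crosses an upstream NAT.

```python
import ipaddress
import re

# Traffic Monitor line layout as quoted in the thread:
# "<date> <time> <Allow|Deny> <src> <dst> <proto> [<sport> <dport>]
#  <in_iface> <out_iface> <action> <len> <ttl> (<policy>) key="value" ..."
# The port pair is absent for ICMP, hence the optional group.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<disp>Allow|Deny) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<proto>\S+)(?: (?P<sport>\d+) (?P<dport>\d+))? "
    r"(?P<in_if>\S+) (?P<out_if>\S+) (?P<action>\w+) (?P<len>\d+) (?P<ttl>\d+) "
    r"\((?P<policy>[^)]+)\)"
)

# Constructed sample: the first three lines are copied from the thread, the
# fourth is hypothetical (a reply from the remote site denied on the way in;
# the policy name "Unhandled Internal Packet-00" is an assumption).
SAMPLE_LOG = """\
2024-01-26 14:49:18 Deny 192.168.1.10 192.168.1.103 http/tcp 45548 80 External Firebox Denied 60 64 (Unhandled External Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 10 S 682067580 win 53270"
2024-01-26 14:47:34 Allow 192.168.0.72 192.168.175.21 icmp Trusted tunnel.1 Allowed 92 1 (Ping-00) proc_id="firewall" rc="100" msg_id="3000-0148"
2024-01-26 14:47:37 Allow 192.168.0.72 192.168.175.21 icmp Trusted tunnel.1 Allowed 92 1 (Ping-00) proc_id="firewall" rc="100" msg_id="3000-0148"
2024-01-26 14:47:50 Deny 192.168.175.21 192.168.0.72 icmp tunnel.1 Trusted Denied 92 1 (Unhandled Internal Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148"
"""


def parse_log(text):
    """Parse Traffic Monitor lines; lines that do not fit the layout are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def _as_ip(value):
    """Return an ip_address for value, or None if it is not a literal IP."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def split_by_tunnel_direction(records, tunnel, local_net, remote_net):
    """Bucket records as outgoing (local->remote into the tunnel),
    incoming (remote->local out of the tunnel) or other."""
    local = ipaddress.ip_network(local_net)
    remote = ipaddress.ip_network(remote_net)
    buckets = {"outgoing": [], "incoming": [], "other": []}
    for rec in records:
        src, dst = _as_ip(rec["src"]), _as_ip(rec["dst"])
        if src is None or dst is None:
            buckets["other"].append(rec)
        elif src in local and dst in remote and rec["out_if"] == tunnel:
            buckets["outgoing"].append(rec)
        elif src in remote and dst in local and rec["in_if"] == tunnel:
            buckets["incoming"].append(rec)
        else:
            buckets["other"].append(rec)
    return buckets


def diagnose(text, tunnel, local_net, remote_net, local_gateway):
    """Reproduce the report's per-direction conclusions from the log alone."""
    buckets = split_by_tunnel_direction(parse_log(text), tunnel, local_net, remote_net)
    findings = []
    if not buckets["outgoing"]:
        findings.append(f"no outgoing traffic seen on {tunnel}")
    if not buckets["incoming"]:
        findings.append(f"no incoming traffic seen on {tunnel}: the remote side is "
                        "not sending into the tunnel, or its packets never reach it")
    for rec in buckets["incoming"]:
        flow = f"{rec['src']}->{rec['dst']}"
        if rec["action"] != "Allowed":
            findings.append(f"incoming {flow} denied by policy {rec['policy']}: "
                            "check which policy handles inbound tunnel traffic")
        elif not rec["policy"].startswith("BOVPN-Allow."):
            findings.append(f"incoming {flow} matched non-default policy {rec['policy']}")
    gw = _as_ip(local_gateway)
    if gw is not None and gw.is_private:
        findings.append(f"local gateway {local_gateway} is a private address: IKE/ESP "
                        "cross an upstream NAT (NAT-T); this alone does not filter "
                        "traffic inside an established tunnel")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG, "tunnel.1", "192.168.0.0/24",
                            "192.168.175.0/24", "192.168.1.103"):
        print(finding)
```

Run it against a Traffic Monitor export instead of SAMPLE_LOG to see, per direction, which policy each packet of the tunnel route actually hit; an empty "incoming" bucket while the remote site is pinging means the packets are lost before the Firebox decrypts them, which is a different problem from a policy deny.
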
  • 192.168.1.103 and the 192.168.1.0/24 subnet is not part of the BOVPN, so I don't see it as being an issue.

    No other ideas.
    Perhaps someone else who has Fritzbox experience can provide suggestions.
