[IAG] Accessing the headquarters application via IPsec is blocked by policy: the VPN belongs to the wrong zone
Problem Description
An IPsec tunnel has been established between the IAG and the third-party server, but the headquarters application cannot be accessed through it. If a direct connection is opened, the device prompts that the traffic is blocked by policy.
Process
- Check the zone to which the device's VPN interface belongs. The VPN interface was found to be assigned to the WAN zone. With the interface in the WAN zone, traffic from the LAN port to the VPN interface is in the LAN-to-WAN direction, so the device performs application identification on it, matches it against the application control policy, and rejects it.

- After the VPN interface is changed to the LAN zone, traffic from the LAN port to the VPN interface is in the LAN-to-LAN direction, so it does not go through application identification and is not rejected by the application control policy.

Solution
Change the VPN zone to the default LAN zone.
Original Link
https://support.sangfor.com.cn/cases/list?product_id=22&type=1&category_id=6611&isOpen=true