Site-to-Site Force Tunnel

KITNIT
I have a site-to-site VPN connection between a USG 60 (will be replaced with an ATP500 soon) and a USG 40. Is there a way, like in client-to-site VPNs, to disable split tunneling and to force all the traffic through the tunnel?

All Replies

  • mMontana
     Guru Member
    Routing. And firewall/policy rules.
  • Zyxel_Can
     Zyxel Employee

    Hi @KITNIT,


    Here’s an example setup for this environment:


    In USG60’s configuration you need to add the following policy routes:

    (Configuration > Network > Routing > Policy Route)

    1- Traffic with the source address 10.10.10.0/24 will be forwarded to the IPSec tunnel named IKEv2.

    2- Any traffic to 20.20.20.0/24 will be forwarded to the IPSec tunnel named IKEv2.

    3- Any traffic from 20.20.20.0/24 will be forwarded to SYSTEM_DEFAULT_WAN_TRUNK.

    You will also need to add a Security Policy rule:

    (Configuration > Security Policy > Policy Control)

    Allow the traffic that comes from IPSec_VPN.

    In USG40’s configuration you need to add the following policy routes:

    (Configuration > Network > Routing > Policy Route)


    1- Traffic with the source address 20.20.20.0/24 will be forwarded to the IPSec tunnel named IKEv2.

    2- Any traffic to 10.10.10.0/24 will be forwarded to the IPSec tunnel named IKEv2.

    3- Any traffic from 10.10.10.0/24 will be forwarded to SYSTEM_DEFAULT_WAN_TRUNK.

    You will also need to add a Security Policy rule:

    (Configuration > Security Policy > Policy Control)
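A way to sanity-check the six policy routes in the reply above, as an added example (not Zyxel's code and not part of the reply): a small Python model that evaluates each device's routes top-down with first match winning (an assumption about how ZLD policy routes are ordered), confirms that no local host can reach the Internet without entering the tunnel, and follows a packet across both firewalls to show the hairpin out of the peer's WAN trunk.

```python
import ipaddress

SITE_A = ipaddress.ip_network("10.10.10.0/24")  # LAN behind USG60
SITE_B = ipaddress.ip_network("20.20.20.0/24")  # LAN behind USG40

# Policy routes exactly as listed in the reply, in the order given.
# Each entry: (match field, network, next hop). First match wins (assumed).
USG60_ROUTES = [
    ("src", SITE_A, "tunnel:IKEv2"),
    ("dst", SITE_B, "tunnel:IKEv2"),
    ("src", SITE_B, "trunk:SYSTEM_DEFAULT_WAN_TRUNK"),
]
USG40_ROUTES = [
    ("src", SITE_B, "tunnel:IKEv2"),
    ("dst", SITE_A, "tunnel:IKEv2"),
    ("src", SITE_A, "trunk:SYSTEM_DEFAULT_WAN_TRUNK"),
]

def next_hop(routes, src, dst):
    """Return the next hop chosen by the first matching policy route."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for field, net, hop in routes:
        if (field == "src" and src in net) or (field == "dst" and dst in net):
            return hop
    return "main-routing-table"  # no policy route matched: normal default route applies

def forces_tunnel(routes, local_net, probes=("8.8.8.8", "1.1.1.1", "203.0.113.9")):
    """True if every probe destination from a local host leaves via the tunnel (no split tunnel)."""
    host = str(local_net[10])  # an arbitrary host in the local LAN
    return all(next_hop(routes, host, p).startswith("tunnel:") for p in probes)

def trace(start, src, dst, max_hops=4):
    """Follow a packet across both firewalls until it leaves a WAN trunk or is delivered locally."""
    devices = {"USG60": (USG60_ROUTES, SITE_A, "USG40"),
               "USG40": (USG40_ROUTES, SITE_B, "USG60")}
    path, dev = [], start
    for _ in range(max_hops):
        routes, local, peer = devices[dev]
        if ipaddress.ip_address(dst) in local:
            path.append(f"{dev}:local-delivery")
            return path
        hop = next_hop(routes, src, dst)
        path.append(f"{dev}:{hop}")
        if not hop.startswith("tunnel:"):
            return path  # left via WAN trunk or fell back to the routing table
        dev = peer  # entered the tunnel: the peer firewall decides next
    path.append("LOOP")  # bounced between the two sites without exiting
    return path
```

Any rule that a real ZLD box applies before these (an earlier policy route, or a missing Security Policy allow for IPSec_VPN traffic) is outside this model, so treat it as a check of the route order, not of the whole device.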

