Site-to-Site Force Tunnel

KITNIT
KITNIT Posts: 5
I have a site-to-site VPN connection between a USG 60 (will be replaced with an ATP500 soon) and a USG 40. Is there a way, like in client-to-site VPNs, to disable split tunneling and to force all the traffic through the tunnel?

All Replies

  • mMontana
    mMontana Posts: 1,380  Guru Member
    Routing. And firewall/policy rules.
  • Zyxel_Can
    Zyxel_Can Posts: 342  Zyxel Employee

    Hi @KITNIT,

    Here's an example setup for this environment:

    In USG60's configuration you need to add the following policy routes
    (Configuration > Network > Routing > Policy Route):

    1-    Traffic with the source address 10.10.10.0/24 will be forwarded to the IPSec tunnel named IKEv2

    2-    Any traffic to 20.20.20.0/24 will be forwarded to the IPSec tunnel named IKEv2

    3-    Any traffic from 20.20.20.0/24 will be forwarded to SYSTEM_DEFAULT_WAN_TRUNK

    You will also need to add a Security Policy rule
    (Configuration > Security Policy > Policy Control):

    Allow the traffic that comes from IPSec_VPN.

    In USG40's configuration you need to add the following policy routes
    (Configuration > Network > Routing > Policy Route):

    1-    Traffic with the source address 20.20.20.0/24 will be forwarded to the IPSec tunnel named IKEv2

    2-    Any traffic to 10.10.10.0/24 will be forwarded to the IPSec tunnel named IKEv2

    3-    Any traffic from 10.10.10.0/24 will be forwarded to SYSTEM_DEFAULT_WAN_TRUNK

    You will also need to add a Security Policy rule
    (Configuration > Security Policy > Policy Control).


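The policy-route tables in the answer above, as an added example that is not part of the thread and not Zyxel's code: a first-match simulation of the six routes, plus a check that no flow leaving the local LAN can bypass the tunnel (the "no split tunnel" property the question asks for). It models only the policy routes as listed; a real USG also consults direct and static routes, tunnel state and the security policy, none of which is modelled here (assumption). The next-hop labels, the `main-table` fallback and the probe addresses (documentation ranges) are constructed for the example.

```python
"""First-match simulation of the site-to-site policy routes from the answer.

Added example, not from the thread or from Zyxel. Only the listed policy routes
are modelled (assumption); next-hop labels and probe addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

TUNNEL = "tunnel:IKEv2"                   # the IPSec tunnel named IKEv2 in the answer
WAN = "trunk:SYSTEM_DEFAULT_WAN_TRUNK"    # the default WAN trunk in the answer


@dataclass(frozen=True)
class PolicyRoute:
    """One policy route: optional source/destination network and a next hop."""
    src: Optional[str]   # source network in CIDR form, None means any
    dst: Optional[str]   # destination network in CIDR form, None means any
    next_hop: str

    def matches(self, src_ip, dst_ip) -> bool:
        src_ok = self.src is None or src_ip in ip_network(self.src)
        dst_ok = self.dst is None or dst_ip in ip_network(self.dst)
        return src_ok and dst_ok


# The routes exactly as listed in the answer, in order (first match wins).
USG60_ROUTES = [
    PolicyRoute("10.10.10.0/24", None, TUNNEL),   # 1- local LAN -> tunnel
    PolicyRoute(None, "20.20.20.0/24", TUNNEL),   # 2- anything to remote LAN -> tunnel
    PolicyRoute("20.20.20.0/24", None, WAN),      # 3- remote LAN -> Internet via WAN trunk
]
USG40_ROUTES = [
    PolicyRoute("20.20.20.0/24", None, TUNNEL),   # 1- local LAN -> tunnel
    PolicyRoute(None, "10.10.10.0/24", TUNNEL),   # 2- anything to remote LAN -> tunnel
    PolicyRoute("10.10.10.0/24", None, WAN),      # 3- remote LAN -> Internet via WAN trunk
]


def route(routes: List[PolicyRoute], src: str, dst: str) -> str:
    """Next hop chosen for a src->dst flow; 'main-table' when no policy route matches."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    for r in routes:
        if r.matches(src_ip, dst_ip):
            return r.next_hop
    return "main-table"   # constructed label: fall through to the regular routing table


# Constructed probe destinations: two public addresses (TEST-NET-3 / TEST-NET-2)
# and an unrelated private range that is reachable from neither site.
PROBE_DESTINATIONS = ["203.0.113.10", "198.51.100.25", "192.168.99.1"]


def split_tunnel_leaks(routes: List[PolicyRoute], local_lan: str) -> List[Tuple[str, str]]:
    """Flows from local_lan that would NOT enter the tunnel; empty means the tunnel is fully forced."""
    host = str(next(ip_network(local_lan).hosts()))
    return [(host, dst) for dst in PROBE_DESTINATIONS if route(routes, host, dst) != TUNNEL]


if __name__ == "__main__":
    flows = [("10.10.10.5", "203.0.113.10"),   # USG60 LAN -> Internet
             ("10.10.10.5", "20.20.20.7"),     # USG60 LAN -> USG40 LAN
             ("20.20.20.7", "203.0.113.10")]   # USG40 LAN -> Internet (breakout at the other site)
    for name, routes in (("USG60", USG60_ROUTES), ("USG40", USG40_ROUTES)):
        for src, dst in flows:
            print(f"{name}: {src} -> {dst}: {route(routes, src, dst)}")
        print(f"{name}: split-tunnel leaks from local LAN:",
              split_tunnel_leaks(routes, "10.10.10.0/24" if name == "USG60" else "20.20.20.0/24"))
```

The point of `split_tunnel_leaks` is the property to verify after configuring either box: every flow sourced from the local LAN, whatever its destination, must resolve to the tunnel, and only traffic arriving from the remote LAN may resolve to the WAN trunk. Run it with an empty route list to see what an unconfigured device looks like.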
  • AdminSys
    AdminSys Posts: 26  Freshman Member

    I have to make such a site-to-site VPN. My question is, shouldn't the routes be added exactly the reciprocal way around? ...what is in USG40 to USG60 and vice versa?
    If I understand correctly, this is necessary in the case where, of the two sites, only one site can "go to the internet"?
