Site-to-Site Force Tunnel
All Replies
-
Routing. And firewall/policy rules.
0 -
Hi @KITNIT,
Here’s an example setup for this environment;
In USG60’s configurations you need to add following policy routes;
(Configuration > Network > Routing > Policy Route)1- With the source address of 10.10.10.0/24 will be forwarded to IPSec tunnel with the name of IKEv2
2- Any traffic to 20.20.20.0/24 will be forwarded to IPSec tunnel with the name of IKEv2
3- Any traffic from 20.20.20.0/24 will be forwarded to SYSTEM_DEFAUL_WAN_TRUNK
You will also need to add a Security Policy rule;
(Configuration > Security Policy > Policy Control)
Allow the traffic that comes from IPSec_VPN.
In USG40’s configurations you need to add following policy routes;
(Configuration > Network > Routing > Policy Route)1- With the source address of 20.20.20.0/24 will be forwarded to IPSec tunnel with the name of IKEv2
2- Any traffic to 10.10.10.0/24 will be forwarded to IPSec tunnel with the name of IKEv2
3- Any traffic from 10.10.10.0/24 will be forwarded to SYSTEM_DEFAULT_WAN_TRUNK
You will also need to add a Security Policy rule;
(Configuration > Security Policy > Policy Control)
0 -
I have to make such a site-site VPN, my question is, shouldn't the routings be added exactly the reciproc way around? …what is in USG40 to USG60 and vica-versa?
f I understand correctly, this is necessary in case of the two sites, only one site can "go to the internet"?0
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 147 Nebula Ideas
- 96 Nebula Status and Incidents
- 5.7K Security
- 262 USG FLEX H Series
- 271 Security Ideas
- 1.4K Switch
- 74 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.4K Consumer Product
- 249 Service & License
- 387 News and Release
- 84 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.5K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 85 About Community
- 73 Security Highlight