Site-to-Site Force Tunnel

KITNIT

I have a site-to-site VPN Connections between a USG 60 (will be replaced with a ATP500 soon) and a USG 40.  Is there a way, like in client-to-site VPNs, to disable split tunneling and to force all the traffic through the tunnel?

mMontana

Routing. And firewall/policy rules.

Zyxel_Can

Hi @KITNIT,

 

Here’s an example setup for this environment;

In USG60’s configurations you need to add following policy routes;

(Configuration > Network > Routing > Policy Route)

1-    With the source address of 10.10.10.0/24 will be forwarded to IPSec tunnel with the name of IKEv2

2-    Any traffic to 20.20.20.0/24 will be forwarded to IPSec tunnel with the name of IKEv2

3-    Any traffic from 20.20.20.0/24 will be forwarded to SYSTEM_DEFAUL_WAN_TRUNK

 

You will also need to add a Security Policy rule;

(Configuration > Security Policy > Policy Control)

Allow the traffic that comes from IPSec_VPN.

 

 

In USG40’s configurations you need to add following policy routes;

(Configuration > Network > Routing > Policy Route)

1-    With the source address of 20.20.20.0/24 will be forwarded to IPSec tunnel with the name of IKEv2

2-    Any traffic to 10.10.10.0/24 will be forwarded to IPSec tunnel with the name of IKEv2

3-    Any traffic from 10.10.10.0/24 will be forwarded to SYSTEM_DEFAULT_WAN_TRUNK

 

You will also need to add a Security Policy rule;

(Configuration > Security Policy > Policy Control)

AdminSys

I have to make such a site-site VPN, my question is, shouldn't the routings be added exactly the reciproc way around? …what is in USG40 to USG60 and vica-versa?
f I understand correctly, this is necessary in case of the two sites, only one site can "go to the internet"?