Site-to-Site Force Tunnel
All Replies
-
Routing. And firewall/policy rules.
0 -
Hi @KITNIT,
Here’s an example setup for this environment;
In USG60’s configurations you need to add following policy routes;
(Configuration > Network > Routing > Policy Route)1- With the source address of 10.10.10.0/24 will be forwarded to IPSec tunnel with the name of IKEv2
2- Any traffic to 20.20.20.0/24 will be forwarded to IPSec tunnel with the name of IKEv2
3- Any traffic from 20.20.20.0/24 will be forwarded to SYSTEM_DEFAUL_WAN_TRUNK
You will also need to add a Security Policy rule;
(Configuration > Security Policy > Policy Control)
Allow the traffic that comes from IPSec_VPN.
In USG40’s configurations you need to add following policy routes;
(Configuration > Network > Routing > Policy Route)1- With the source address of 20.20.20.0/24 will be forwarded to IPSec tunnel with the name of IKEv2
2- Any traffic to 10.10.10.0/24 will be forwarded to IPSec tunnel with the name of IKEv2
3- Any traffic from 10.10.10.0/24 will be forwarded to SYSTEM_DEFAULT_WAN_TRUNK
You will also need to add a Security Policy rule;
(Configuration > Security Policy > Policy Control)
0 -
I have to make such a site-site VPN, my question is, shouldn't the routings be added exactly the reciproc way around? …what is in USG40 to USG60 and vica-versa?
f I understand correctly, this is necessary in case of the two sites, only one site can "go to the internet"?0
Categories
- All Categories
- 415 Beta Program
- 2.3K Nebula
- 141 Nebula Ideas
- 94 Nebula Status and Incidents
- 5.5K Security
- 216 USG FLEX H Series
- 262 Security Ideas
- 1.4K Switch
- 71 Switch Ideas
- 1K Wireless
- 39 Wireless Ideas
- 6.3K Consumer Product
- 243 Service & License
- 382 News and Release
- 81 Security Advisories
- 27 Education Center
- 8 [Campaign] Zyxel Network Detective
- 3K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 83 About Community
- 71 Security Highlight