VPN client connected to site 1 needs to have access also to the subnet on site 2.
Jarno_Smits
Posts: 23 Freshman Member
in Security
Good morning, hopefully I have explained it correctly.
But the question is how do I configure the route so that if a VPN client is connected to
site 1, this client can also access the subnet on site 2 (site 1 and 2 are connected with a site-to-site VPN)?
See the network setup below:
I did some tests with creating routes on site 1 but I'm not able to get this to work.
Accepted Solution
-
Here is the topology and configuration for your reference.

Configuration - Site A
IKEv2 VPN settings
Policy Route
Incoming: Tunnel
Please select one member: IKEv2 tunnel
Source: any
Destination: Subnet of Site B (192.168.10.0/24)
Next-Hop: site to site VPN tunnel

Configuration - Site B
Policy Route
Source: Subnet of Site B (192.168.10.0/24)
Destination: Subnet of IKEv2 VPN clients (192.168.33.0/24)
Next-Hop: site to site VPN tunnel

Test Result
IKEv2 VPN client is connected to Site A and gets IP address 192.168.33.1.
IKEv2 VPN client: 192.168.33.1
Laptop at site B: 192.168.10.33
192.168.33.1 ping 192.168.10.33 successfully.
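The accepted solution configures one policy route per site, and the rest of the thread shows what goes wrong when one side is missing or when the site-to-site tunnel's local/remote IP range covers only the two LANs. The following model is an added example, not Zyxel code and not from the thread: it replays the echo request at site A and the echo reply at site B against each site's policy routes and then against the tunnel's traffic selectors, using the addresses from the solution above. Interface names ("ikev2-tunnel", "lan1", "s2s-tunnel", "wan-default"), site A's own LAN (192.168.20.0/24) and the selector check (standard IPsec behaviour: a packet outside the SA's local/remote policy is not encrypted, whatever the policy route says) are assumptions made here, not facts the page states.

```python
"""Constructed model of the two policy routes in the accepted solution.

Added example, not Zyxel code: simulates the next hop each firewall picks
for the client's ping and for the laptop's reply, so the reason for a
policy route on BOTH sites is visible. Interface names are placeholders.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple


@dataclass(frozen=True)
class PolicyRoute:
    incoming: str       # interface the packet arrived on, or "any"
    source: str         # CIDR or "any"
    destination: str    # CIDR or "any"
    next_hop: str       # "s2s-tunnel" here; anything else leaves the VPN

    def matches(self, incoming: str, src: str, dst: str) -> bool:
        if self.incoming not in ("any", incoming):
            return False
        if self.source != "any" and ip_address(src) not in ip_network(self.source):
            return False
        if self.destination != "any" and ip_address(dst) not in ip_network(self.destination):
            return False
        return True


def in_any(addr: str, cidrs: Tuple[str, ...]) -> bool:
    return any(ip_address(addr) in ip_network(c) for c in cidrs)


@dataclass
class Site:
    routes: List[PolicyRoute]     # ordered; first match wins
    s2s_local: Tuple[str, ...]    # site-to-site tunnel local policy (selectors)
    s2s_remote: Tuple[str, ...]   # site-to-site tunnel remote policy (selectors)

    def forward(self, incoming: str, src: str, dst: str) -> str:
        """Policy routes are consulted first; with no match the packet follows
        the main table, reduced here to a default route out of the WAN.
        A packet handed to the tunnel is still dropped if it falls outside the
        SA's traffic selectors (assumed standard IPsec behaviour)."""
        for r in self.routes:
            if r.matches(incoming, src, dst):
                hop = r.next_hop
                break
        else:
            hop = "wan-default"
        if hop == "s2s-tunnel" and not (in_any(src, self.s2s_local) and in_any(dst, self.s2s_remote)):
            return "dropped-by-selector"
        return hop


# Addresses from the accepted solution
CLIENT_POOL = "192.168.33.0/24"   # IKEv2 client pool handed out by site A
SITE_B_LAN = "192.168.10.0/24"
CLIENT_IP = "192.168.33.1"
LAPTOP_B = "192.168.10.33"
SITE_A_LAN = "192.168.20.0/24"    # assumed value; the solution does not give it


def build_sites(site_b_route: bool = True, selectors_cover_pool: bool = True):
    """Return (site_a, site_b). The flags reproduce two failure modes from the
    thread: no return route at site B, and site-to-site local/remote policies
    that list only the two LANs and not the client pool."""
    pool = (CLIENT_POOL,) if selectors_cover_pool else ()
    site_a = Site(
        routes=[PolicyRoute("ikev2-tunnel", "any", SITE_B_LAN, "s2s-tunnel")],
        s2s_local=(SITE_A_LAN,) + pool,
        s2s_remote=(SITE_B_LAN,),
    )
    site_b = Site(
        routes=[PolicyRoute("any", SITE_B_LAN, CLIENT_POOL, "s2s-tunnel")] if site_b_route else [],
        s2s_local=(SITE_B_LAN,),
        s2s_remote=(SITE_A_LAN,) + pool,
    )
    return site_a, site_b


def round_trip(site_a: Site, site_b: Site, src: str = CLIENT_IP, dst: str = LAPTOP_B):
    """Next hop for the echo request at site A and for the echo reply at
    site B; the ping only succeeds when both legs use the tunnel."""
    request = site_a.forward("ikev2-tunnel", src, dst)
    reply = site_b.forward("lan1", dst, src)
    return request, reply


def ping_works(site_a: Site, site_b: Site) -> bool:
    return round_trip(site_a, site_b) == ("s2s-tunnel", "s2s-tunnel")


if __name__ == "__main__":
    for label, kw in [("as in the solution", {}),
                      ("site B policy route missing", {"site_b_route": False}),
                      ("tunnel policies cover only the LANs", {"selectors_cover_pool": False})]:
        a, b = build_sites(**kw)
        print(f"{label}: {round_trip(a, b)} -> ping {'ok' if ping_works(a, b) else 'fails'}")
```

Run as-is it prints three scenarios: with both routes and selectors covering the client pool the request and reply both take the tunnel; without site B's route the reply leaves via the default route and the ping fails; with local/remote policies that cover only the two LANs the packet is routed to the tunnel but not carried by it, which is the case to check first when the policy routes look correct but pings still fail.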
All Replies
-
You also need to create a policy route on site 2. Just follow the guide in these posts.
-
Good morning Jasailafan,
Sorry for my delayed answer. I added the rules as described in the given documents, but still no connection from the VPN client connected to site 1 to the site 2 subnet.
I also searched the internet and more people are having the same issue, also when adding the rules as described.
Could the problem in my situation be the subnets I am using?
The subnet from site 1 is 192.168.1.0/24 and from site 2 it is 192.168.2.0/24; this range is also configured in the VPN settings as the local and remote IP range of the VPN.
The IP addresses the VPN clients can use are 192.168.31.1 to 192.168.31.9, but this range I also configured in the route as described in the documents.
I also changed the IP range from site 1 to 192.168.1/23 and from site 2 to 192.168.2./23 but still no success.
-
What is the type of your VPN client? Is it an SSL VPN client, an IPSec VPN client or an L2TP VPN client? Can you post the policy route which is configured on each site?
-
The client VPN connection is an IPSec IKEv2 connection.
Below are some screenshots of the policy routes and of the site-to-site VPN connection from site 1 and site 2:
Site 1 (USG210) policy route:
VPN client setup at site 1 (USG210):
Site 1 to site 2 VPN settings on the USG210 (site 1)
Site 1 to site 2 VPN settings on the USG60 (site 2)
Policy route on the USG60 (site 2)
-
I am running into a similar issue and have tried the same fixes, but no luck. Adding to this to keep an eye on a solution.
-
Hi Emily,
your solution fixed the issue.
The local policy of the VPN client needed to be changed to (HOST: 0.0.0.0) instead of subnet 192.168.1.0/24.
I also had a wrong setting in the policy route of site B.
Now when I have a VPN client connection to site 1, I'm able to access the subnet of site 2 as well.
The only thing is now, when enabling the VPN on my smartphone, I don't have internet access anymore; I can only access the clients on both sites 1 and 2.
When changing the local policy back from host 0.0.0.0 to subnet 192.168.1.0/24, I have internet access again on my smartphone when the VPN is enabled, but then I don't have access to the subnet of site 2 anymore.
-
Everything is working now. I changed the VPN client settings to certificate authorisation instead of only a key, and now it works correctly: when opening a VPN to site 1 I'm able to access the clients on site 2, and I also have internet access on the VPN client when the VPN is enabled.
Everybody, thanks for the fast answers on this forum.
Kind regards,
Jarno