Routing between two VPN IPsec

EAQSUP Posts: 2  Freshman Member
edited April 2021 in Security

I have a site A connected via IPsec VPN to an Azure VM, and a site B connected to site A, always via IPsec VPN. The two Zyxels are two USG60s. The two VPNs work correctly, but site B cannot see the Azure VM. Can you help me with the configuration of the rules?

Site A :
Site B :
Azure_Vnet :

VPN Azure_Vnet -> Site A :   LAN1 -> Azure_Vnet

VPN Site A -> Site B :   LAN1 -> SedeRoma

The current VPN configuration is therefore:   Azure_Vnet -> Site A -> Site B
where Site B communicates only with Site A and not with Azure_Vnet

Thanks to everyone in advance


  • zyman2008
    zyman2008 Posts: 199  Master Member
    edited April 2018
    You need route-based VPN for Azure to Site A instead of policy-based VPN.

    On Azure portal,
    1. Create a route-based VPN gateway
    2. Create a local gateway of Site A. Add address space of Site A & Site B network.
    3. Create a VPN connection to Site A

    On Site A USG,
    1. Create VPN Gateway rule with IKEv2 to Azure VPN gateway
       Encryption: AES128, Authentication: SHA1, DH: Group2, Lifetime: 28800
    2. Create VPN connection rule with scenario "VPN tunnel Interface"
       MSS Adjustment: Custom size, 1379
       Encryption: AES128, Authentication: SHA1, PFS: Group2, Lifetime: 27000
    3. Create a VTI interface, named as vti0
       IP address: choose an IP address that does not overlap with the Azure and USG networks
       For example,
       Bind with the VPN connection you create in step 2.
    4. Add static route rule for any to Azure VNET
       Destination:, Subnet Mask:, Next-Hop: vti0
    5. Add a policy route for any to Site B network
       Incoming interface: any, Source: any, Destination: Site B(,
       Next-Hop: VPN tunnel to Site B

    On Site B USG,
    1. Add a policy route for Site B to Azure via VPN tunnel to Site A
       Incoming interface: any, Source: Site B(, Destination: Azure_Vnet(,
       Next-Hop: VPN tunnel to Site A
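
An added illustration (not from the thread or from Zyxel) of why the answer above moves the Azure leg to a route-based VPN: with policy-based IPsec, Site A only encrypts packets that match the LAN1 -> Azure_Vnet selector, so Site B's source addresses never qualify, whereas a VTI is just a next hop in a normal route lookup. The prefixes are constructed placeholders, since the poster's real addresses are not on the page, and the Azure side models step 2 (adding Site B to the local network gateway's address space).

```python
import ipaddress

# Constructed placeholder prefixes standing in for Site A LAN1, Site B LAN1
# and the Azure VNet; the thread's real addresses were stripped.
SITE_A = ipaddress.ip_network("10.1.0.0/24")
SITE_B = ipaddress.ip_network("10.2.0.0/24")
AZURE_VNET = ipaddress.ip_network("10.100.0.0/16")
ANY = ipaddress.ip_network("0.0.0.0/0")


def policy_based_decision(src, dst, selectors):
    """Policy-based IPsec: a packet enters a tunnel only if it matches one of
    the configured (local, remote) traffic-selector pairs."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for tunnel, local, remote in selectors:
        if src in local and dst in remote:
            return tunnel
    return "drop"  # no selector matched: not a candidate for any tunnel


def route_based_decision(dst, routes):
    """Route-based IPsec (VTI): ordinary longest-prefix lookup; a route whose
    next hop is a VTI sends the packet into that tunnel."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop)
    return best[1] if best else "drop"


# Site A before the fix: two policy-based tunnels, both with LAN1 as local selector.
SITE_A_SELECTORS = [("vpn_to_azure", SITE_A, AZURE_VNET), ("vpn_to_siteB", SITE_A, SITE_B)]

# Site A after the fix: Azure via vti0 (step 4), Site B via its own tunnel (step 5).
SITE_A_ROUTES = [(AZURE_VNET, "vti0"), (SITE_B, "vpn_to_siteB"), (ANY, "wan1")]

# Azure: the local network gateway's address space is what gets routed back into
# the tunnel. Without Site B in it (step 2), replies to Site B leave via the Internet.
AZURE_ROUTES_BEFORE = [(SITE_A, "vpn_to_siteA"), (ANY, "internet")]
AZURE_ROUTES_AFTER = [(SITE_A, "vpn_to_siteA"), (SITE_B, "vpn_to_siteA"), (ANY, "internet")]


def site_b_reaches_azure(site_a_routes, azure_routes, host_b="10.2.0.5", host_az="10.100.0.10"):
    """Transit works only if Site A forwards the request into the Azure VTI
    and Azure routes the reply to Site B back through the same tunnel."""
    forward = route_based_decision(host_az, site_a_routes)
    back = route_based_decision(host_b, azure_routes)
    return forward == "vti0" and back == "vpn_to_siteA"
```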

  • rstanila
    rstanila Posts: 10
    Hello. I have exactly the same situation; now we are in 2022 and the help above does not work. I have a USG 20 in a branch, a USG 20 with VPN at the main office, and an Azure gateway.

    I have in the branch with ipsec vpn tunnel to main office where I have

    to azure I have vpn tunnel between main office and (azure subnet)

    How can I do the configuration in 2022 so that the branch can communicate with Azure through the main office?
  • Zyxel_Kevin
    Zyxel_Kevin Posts: 752  Zyxel Employee
    edited May 2022
    Welcome to the Zyxel forum. Please use route-based VPN for this case.
    On the main office
    - ensure there is a route to , pointing to the respective VTI
    On the branch
    - ensure there is a route to , pointing to the VTI (between it and the main office)
    On Azure
    - ensure there is a route to , pointing to the VTI (between it and the main office)
    Please kindly check that the traffic is not NATed and that the firewall policies allow it.
    If the issue still persists, kindly share the configuration with me in Private Messages.
    Have a nice day.
