Routing between two IPsec VPNs
Hello,
I have a site A connected via IPsec VPN to an Azure VM, and a site B connected to site A, also via IPsec VPN. The two Zyxels are two USG60s. The two VPNs work correctly, but site B cannot see the Azure VM. Can you help me with the configuration of the rules?
Site A : 192.168.1.0/24
Site B : 172.16.0.0/24
Azure_Vnet : 10.11.0.0/16
VPN Azure_Vnet -> Site A : LAN1 -> Azure_Vnet
VPN Site A -> Site B : LAN1 -> SedeRoma
The current VPN configuration is therefore: Azure_Vnet -> Site A -> Site B
where Site B communicates only with Site A and not with Azure_Vnet
Thanks to everyone in advance
Comments
You need route-based VPN for Azure to Site A instead of policy-based VPN.
On Azure portal,
1.Create a route-based VPN gateway
2.Create a local gateway of Site A. Add address space of Site A & Site B network.
3.Create a VPN connection to Site A
On Site A USG,
1.Create VPN Gateway rule with IKEv2 to Azure VPN gateway
Encryption:AES128, Authentication:SHA1, DH:Group2, Lifetime:28800
2.Create VPN connection rule with scenario "VPN Tunnel Interface"
MSS Adjustment: Custom size, 1379
Encryption:AES128, Authentication:SHA1, PFS:Group2, Lifetime:27000
3.Create a VTI interface, named as vti0
IP address: choose an IP address that does not overlap with the Azure and USG networks
For example, 192.168.254.1/255.255.255.252
Bind with the VPN connection you create in step 2.
4.Add static route rule for any to Azure VNET
Destination: 10.11.0.0, Subnet Mask: 255.255.0.0, Next-Hop:vti0
5.Add a policy route for any to Site B network
Incoming interface: any, Source:any, Destination: Site B(172.16.0.0/24),
Next-Hop:VPN tunnel to Site B
On Site B USG,
1.Add a policy route for Site B to Azure via VPN tunnel to Site A
Incoming interface: any, Source: Site B(172.16.0.0/24), Destination: Azure_Vnet(10.11.0.0/16),
Next-Hop: VPN tunnel to Site A
Hello. I have exactly the same situation; now we are in 2022 and the help above does not work. I have a USG 20 in a branch, a USG 20-VPN at the main office and an Azure gateway.
I have 172.10.10.0/24 in the branch with an IPsec VPN tunnel to the main office, where I have 172.8.8.0/24.
To Azure I have a VPN tunnel between the main office 172.8.8.0/24 and 172.19.1.0/24 (Azure subnet).
How can I do the configuration in the year 2022 so that the branch can communicate with Azure through the main office?
Hi @rstanila,
Welcome to the Zyxel forum. Please use route-based VPN for this case.
On main office
- ensure there are routes to 172.10.10.0/24 and 172.19.1.0/24 pointing to the respective VTI
On branch
- ensure there are routes to 172.8.8.0/24 and 172.19.1.0/24 pointing to the VTI (to the main office)
On Azure
- ensure there are routes to 172.8.8.0/24 and 172.10.10.0/24 pointing to the VTI (to the main office)
Please also check that this traffic is not NATed and that the firewall policy allows it.
If the issue persists, kindly share the configuration with me in private messages.
Have a nice day.
Kevin
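Both answers above come down to the same rule: with policy-based tunnels, a packet from Site B to the Azure VNet never matches the LAN1 <-> Azure_Vnet traffic selector, and with route-based (VTI) tunnels every hop, including the Azure local network gateway, needs a route for every remote prefix. The script below is an added example, not code from the thread or from Zyxel or Azure; it models the original poster's three networks as a hub-and-spoke topology, does a longest-prefix-match lookup at each hop, and traces Site B <-> Azure in both directions under the policy-based layout, the route-based layout, and the route-based layout with Site B missing from the Azure side. Router and tunnel names (SiteA, azure_tun, siteA_tun, ...) are invented for the model; the prefixes are the ones from the first post.

```python
"""Hub-and-spoke IPsec reachability model (added example, not from the thread).

Prefixes from the original post; router/tunnel names are assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_network

SITE_A = ip_network("192.168.1.0/24")
SITE_B = ip_network("172.16.0.0/24")
AZURE = ip_network("10.11.0.0/16")


@dataclass
class Router:
    name: str
    routes: list  # (destination, next hop); next hop is a tunnel name or "local"
    # tunnel -> [(local, remote)] traffic selectors for policy-based tunnels;
    # a tunnel absent from this dict is route-based (VTI, any/any selectors)
    selectors: dict = field(default_factory=dict)

    def lookup(self, dst: IPv4Address):
        """Longest-prefix match over the route table."""
        best = None
        for net, nh in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best[1] if best else None

    def forward(self, src: IPv4Address, dst: IPv4Address):
        nh = self.lookup(dst)
        if nh is None:
            return None, f"{self.name}: no route to {dst}"
        if nh in self.selectors and not any(
            src in loc and dst in rem for loc, rem in self.selectors[nh]
        ):
            # policy-based IPsec: traffic outside the selectors never enters the SA
            return None, f"{self.name}: {src}->{dst} matches no selector on {nh}"
        return nh, ""


def trace(routers, links, start, src, dst, max_hops=8):
    """Follow next hops from router `start` until a router owns the destination."""
    cur, path = start, [start]
    for _ in range(max_hops):
        nh, err = routers[cur].forward(src, dst)
        if err:
            return False, path, err
        if nh == "local":
            return True, path, ""
        cur = links[(cur, nh)]
        path.append(cur)
    return False, path, "hop limit exceeded (routing loop?)"


def check_pair(routers, links, home, a: IPv4Network, b: IPv4Network):
    """Check one host of `a` against one host of `b` in both directions."""
    ha, hb = next(a.hosts()), next(b.hosts())
    ok1, p1, e1 = trace(routers, links, home[a], ha, hb)
    ok2, p2, e2 = trace(routers, links, home[b], hb, ha)
    return ok1 and ok2, {"forward": (p1, e1), "return": (p2, e2)}


# (router, tunnel name on that router) -> router at the far end of the tunnel
LINKS = {
    ("SiteA", "azure_tun"): "Azure", ("Azure", "siteA_tun"): "SiteA",
    ("SiteA", "siteB_tun"): "SiteB", ("SiteB", "siteA_tun"): "SiteA",
}
HOME = {SITE_A: "SiteA", SITE_B: "SiteB", AZURE: "Azure"}  # who owns each prefix


def policy_based():
    """Original layout: LAN1<->Azure_Vnet and LAN1<->Site B selectors only."""
    return {
        "SiteA": Router("SiteA", [(SITE_A, "local"), (AZURE, "azure_tun"), (SITE_B, "siteB_tun")],
                        {"azure_tun": [(SITE_A, AZURE)], "siteB_tun": [(SITE_A, SITE_B)]}),
        "SiteB": Router("SiteB", [(SITE_B, "local"), (SITE_A, "siteA_tun"), (AZURE, "siteA_tun")],
                        {"siteA_tun": [(SITE_B, SITE_A)]}),
        "Azure": Router("Azure", [(AZURE, "local"), (SITE_A, "siteA_tun")],
                        {"siteA_tun": [(AZURE, SITE_A)]}),
    }


def route_based(azure_knows_site_b=True):
    """Answer's layout: VTI tunnels plus a route for every remote prefix on every hop."""
    azure_routes = [(AZURE, "local"), (SITE_A, "siteA_tun")]
    if azure_knows_site_b:  # Azure local network gateway address space includes Site B
        azure_routes.append((SITE_B, "siteA_tun"))
    return {
        "SiteA": Router("SiteA", [(SITE_A, "local"), (AZURE, "azure_tun"), (SITE_B, "siteB_tun")]),
        "SiteB": Router("SiteB", [(SITE_B, "local"), (SITE_A, "siteA_tun"), (AZURE, "siteA_tun")]),
        "Azure": Router("Azure", azure_routes),
    }


if __name__ == "__main__":
    for label, routers in [("policy-based", policy_based()),
                           ("route-based", route_based()),
                           ("route-based, Azure without Site B", route_based(False))]:
        ok, detail = check_pair(routers, LINKS, HOME, SITE_B, AZURE)
        print(f"{label}: Site B <-> Azure {'OK' if ok else 'FAIL'} {detail}")
```

The third scenario is the one that most often survives a "route-based" migration: the forward path works, the return path dies at the Azure side with no route to 172.16.0.0/24, which is exactly what step 2 of the first answer (add both address spaces to the local network gateway) prevents. The model ignores NAT and firewall policy, which Kevin's reply lists as the remaining things to check.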