Routing between two VPN IPsec

EAQSUP Posts: 2  Freshman Member
edited April 2021 in Security
Hello,

I have a site A connected via IPsec VPN to an Azure VM, and a site B connected to site A, also via IPsec VPN. The two Zyxels are two USG60s. The two VPNs work correctly, but site B cannot see the Azure VM. Can you help me with the configuration of the rules?

Site A : 192.168.1.0/24
Site B : 172.16.0.0/24
Azure_Vnet : 10.11.0.0/16

VPN Azure_Vnet -> Site A :   LAN1 -> Azure_Vnet

VPN Site A -> Site B :   LAN1 -> SedeRoma

The current VPN configuration is therefore:   Azure_Vnet -> Site A -> Site B
where Site B communicates only with Site A and not with Azure_Vnet

Thanks to everyone in advance

Comments

  • zyman2008
    zyman2008 Posts: 199  Master Member
    edited April 2018
    You need a route-based VPN for Azure to Site A instead of a policy-based VPN.

    On the Azure portal,
    1. Create a route-based VPN gateway
    2. Create a local gateway for Site A. Add the address space of the Site A & Site B networks.
    3. Create a VPN connection to Site A

    On the Site A USG,
    1. Create a VPN Gateway rule with IKEv2 to the Azure VPN gateway
       Encryption: AES128, Authentication: SHA1, DH: Group2, Lifetime: 28800
    2. Create a VPN connection rule with scenario "VPN tunnel Interface"
       MSS Adjustment: Custom size, 1379
       Encryption: AES128, Authentication: SHA1, PFS: Group2, Lifetime: 27000
    3. Create a VTI interface, named vti0
       IP address: choose an IP address that does not overlap with the Azure and USG networks
       For example, 192.168.254.1/255.255.255.252
       Bind it to the VPN connection you created in step 2.
    4. Add a static route rule for any to the Azure VNET
       Destination: 10.11.0.0, Subnet Mask: 255.255.0.0, Next-Hop: vti0
    5. Add a policy route for any to the Site B network
       Incoming interface: any, Source: any, Destination: Site B (172.16.0.0/24),
       Next-Hop: VPN tunnel to Site B

    On the Site B USG,
    1. Add a policy route for Site B to Azure via the VPN tunnel to Site A
       Incoming interface: any, Source: Site B (172.16.0.0/24), Destination: Azure_Vnet (10.11.0.0/16),
       Next-Hop: VPN tunnel to Site A

  • rstanila
    rstanila Posts: 10
    Hello. I have exactly the same situation; now we are in 2022 and the help above does not work. I have a USG 20 in a branch, a USG 20 - VPN at the main office, and an Azure gw.

    I have 172.10.10.0/24 in the branch with an IPsec VPN tunnel to the main office, where I have 172.8.8.0/24.

    To Azure I have a VPN tunnel between the main office 172.8.8.0/24 and 172.19.1.0/24 (Azure subnet).

    How can I do the configuration in 2022 so that the branch can communicate with Azure through the main office?
  • Zyxel_Kevin
    Zyxel_Kevin Posts: 752  Zyxel Employee
    edited May 2022
    Welcome to the Zyxel forum. Please use a route-based VPN for this case.
    On the main office
    - ensure there are routes to 172.10.10.0/24 and 172.19.1.0/24 pointing to the respective VTI
    On the branch
    - ensure there are routes to 172.8.8.0/24 and 172.19.1.0/24 pointing to the VTI (to the main office)
    On Azure
    - ensure there are routes to 172.8.8.0/24 and 172.10.10.0/24 pointing to the VTI (to the main office)
    Please kindly check that the traffic is not NATed and that the firewall policy allows it.
    If the issue persists, kindly share the configuration with me in Private Messages.
    Have a nice day.
    Kevin
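
Added example (not code from this thread, Zyxel or Azure): a small Python model of the hub-and-spoke routing described by zyman2008 and Zyxel_Kevin above, using the thread's Site A / Site B / Azure_Vnet prefixes and constructed host addresses. It traces a packet and its reply through each router's route table and each tunnel's traffic selectors, so it shows concretely why a policy-based Site A - Azure tunnel drops Site B traffic, why Azure also needs a route back to Site B, and that both directions have to work.

```python
import ipaddress

def net(s):
    return ipaddress.ip_network(s)

def build(route_based_azure, azure_knows_site_b):
    """Constructed model of the thread's topology: Site B <-> Site A <-> Azure.
    A policy-based tunnel carries only traffic matching its (src, dst) selectors;
    a route-based (VTI) tunnel has selectors=None and carries whatever is routed in."""
    tunnels = {
        "A-B": {"ends": ("SiteA", "SiteB"), "selectors": None},
        "A-Azure": {"ends": ("SiteA", "Azure"), "selectors": None if route_based_azure
                    else [(net("192.168.1.0/24"), net("10.11.0.0/16"))]},
    }
    azure_routes = [(net("192.168.1.0/24"), "A-Azure")]
    if azure_knows_site_b:  # Site B's address space added on the Azure side too
        azure_routes.append((net("172.16.0.0/24"), "A-Azure"))
    routers = {
        "SiteA": {"local": [net("192.168.1.0/24")],
                  "routes": [(net("10.11.0.0/16"), "A-Azure"), (net("172.16.0.0/24"), "A-B")]},
        "SiteB": {"local": [net("172.16.0.0/24")],
                  "routes": [(net("192.168.1.0/24"), "A-B"), (net("10.11.0.0/16"), "A-B")]},
        "Azure": {"local": [net("10.11.0.0/16")], "routes": azure_routes},
    }
    return tunnels, routers

def trace(src, dst, start, tunnels, routers, max_hops=8):
    """Follow one packet hop by hop; returns (delivered, path or failure reason)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    here, path = start, [start]
    for _ in range(max_hops):
        router = routers[here]
        if any(dst in n for n in router["local"]):
            return True, path
        best = max((r for r in router["routes"] if dst in r[0]),
                   key=lambda r: r[0].prefixlen, default=None)  # longest-prefix match
        if best is None:
            return False, path + [f"no route to {dst} at {here}"]
        name, tunnel = best[1], tunnels[best[1]]
        sel = tunnel["selectors"]
        if sel is not None and not any((src in s and dst in d) or (src in d and dst in s)
                                       for s, d in sel):
            return False, path + [f"selector mismatch on {name} at {here}"]
        here = tunnel["ends"][1] if tunnel["ends"][0] == here else tunnel["ends"][0]
        path.append(here)
    return False, path + ["hop limit exceeded"]

def reachable(a, b, start_a, start_b, tunnels, routers):
    """A flow only works if the forward packet and the reply are both delivered."""
    fwd = trace(a, b, start_a, tunnels, routers)
    rev = trace(b, a, start_b, tunnels, routers)
    return fwd[0] and rev[0], fwd[1], rev[1]
```

Running `reachable("172.16.0.10", "10.11.0.4", "SiteB", "Azure", *build(True, True))` reports success, while `build(False, True)` fails at Site A with a selector mismatch and `build(True, False)` fails on the reply because Azure has no route to Site B.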
