IPSec VPN Internet traffic (not) working

Options
Hi,

I have successfully configured IPSec VPN and my users have access to internal resources and to the internet. However, I would like for this internet traffic to be monitored (e.g. SSL inspection, Content filter, etc.) and I can't seem to figure out how to do that.

I thought the policy route is a solution but regardless of what I do, my users still have full internet connectivity on their local machines.

All Replies

  • Zyxel_James
    Zyxel_James Posts: 618  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    Hello @Gizmagis,

    After creating a Content Filter profile or SSL Inspection profile, we could apply them to Policy Control rules. Please follow the instructions below.

    Take the ATP Series as an example.

    1. Navigate to Configure > Security Service > Content Filter > Web Content Filter, click +Add to create a profile.

    2. Configure the Content Filter profile and click OK to save it.

    3. Navigate to Configure > Security Service > SSL Inspection, click +Add to create a profile.

    4. Configure the SSL Inspection profile and click OK to save it. About how to export the SSL certificate, please refer to this article.

    5. Navigate to Security Policy > Policy Control, click the policy "IPSec_VPN_Outgoing" to configure.

    6. Select the security profile we created in previous steps and click OK to save it.


  • Gizmagis
    Options
    Hi James,

    thank you for your reply, however, I don't have any setbacks at configuring security services and applying them to the traffic. What I meant is that it looks like a client has a local internet connection (for web browsing) but I would like to force this to go through USG.

    Is that possible and how?
    Thanks,

    G
  • PeterUK
    PeterUK Posts: 2,749  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited February 2022
    Options

    So is this setup in one building with the users with the USG like the users are not at home?


  • Gizmagis
    Options
    The users are at home - is it possible for their traffic to go through USG and be monitored whilst on IPSec VPN?
  • PeterUK
    PeterUK Posts: 2,749  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited February 2022
    Options

    They can choose to not have internet traffic go down the VPN when connected I take it your using windows built in client? They can just uncheck default gateway without having their internet go down the VPN but why do you care about their internet traffic? They can just disconnect from the VPN to use their home internet.


    If the option is checked you can make a routing rule for incoming VPN to WAN/OPT and allowed by firewall.


    What might be happening is windows detect no internet with the VPN and uses the home internet? in which case the rule above and allowed by the firewall will use the VPN for internet.

  • Zyxel_James
    Zyxel_James Posts: 618  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    Hi @Gizmagis,

    Do you use Window build-in VPN?

    If so, the option "Use default gateway on remote network" is enabled by default. It means that all traffic including internet traffic will go through the VPN tunnel.

    You may check if this option is enabled.

    1. Open VPN connection properties. (Control Panel > Network and Internet > Network connection)

    2. Open the Networking tab, select Protocol Version 4 (TCP/IPv4), and click Properties.

    3. Click Advanced, and make sure the option "Use default gateway on remote network" is enabled.

    Thank you.

     



    James


  • sophiaabigail
    Options
    The VPN is up, but there is no passing traffic in one or both directions. This topic helps troubleshoot the issues that 192.168..l00.1    could prevent traffic passing ...
    This depends on your settings. The most common setup is “Host to Network“, in which case only traffic to the specified remote network(s) will go through the VPN tunnel. With a “Host to Everywhere” setup, all traffic – except traffic to the local network(s) – goes through the VPN.
  • sophiaabigail
    Options
    The VPN is up, but there is no passing traffic in one or both directions. This topic helps troubleshoot the issues that 192.168.l00.1    could prevent traffic passing ...
    This depends on your settings. The most common setup is “Host to Network“, in which case only traffic to the specified remote network(s) will go through the VPN tunnel. With a “Host to Everywhere” setup, all traffic – except traffic to the local network(s) – goes through the VPN.

Security Highlight