Configure Site to Site VPN with Public IP's?

Options
Chris74
Chris74 Posts: 7
Hi - I need to extend public IP address over the VPN site to site. I have an NSG100 in a data centre and an NSG50 in the office.

I need to tunnel public static IP's via the NSG100 which is connected via WAN1 to our own public subnet - so that devices we configure in the office will work as if they were sat in our rack in the data centre.

When I configure these in the nebula for the two sites  - I get an overlap, so I'm not sure how to resolve it.

Any advice very welcome.

«1

All Replies

  • mMontana
    mMontana Posts: 1,300  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited March 2022
    Options
    IMVHO traffic from NSG50 "LAN1" (my guess) to internet should be routed via IPSEC connection.
    And someone should be resident into office knowing how to temporary disable that route if necessary.
    IMVHO both forward and reverse routes should be configured on NSG100 and NSG50. And making mistakes is quite easy...
  • Chris74
    Chris74 Posts: 7
    Options
    I don't see any option to configure Site to Site VPN with IPSEC.
  • Zyxel_Chris
    Zyxel_Chris Posts: 660  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    @Chris74
    It seems your LAN setting has overlap, can you let me know how is your scenario looks like?
    For instance:
    LAN1(192.168.8.0/24)---NSG100===VPN===NSG50---LAN1(192.168.9.0/24)

    On the other hand, are these 2 NSG in the same organization?
    Chris
  • Chris74
    Chris74 Posts: 7
    Options
    Ok, thanks - the scenario is very simple...

    I have 80.XX.XX.0/25 subnet via IP feed in a data centre. We run our live servers on those IP's

    I have one NSG100 in the rack configured as 80.XX.XX.100

    We are originally using this as remote VPN  - no problem there. But that's not what I'm asking about.

    I have now purchased a second unit. NSG50 for our office. I want to configure it as site to site, so the devices in the office can be on the same public subnet as the servers in our rack.

    So I want to plug in a server into the NSG50 at the office and give it an IP address 80.XX.XX.105 for example so that we can configure it in the office before taking to the DC and installing.

    There are no private networks involved.

    In Nebula, these are configured in the same organisation as different sites.

    Hope that is clear.


  • Zyxel_Chris
    Zyxel_Chris Posts: 660  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    @Chris74,
    Are you going to configure the public IP on NSG50 or on server? 
    If it's the first case then just login to the NSG local GUI, in interface can set the IP.
    Chris
  • Chris74
    Chris74 Posts: 7
    edited March 2022
    Options
    I'm sorry i don't follow what you're saying.

    I should explain that the office is using a standard broadband connection and the NSG50 is connected to this on the  WAN port.

    I want to extend the network on the NSG100 over the site to site VPN so that I can plug a server into a LAN port on the NSG50 at the office  - as if it was on the public subnet - as if the server is in the data centre.

    I guess to answer your question, I would configure the public IP on the server.


  • Zyxel_Chris
    Zyxel_Chris Posts: 660  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    May I know if your scenario looks like this? And the server's traffic will send through to the tunnel.

    NSG100(80.x.x105)===VPN===(80.x.x100)NSG50--(LAN)server (80.x.x101)

    If it is the case then it's not reasonable for usual case on s2s VPN, may I know why you need this application?
    Chris
  • Chris74
    Chris74 Posts: 7
    Options
    I think that's exactly the case yes, except The NSG100 is configured with 80.x.x.100 on the WAN interface.

    I want to connect any server to a port on the NSG50 at the office and configure the server with 80.x.x.105 or 106 or 107 etc so it is sitting on the public network the same as the other servers in the rack in the DC.

    The reason for this is so that we can configure a server in our office and test it working live - then someone non-technical will simply take the server to the data centre and fit it into the rack and it will work immediately without any further configuration.

    It also means that we can create a test environment here in the office so we can test different technologies and virtualisation products - then reconfigure / start again without having to travel to the DC and remove the kit to reinstall it.


  • Zyxel_Chris
    Zyxel_Chris Posts: 660  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    @Chris74
    Thanks for your information, however since all the participate device (server and wan interface) are in the same subnet therefore this scenario cannot wor (overlap and may have the routing issue), unless the server can located in the different subnet.
    Chris
  • Chris74
    Chris74 Posts: 7
    Options
    Ok can you suggest another way to achieve it? I know some routers have VPN ability - so could I connect a router via ipsec to the NSG100 and use the ports on the router? Is this possible? Is there any way I can do this with Zyxel hardware or do i need to find a different product?

Nebula Tips & Tricks