forward traffic between vpn tunnels

rstanila Posts: 10
Hello

I have this configuration:

vpn2s in remote sites (a lot of them)
vpn100 in the main office
Azure gateway at Microsoft

I cannot create VPN tunnels directly from the remote sites to Azure, as I do not have that many concurrent IPsec tunnels in Azure, so I need to use the main office VPN100 as a concentrator between the remote sites and Azure.

Also, it seems that the VPN2S does not support a policy route to set "next hop: VPN tunnel xxx" for a destination subnet.

I am OK with full tunneling, but I tried it and it did not work.

What needs to be done in order to access Azure from the remote sites (and back) through the VPN100 in the main office?

All Replies

  • PeterUK Posts: 2,705  Guru Member
    edited June 2022
    Should just be a case of Azure being on a subnet of the VPN100, to set up the Local policy and Remote policy with different LAN subnets on the VPN2S and VPN100.
  • Zyxel_Kevin Posts: 753  Zyxel Employee
    Hi @rstanila
    For the VPN connection to Azure, the Remote Policy has to include the VPN2S/VPN100 subnets, and vice versa.
    For the VPN connection to the VPN2S, the Remote Policy has to include the VPN100/Azure subnets.
    Please feel free to contact us if the issue still persists.
    Thank you
    Kevin 

  • rstanila Posts: 10
    Hello. Thanks a lot for the answers. Let's be more specific; I have the following IPsec tunnels.

    vpn2s - vpn 100 : 192.168.40.0/24 <-> 192.168.3.0/24
    vpn100 - azure : 192.168.3.0/24 <-> 172.17.1.0/24

    I need to be able to access 172.17.1.0/24 from 192.168.40.0 and vice versa.

    What should I configure, and where? Thanks a lot in advance.
  • Zyxel_Kevin Posts: 753  Zyxel Employee
    Hi @rstanila
    I think using a concentrator is the fastest way. Let's make the VPN100 the hub.
    Tunnel with Azure:
    Local Policy: 192.168.3.0/24
    Remote Policy: 172.17.1.0/24

    Tunnel with vpn2s:
    Local Policy: 192.168.3.0/24
    Remote Policy: 192.168.40.0/24

    On the VPN100, have two VPN connections,

    then add both as Concentrator members.

    In this way, 172.17.1.0/24 can be accessed from 192.168.4.0 and vice versa.
    Thanks 
    Kevin

  • rstanila Posts: 10
    I tried this; it also needs a policy route on the VPN2S. If, from behind the VPN2S, I want to access Azure, how does the VPN2S know to route traffic to 172.17.1.0 (Azure) through the VPN tunnel with the VPN100?

    But on the VPN2S I cannot add a policy route through a VPN tunnel; it is not implemented.
    I also tried forwarding all traffic through the VPN tunnel with the VPN100. That does not work for accessing Azure either.
  • rstanila Posts: 10
    edited June 2022
    Please check this link: https://kb.zyxel.com/KB/searchArticle!gwsViewDetail.action?articleOid=013463&lang=EN

    So I am unable to check steps 4 and 5, because the VPN2S does not have policy routes through VPN tunnels, and Azure does not have this route either.

    Azure returns the traffic by default if the sender subnet is in the list of address spaces for that gateway.
  • rstanila Posts: 10
    Update: it works, without a policy route or concentrator. I just added both the HQ and Azure subnets as the remote policy on the first VPN tunnel, and on Azure I added both the HQ subnet and the VPN2S subnet to the address space list.
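The thread's outcome, as an added example that is not part of the original posts and is not Zyxel or Azure configuration syntax: a small Python model of the hub-and-spoke topology using the subnets quoted above (VPN2S 192.168.40.0/24, HQ 192.168.3.0/24, Azure 172.17.1.0/24). Each tunnel endpoint carries its local/remote traffic selectors (the "local policy"/"remote policy" on the Zyxel side, the "address space" list on the Azure side), and `reachable()` walks a packet hop by hop, requiring the selectors on both ends of every tunnel to cover the end-to-end source and destination. The strict per-hop selector match is a simplification labelled as such; the device names, the `topology()` helper and the `WORKING`/`BROKEN` configurations are constructed for this example.

```python
from ipaddress import ip_address, ip_network

# Subnets from the thread; everything else below is a constructed model.
SPOKE = "192.168.40.0/24"   # behind the VPN2S
HQ    = "192.168.3.0/24"    # behind the VPN100 (hub)
AZURE = "172.17.1.0/24"     # Azure VNet


def nets(*cidrs):
    return [ip_network(c) for c in cidrs]


def covered(addr, networks):
    return any(addr in n for n in networks)


def topology(hq_side_of_spoke_tunnel, onprem_side_of_azure_tunnel):
    """Build the three-device model. Each tunnel endpoint is (local, remote)
    selectors; the two ends of a tunnel are mirror images of each other.
    hq_side_of_spoke_tunnel:   what the VPN2S sees as 'remote' (and the hub as 'local').
    onprem_side_of_azure_tunnel: what Azure lists as address space (and the hub as 'local')."""
    return {
        "vpn2s": {"lans": nets(SPOKE),
                  "tunnels": {"vpn100": (nets(SPOKE), hq_side_of_spoke_tunnel)}},
        "vpn100": {"lans": nets(HQ),
                   "tunnels": {"vpn2s": (hq_side_of_spoke_tunnel, nets(SPOKE)),
                               "azure": (onprem_side_of_azure_tunnel, nets(AZURE))}},
        "azure": {"lans": nets(AZURE),
                  "tunnels": {"vpn100": (nets(AZURE), onprem_side_of_azure_tunnel)}},
    }


def reachable(topo, src, dst, start):
    """Return the list of devices a src->dst packet traverses from `start`,
    or None if some tunnel endpoint's selectors would not carry it.
    Simplification (assumption): every hop must match selectors exactly,
    with no concentrator or policy-route magic in between."""
    src, dst = ip_address(src), ip_address(dst)
    here, path, visited = start, [start], {start}
    while not covered(dst, topo[here]["lans"]):
        for peer, (local, remote) in topo[here]["tunnels"].items():
            if peer in visited:
                continue
            # Outbound: our own selectors must cover the flow.
            if not (covered(src, local) and covered(dst, remote)):
                continue
            # Inbound at the peer: its mirrored selectors must accept it too.
            peer_local, peer_remote = topo[peer]["tunnels"][here]
            if covered(src, peer_remote) and covered(dst, peer_local):
                here = peer
                path.append(peer)
                visited.add(peer)
                break
        else:
            return None   # no tunnel on this device carries the flow
    return path


# Initial situation in the thread: each tunnel only lists the two adjacent LANs.
BROKEN = topology(nets(HQ), nets(HQ))
# Final working setup: spoke tunnel remote policy = HQ + Azure,
# Azure address space = HQ + spoke (mirrored on the hub's local policies).
WORKING = topology(nets(HQ, AZURE), nets(HQ, SPOKE))


if __name__ == "__main__":
    for name, topo in (("BROKEN", BROKEN), ("WORKING", WORKING)):
        print(name, "spoke -> azure:", reachable(topo, "192.168.40.10", "172.17.1.10", "vpn2s"))
        print(name, "azure -> spoke:", reachable(topo, "172.17.1.10", "192.168.40.10", "azure"))
        print(name, "hq -> azure:   ", reachable(topo, "192.168.3.10", "172.17.1.10", "vpn100"))
```

The check is useful precisely because the failure is silent: with the `BROKEN` selectors the HQ-to-Azure flow still works, so the hub tunnel looks healthy, while spoke traffic is dropped before it ever enters the Azure tunnel. Running the same function for the return direction catches the other half of the fix, the spoke subnet missing from Azure's address space.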
