Route to second net via VPN

Zyxelswede
edited April 2021 in Security
I have a VPN tunnel between USG110 (LAN A: 192.168.0.0/24) and USG210 (LAN B: 192.168.1.0/24).
On LAN B there is a gateway 192.168.1.63 to LAN C: 192.168.98.0/24.

How do I configure USG110 and USG210 so that a user on LAN A can reach computers on LAN C?

Comments

  • Ian31 (Master Member)
    If the IP address spaces overlap,
    you need to use another address space mapped to the original one.
    The settings are kind of complex.

    So the easy way is to change LAN A to another address space, if possible.
  • Zyxel_Stanley (Zyxel Employee)
    edited July 2018

    Hi @Zyxelswede

    Welcome to Zyxel community. :) 

    Your scenario should be achievable with policy routes.

    On USG110:

    Add a policy route with destination 192.168.98.0/24 and the next hop set to the VPN tunnel established with USG210.


    On USG210:

    (1)  Create a rule with destination 192.168.98.0/24 and the next hop set to the gateway IP 192.168.1.63.

    (2)  Create a rule with destination the USG110 subnet 192.168.0.0/24 and the next hop set to the VPN tunnel established with USG110.

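The following Python model is an added example, not part of the thread and not Zyxel configuration or CLI syntax. It replays the two-rule setup above: each box is an ordered route table (first match wins, the way policy routes are evaluated top-down, with connected and default routes last), and a packet is traced hop by hop in each direction separately. In this model it shows why rule (2) on USG210 matters: without it, replies from LAN C to LAN A match only USG210's default route and leave via the WAN, so a ping from LAN A gets no answer even though the forward path is fine. The device labels, the sample host addresses and the assumption that the LAN C gateway's default route points at USG210 are mine, not settings from the thread.

```python
"""Toy model of the routing chain described in the thread.

Constructed example, not Zyxel firmware or CLI syntax. Each box is an
ordered route table (first match wins, the way policy routes are
evaluated top-down; connected and default routes come last) and a packet
is followed hop by hop, so the forward path LAN A -> LAN C and the return
path LAN C -> LAN A can be checked separately.
"""
import ipaddress

DELIVER = "deliver"   # destination host sits on a directly connected LAN
WAN = "wan"           # packet left via the default route: it never entered the VPN


def net(cidr):
    return ipaddress.ip_network(cidr)


def build_topology(usg210_return_route=True):
    """Route tables for USG110, USG210 and the LAN B gateway 192.168.1.63.

    A route is (network, target); target is another device name, DELIVER or WAN.
    Device labels and the gateway's default route pointing at USG210 are
    assumptions of this model, not settings from the thread.
    """
    usg110 = [
        (net("192.168.98.0/24"), "USG210"),   # policy route: LAN C via the VPN tunnel
        (net("192.168.1.0/24"), "USG210"),    # LAN B: remote subnet of the site-to-site VPN
        (net("192.168.0.0/24"), DELIVER),     # LAN A: connected
        (net("0.0.0.0/0"), WAN),              # default route
    ]
    usg210 = [
        (net("192.168.98.0/24"), "GW-LANC"),  # rule (1): LAN C via gateway 192.168.1.63
        (net("192.168.1.0/24"), DELIVER),     # LAN B: connected
        (net("0.0.0.0/0"), WAN),              # default route
    ]
    if usg210_return_route:
        # rule (2): LAN A back through the VPN tunnel to USG110
        usg210.insert(1, (net("192.168.0.0/24"), "USG110"))
    gateway = [
        (net("192.168.98.0/24"), DELIVER),    # LAN C: connected
        (net("192.168.1.0/24"), DELIVER),     # LAN B: connected
        (net("0.0.0.0/0"), "USG210"),         # assumed: USG210 is this gateway's default route
    ]
    return {"USG110": usg110, "USG210": usg210, "GW-LANC": gateway}


def lookup(routes, dst):
    """First-match route lookup; returns the target for dst."""
    for network, target in routes:
        if dst in network:
            return target
    raise LookupError(f"no route for {dst}")


def trace(topology, first_device, dst_ip, max_hops=8):
    """List the devices a packet to dst_ip crosses, ending in DELIVER, WAN or 'loop'."""
    dst = ipaddress.ip_address(dst_ip)
    path, device = [], first_device
    while len(path) < max_hops:
        path.append(device)
        target = lookup(topology[device], dst)
        if target in (DELIVER, WAN):
            path.append(target)
            return path
        device = target
    path.append("loop")
    return path


def ping_reaches(topology, src_device, src_ip, dst_device, dst_ip):
    """An echo request only gets a reply if both directions end in DELIVER."""
    forward = trace(topology, src_device, dst_ip)
    back = trace(topology, dst_device, src_ip)
    return forward[-1] == DELIVER and back[-1] == DELIVER


if __name__ == "__main__":
    # Constructed hosts: a PC on LAN A and a server on LAN C.
    pc_a, srv_c = ("USG110", "192.168.0.20"), ("GW-LANC", "192.168.98.10")
    for label, topo in (("with rule (2)", build_topology()),
                        ("without rule (2)", build_topology(usg210_return_route=False))):
        print(label)
        print("  A -> C:", " -> ".join(trace(topo, pc_a[0], srv_c[1])))
        print("  C -> A:", " -> ".join(trace(topo, srv_c[0], pc_a[1])))
        print("  ping works:", ping_reaches(topo, *pc_a, *srv_c))
```

Tracing the two directions separately is the useful habit here: when a ping from LAN A fails, the forward path and the return path are different routing problems, and a packet capture on the USG210's LAN interface tells you which one you have (request seen but no reply means the fault is on the gateway or the target host, not on USG110).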

  • Thanks @Zyxel_Stanley,
    I tried a similar solution earlier without results.
    It will not work even if I follow your instructions.

    Do I need to set up any Policy Controls too?

    Is there any way to get a log of the trace to see where the communication may stop?
  • CHS (Master Member)
    Hi @Zyxelswede
    As far as I know, if you would like to route traffic to another network behind the USG, then both VPN settings must be "Site to Site" VPN.

    If one of the sites is using "Site to Site with Dynamic Peer", then the policy route will be unable to route traffic into the VPN tunnel.
  • Hi @CHS
    The VPN is Site to Site.
  • Zyxel_Stanley (Zyxel Employee)
    You can log in to USG210 and make sure the packets have been forwarded to the VPN tunnel.
    (1) Log in to your USG210 by SSH and enter this command:
        Router> packet-trace interface lan1 ip-proto icmp
    (2) Send ICMP packets to 192.168.98.X from a PC behind USG110.

    If there is no reply from 192.168.98.X, then check the routing settings on your gateway,
    and check the firewall settings on your gateway and on the PC.
  • Thanks @Zyxel_Stanley!
    Strangest thing: I tried to ping now and the ping went through.
    The route is working just fine now :)
    Don't know why it didn't work before.

    Thanks again for all help!
