IPSec VTI VPN access device in overlapping subnet
Hi all,
I have two USG FLEX 200s connected with point-to-point WiFi and an IPSec VPN with VTI as backup. This setup works fine; both subnets 10.50.0.0/16 and 10.60.0.0/16 can reach each other. Now I want to access 10.70.70.20/32 from 10.50.0.0/16 and 10.70.70.10/32 from 10.60.0.0/16 over the IPSec VPN (when the PtP WiFi connection is lost).
To reach 10.70.70.20/32 from 10.50.0.0/16 while the PtP WiFi connection is established, I've added the following policy rule:
User: any
Schedule: none
Incoming: any (excluding ZyWALL)
Source: any
Destination: 10.70.70.20
DSCP Code: any
Service: any
Source port: any
Next-Hop: Gateway 10.70.70.2
DSCP Marking: preserve
SNAT: outgoing-interface
Which route do I have to add to reach 10.70.70.20/32 from 10.50.0.0/16 via the IPSec VPN VTI?
The following policy rule does not work:
User: any
Schedule: none
Incoming: any (excluding ZyWALL)
Source: any
Destination: 10.70.70.20
DSCP Code: any
Service: any
Source port: any
Next-Hop: Interface vti0
DSCP Marking: preserve
SNAT: none
Thank you!
Best,
baba
All Replies
-
The direct route 10.70.70.0/X takes first priority,
so that policy route will not hit.
You need to turn on the advanced option "Policy Route overwrite Direct Route".
It's powerful but comes with risk (misconfiguration).
Be careful to review all the policy routes to prevent a rule from taking over all direct routes,
especially a policy route with destination: any.
0 -
@Zyxel_Joshua Do I need the "Policy Route overwrite Direct Route" option? I have
no (see next post) policy rule with destination any and some with source any. The PtP WiFi route works as expected without this advanced option.
0 -
I was wrong, I have a policy rule with destination any, to forward all WAN traffic from Site B to Site A (via PtP WiFi).
Route #6 isn't working (it is only disabled because it's not working).
Route #3 is the working PtP WiFi route without the "Policy Route overwrite Direct Route" option.
Is it safe to enable the "Policy Route overwrite Direct Route" option with these routes?
0 -
@Zyxel_Joshua can you help me check whether the above rules are safe for the "Policy Route overwrite Direct Route" option? As long as I can still reach the USG FLEX via the internal network, everything is fine.
0 -
Hi @baba
I want to confirm with you first.
The requirement is: once the WiFi link breaks,
switch the route to the IPSec VTI link to the peer, even though the peer address 10.70.70.X is in a directly connected subnet.
Second, the source IP address should not be translated (SNAT)?
0 -
@Zyxel_Joshua you are correct in both points 👍️
0 -
@Zyxel_Joshua As far as I can see, with VTI you can only set SNAT to none.
0 -
Wait for a few days.
Doing the POC on my lab.
1 -
@Zyxel_Joshua keep in mind that 10.70.70.20 must be routed to the VTI VPN, but 10.70.70.10 must still be accessible via the internal interface. So only 10.70.70.20 must be routed through the VTI VPN, not the whole 10.70.70.X.
0 -
Hi @baba,
Here are the configuration comments for the case.
1. Enable "Allow Asymmetrical Route" on the Security Policy > Policy Control page to pass the stateful firewall check.
Usually, if the network setup needs to use Policy Route overwrite Direct Route, there is a triangle route issue to take care of.
In this case, on both USG FLEX the 10.70.70.X interface has triangle route packets (the green circle).
2. Enable Policy Route overwrite Direct Route and set up the policy routes.
(This example is for the USG FLEX on the left-hand side.)
(1) Rules 1 and 4 are the primary/backup routes for 10.50.0.0/16 to 10.60.0.0/16.
(2) Rules 2 and 5 are the primary/backup routes for the USG FLEX itself to 10.60.0.0/16.
(3) Rules 3 and 6 are the primary/backup routes for 10.50.0.0/16 to 10.70.70.20.
Note: All packets are sent without SNAT.
0
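The two points the thread turns on (Joshua's first reply: a directly connected destination beats a policy route until "Policy Route overwrite Direct Route" is on; and his final post plus baba's concern that a destination-any rule then takes over every host on the 10.70.70.X interface) can be checked offline with a small model of the lookup order. The code below is an added example, not Zyxel code and not the firewall's real algorithm: it assumes a /24 mask for the 10.70.70.0/X interface, interface names lan1/lan2, rule numbers other than #3 and #6, and a "policy routes first when overwrite is on, direct route first otherwise" precedence. The rule table is constructed to mirror the posts: rule 3 (PtP gateway) and rule 6 (vti0) for 10.70.70.20/32, plus a destination-any rule (numbered 7 here) modelled on the WAN-forwarding rule baba mentions. The `audit` function is the review Joshua asks for: it lists every policy rule whose destination covers an entire directly connected subnet, which is what makes the overwrite option risky.

```python
import ipaddress
from copy import deepcopy

# Constructed sample tables modelled on the thread. The /24 mask, interface names and
# rule 7 are assumptions; the page only gives rule numbers 3 and 6 and "10.70.70.0/X".
DIRECT_ROUTES = [
    ("10.50.0.0/16", "lan1"),    # site A LAN
    ("10.70.70.0/24", "lan2"),   # transfer subnet shared with the peer (mask assumed)
]

POLICY_ROUTES = [  # evaluated top to bottom, first match wins
    {"id": 3, "enabled": True,  "src": "0.0.0.0/0",    "dst": "10.70.70.20/32", "next_hop": "gateway 10.70.70.2"},
    {"id": 6, "enabled": False, "src": "0.0.0.0/0",    "dst": "10.70.70.20/32", "next_hop": "interface vti0"},
    {"id": 7, "enabled": True,  "src": "10.50.0.0/16", "dst": "0.0.0.0/0",      "next_hop": "gateway 10.70.70.2"},
]


def longest_direct_match(dst, direct_routes=DIRECT_ROUTES):
    """Longest-prefix match against directly connected subnets, or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, iface in direct_routes:
        n = ipaddress.ip_network(net)
        if dst in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, iface)
    return best


def first_policy_match(src, dst, policy_routes):
    """First enabled policy route whose source and destination contain the packet, or None."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in policy_routes:
        if r["enabled"] and src in ipaddress.ip_network(r["src"]) and dst in ipaddress.ip_network(r["dst"]):
            return r
    return None


def lookup(src, dst, overwrite_direct, policy_routes=POLICY_ROUTES, direct_routes=DIRECT_ROUTES):
    """Name the path a packet takes under this simplified model (assumed precedence).

    overwrite_direct=False: a directly connected destination wins before policy routes
    are consulted, which is why a policy route to 10.70.70.20 never hits.
    overwrite_direct=True: policy routes are consulted first for every destination.
    """
    direct = longest_direct_match(dst, direct_routes)
    if direct and not overwrite_direct:
        return f"direct {direct[0]} via {direct[1]}"
    pol = first_policy_match(src, dst, policy_routes)
    if pol:
        return f"policy rule {pol['id']} -> {pol['next_hop']}"
    if direct:
        return f"direct {direct[0]} via {direct[1]}"
    return "main routing table"


def with_enabled(policy_routes, enabled_ids):
    """Copy of the rule list with exactly the given rule ids enabled (simulates failover)."""
    rules = deepcopy(policy_routes)
    for r in rules:
        r["enabled"] = r["id"] in enabled_ids
    return rules


def audit(policy_routes=POLICY_ROUTES, direct_routes=DIRECT_ROUTES):
    """Policy rules whose destination covers a whole directly connected subnet.

    Once "Policy Route overwrite Direct Route" is on, such a rule decides the path for
    every host in that subnet, not just the one the operator had in mind. Host-specific
    rules (the /32 rules for 10.70.70.20) are the intended use and are not reported.
    Disabled rules are reported too: re-enabling one later must not be a surprise.
    """
    findings = []
    for r in policy_routes:
        dst = ipaddress.ip_network(r["dst"])
        for net, iface in direct_routes:
            n = ipaddress.ip_network(net)
            if n.subnet_of(dst):
                findings.append((r["id"], str(n), iface))
    return findings


if __name__ == "__main__":
    print(lookup("10.50.0.5", "10.70.70.20", overwrite_direct=False))
    failover = with_enabled(POLICY_ROUTES, {6, 7})   # WiFi rule 3 down, VTI rule 6 up
    print(lookup("10.50.0.5", "10.70.70.20", True, failover))
    print(lookup("10.50.0.5", "10.70.70.10", True, failover))
    for rule_id, net, iface in audit():
        print(f"rule {rule_id} covers all of {net} ({iface}) once overwrite is enabled")
```

Running it shows the three situations in the thread: with the option off, 10.70.70.20 is handled by the direct route and rule 6 is never consulted; with the option on and rule 3 disabled, rule 6 sends 10.70.70.20 to vti0; and with the option on, 10.70.70.10 from 10.50.0.0/16 no longer stays on the internal interface but is caught by the destination-any rule, because nothing narrower matches it. Reordering the rules so that the broad rule precedes the /32 rules also swallows 10.70.70.20, so the backup never fires. The audit flags rule 7 for both directly connected subnets; the fix is to narrow its destination (or place host-specific rules for the 10.70.70.X addresses ahead of it) before enabling the option.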