IPSec VTI VPN access device in overlapping subnet

baba
baba Posts: 280  Master Member
First Comment Friend Collector First Anniversary
edited August 2023 in Security

Hi all,

i've two USG FLEX 200 connected with Point-to-Point WiFi and IPSec VPN with VTI as backup. This setup works fine, both subnets 10.50.0.0/16 and 10.60.0.0/16 can reach each other. Now I want to access 10.70.70.20/32 from 10.50.0.0/16 and 10.70.70.10/32 from 10.60.0.0/16 over the IPSev VPN (when the PtP WiFi connection is lost).

To reach 10.70.70.20/32 from 10.50.0.0/16 while PtP WiFi connection is established i've added the following Policy Rule:
User: any
Schedule: none
Incoming: any (excluding ZyWALL)
Source: any
Destination: 10.70.70.20
DSCP Code: any
Service: any
Source port: any
Next-Hop: Gateway 10.70.70.2
DSCP Marking: preserve
SNAT: outgoing-interface

Which route i've to add to reach 10.70.70.20/32 from 10.50.0.0/16 via IPSec VPN VTI?
The following Policy Rule does not work:
User: any
Schedule: none
Incoming: any (excluding ZyWALL)
Source: any
Destination: 10.70.70.20
DSCP Code: any
Service: any
Source port: any
Next-Hop: Interface vti0
DSCP Marking: preserve
SNAT: none

Thank you!

Best,
baba

«1

All Replies

  • Zyxel_Joshua
    Zyxel_Joshua Posts: 62  Zyxel Employee
    5 Answers First Comment Friend Collector Sixth Anniversary

    The direct route 10.70.70.0/X will take the first priority.

    So that policy route will not hit.

    You need to turn on advanced option "Policy Route overwrite Direct Route".

    It's powerful but with risk(mis-configuration).

    Be careful to review all the policy routes to prevent rule to take over all direct route.

    Especially the policy route with destination: any

  • baba
    baba Posts: 280  Master Member
    First Comment Friend Collector First Anniversary
    edited August 2023

    @Zyxel_Joshua Do I need the "Policy Route overwrite Direct Route" option? I have no one (see next post) policy rule with destination any and some with source any. At PtP WiFi route it work as aspected without this advanced option.

  • baba
    baba Posts: 280  Master Member
    First Comment Friend Collector First Anniversary
    edited August 2023

    I was wrong, I have a policy rule with destination any, to forward all WAN traffic from Site B to Site A (via PtP WiFi)

    Route #6 isn't working (it is only disabled because its not working)
    Route #3 is the working PtP WiFi route without the "Policy Route overwrite Direct Route" option

    Is it safe to enable the "Policy Route overwrite Direct Route" option with this routes?

  • baba
    baba Posts: 280  Master Member
    First Comment Friend Collector First Anniversary

    @Zyxel_Joshua can you help me with checking the above rules are save for  the "Policy Route overwrite Direct Route" option? As long as I can still reach the USG FLEX via the internal network, everything is fine.

  • Zyxel_Joshua
    Zyxel_Joshua Posts: 62  Zyxel Employee
    5 Answers First Comment Friend Collector Sixth Anniversary
    edited August 2023

    Hi @baba

    I want to confirm with you first,

    The requirement is once the WiFi link break.

    Then switch the route to IPSec VTI link to the peer, even the peer address 10.70.70.X is in direct connect subnet.

    Second, the source IP address will keep not be translate (SNAT) ?

  • baba
    baba Posts: 280  Master Member
    First Comment Friend Collector First Anniversary
    edited August 2023

    @Zyxel_Joshua you are correct in both points 👍️

  • baba
    baba Posts: 280  Master Member
    First Comment Friend Collector First Anniversary

    @Zyxel_Joshua As far as I can see, with VTI you can only set the SNAT to none

  • Zyxel_Joshua
    Zyxel_Joshua Posts: 62  Zyxel Employee
    5 Answers First Comment Friend Collector Sixth Anniversary
  • baba
    baba Posts: 280  Master Member
    First Comment Friend Collector First Anniversary

    @Zyxel_Joshua keep in mind that 10.70.70.20 must be routed to the VTI VPI, but 10.70.70.10 must still be accessible via the internal interface. So only 10.70.70.20 must be routed through VTI VPN not whole 10.70.70.X

  • Zyxel_Joshua
    Zyxel_Joshua Posts: 62  Zyxel Employee
    5 Answers First Comment Friend Collector Sixth Anniversary
    edited August 2023

    Hi @baba ,

    Here the configuration comments for the case.

    1. Enable "Allow Asymmetrical Route" on Security Policy > Policy control page , to pass the stateful firewall checking.

    Usually, if the network setup need to use Policy Route overwrite direct route. There a triangle route issue need to take care.

    In this case, on both USG FLEX 10.70.70.X interface has triangle route packets. (the green circle)

    2. Enable Policy Route overwrite direct route and setup policy routes.

    (This example is for USG FLEX on the left hand side)

    (1) Rule 1, 4 is the primary/backup route for 10.50.0.0/16 to 10.60.0.0/16

    (2) Rule 2,5 is the primary/backup route for USG FLEX itself to 10.60.0.0/16

    (3) Rule 3,6 is the primary/backup route for 10.50.0.0/16 to 10.70.70.20

    Note: All packets is send without SNAT

Security Highlight