how can we create a ip sec vpn site to site with more than 1 subnet on the destination site

zyxel65376476876 Posts: 1
edited April 2021 in Security
USG20-VPN V4.32(ABAQ.0)

how can we create a ip sec vpn site to site with more than 1 subnet on the destination site

in remote policy subnet is added but cant select address group there -  only 1 subnet  

can't select address group that i created with multi subnets on the vpn connection page

on sonicwall i created groups that could be selcted under the vpn connection page

please can someone help or knows the trick with zyxel

All Replies

  • Ian31
    Ian31 Posts: 168  Master Member
    First Anniversary 10 Comments Friend Collector First Answer
    There multiple solutions,
    1. Using policy route to forward traffic to destination into the VPN tunnel on both side.
    2. Using route-based VTI VPN instead of policy-based VPN.
    3. Create another tunnel (if using policy-based VPN) 

  • warwickt
    warwickt Posts: 111  Ally Member
    First Anniversary Friend Collector First Answer First Comment
    Agree with Ian in the previous post . We use (2) over VTI tunnels. Very straight forward with the exception of Policy control.

    1. Policy Controls 
    You will need policy  controls to permit access from zone IPSEC_VPN to LAN1 and LAN2 zones wit the usual filter of SOURCE and DESTINATION.

    Do the same if you need to access L2TP clients via the VTI tunnel as well.

    Enable details logging (to an external server) so you can test it all out. You'll find the traffic goes through however you  be getting whacked on the other end as the Policy control with thwart the connection. ... it's easy to see i the logging. 

    2. Policy Routes
    i.e Incoming VTI(1....n) , SOURCE=(external lan at a peer), Destination=filter_where_it_can_go, NEXT HOP.....+ etc, etc 

    You may need to enable SNAT where OUTGOING is a VTI tunnel ... otherwise the packets get lost ..

    Use packet tracing in the USG (parse with Wireshark) and also the USG logging. (best to write logs from the USG appliances routers etc) to an external server ... (use syslog-ng or similar on mac os etc) 


    Hong Kong 

Security Highlight