How can we create an IPsec VPN site-to-site with more than 1 subnet on the destination site?
zyxel65376476876
Posts: 1 Freshman Member
USG20-VPN V4.32(ABAQ.0)
How can we create an IPsec VPN site-to-site with more than 1 subnet on the destination site?
In the remote policy a subnet is added, but I can't select an address group there - only 1 subnet.
I can't select the address group that I created with multiple subnets on the VPN connection page.
On SonicWall I created groups that could be selected under the VPN connection page.
Please, can someone help or knows the trick with Zyxel?
0
All Replies
There are multiple solutions:
1. Using a policy route to forward traffic to the destination into the VPN tunnel on both sides.
2. Using route-based VTI VPN instead of policy-based VPN.
3. Create another tunnel (if using policy-based VPN).
0
Agree with Ian in the previous post. We use (2) over VTI tunnels. Very straightforward with the exception of policy control.
1. Policy Controls
You will need policy controls to permit access from zone IPSEC_VPN to the LAN1 and LAN2 zones with the usual filter of SOURCE and DESTINATION.
Do the same if you need to access L2TP clients via the VTI tunnel as well.
Enable detailed logging (to an external server) so you can test it all out. You'll find the traffic goes through; however, you'll be getting whacked on the other end as the policy control will thwart the connection ... it's easy to see in the logging.
2. Policy Routes
i.e. Incoming VTI(1....n), SOURCE=(external LAN at a peer), Destination=filter_where_it_can_go, NEXT HOP ..... + etc, etc.
You may need to enable SNAT where OUTGOING is a VTI tunnel ... otherwise the packets get lost ..
Use packet tracing in the USG (parse with Wireshark) and also the USG logging. (Best to write logs from the USG appliances, routers etc. to an external server ... use syslog-ng or similar on macOS etc.)
HTH
Warwick
Hong Kong
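To make the difference between options 2 and 3 in the replies above concrete, here is an added Python model (not Zyxel code; the tunnel names, interface names and addresses are constructed samples). It shows a policy-based tunnel matching a packet against its single local/remote policy pair, versus a VTI where ordinary longest-prefix routing sends any number of remote subnets through the same interface.

```python
"""Model of why a policy-based IPsec tunnel with one remote-policy subnet
cannot carry traffic for two destination subnets, and how the two fixes from
the replies (a second policy-based tunnel, or a route-based VTI with a route
per remote subnet) resolve it. Illustration only; addresses are constructed."""
from ipaddress import ip_address, ip_network

# Option 3: policy-based tunnels, each with one local and one remote policy.
# A packet enters a tunnel only if it matches BOTH selectors of that tunnel.
def select_policy_tunnel(tunnels, src, dst):
    src, dst = ip_address(src), ip_address(dst)
    for name, local, remote in tunnels:
        if src in ip_network(local) and dst in ip_network(remote):
            return name
    return None  # no matching SA: the packet is not sent through any tunnel

# Option 2: the VTI is an interface, so the routing table decides by
# longest-prefix match and many remote subnets can point at the same VTI.
def select_route(routes, dst):
    dst = ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

# Constructed sample: local LAN 192.168.1.0/24, two subnets behind the peer.
ONE_TUNNEL = [("vpn_siteB", "192.168.1.0/24", "10.10.0.0/24")]
TWO_TUNNELS = ONE_TUNNEL + [("vpn_siteB_2", "192.168.1.0/24", "10.20.0.0/24")]
VTI_ROUTES = [("0.0.0.0/0", "wan1"),
              ("10.10.0.0/24", "vti1"),
              ("10.20.0.0/24", "vti1")]

if __name__ == "__main__":
    # Second remote subnet is unreachable with a single policy-based tunnel...
    print(select_policy_tunnel(ONE_TUNNEL, "192.168.1.5", "10.20.0.9"))   # None
    # ...reachable once a second tunnel (option 3) or a VTI route (option 2) exists.
    print(select_policy_tunnel(TWO_TUNNELS, "192.168.1.5", "10.20.0.9"))  # vpn_siteB_2
    print(select_route(VTI_ROUTES, "10.20.0.9"))                          # vti1
```

The VTI case still needs the policy controls Warwick describes, since routing a packet into `vti1` says nothing about whether the firewall zone rules permit it.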