How do I policy route WAN traffic for a single device through Site to Site IPSec tunnel?

I have an existing USG site-to-site IPsec VPN connection set up with a Remote site (subnet 192.168.3.0/24; gateway 192.168.3.1) connected to a Main site (10.2.10.0/24; gateway 10.2.10.1).

Remote traffic from LAN1 out to the WAN ordinarily goes, by default, through the Remote WAN interface.

I have a specific device on the Remote network (192.168.3.200) whose WAN traffic I require to go through the IPSec tunnel, such that after NAT, the traffic appears to come from the Main IP address, rather than the Remote IP address, like an SSL VPN connection to the Main device. For the remainder of the devices on the Remote network, I would like their WAN traffic to continue through the Remote WAN interface.

Could someone please walk me through the proper Policy Route set-up (and any additional Interface setup that may be required) in order to route the traffic from the Remote device through the IPsec VPN tunnel and out the Main device to the WAN, whilst leaving the remainder of the Remote WAN traffic using the device WAN?

All Replies

  • PeterUK
    PeterUK Posts: 2,705  Guru Member

    On the Remote site make a routing rule:
    incoming LAN1
    source IP 192.168.3.200
    next hop: VPN tunnel to main site
    Policy Control: LAN1 to VPN zone

    On the main site:
    incoming VPN tunnel
    source IP 192.168.3.200
    next hop WAN
    SNAT outgoing-interface
    Policy Control: VPN zone to WAN

  • bretdFW
    bretdFW Posts: 4

    So far, not quite working, although at least part of that might also be my configuration of the Main Route & Security Policy. The Main device is a different vendor so the interface layout & terminology is somewhat different. As this is a Zyxel forum, I don't expect you to review those settings, but could you verify from the screen shots above that I have the correct settings on the Remote device?

  • PeterUK
    PeterUK Posts: 2,705  Guru Member
    edited February 27

    Looks correct for the remote side.

    With site to site, the Main device being a different vendor might not support what you're trying to do.

    You may try site to site with the Main device local policy 0.0.0.0/0 and remote policy 192.168.3.0/24,

    and on the Remote site local policy 192.168.3.0/24 and remote policy 0.0.0.0/0.

    You may then need, on the Remote site, a routing rule for all other IPs to go out the WAN.

  • bretdFW
    bretdFW Posts: 4

    Will attempt troubleshooting the Main device settings and, failing that, I will attempt your alternate suggestion.

    Will let you know how it turns out. Thanks for your help!

  • bretdFW
    bretdFW Posts: 4

    Refresher: Still attempting to drive all WAN traffic from a device (192.168.3.200) on a remote network (Remote3) through an IPSec_VPN tunnel to a different site, such that with NAT the 192.168.3.200 device appears to come from a different site, à la an SSL_VPN connection, while all remaining WAN traffic on Remote3 continues through the Zyxel router as normal/default.*

    *The specific reason for doing so is that some geolocation servers have erroneously relocated the Remote3 WAN IP from the US to Canada, where services utilized by the device are not permitted. So we need the device traffic to appear to come from a WAN IP address that is geolocated within the US.

    Since I was unsuccessful routing traffic from Remote3 to our main location (Remote3 uses a Zyxel router/VPN; the main uses a different vendor router/VPN), I've instead created a tunnel (Remote3-Remote2) between the Remote3 (192.168.3.0/24) and Remote2 (192.168.2.0/24) sites, both of which use identical Zyxel Router/VPN.

    With the Remote3-Remote2 tunnel open & nailed up, I have created the following Routing Policy on Remote3 ZyXel:

    Status: active; User: any; Schedule: none; Incoming: lan1; Source: 192.168.3.200; Destination: any; DSCP Code: any; Service: any; Source Port: any; Next-Hop: Remote3-Remote2; DSCP Marking: preserve; SNAT: none;

    and the following Security Policy on Remote3 ZyXel:

    Status: active; Name: LAN1_to_IPSec_Device; From: LAN1; To: IPSec_VPN; IPv4 Source: 192.168.3.200; IPv4 Destination: any; Service: any; User: any; Schedule: none; Action: allow; Log: no

    On the Remote2 Zyxel, I have created the following Policy Route:

    Status: active; User: any; Schedule: none; Incoming: Remote3-Remote2; Source: 192.168.3.200; Destination: any; DSCP Code: any; Service: any; Source Port: any; Next-Hop: wan; DSCP Marking: preserve; SNAT: outgoing-interface;

    and the following Security Policy on Remote2 Zyxel:

    Status: active; Name: IPSec_VPN_Outgoing_Device; From: IPSec_VPN; To: WAN; IPv4 Source: 192.168.3.200; IPv4 Destination: any; Service: any; User: any; Schedule: none; Action: allow; Log: no

    I am still missing something somewhere, because with the above policies active, the 192.168.3.200 device does not connect to the WAN. Any additional insight as to what settings (or Advanced settings) I'm missing or need to check would be appreciated.
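The two-gateway design laid out in this post, together with PeterUK's earlier point about 0.0.0.0/0 phase-2 policies, can be followed step by step in a small packet-path model. The Python script below is an added example for readers of this thread; it is not Zyxel code or configuration, and the interface names (lan1, wan, Remote3-Remote2), zone names and the public addresses 198.51.100.x and 203.0.113.10 are constructed assumptions. For each gateway it applies, in the order a USG-style firewall does, the policy route (source-based next hop), the zone-to-zone security policy, and the IPsec phase-2 traffic selectors, then SNAT to the outgoing interface on the far gateway. It shows that when the tunnel's selectors cover only the two LAN subnets, the device's Internet-bound packet is routed into the tunnel but no SA covers it and it is dropped; with 0.0.0.0/0 policies on the Internet side of each selector pair it leaves Remote2 carrying the Remote2 WAN address, while other Remote3 hosts still leave via the Remote3 WAN.

```python
"""Packet-path model of a single-host policy route through an IPsec tunnel.

Constructed example, not Zyxel code or configuration. Interface and zone
names and the public addresses are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

TUN = "Remote3-Remote2"  # tunnel name used as an interface on both gateways


@dataclass
class Packet:
    src: str
    dst: str
    ingress: str          # interface the packet arrived on


@dataclass
class PolicyRoute:
    incoming: str         # incoming interface (lan1 or a tunnel name)
    source: str           # source selector as CIDR
    next_hop: str         # interface or tunnel name
    snat: bool = False    # "SNAT: outgoing-interface"


@dataclass
class Tunnel:
    local_policy: str     # phase-2 local traffic selector
    remote_policy: str    # phase-2 remote traffic selector


@dataclass
class Gateway:
    name: str
    wan_ip: str
    zones: dict                                   # interface -> zone
    routes: list                                  # ordered PolicyRoute list
    allowed: set                                  # {(from_zone, to_zone)}
    tunnels: dict = field(default_factory=dict)   # tunnel name -> Tunnel

    def forward(self, pkt: Packet) -> tuple[Optional[Packet], str]:
        """Return (packet as it leaves, egress) or (None, drop reason)."""
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        # 0. A packet arriving through a tunnel must match that SA's selectors too.
        if pkt.ingress in self.tunnels:
            t = self.tunnels[pkt.ingress]
            if src not in ip_network(t.remote_policy) or dst not in ip_network(t.local_policy):
                return None, f"{self.name}: inbound {pkt.src}->{pkt.dst} fails IPsec policy check"
        # 1. Policy route: first match wins; otherwise the default route to WAN with NAT.
        route = next((r for r in self.routes
                      if r.incoming == pkt.ingress and src in ip_network(r.source)), None)
        egress, snat = (route.next_hop, route.snat) if route else ("wan", True)
        # 2. Security policy is evaluated between zones, not interfaces.
        pair = (self.zones[pkt.ingress], self.zones[egress])
        if pair not in self.allowed:
            return None, f"{self.name}: no security policy {pair[0]} -> {pair[1]}"
        # 3. Into a tunnel only if an IPsec SA (traffic selector pair) covers the flow.
        if egress in self.tunnels:
            t = self.tunnels[egress]
            if src not in ip_network(t.local_policy) or dst not in ip_network(t.remote_policy):
                return None, (f"{self.name}: {pkt.src}->{pkt.dst} outside traffic selectors "
                              f"{t.local_policy}<->{t.remote_policy} on {egress}")
            return Packet(pkt.src, pkt.dst, ingress=egress), egress
        # 4. SNAT to the outgoing interface address when leaving via WAN.
        return Packet(self.wan_ip if snat else pkt.src, pkt.dst, ingress="wan"), egress


def trace(pkt: Packet, hops: list) -> tuple[Optional[Packet], list]:
    """Push a packet through gateways in order; stop at the first drop or WAN exit."""
    log = []
    for gw in hops:
        pkt, egress = gw.forward(pkt)
        log.append(egress)
        if pkt is None or egress == "wan":
            break
    return pkt, log


def build_site(remote3_remote_policy: str, remote2_local_policy: str) -> list:
    """Two gateways wired as in the thread; only the phase-2 selectors vary."""
    zones = {"lan1": "LAN1", "wan": "WAN", TUN: "IPSec_VPN"}
    remote3 = Gateway("Remote3", "198.51.100.3", zones,
                      routes=[PolicyRoute("lan1", "192.168.3.200/32", TUN)],
                      allowed={("LAN1", "WAN"), ("LAN1", "IPSec_VPN")},
                      tunnels={TUN: Tunnel("192.168.3.0/24", remote3_remote_policy)})
    remote2 = Gateway("Remote2", "198.51.100.2", zones,
                      routes=[PolicyRoute(TUN, "192.168.3.200/32", "wan", snat=True)],
                      allowed={("LAN1", "WAN"), ("IPSec_VPN", "WAN")},
                      tunnels={TUN: Tunnel(remote2_local_policy, "192.168.3.0/24")})
    return [remote3, remote2]


def egress_source(remote3_remote_policy: str, remote2_local_policy: str,
                  src: str = "192.168.3.200") -> str:
    """Source address an Internet host (203.0.113.10, constructed) sees, or the drop reason."""
    pkt, log = trace(Packet(src, "203.0.113.10", "lan1"),
                     build_site(remote3_remote_policy, remote2_local_policy))
    return pkt.src if pkt else log[-1]


if __name__ == "__main__":
    print("LAN-only selectors:", egress_source("192.168.2.0/24", "192.168.2.0/24"))
    print("0.0.0.0/0 selectors:", egress_source("0.0.0.0/0", "0.0.0.0/0"))
    print("other LAN host:    ", egress_source("0.0.0.0/0", "0.0.0.0/0", src="192.168.3.50"))
```

The model only covers the outbound direction. The reply from the Internet host reaches the Remote2 WAN address, is de-NATed to 192.168.3.200, and then has to be routed back into the tunnel and pass the same selector check in reverse, which is why the Remote2 side needs the 0.0.0.0/0 local policy paired with 192.168.3.0/24 as its remote policy, not only the Remote3 side.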
