Policy routing for L2TP VPN

alexpe
alexpe Posts: 42  Freshman Member
First Comment Friend Collector Fourth Anniversary

Hello everyone,

In our office we have two site-to-site tunnels with external clients. Configured with SNAT and routing rules. We can access it perfectly from our office subnet, but we need to be able to access it from our users' connections through the L2TP VPN. I explain the assembled infrastructure in the diagram.

For routing access to the two site-to-site I have the following configuration:

I am trying to be able to route to those two site-to-site from L2TP VPN access. I have tried many ways but I can't get there.

I have read in other posts that the USG does not allow SNAT traffic to be routed within the L2TP tunnel.

Can someone help me with this?

Thank you very much in advance.

All Replies

  • PeterUK
    PeterUK Posts: 3,461  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited March 13

    Have you enabled Inbound/Outbound traffic NAT on My office?

    You might have to re-upload the layout as its hard to see along with what you want like my office to what site x and site x to office. But from what I see you want L2TP VPN to go over the site to site to each site on the right which might mean you need to do two site to site tunnels to each on the right with Inbound/Outbound traffic NAT

    So I get the problem the three sites have the same subnet LAN 172.26.0.x and you need to use Inbound/Outbound traffic NAT to change to source.

    One problem from what I can tell top right of the layout that your SNAT subnet should match your source subnet and destination subnet \24.

  • alexpe
    alexpe Posts: 42  Freshman Member
    First Comment Friend Collector Fourth Anniversary

    HI @PeterUK,

    Thanks for your help.

    I don't quite understand what you mean by enabling NAT traffic in my office.

    I don't have the problem in all three places. As I explained, everything works perfectly inside my office and both of us get from place to place. The problem I have is with people who access from outside the office using L2TP VPN.

    I attach the diagram of how it is configured so you can see it better.

  • PeterUK
    PeterUK Posts: 3,461  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary

    The problem is made more complicated with the use of Inbound/Outbound traffic NAT on the site to site because you reuse of LAN subnet 172.26.0.x/24

    is there a site to site setup on office?

  • alexpe
    alexpe Posts: 42  Freshman Member
    First Comment Friend Collector Fourth Anniversary

    Yes, from the office you can access two site-to-site as indicated in the diagram. Each site-to-site has a SNAT configuration.

  • PeterUK
    PeterUK Posts: 3,461  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited March 13

    Is the following correct due to limited info may not be correct

    So the office on the left has two site to site tunnel links

    on office to top right

    local policy 192.168.64.0./24

    remote policy 10.148.18.128/27

    Inbound/Outbound traffic NAT

    source NAT

    source 192.168.64.0./24

    destination 10.148.18.128/27

    SNAT ?

    destination NAT original IP ? To mapped IP 172.26.0.x/24

    on office to bottom left

    local policy 192.168.69.0./24

    remote policy 172.27.0.0/24

    Inbound/Outbound traffic NAT

    source NAT

    source 192.168.69.0./24

    destination 172.27.0.0/24

    SNAT ?

    destination NAT original IP ? To mapped IP 172.26.0.x/24

    with top right local/remote policy

    local policy 10.148.18.128/27

    remote policy 192.168.64.0./24

    Inbound/Outbound traffic NAT

    source NAT

    source 172.26.0.x/24

    destination 192.168.64.0./20

    SNAT 10.148.18.128/27

    destination NAT original IP 192.168.64.0./24 To mapped IP 172.26.0.x/24

    with bottom left local/remote policy

    local policy 172.27.0.0/24

    remote policy 192.168.69.0./24

    Inbound/Outbound traffic NAT

    source NAT

    source 172.26.0.x/24

    destination 192.168.69.0./24

    SNAT 172.27.0.0/24

    destination NAT original IP 192.168.69.0./24 To mapped IP 172.26.0.x/24

  • PeterUK
    PeterUK Posts: 3,461  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited March 13

    So I have a test setup and I think you will need to add two more tunnels

    on office to top right

    local policy 10.2.0.0/24

    remote policy 192.168.10.0./24

    Inbound/Outbound traffic NAT

    source NAT

    source 10.2.0.0/24

    destination 192.168.40.0./24

    SNAT 10.20.0.0/24

    destination NAT original IP 192.168.60.0./24 To mapped IP 10.2.0.0/24

    on office to bottom left

    local policy 10.2.0.0/24

    remote policy 192.168.20.0./24

    Inbound/Outbound traffic NAT

    source NAT

    source 10.2.0.0/24

    destination 192.168.50.0./24

    SNAT 10.30.0.0/24

    destination NAT original IP 192.168.70.0./24 To mapped IP 10.2.0.0/24

    with top right local/remote policy

    local policy 192.168.10.0./24

    remote policy 10.2.0.0/24

    Inbound/Outbound traffic NAT

    source NAT

    source 172.26.0.0/24

    destination 192.168.60.0./24

    SNAT 192.168.30.0./24

    destination NAT original IP 192.168.40.0./24 To mapped IP 172.26.0.0/24

    with bottom left local/remote policy

    local policy 192.168.20.0./24

    remote policy 10.2.0.0/24

    Inbound/Outbound traffic NAT

    source NAT

    source 172.26.0.0/24

    destination 192.168.70.0./24

    SNAT 192.168.20.0./24

    destination NAT original IP 192.168.50.0./24 To mapped IP 172.26.0.0/24

    Then add routeing of the VPN L2TP down the new site to site tunnel

  • PeterUK
    PeterUK Posts: 3,461  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited March 14

    More info on the setup your looking for on a test setup I did you just have to add more tunnels

Security Highlight