VPN into Main WAN VPN

Charles_MCE Posts: 2
edited April 2021 in Security
Howdy all. I have looked and have not quite found what I need to get my scenario working.

7-location business connected with a USG310 and 6 USG60s through IPsec VPN. Works great.
Added an account to the Zyxel to verify against AD.
Added SSL VPN to the 310. Thought it was working great since I could access our main location.

The SSL VPN seems to only have access to the 310 network and not the other offices.

Support says I need to set up policy routes to force traffic over the tunnel. Clicked "force over tunnel" and still nothing.

Unsure of how to set up the policies, since I have not yet found any examples for my general scenario.

Any suggestions?

Would there be a better way to set this up?

Thank you in advance

All Replies

  • zyman2008
    zyman2008 Posts: 199  Master Member
    edited February 2019
    First, here is a best practice for multi-site setups that you can reference.
    If you had planned the private IP address space of the sites well, you would not need to use policy routes.

    But if the IP address space cannot change, then you need to add policy routes on both the main site and the other sites. This is because the auto routes of the site-to-site VPN only define the route between the main office and the other offices; they do not include the VPN client to the other offices. Also, the other offices do not include the route back to the IP address of the VPN client.

    So you need to add a policy route on the main office, one per office, and then add a policy route on each office site for traffic back to the VPN client.
    Here is the example route flow for an SSL VPN client to the main office and then to office A:
      SSL VPN client--->main office (add policy route for client to office A)--->site-to-site VPN--->office A
    Then on office A, add the return route back to the SSL VPN client:
      office A (add policy route for office A to client)--->site-to-site VPN--->main office--->SSL VPN client

    And for the SSL VPN settings on the main office:
    If you want to force the VPN client to forward all traffic into the SSL VPN tunnel,
    then check the option "Force all client traffic to enter SSL VPN tunnel".

    If you want the SSL VPN client to split-route,
    then uncheck "Force all client traffic to enter SSL VPN tunnel"
    and add the network address objects that the VPN client may access to the Network List.
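The route flow above can be checked outside the firewall. The model below is an added example written for this thread, not code from the post or from Zyxel: it treats each USG's auto site-to-site routes and policy routes as (source network, destination network, next hop) entries, the way an IPsec traffic selector or a Zyxel policy route matches on both ends, and looks up the forward path at the main office and the return path at office A. The subnets (main LAN 10.1.0.0/24, office A 10.2.0.0/24, SSL VPN client pool 192.168.200.0/24, and the 10.1.0.0/16 summary in the last scenario) and the next-hop names are constructed assumptions.

```python
"""Model of hub-and-spoke VPN routing for an SSL VPN client behind the hub.

Added example for the thread above; not Zyxel code. All addresses are
constructed. A route entry is (src_net, dst_net, next_hop); the most
specific matching pair wins, and the (0/0, 0/0, "wan") default stands in
for "not in any tunnel" (private traffic sent there is simply lost).
"""
from ipaddress import ip_address, ip_network

# Constructed addressing (assumption): hub LAN, one spoke LAN, SSL client pool.
MAIN_LAN = ip_network("10.1.0.0/24")
OFFICE_A_LAN = ip_network("10.2.0.0/24")
SSL_POOL = ip_network("192.168.200.0/24")
ANY = ip_network("0.0.0.0/0")


def select_route(table, src, dst):
    """Source-aware lookup: the entry whose (src, dst) pair is most specific wins."""
    best_hop, best_score = None, -1
    for src_net, dst_net, hop in table:
        if src in src_net and dst in dst_net:
            score = src_net.prefixlen + dst_net.prefixlen
            if score > best_score:
                best_hop, best_score = hop, score
    return best_hop


def auto_vpn_routes():
    """Only what the site-to-site IPsec setup installs by itself:
    hub LAN <-> spoke LAN, nothing about the SSL VPN client pool."""
    return {
        "main": [(ANY, ANY, "wan"), (MAIN_LAN, OFFICE_A_LAN, "tunnel-office-a")],
        "office_a": [(ANY, ANY, "wan"), (OFFICE_A_LAN, MAIN_LAN, "tunnel-main")],
    }


def with_forward_policy_route_only(tables):
    """The half-fix: a policy route at the main office only."""
    tables = {k: list(v) for k, v in tables.items()}
    tables["main"].append((SSL_POOL, OFFICE_A_LAN, "tunnel-office-a"))
    return tables


def with_policy_routes(tables):
    """The full fix from the reply: forward route at the hub, return route at the spoke."""
    tables = with_forward_policy_route_only(tables)
    tables["office_a"].append((OFFICE_A_LAN, SSL_POOL, "tunnel-main"))
    return tables


def summarized_tables():
    """The 'well-planned address space' case: the client pool (here 10.1.200.0/24,
    an assumption) sits inside a hub summary that the site-to-site routes
    already cover, so no policy routes are needed."""
    main_summary = ip_network("10.1.0.0/16")
    return {
        "main": [(ANY, ANY, "wan"), (main_summary, OFFICE_A_LAN, "tunnel-office-a")],
        "office_a": [(ANY, ANY, "wan"), (OFFICE_A_LAN, main_summary, "tunnel-main")],
    }


def client_reaches_office_a(tables, client_ip="192.168.200.10", server_ip="10.2.0.50"):
    """Return (forward_ok, return_ok) for an SSL VPN client talking to a host in office A."""
    client, server = ip_address(client_ip), ip_address(server_ip)
    forward_ok = select_route(tables["main"], client, server) == "tunnel-office-a"
    return_ok = select_route(tables["office_a"], server, client) == "tunnel-main"
    return forward_ok, return_ok


if __name__ == "__main__":
    print("auto routes only:        ", client_reaches_office_a(auto_vpn_routes()))
    print("hub policy route only:   ", client_reaches_office_a(with_forward_policy_route_only(auto_vpn_routes())))
    print("hub + spoke policy route:", client_reaches_office_a(with_policy_routes(auto_vpn_routes())))
    print("summarized hub space:    ", client_reaches_office_a(summarized_tables(), client_ip="10.1.200.10"))
```

The second scenario is the one worth noticing: adding only the hub-side route (or just ticking "force over tunnel", which only decides what the client sends into the SSL tunnel) gets the packet to office A, but office A has no route back to the client pool, so replies never arrive and the connection looks just as dead as before. The return route on each spoke is the part that is easy to forget.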

  • Charles_MCE
    The tunnels were set up long before I started with this company. I have just introduced them to the external VPN option for the admins and executives when they are out.

    I do have that box checked. It helped resolve a couple of other issues.

    I am checking out the link you included.

    I will give it a try and let you know
