USG 110 SSL client multi VPN

Ondrej · April 2019

Hi

I have created 3 site-to- site IPSec VPN tunnels.

HQ to branch1,2,3

All works ok.

When SSL client /secuextender/ connect to HQ, can browse HQ lan, but cannot browse/

Image: https://us.v-cdn.net/6029482/uploads/editor/dz/fv6k9ppvr7qd.jpg

ping BR1,2,3.

All Lan is allowed in Selected Objects.

What is wrong?

THX.

Ian31 · April 2019

The IP address space of your SSL VPN clients is 192.168.100.100-120
So if your are using policy-based IPSec site-to-site tunnel.
The VPN connection setting of local poly in HQ and remote policy need to include the IP address space of SSL VPN clients.

Zyxel_Stanley · April 2019

Hi @Ondrej

Welcome to Zyxel community.

You topology:

SSL Client(192.168.100.100)--------HQ(HQ subnet)========[VPN]======Branch(Branch Subnet)

As your scenario, SSL VPN client is able access to HQ subnet but unable access to branch subnet.

You can go to make sure if you have added routing for SSL VPN client on both of devices.

(1) On HQ device. The “branch subnet” have to add into network list of SSL VPN.

(2) Add policy route on HQ device.

Destination: Branch subnet, NextHop: VPN tunnel.

Image: https://us.v-cdn.net/6029482/uploads/editor/b4/ivx7itfog6mn.png

(3) Add policy route on Branch device.

a. Incoming: ZyWALL, Destination IP: SSL VPN Pool. NextHop: VPN (It is for access to Branch ZyWALL)

b. Incoming: any, Destination IP: SSL VPN Pool, NextHop: VPN (It is for access to branch subnet)

Image: https://us.v-cdn.net/6029482/uploads/editor/dv/ujh71cjx1nzt.png

Ian31 · April 2019

The IP address space of your SSL VPN clients is 192.168.100.100-120
So if your are using policy-based IPSec site-to-site tunnel.
The VPN connection setting of local poly in HQ and remote policy need to include the IP address space of SSL VPN clients.

Zyxel_Stanley · April 2019

Hi @Ondrej

Welcome to Zyxel community.

You topology:

SSL Client(192.168.100.100)--------HQ(HQ subnet)========[VPN]======Branch(Branch Subnet)

As your scenario, SSL VPN client is able access to HQ subnet but unable access to branch subnet.

You can go to make sure if you have added routing for SSL VPN client on both of devices.

(1) On HQ device. The “branch subnet” have to add into network list of SSL VPN.

(2) Add policy route on HQ device.

Destination: Branch subnet, NextHop: VPN tunnel.

(3) Add policy route on Branch device.

a. Incoming: ZyWALL, Destination IP: SSL VPN Pool. NextHop: VPN (It is for access to Branch ZyWALL)

b. Incoming: any, Destination IP: SSL VPN Pool, NextHop: VPN (It is for access to branch subnet)

Ondrej · May 2020

HI Zyxel_Stanley

thanks, thanks very much.

USG 110 SSL client multi VPN

Best Answers

All Replies

Categories

Security Highlight

Security Help Center