Contacting a spesific network when on VPN

Options
TES
TES Posts: 1 image  Freshman Member
edited April 2021 in Security
I'm currently having my users connecting to our USG-310 with SSL VPN so they are able to get access to local resources, but they are unable to contact another subnet which a spesific service are running on (site-to-site VPN)

I've tried adding the VPN-Destination subnet to the network list under the SSL VPN policy and even secuextender list the correct network but still are unable to contact that network, do i need to do some routing here to make this work?

Member is the VPN group network the secuextender is joingin
Destination address is the subnet i want them to be able to access


Hopefully this makes sense, not to known with the VPN part of networking etc yet :)

All Replies

  • Ian31
    Ian31 Posts: 174 image  Master Member
    5 Answers First Comment Friend Collector Sixth Anniversary
    @TES,
    You need to select the Site-to-Site VPN tunnel as Next-hop. 
    Also, on the peer VPN gateway to configure the return route rule as well.

  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,436 image  Zyxel Employee
    100 Answers 1000 Comments Friend Collector Eighth Anniversary

    Hi @TES

    Your topology should be like this:

    SSL VPN Client------USG#1====[VPN]====USG#2

     

    At currently SSL VPN client is able access to network resource behind USG#1, but unable reach to USG#2.

    You have to add policy route on both of USGs. 

    On USG#1

    Add policy route to route SSL VPN client traffic to USG#2.

    Source: SSL VPN IP Pool, Destination: USG#2 IP Subnet, Next Hop: VPN tunnel, SNAT: none.


    On USG#2

    Add policy route to route traffic back to SSL VPN client.

    Source: any, Destination: SSL VPN IP Pool, Next Hop: VPN tunnel, SNAT: none.


    After added these rules on both of USG, then SSL VPN client should able access to network resource behind USG#2.

Categories

Security Help Center

EnglishTiếng ViệtРусскийไทย中文(台灣)