Contacting a spesific network when on VPN

TES Posts: 1
edited April 2021 in Security
I'm currently having my users connecting to our USG-310 with SSL VPN so they are able to get access to local resources, but they are unable to contact another subnet which a spesific service are running on (site-to-site VPN)

I've tried adding the VPN-Destination subnet to the network list under the SSL VPN policy and even secuextender list the correct network but still are unable to contact that network, do i need to do some routing here to make this work?

Member is the VPN group network the secuextender is joingin
Destination address is the subnet i want them to be able to access

Hopefully this makes sense, not to known with the VPN part of networking etc yet :)

All Replies

  • Ian31
    Ian31 Posts: 165
    5 Answers First Comment Friend Collector Fifth Anniversary
     Master Member
    You need to select the Site-to-Site VPN tunnel as Next-hop. 
    Also, on the peer VPN gateway to configure the return route rule as well.

  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,296
    100 Answers 1000 Comments Friend Collector Fifth Anniversary
     Zyxel Employee

    Hi @TES

    Your topology should be like this:

    SSL VPN Client------USG#1====[VPN]====USG#2


    At currently SSL VPN client is able access to network resource behind USG#1, but unable reach to USG#2.

    You have to add policy route on both of USGs. 

    On USG#1

    Add policy route to route SSL VPN client traffic to USG#2.

    Source: SSL VPN IP Pool, Destination: USG#2 IP Subnet, Next Hop: VPN tunnel, SNAT: none.

    On USG#2

    Add policy route to route traffic back to SSL VPN client.

    Source: any, Destination: SSL VPN IP Pool, Next Hop: VPN tunnel, SNAT: none.

    After added these rules on both of USG, then SSL VPN client should able access to network resource behind USG#2.

Security Highlight