How to forward traffic to a branch site server after a client has established a VPN tunnel

Zyxel_Stanley (Zyxel Employee)
edited June 2022 in VPN

Scenario: Site#A and Site#B have established a site-to-site VPN tunnel. How do we forward traffic to Site#B after a client has connected a VPN tunnel to Site#A?

The VPN client can be L2TP, SSL VPN or IPSec VPN. The client will get an IP address assigned by the Site#A router.

In this scenario, the VPN client got its IP after establishing an L2TP VPN tunnel to Site#A.

You can add a policy route rule on both routers to forward the traffic.

(1) On Site#A (Rule for traffic to Site#B)

(2) On Site#B (Rule for traffic back to Client on Site#A)

After adding these rules on both firewalls, traffic can be forwarded to the server without any problem.


  • Brano
    Hi Stanley,
    hope you're doing well.
    I'm in the very same scenario as described in your schema, and I'm trying to make the Site B LAN subnet available for VPN IPsec clients. I added routing policy rules, but I still cannot reach Site B IPs.
    Site A ZyWall 110
    Site B USG Flex 200

    VPN SitetoSite works ok

    IPsec VPN for clients connecting to Site A (works ok, clients can reach the local LAN. VPC client uses IP - 100

    Site A Routing Policy Rule

    Site B Routing Policy Rule 

    I cannot get the routing to Site B to work over VPN for the VPC clients. Any suggestion on how this can be troubleshot?
    Rgds, Brano
  • Zyxel_Tobias (Zyxel Employee)
    Hi @Brano

    Can you try if it works following this guide?

    Make sure the 10.11.11. subnet is NOT configured on Site B (LAN or any other).

    Kind Regards,

  • Brano
    Thank you for your post Tobias.
    I added the route policies suggested by the guide, but packets are still not reaching the Site B LAN.

    Site A Routes
    WIZ_Site2Site_Kop  ---- Site2site VPN tunnel
    WIZ_Site2Site_Kop_Remote  ---- Site B LAN
    VPN IP Range ---- VPN clients' IP range; it does not conflict with any existing subnet in my network
    Dyn_Clt_SELF ---- Client IPsec VPN 

    Site B Routes
    WIZ_Site2Site_Tur ---- Site2site VPN tunnel
    WIZ_Site2Site_Tur_LOCAL ---- Site B LAN
    VPN_Client ---- VPN clients' IP range

    Well, I'm struggling to understand what may be preventing packets from flowing there. Packet capture and inspection is not my strong suit.

    Any advice is appreciated.

    rgds, Brano
  • Ian31 (Master Member)
    Here is the problem: is not included in the local policy for the client.
    So the traffic from the client to will not go into the VPN tunnel.

    You can change the local policy to the subnet ( ~, which includes both and
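The following is an added example, not Zyxel code and not the configuration from any post in this thread. It models, as a small offline checker, the three things the thread turns on: the policy routes on both firewalls from Stanley's original post, Tobias's caveat that the client pool must not also exist as a subnet on Site B, and Ian31's diagnosis that the client pool must be covered by the site-to-site tunnel's phase-2 local policy (and, mirrored, by the remote policy on Site B) or the packets never enter the tunnel even when a policy route points at it. All addresses, object names and the two-site layout are constructed for the demonstration; `covering_subnet` is one way to widen a selector so it contains both the LAN and the client pool.

```python
# Added example (not from the Zyxel posts or firmware): a checker for the
# client -> site-to-site -> branch path. Every address and name is constructed.
import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network


@dataclass
class PolicyRoute:
    src: Net
    dst: Net
    next_hop: str          # name of the tunnel the packet is sent into


@dataclass
class IpsecTunnel:
    name: str
    local_policy: Net      # phase-2 local traffic selector
    remote_policy: Net     # phase-2 remote traffic selector


@dataclass
class Firewall:
    name: str
    local_subnets: list    # subnets directly attached to this firewall
    routes: list           # PolicyRoute objects, first match wins
    tunnel: IpsecTunnel


def first_matching_route(fw, src_ip, dst_ip):
    for r in fw.routes:
        if src_ip in r.src and dst_ip in r.dst:
            return r
    return None


def tunnel_covers(tunnel, src_ip, dst_ip):
    """IPsec only encrypts a packet whose (src, dst) lies inside the phase-2 selectors."""
    return src_ip in tunnel.local_policy and dst_ip in tunnel.remote_policy


def check_client_to_branch(site_a, site_b, client_ip, server_ip):
    """Return the list of problems found on the client -> server and reply paths."""
    client_ip = ipaddress.ip_address(client_ip)
    server_ip = ipaddress.ip_address(server_ip)
    problems = []
    # Site A, forward direction: a policy route must send the packet into the tunnel...
    r = first_matching_route(site_a, client_ip, server_ip)
    if r is None or r.next_hop != site_a.tunnel.name:
        problems.append(f"{site_a.name}: no policy route for {client_ip}->{server_ip} "
                        f"into {site_a.tunnel.name}")
    # ...and the tunnel selectors must cover it, otherwise it is dropped, not encrypted
    if not tunnel_covers(site_a.tunnel, client_ip, server_ip):
        problems.append(f"{site_a.name}: {client_ip} is outside local policy "
                        f"{site_a.tunnel.local_policy} of {site_a.tunnel.name}")
    # Site B: the client pool must not also be a local subnet (replies would stay local)...
    for net in site_b.local_subnets:
        if client_ip in net:
            problems.append(f"{site_b.name}: client {client_ip} falls inside local subnet {net}")
    # ...the mirrored selectors must accept the packet and its reply...
    if not tunnel_covers(site_b.tunnel, server_ip, client_ip):
        problems.append(f"{site_b.name}: {client_ip} is outside remote policy "
                        f"{site_b.tunnel.remote_policy} of {site_b.tunnel.name}")
    # ...and a policy route must send the reply back into the tunnel
    r = first_matching_route(site_b, server_ip, client_ip)
    if r is None or r.next_hop != site_b.tunnel.name:
        problems.append(f"{site_b.name}: no policy route for {server_ip}->{client_ip} "
                        f"into {site_b.tunnel.name}")
    return problems


def covering_subnet(*nets):
    """Smallest single prefix that contains every given network."""
    nets = [ipaddress.ip_network(str(n)) for n in nets]
    cand = nets[0]
    while not all(n.subnet_of(cand) for n in nets):
        cand = cand.supernet()
    return cand


# Constructed layout: Site A LAN, a client pool used nowhere else, and the Site B LAN.
LAN_A = Net("192.168.1.0/24")
CLIENTS = Net("192.168.2.0/24")
LAN_B = Net("192.168.10.0/24")


def build_sites(widen_selectors=False):
    """Both firewalls with the policy routes from the thread; the tunnel selectors
    cover the client pool only when widen_selectors is True (Ian31's fix)."""
    local_a = covering_subnet(LAN_A, CLIENTS) if widen_selectors else LAN_A
    site_a = Firewall("SiteA", [LAN_A],
                      [PolicyRoute(CLIENTS, LAN_B, "WIZ_Site2Site")],
                      IpsecTunnel("WIZ_Site2Site", local_a, LAN_B))
    site_b = Firewall("SiteB", [LAN_B],
                      [PolicyRoute(LAN_B, CLIENTS, "WIZ_Site2Site")],
                      IpsecTunnel("WIZ_Site2Site", LAN_B, local_a))
    return site_a, site_b


if __name__ == "__main__":
    for widen in (False, True):
        a, b = build_sites(widen)
        label = "widened selectors" if widen else "wizard selectors"
        print(label, check_client_to_branch(a, b, "192.168.2.100", "192.168.10.5"))
```

With the wizard-made selectors the policy routes are present on both sides, exactly as in Brano's description, yet the checker reports two problems (client outside the Site A local policy, client outside the Site B remote policy); once both selectors are widened to the covering subnet, the list is empty. Adding the client pool as a local subnet on Site B reintroduces a problem, which is the situation Tobias warned about.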