How to forward traffic to branch site server after client established VPN tunnel
Zyxel_Stanley (Zyxel Employee)
Scenario: Site#A and Site#B have an established site-to-site VPN tunnel. How to forward traffic to Site#B after a client has connected a VPN tunnel to Site#A.
The VPN client can be L2TP/SSL VPN/IPSec VPN. The client will get an IP address assigned by the Site#A router.
In this scenario, the VPN client got IP 10.10.10.1 after establishing an L2TP VPN tunnel to Site#A.
You can add a policy route rule on both routers to forward the traffic.
(1) On Site#A (Rule for traffic to Site#B)
(2) On Site#B (Rule for traffic back to Client on Site#A)
After adding these rules on both firewalls, traffic can be forwarded to the server without any problem.
Comments
Hi Stanley,
hope you're doing well.
I'm in the very same scenario as described in your schema and I'm trying to make the Site B LAN subnet available to the IPsec VPN clients. I added routing policy rules, but I still cannot reach Site B IPs.
Site A ZyWall 110
Site B USG Flex 200
The site-to-site VPN works ok.
IPsec VPN for clients connecting to Site A (10.10.10.0/24) works ok; clients can reach the local LAN. VPN clients use IPs 10.11.11.10 - 100.
Site A Routing Policy Rule
Site B Routing Policy Rule
I cannot get the routing to Site B to work over VPN for the VPN clients. Any suggestion on how this can be troubleshot?
Rgds, Brano
Hi @Brano,
Can you try whether it works following this guide?
https://support.zyxel.eu/hc/en-us/articles/360010904260-IPSec-VPN-Client-Routing-traffic-over-site-to-site-tunnel
Make sure the 10.11.11. subnet is NOT configured on Site B (LAN or any other).
Kind Regards,
Tobias
Thank you for your post, Tobias.
I added the route policies suggested by the guide, but packets are still not reaching the Site B LAN.
Site A Routes
WIZ_Site2Site_Kop ---- Site2site VPN tunnel
WIZ_Site2Site_Kop_Remote ---- Site B LAN 10.10.20.0/24
VPN IP Range ---- VPN clients IP range 10.11.11.1-200; it does not conflict with any existing subnet in my network
Dyn_Clt_SELF ---- Client IPsec VPN
Site B Routes
WIZ_Site2Site_Tur ---- Site2site VPN tunnel
WIZ_Site2Site_Tur_LOCAL ---- Site B LAN 10.10.20.0/24
VPN_Client ---- VPN Clients IP range 10.11.11.1-200
Well, I'm struggling to understand what may be preventing packets from flowing there. Packet capture and inspection is not my strong suit.
Any advice is appreciated.
rgds, Brano
Brano,
Here's the problem: 10.10.20.0/24 is not included in the local policy for the client.
So the traffic from the client to 10.10.20.0/24 will not go into the VPN tunnel.
You can change the local policy to the subnet 10.10.0.0/19 (10.10.0.0/24 ~ 10.10.31.0/24), which includes both 10.10.10.0/24 and 10.10.20.0/24.
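Stanley's diagnosis (the branch LAN is not inside the client's phase-2 selector, so the client never sends that traffic into the tunnel) and the return-route rule on Site B from the opening post can both be checked on paper before touching either firewall. The script below is an added example for this thread, not code from the forum post or from Zyxel. It models the thread's addresses as constructed values (Site A LAN 10.10.10.0/24, Site B LAN 10.10.20.0/24, client pool 10.11.11.1-200), lists the destinations the client's selectors miss, derives the smallest single prefix that covers them (which reproduces the 10.10.0.0/19 suggestion), checks that the widened selector does not swallow the client pool, and derives the prefix Site B needs for its route back to the clients. All function names are the example's own.

```python
"""Check whether a road-warrior VPN client's phase-2 selectors and the
branch site's return route cover a client-to-server flow.

Added example for this thread; not code from the forum post or from Zyxel.
Addresses are constructed from the thread (Site A LAN 10.10.10.0/24,
Site B LAN 10.10.20.0/24, client pool 10.11.11.1-200). Function names are
the example's own.
"""
from ipaddress import IPv4Network, ip_address, ip_network, summarize_address_range
from typing import Iterable, List

# Constructed to match the thread.
SITE_A_LAN = ip_network("10.10.10.0/24")
SITE_B_LAN = ip_network("10.10.20.0/24")
# The client pool is a range, not a subnet; expand it into exact prefixes.
CLIENT_POOL: List[IPv4Network] = list(
    summarize_address_range(ip_address("10.11.11.1"), ip_address("10.11.11.200")))


def enters_tunnel(selectors: Iterable[IPv4Network], dst) -> bool:
    """A client packet only enters the IPsec tunnel when dst matches a
    phase-2 selector; anything else takes the client's normal default route."""
    dst = ip_address(dst)
    return any(dst in net for net in selectors)


def missing_destinations(selectors: List[IPv4Network],
                         wanted: List[IPv4Network]) -> List[IPv4Network]:
    """Networks the client should reach that no selector fully contains."""
    return [n for n in wanted if not any(n.subnet_of(s) for s in selectors)]


def covering_prefix(nets: List[IPv4Network]) -> IPv4Network:
    """Smallest single prefix containing every network in nets.

    This is how a single-subnet selector (Stanley's 10.10.0.0/19) is derived
    for a client that must reach several /24s through one tunnel."""
    lo = min(n.network_address for n in nets)
    hi = max(n.broadcast_address for n in nets)
    for plen in range(32, -1, -1):          # widen until both ends fit
        cand = ip_network((int(lo), plen), strict=False)
        if hi in cand:
            return cand
    raise ValueError("unreachable: /0 contains every address")


def overlaps(prefix: IPv4Network, nets: Iterable[IPv4Network]) -> List[IPv4Network]:
    """Networks in nets that collide with prefix. A widened selector must not
    swallow the client pool itself, or client-to-client traffic is pulled into
    the tunnel and Tobias's 'not configured on Site B' condition is broken."""
    return [n for n in nets if prefix.overlaps(n)]


def diagnose(client_ip, server_ip, client_selectors: List[IPv4Network],
             site_b_return_nets: List[IPv4Network]) -> str:
    """Walk the flow VPN client (Site A) -> server (Site B) and report the
    first hop that drops it, or 'ok'. Only the two checks the thread turned
    on are modelled: the client selector and Site B's route back to the pool."""
    client_ip, server_ip = ip_address(client_ip), ip_address(server_ip)
    if not enters_tunnel(client_selectors, server_ip):
        return f"client: {server_ip} matches no phase-2 selector, sent via default route"
    if not any(client_ip in n for n in site_b_return_nets):
        return f"site B: no policy route for {client_ip} back into the site-to-site tunnel"
    return "ok"


if __name__ == "__main__":
    return_route = [covering_prefix(CLIENT_POOL)]            # 10.11.11.0/24 on Site B
    before = [SITE_A_LAN]                                    # selector as Brano had it
    print(diagnose("10.11.11.10", "10.10.20.5", before, return_route))
    print("missing:", missing_destinations(before, [SITE_A_LAN, SITE_B_LAN]))
    after = [covering_prefix([SITE_A_LAN, SITE_B_LAN])]      # 10.10.0.0/19
    print("widened selector:", after[0], "overlaps pool:", overlaps(after[0], CLIENT_POOL))
    print(diagnose("10.11.11.10", "10.10.20.5", after, return_route))
```

Run as-is it prints the "client:" failure for the original single-/24 selector, then "ok" once the selector is widened to 10.10.0.0/19 and Site B has a route for 10.11.11.0/24. The script only models addressing; it says nothing about whether the site-to-site tunnel's own selectors or NAT accept the client pool, which still has to be verified on the firewalls themselves.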