How to forward traffic to branch site server after client established VPN tunnel
Zyxel_Stanley
Posts: 1,377 Zyxel Employee
Scenario: Site#A and SiteB are established site to site VPN tunnel. How to forward traffic to Site#B after client connected VPN tunnel to Site#A.
VPN client can be L2TP/SSL VPN/ IPSec VPN. Client will get the IP address which assigned by Site#A router.
In this scenario, VPN client got IP 10.10.10.1 after established L2TP VPN tunnel to Site#A.
You can add policy route rule on both of routers to forward traffic.
(1) On Site#A (Rule for traffic to Site#B)
(2) On Site#B (Rule for traffic back to Client on Site#A)
After added these rules on both of firewalls, then traffic is able forward to server without any problem.
1
Comments
-
Hi Stanley
hope you're doing well
I'm in very same scenario as described in your schema and I'm trying to make available Site B LAN subnet for VPN IPsec Clients. I added routing policy rules, but I still cannot reach Site B IPs.
Site A ZyWall 110
Site B USG Flex 200
VPN SitetoSite works ok
IPSEC VPN for clients connecting to Site A (10.10.10.0/24) work ok, clients can reach Local LAN. VPC Client use IP 10.11.11.10 - 100
Site A Routing Policy Rule
Site B Routing Policy Rule
I cannot get the routing to Site B work over VPN for the VPC clients. Any suggestion how this can be troubleshoot?
Rgds, Brano0 -
Hi @Brano
Can you try if it works following this guide?
https://support.zyxel.eu/hc/en-us/articles/360010904260-IPSec-VPN-Client-Routing-traffic-over-site-to-site-tunnel
Make sure the 10.11.11. Subnet is NOT configured on Site B (LAN or any other).
Kind Regards,
Tobias0 -
Thank you for your post Tobias.
I added route policies suggested by the guide, but packets are not still reaching Site B LAN.
Site A Routes
WIZ_Site2Site_Kop ---- Site2site VPN tunnel
WIZ_Site2Site_Kop_Remote ---- Site B LAN 10.10.20.0/24
VPN IP Range ---- VPN Clients IP range 10.11.11.1-200 it does not conflict with any existing subnet in my network
Dyn_Clt_SELF ---- Client IPsec VPN
Site B Routes
WIZ_Site2Site_Tur ---- Site2site VPN tunnel
WIZ_Site2Site_Tur_LOCAL ---- Site B LAN 10.10.20.0/24
VPN_Client ---- VPN Clients IP range 10.11.11.1-200
Well, I'm struggling to understand what may be preventing packet to flow there. Packet capture and inspection is not my strong suit.
Any advice is apprciated.
rgds, Brano
0 -
Brano,
Here the problem, 10.10.20.0/24 is not included in the local policy for client.
So that the traffic from client to 10.10.20.0/24 will not go into the VPN tunnel.
You can change the local policy to subnet 10.10.0.0/19 (10.10.0.0/24 ~ 10.10.31.0/24), which include both 10.10.10.0/24 and 10.10.20.0/24.
0
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 146 Nebula Ideas
- 96 Nebula Status and Incidents
- 5.7K Security
- 262 USG FLEX H Series
- 271 Security Ideas
- 1.4K Switch
- 74 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.4K Consumer Product
- 249 Service & License
- 387 News and Release
- 84 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.5K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 85 About Community
- 73 Security Highlight