VPN routing between three sites with new H series and legacy Flex and third party firewall
Hi!
Scenario where we have a site-to-site tunnel between site 1 (USG Flex 200) and a 3rd party site. Now we would want to have a VPN connection from new site 2 (USG Flex 50H) to the 3rd party site via site 1. With two USG FLEX firewalls this routing is possible with policy routes. I have tried a similar setup, so that between site 1 and 2 there is a VTI and traffic is okay between sites 1 and 2, but I cannot get it to work from site 2 to the 3rd party site via site 1. Is it possible to get routing to work between three sites, if sites 1 and 2 have route-based VPN and site 1 and the 3rd party have policy-based VPN? At least for now, I am not able to change the site 1 - 3rd party site VPN to route-based.
Best Regards
All Replies
I take it all three sites have different LAN subnets? Such that we can say
site 1 subnet 1
site 2 subnet 2
3rd party site subnet 3

So with the VTI on site 2 a routing rule at the top of the list with
incoming LAN subnet 2
Destination Address subnet 3
next hop VTI
SNAT none

then on site 1 a routing rule at the top of the list with
incoming VTI
Source Address subnet 2
Destination Address subnet 3
next hop VPN tunnel to site 3

With the Policy Control rules to allow the following, this gets you from subnet 2 to subnet 3. Then the problem is this 3rd party site needs to route the destination subnet 2 down the VPN tunnel.
When that's done you then might need a static route on site 1 with
subnet 2
interface VTI
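The reply above describes a hop-by-hop chain: a policy route on site 2 pushes subnet-2-to-subnet-3 traffic into the VTI, a policy route on site 1 pushes it from the VTI into the policy-based tunnel, and the return path only works once the 3rd party routes subnet 2 back into the tunnel and site 1 has a static route for subnet 2 pointing at the VTI. The following is an added example, not code from the thread or from Zyxel: a small Python model of that three-device topology with top-down policy routes and longest-prefix static routes, used to trace a packet in each direction and confirm where the return path breaks. The subnets, interface names (`vti`, `vpn_to_site3`, `vpn_to_site1`) and the decision to model the policy-based tunnel's traffic selector as a plain route are all assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed addressing for the three sites in the thread (placeholders, not real networks).
SUBNET1 = ipaddress.ip_network("10.1.0.0/24")   # site 1 LAN behind the USG Flex 200
SUBNET2 = ipaddress.ip_network("10.2.0.0/24")   # site 2 LAN behind the USG Flex 50H
SUBNET3 = ipaddress.ip_network("10.3.0.0/24")   # 3rd-party LAN


@dataclass
class PolicyRoute:
    incoming: str                     # ingress interface the rule matches, or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    next_hop: str


@dataclass
class Device:
    name: str
    local: ipaddress.IPv4Network                        # directly attached LAN
    policy_routes: list = field(default_factory=list)   # evaluated top-down, first match wins
    static_routes: dict = field(default_factory=dict)   # network -> next hop, longest prefix wins

    def next_hop(self, src, dst, incoming):
        """Return the next hop name, "lan" for local delivery, or None if the packet is dropped."""
        if dst in self.local:
            return "lan"
        for rule in self.policy_routes:
            if rule.incoming in ("any", incoming) and src in rule.src and dst in rule.dst:
                return rule.next_hop
        matches = [net for net in self.static_routes if dst in net]
        if not matches:
            return None
        return self.static_routes[max(matches, key=lambda net: net.prefixlen)]


# Assumed links: (device, next hop name) -> (neighbour, interface the packet arrives on there).
# The policy-based tunnel between site 1 and the 3rd party is modelled as an ordinary hop.
LINKS = {
    ("site2", "vti"): ("site1", "vti"),
    ("site1", "vti"): ("site2", "vti"),
    ("site1", "vpn_to_site3"): ("site3", "vpn"),
    ("site3", "vpn_to_site1"): ("site1", "vpn"),
}


def build(third_party_routes_subnet2, site1_static_route_to_vti):
    """Build the three devices with the rules from the reply; the two flags toggle the
    pieces the reply says are still needed for the return path."""
    site2 = Device("site2", SUBNET2, policy_routes=[
        PolicyRoute("lan", SUBNET2, SUBNET3, "vti")])              # site 2 rule, SNAT none
    site1 = Device("site1", SUBNET1, policy_routes=[
        PolicyRoute("vti", SUBNET2, SUBNET3, "vpn_to_site3")])     # site 1 rule
    if site1_static_route_to_vti:
        site1.static_routes[SUBNET2] = "vti"                       # static route subnet 2 -> VTI
    site3 = Device("site3", SUBNET3, static_routes={SUBNET1: "vpn_to_site1"})
    if third_party_routes_subnet2:
        site3.static_routes[SUBNET2] = "vpn_to_site1"              # 3rd party routes subnet 2 into the tunnel
    return {"site1": site1, "site2": site2, "site3": site3}


def trace(devices, start, src, dst, max_hops=8):
    """Forward one packet hop by hop; return the devices visited, or None if it is dropped."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    node, incoming, path = start, "lan", []
    for _ in range(max_hops):
        path.append(node)
        hop = devices[node].next_hop(src, dst, incoming)
        if hop == "lan":
            return path
        if hop is None or (node, hop) not in LINKS:
            return None
        node, incoming = LINKS[(node, hop)]
    return None  # routing loop


if __name__ == "__main__":
    for flags in [(False, False), (True, False), (True, True)]:
        devs = build(*flags)
        print(flags, "forward:", trace(devs, "site2", "10.2.0.10", "10.3.0.10"),
              "return:", trace(devs, "site3", "10.3.0.10", "10.2.0.10"))
```

Running it shows the forward direction succeeding with just the two policy routes, while the return direction is dropped at the 3rd party until it routes subnet 2 into the tunnel, and then dropped at site 1 until the static route for subnet 2 via the VTI exists. The same check is worth doing on real devices: a one-way trace that reaches the far LAN but gets no reply almost always means a missing return route rather than a broken tunnel.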