How to prevent traffic to directly connected subnets being sent through IPSec VPN tunnel?


All Replies

  • dsi_blois_fr

    @PeterUK :

    I tried your suggestion a bit differently.

    I defined two ranges:

    Include_Range_1: 0.0.0.0-192.168.104.255

    Include_Range_2: 192.168.110.0-255.255.255.255

    Which are everything below 192.168.105.0 and after 192.168.109.255, my local IP subnets.

    The ZyWALL 50H doesn't accept ranges in static routes. But it does in Policy Routes (don't ask me why), so I did this:

    image.png

    And with this everything seems to be working the way I want. It is definitely not clean, but it works.

    I'll run some more tests to be sure.
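
The two include ranges from the post above, recomputed from the local block 192.168.105.0-192.168.109.255 and expanded into CIDR prefixes for places that accept only prefixes (an added example, not part of the original post or of any Zyxel tooling). The function names are hypothetical, and the thread does not say whether the device would accept this many prefix entries.

```python
import ipaddress

# Values from the post above: local subnets span 192.168.105.0-192.168.109.255.
LOCAL_FIRST = ipaddress.IPv4Address("192.168.105.0")
LOCAL_LAST = ipaddress.IPv4Address("192.168.109.255")


def complement_ranges(first, last):
    """Return inclusive (start, end) ranges covering all IPv4 space except first..last."""
    lowest = ipaddress.IPv4Address(0)
    highest = ipaddress.IPv4Address(2**32 - 1)
    ranges = []
    if first > lowest:
        ranges.append((lowest, first - 1))
    if last < highest:
        ranges.append((last + 1, highest))
    return ranges


def ranges_to_cidrs(ranges):
    """Expand inclusive ranges into the minimal list of CIDR prefixes."""
    cidrs = []
    for start, end in ranges:
        cidrs.extend(ipaddress.summarize_address_range(start, end))
    return cidrs


def covering(cidrs, address):
    """Return the prefixes containing address; an empty list means it stays off the tunnel."""
    addr = ipaddress.IPv4Address(address)
    return [net for net in cidrs if addr in net]


if __name__ == "__main__":
    ranges = complement_ranges(LOCAL_FIRST, LOCAL_LAST)
    for start, end in ranges:
        print(f"range  {start}-{end}")
    cidrs = ranges_to_cidrs(ranges)
    for net in cidrs:
        print(f"prefix {net}")
    # Constructed sample hosts: one local, one just outside each edge of the local block.
    for host in ("192.168.106.10", "192.168.104.255", "192.168.110.0"):
        print(host, "->", covering(cidrs, host) or "not tunneled")
```

Checking the boundary addresses on both sides of the excluded block is the quickest way to confirm that no local subnet leaks into the tunnel and no remote address is left out of it.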

  • PeterUK
    edited June 17

    You got what I said a bit wrong. I'm talking about the VPN policy routes, not the routes outside the VPN settings.

    From what I can tell, you're now using the VTI that zyman2008 mentioned, so that's a workaround if it works for you. So it looks like VTI with routing rules are obeyed, just not policy-based.

  • dsi_blois_fr

    Hi,

    @PeterUK

    Well, I didn't find "VPN policy routes" in the GUI of the 50H. I only found the "Policy Route" and "Static Route" under Network/Routing.

    But it doesn't matter. I managed to do what I wanted, even if I didn't understand why I had to do all this.

    I can't believe how much time it took me to achieve such a simple thing. And I find this ZyWALL's behaviour is often peculiar. I'm pretty disappointed with it, to be honest.

    But well, it works.

    Thank you everyone for your help, and particularly @PeterUK.

    P.S.: This seems to work too, and it's cleaner I think:

    image.png

    "ALL_SUBNETS" is 0.0.0.0/0