VPN site to site
Hi, we have to establish a site-to-site VPN with a client we worked for.
We are the client in this VPN setup, the branch office.
He gave us:
his VPN gateway 62.97.xx.zz (for privacy I have not published it)
We have a pre-shared key and the algorithms for v1 and v2.
Now the problem:
we have to show up as 10.201.104.30
and we have to reach the remote addresses
10.100.9.0/24
10.100.10.0/24
10.211.12.0/24
10.210.21.0/24
10.209.21.0/24
10.209.24.0/24
In our old USG20 (first version) we built one VPN for each remote address (we need fewer VPNs: only the first and third ones).
1) we created a VPN gateway
2) on each VPN we have
2.1) remote policy with IP 10.201.104.30
2.2) local policy with one of the subnets (10.100.10.0/24)
Then we created a routing policy to route all traffic from a LAN to a specific subnet using a specific VPN as the next hop.
_________________________________________________
Now we have a brand new USG60, and the question is:
Is the correct approach to build several VPNs, or can I build only one and then do something to set the local policy and the routing in the correct way?
Hi @GST
Welcome to the Zyxel community.
Yes, if the policy route is set up correctly and the routing is correct, it is fine to build one tunnel to access different subnets.
Regarding the topology you deployed, our suggestion is that you implement VTI to achieve this.
A VTI (VPN Tunnel Interface) is used to configure IPsec-based VPNs between site-to-site devices, and it is similar to other physical interfaces, so policy routes, static routes and trunks can be applied once the tunnel is active.
Here is the FAQ on how to set up an IPsec site-to-site VPN using VTI on the USG:
https://kb.zyxel.com/KB/searchArticle!gwsViewDetail.action?articleOid=015634&lang=EN
I have tested the setting.
In my config:
1) I created a new VPN IPsec connection. I set it as a VPN tunnel interface and selected the correct VPN gateway.
2) I tried to create a VTI, but it returned an error:
2.1) name vti1
2.2) the IP ......
we have to show up as 10.201.104.30 (remote policy)
and we have to reach the remote addresses (local policy)
10.100.9.0/24
10.100.10.0/24
10.211.12.0/24
10.210.21.0/24
10.209.21.0/24
10.209.24.0/24
How do I translate this into a VTI?
3) In the previous config I had to set NAT
where the SNATs are:
3.1) OUT NAT
source: lan1 subnet
dest: 10.100.9.0/24 (local policy)
SNAT: 10.201.104.30 (remote policy)
3.2) IN NAT
source: 10.100.9.0/24 (local policy)
dest: 10.201.104.30 (remote policy)
SNAT: lan1 subnet
Hi @GST
You can add your IP addresses into a group,
and set a policy route to make these IP addresses go into the VTI tunnel.
Here are the steps to add IP addresses into a group:
Go to Configuration > Object > Address/Geo IP > Address Group > click Add
Then you can set up the policy route for these subnets.
Hmm....
I ended up doing this:
0) Created / kept the old VPN gateway
1) I created a new VPN IPsec connection. I set it as a VPN tunnel interface and selected the correct VPN gateway.
2) I set the VTI as follows:
zone: IPSEC_VPN
VPN rule: the VPN at point 1
IP address: 10.201.104.30 (remote policy), netmask 255.0.0.0
Then I went into Routing > Policy Route.
This choice is like rolling a dice without knowing the purpose of this setting, and without any help.
Actually I have N policies, but it is possible to zip them into one with the last suggestion:
source: LAN1_subnet
destination: one of the local policies, 10.100.9.0/24
next hop: interface VTI
SNAT: 10.201.104.30 (remote policy)
To my surprise this works in both directions, so I don't have to create the returning rule.
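The design the thread ends with (one VTI, one policy route per remote subnet, every route source-NATed to the single address the peer expects, return traffic handled by NAT state rather than a second rule) can be modelled and sanity-checked before it is trusted on the firewall. The following is an added example written for this page, not Zyxel code and not the poster's configuration: it encodes the values stated in the thread (the six remote subnets, the vti1 address 10.201.104.30 with mask 255.0.0.0, the SNAT address) and assumes a branch LAN of 192.168.10.0/24, which the thread never states. Policy routes are modelled as a top-down, first-match list. It also shows the caveat that follows from the 255.0.0.0 mask: vti1 gets a connected route for all of 10.0.0.0/8, so a 10.x destination that has no policy route still enters the tunnel, but without SNAT, and it flags a LAN subnet that would overlap that /8.

```python
"""Model of a single-VTI site-to-site design with per-subnet policy routes
and source NAT. Added example; assumptions are marked inline."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

# --- values stated in the thread ---------------------------------------------
SNAT_ADDRESS = ip_address("10.201.104.30")                        # how we must appear to the peer
VTI_NETWORK = ip_network("10.201.104.30/255.0.0.0", strict=False)  # vti1 address/mask from the last post
REMOTE_SUBNETS = [ip_network(s) for s in (
    "10.100.9.0/24", "10.100.10.0/24", "10.211.12.0/24",
    "10.210.21.0/24", "10.209.21.0/24", "10.209.24.0/24")]

# --- assumption: the thread never gives the branch LAN subnet ------------------
LAN_SUBNET = ip_network("192.168.10.0/24")


@dataclass
class PolicyRoute:
    src: IPv4Network
    dst: IPv4Network
    next_hop: str                    # interface name, e.g. "vti1"
    snat: Optional[IPv4Address] = None


def build_policy_routes():
    """One rule per remote subnet: LAN -> subnet, next hop vti1, SNAT to the
    single address the peer expects (the final design in the thread)."""
    return [PolicyRoute(LAN_SUBNET, d, "vti1", SNAT_ADDRESS) for d in REMOTE_SUBNETS]


class Firewall:
    def __init__(self, routes):
        self.routes = routes
        # (translated src, dst, sport, dport) -> original src; the NAT state
        # that lets replies come back without a separate "IN NAT" rule
        self.nat_state = {}

    def forward(self, src, dst, sport=40000, dport=443):
        """Return (egress interface, source address seen by the next hop)."""
        src, dst = ip_address(src), ip_address(dst)
        for r in self.routes:                       # top-down, first match
            if src in r.src and dst in r.dst:
                new_src = r.snat or src
                if r.snat:
                    self.nat_state[(new_src, dst, sport, dport)] = src
                return r.next_hop, new_src
        # No policy route matched: fall back to the routing table. The
        # 255.0.0.0 mask on vti1 installs a connected route for 10.0.0.0/8,
        # so any other 10.x destination also enters the tunnel, un-NATed.
        if dst in VTI_NETWORK:
            return "vti1", src
        return "wan1", src

    def reply(self, src, dst, sport=443, dport=40000):
        """Return traffic from the peer: undo the NAT from state, or drop."""
        src, dst = ip_address(src), ip_address(dst)
        original = self.nat_state.get((dst, src, dport, sport))
        return ("lan1", original) if original is not None else None


def audit(routes):
    """Checks worth running before trusting a single-VTI design."""
    findings = []
    uncovered = [str(d) for d in REMOTE_SUBNETS if not d.subnet_of(VTI_NETWORK)]
    if uncovered:
        findings.append(f"remote subnets outside the vti1 connected route: {uncovered}")
    if LAN_SUBNET.overlaps(VTI_NETWORK):
        findings.append("LAN subnet overlaps the vti1 /8: LAN traffic could be pulled into the tunnel")
    if any(r.snat != SNAT_ADDRESS for r in routes):
        findings.append("a policy route does not SNAT to the address the peer expects")
    return findings


if __name__ == "__main__":
    fw = Firewall(build_policy_routes())
    print(fw.forward("192.168.10.20", "10.100.9.5"))     # ('vti1', 10.201.104.30)
    print(fw.forward("192.168.10.20", "10.100.11.5"))    # ('vti1', 192.168.10.20): in tunnel, no SNAT
    print(fw.reply("10.100.9.5", "10.201.104.30"))       # ('lan1', 192.168.10.20)
    print(audit(build_policy_routes()))                   # []
```

The `10.100.11.5` case is the one to watch: it is not one of the six subnets, yet it still goes into vti1 because of the connected /8, and the peer would see the real LAN address instead of 10.201.104.30. On the USG that is addressed by a tighter mask on the VTI, or by a firewall rule from LAN1 to the IPSEC_VPN zone that allows only the six address objects.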