USG60 problem forwarding traffic to branch site server after client established VPN tunnel

PaoloC Posts: 5
edited April 2021 in Security

I have 3 USG60 configured in this way: one HQ connected with 2 branch offices (one site-to-site VPN tunnel from HQ to each branch office); I set up a VPN concentrator on HQ and a routing policy for branch office A to reach office B, and I can reach the remote subnets on each site.

I have a problem reaching office A and/or office B after an L2TP/IPsec or SSL VPN connection on HQ.

I tried this solution but for me it is not working:

I tried to figure out what's wrong but I have no clue where I'm wrong.

Thank you in advance for the help, and sorry for my English.

All Replies

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,296  Zyxel Employee

    Hi @PaoloC,

    An alternative way is to have the internal networks of all sites in the same address subnet.

    Then all remote sites can reach the central site and the other sites through the central hub.

    The attached file is the configuration example for your reference.


  • PaoloC

    Hi @Zyxel_Emily ,

    Thank you very much for the reply.

    So I think I figured out where I was wrong: I have to configure SNAT and disable “Use Policy Route to control dynamic IPSec rules”.

    To complete the scenario, each USG has one VPN tunnel established with an external VMware cloud server (ABA_VPN, as you can see in the config file) and a client-to-site L2TP/IPsec VPN, and I have some questions about it:

    1) For this external cloud server, do I need to treat it as one of the branches, as in the notes on the image below?

    2) In the example the L2TP tunnel is established with HQ; will I be able to reach all sites even if I establish client access to one of the branches, to avoid too much bandwidth use on the HQ Internet connection?

    I hope I was clear.

    Thank you in advance.

    Cheers

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,296  Zyxel Employee
    edited December 2019

    Hi @PaoloC,

    VPN concentrator is configured on HQ.

    HQ subnet- 192.168.1.0/24

    L2TP VPN client subnet on HQ- 192.168.70.0/24

    BR1- 192.168.11.0/24

    BR2- 192.168.10.0/24


    Here are the policy routes on each device.

    Attached are the configuration files for your reference.


    Policy Routes on HQ

    Rule 1

    Incoming- L2TP VPN tunnel

    Destination - BR1 subnet

    Next Hop- VPN tunnel to BR1


    Rule 2

    Incoming- L2TP VPN tunnel

    Destination - BR2 subnet

    Next Hop- VPN tunnel to BR2


    Rule 3 (Optional- for L2TP VPN clients to access Internet)

    Incoming- L2TP VPN tunnel

    Source- any

    Destination - any

    Next Hop- auto

    SNAT- outgoing-interface

    Policy Routes on BR1

    Rule 1

    Incoming- any

    Destination - HQ's L2TP VPN client subnet

    Next Hop- VPN tunnel to HQ


    Rule 2

    Source- BR1 subnet

    Destination - BR2 subnet

    Next Hop- VPN tunnel to HQ


    Policy Routes on BR2

    Rule 1

    Incoming- any

    Destination - HQ's L2TP VPN client subnet

    Next Hop- VPN tunnel to HQ


    Rule 2

    Source- BR2 subnet

    Destination - BR1 subnet

    Next Hop- VPN tunnel to HQ
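
A small model of the policy routes listed in the reply above, added here as an example (not from the thread or from Zyxel). The subnets are the ones given in the reply; the tunnel names, interface names and client/server addresses are constructed. It evaluates first-match policy routing at HQ and at a branch for a client-to-branch packet and its reply, and shows where the reply goes when the branch lacks the route back to the L2TP client pool (the symptom in the opening post).

```python
import ipaddress
from dataclasses import dataclass

# Subnets from the reply; tunnel/interface names below are constructed labels.
HQ_LAN, L2TP_POOL = "192.168.1.0/24", "192.168.70.0/24"
BR1_LAN, BR2_LAN, ANY = "192.168.11.0/24", "192.168.10.0/24", "0.0.0.0/0"

@dataclass
class Rule:
    incoming: str        # incoming interface/tunnel, or "any"
    source: str          # CIDR, ANY for "any"
    destination: str     # CIDR, ANY for "any"
    next_hop: str        # VPN tunnel name, or "auto" (main routing table)
    snat: bool = False   # SNAT to outgoing interface (Internet rule only)

# Policy routes per device, in the order the reply lists them.
ROUTES = {
    "HQ":  [Rule("l2tp", ANY, BR1_LAN, "vpn-to-BR1"),
            Rule("l2tp", ANY, BR2_LAN, "vpn-to-BR2"),
            Rule("l2tp", ANY, ANY, "auto", snat=True)],
    "BR1": [Rule("any", ANY, L2TP_POOL, "vpn-to-HQ"),
            Rule("any", BR1_LAN, BR2_LAN, "vpn-to-HQ")],
    "BR2": [Rule("any", ANY, L2TP_POOL, "vpn-to-HQ"),
            Rule("any", BR2_LAN, BR1_LAN, "vpn-to-HQ")],
}

def policy_route(rules, incoming, src, dst):
    """First matching policy route wins; None means the main routing table decides."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.incoming in ("any", incoming) \
           and s in ipaddress.ip_network(r.source) \
           and d in ipaddress.ip_network(r.destination):
            return r.next_hop
    return None

def round_trip(branch, client, server, routes=ROUTES):
    """Hop chosen at HQ for client->server, and at the branch for the reply."""
    fwd = policy_route(routes["HQ"], "l2tp", client, server)
    back = policy_route(routes[branch], "lan1", server, client)
    return fwd, back

if __name__ == "__main__":
    print(round_trip("BR1", "192.168.70.5", "192.168.11.20"))
    # Without BR1's first rule the reply has no policy route back to the
    # L2TP pool and falls to BR1's main table (its default route), not the tunnel.
    broken = {**ROUTES, "BR1": ROUTES["BR1"][1:]}
    print(round_trip("BR1", "192.168.70.5", "192.168.11.20", broken))
```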


  • PaoloC
    PaoloC Posts: 5

    Hi @Zyxel_Emily ,

    Thank you very much for your reply.

    I really appreciate your help. I've been away for a while and I'm going to try your suggestions as soon as I can; I will try to treat the external VMware cloud as one of the two branches and let you know the results.

    Thanks again, and I take the opportunity to wish you a happy new year.

    Cheers

    Paolo
