VPN tunnel between two USG20's with pass-through internet access for some public IP's

MartinD
MartinD Posts: 3  Freshman Member
First Comment
edited April 2021 in Security

Hi community,

We are connecting two site, #1 (in Australia) and #2 (in Denmark) using two USG20-VPN devices, one in each end. We need to connect the two offices in a way that site #1 is integrated with site #2 and so #1 can access the internet using the public ip address of #2 in some circumstances. Also, the Australian site should NOT be visible to LAN devices on the Danish LAN, but the Danish SHOULD be visible to the Australian site. Site #1 is on a dynamic public IP. Site #2 is on fixed public IP.

Specifically, we are trying to achieve the following objectives:

All LAN ip addresses in site 2 must be visible and accessible to LAN ip addresses from site 1 (must have feature)

AND

All LAN ip addresses in site 1 should NOT be visible or accessible to LAN ip addresses from site 2 (Would like to have feature)

AND

All internet traffic originating from Site 1 bound for Danish public IP addresses must be routed through site 2 and get the WAN ip of site 2 (preferred feature)

OR

All internet traffic from site 1 must get the public IP address of the site 2 WAN interface regardless of destination (secondary option if the preferred feature cannot be achieved)

Is someone able to link provide the configuration steps to achieve the above, or link to an article that describes the steps? We have not been able to find them. We have managed to establish a VPN tunnel but struggle to get any traffic bound for the internet routed through site #2 and out on the internet. Rather than explaining what we must have done wrong, i'm hopeful that someone can inform us how to do it right :)


Thanks in advance

Martin

Accepted Solution

All Replies

  • dejmal69
    dejmal69 Posts: 16  Freshman Member
    First Comment Fourth Anniversary

    Hello,

    How much subnets is on each sites?

    If is 1+1 setup the one site to site VPN with dynamic peer. Subnets are each other visible.

    see: https://kb.zyxel.com/KB/searchArticle!gwsViewDetail.action?articleOid=015559&lang=EN

    If is 2, setup the VTI

    https://support.zyxel.eu/hc/en-us/articles/360000707399-How-can-I-configure-IPSec-site-to-site-VPN-by-using-VTI-on-the-USG-

    and corresponding policy routes.

    If is more than 2 use also VTI and for routing between branches OSPF

    VTI tunel is backbone area 0. Other araes as required. Subnets in one area are each other visible.

    Note: OSPF over VTI is supported from 4.32 firmware. On branches must not be the same subnets.

  • MartinD
    MartinD Posts: 3  Freshman Member
    First Comment

    Thank you to both for your answers. I only have one subnet in either end (192.168.100.0 and 192.168.1.0 respectively) VPN tunnel is working, -used the quick guide to achieve this.

    @zyman2008 I will try the above and revert with the result Monday. Thanks for the detailed guidance.

  • MartinD
    MartinD Posts: 3  Freshman Member
    First Comment
    edited February 2020

    Hi @zyman2008, you are a legend, this seems to work as intended! The only thing I'm struggling with right now is that when the two policy routes are enabled at site 1 (AU), then I am no longer able to access the local subnet at Site2 (DK). If I disabled them, then I can access the subnet at site2 from Site1 again.

    Update: I have added an additional subnet for Site2 under object - address/geo IP and then created an additional policy route for this object with next hop pointing to the VPN tunnel. Similar to the policy route for the DK subnet. That did the trick.

    Thanks for your help!

  • zyman2008
    zyman2008 Posts: 222  Master Member
    25 Answers First Comment Friend Collector Seventh Anniversary

    Hi @MartinD,

    Sorry I missing the 2nd policy route rule for Site1 to Site 2.

    It's great to know you got the point. ?

  • warwickt
    warwickt Posts: 111  Ally Member
    5 Answers First Comment Friend Collector Third Anniversary

    yep as per dejmal69 mentioned .. use VTI tunnels and OSFP if needed .very simple to set up.


    Warwick

    Hong Kong

Security Highlight