VPN tunnel between two USG20's with pass-through internet access for some public IP's
Hi community,
We are connecting two sites, #1 (in Australia) and #2 (in Denmark), using two USG20-VPN devices, one at each end. We need to connect the two offices in a way that site #1 is integrated with site #2 and so #1 can access the internet using the public IP address of #2 in some circumstances. Also, the Australian site should NOT be visible to LAN devices on the Danish LAN, but the Danish site SHOULD be visible to the Australian site. Site #1 is on a dynamic public IP. Site #2 is on a fixed public IP.
Specifically, we are trying to achieve the following objectives:
All LAN IP addresses in site 2 must be visible and accessible to LAN IP addresses from site 1 (must-have feature)
AND
All LAN IP addresses in site 1 should NOT be visible or accessible to LAN IP addresses from site 2 (would-like-to-have feature)
AND
All internet traffic originating from site 1 bound for Danish public IP addresses must be routed through site 2 and get the WAN IP of site 2 (preferred feature)
OR
All internet traffic from site 1 must get the public IP address of the site 2 WAN interface regardless of destination (secondary option if the preferred feature cannot be achieved)
Is someone able to provide the configuration steps to achieve the above, or link to an article that describes the steps? We have not been able to find them. We have managed to establish a VPN tunnel but struggle to get any traffic bound for the internet routed through site #2 and out on the internet. Rather than explaining what we must have done wrong, I'm hopeful that someone can inform us how to do it right :)
Thanks in advance
Martin
Accepted Solution
Hi @MartinD,
All you need can be achieved.
The steps are: build the IPSec VPN -> policy route -> firewall rules.
Note: use the Expert mode GUI instead of Easy mode.
Site2 USG settings:
1. Create the IPSec VPN rule (server role)
- On the GUI, click Quick Setup and select VPN Setup to launch the VPN wizard
- In the first step, select VPN Settings. Then Express, and then you can modify the rule name (ex. ToAU) and select Remote Access (Server Role)
- Next, select the WAN interface, a pre-shared key for the VPN, and Local Policy (0.0.0.0/0.0.0.0)
2. Create a policy route for Site 1 to the Internet or a specific destination (all internet traffic originating from Site 1 bound for Danish public IP addresses must be routed through Site 2 and get the WAN IP of Site 2, OR all internet traffic from Site 1 must get the public IP address of the Site 2 WAN interface regardless of destination)
- First you need to create an address object for the Site 1 LAN network address
- On the GUI, go to Object -> Address/Geo IP -> Address, click Add, give the object a name, select address type SUBNET, then enter the network address
- On the GUI, go to Network -> Routing -> Policy Route, click Add to create a policy route
- Select the address object created for the Site 1 LAN in the above step as the source address
- In the Next-Hop section, select type: Interface, and select the Site 2 WAN interface
- Then in the Address Translation section, make sure the Source Network Address Translation setting is set to "outgoing-interface" (this is the key to letting Site 1 access the Internet with the Site 2 WAN interface public IP)
3. Create a firewall rule to block the Site 2 LAN from accessing the Site 1 LAN (all LAN IP addresses in Site 1 should NOT be visible or accessible to LAN IP addresses from Site 2)
- On the GUI, go to Security Policy -> Policy Control -> Policy, click Add to create a firewall rule
- Give the rule a name, then To: select "IPSec_VPN", Source: select "LAN1_SUBNET" or any, Destination: select the Site 1 LAN address object, Action: set to Deny
Site1 USG settings:
1. Create the IPSec VPN rule (client role)
- On the GUI, click Quick Setup and select VPN Setup to launch the VPN wizard
- In the first step, select VPN Settings. Then Express, and then you can modify the rule name (ex. ToDK) and select Remote Access (Client Role)
- Next, select the WAN interface; Secure Gateway is the WAN public IP of Site 2; the pre-shared key must be the same as in the Site 2 VPN settings; Local Policy: the Site 1 LAN network address (ex. 192.168.2.0/255.255.255.0); Remote Policy: 0.0.0.0/0.0.0.0
2. Create a policy route for Site 1 to the Internet or a specific destination
Case 1: All internet traffic originating from Site 1 bound for Danish public IP addresses must be routed through Site 2 and get the WAN IP of Site 2
- You need to create a country address object (a Content Filter license is needed for GeoIP database updates). On the GUI, go to Object -> Address/Geo IP -> Address, click Add, give the object a name, select address type GEOGRAPHY, then select the region Denmark
- Create 2 policy route rules:
a. The first rule is for destinations in Danish public IP space; it will go through the VPN to Site 2
i. Destination Address: select the GeoIP address object created for DK
ii. In the Next-Hop section, select type: VPN Tunnel, and select the VPN tunnel to Site 2
b. The second rule is for the rest of the destinations on the Internet
i. In the Next-Hop section, select type: Interface, and select the Site 1 WAN interface
ii. In the Address Translation section, make sure the Source Network Address Translation setting is set to "outgoing-interface"
Case 2: All internet traffic from site 1 must get the public IP address of the site 2 WAN interface regardless of destination
In this case, the auto VPN route is already there in the VPN settings, so you don't need to add any policy route for it, and it'll work.
Hope this helps, FYI.
All Replies
Hello,
How many subnets are on each site?
If it is 1+1, set up one site-to-site VPN with a dynamic peer. The subnets are visible to each other.
See: https://kb.zyxel.com/KB/searchArticle!gwsViewDetail.action?articleOid=015559&lang=EN
If it is 2, set up VTI
and the corresponding policy routes.
If it is more than 2, also use VTI, and OSPF for routing between the branches.
The VTI tunnel is backbone area 0. Other areas as required. Subnets in one area are visible to each other.
Note: OSPF over VTI is supported from firmware 4.32. The branches must not have the same subnets.
Thank you to both for your answers. I only have one subnet at either end (192.168.100.0 and 192.168.1.0 respectively). The VPN tunnel is working; I used the quick guide to achieve this.
@zyman2008 I will try the above and revert with the result Monday. Thanks for the detailed guidance.
Hi @zyman2008, you are a legend, this seems to work as intended! The only thing I'm struggling with right now is that when the two policy routes are enabled at Site 1 (AU), I am no longer able to access the local subnet at Site 2 (DK). If I disable them, I can access the subnet at Site 2 from Site 1 again.
Update: I have added an additional subnet for Site2 under object - address/geo IP and then created an additional policy route for this object with next hop pointing to the VPN tunnel. Similar to the policy route for the DK subnet. That did the trick.
Thanks for your help!
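The following is an added example and is not Zyxel code or anything posted in the thread: a small Python model of first-match policy routing and security policy on the two USG20-VPN units, covering the tables from the accepted solution (Case 1 and Case 2 at Site 1, the hairpin-with-SNAT rule at Site 2, the deny rule in step 3) and the rule-ordering fix from the last post. The LAN subnets are the ones stated in the thread; the WAN addresses, the two prefixes standing in for the Denmark GeoIP object, the rule names and the "8.8.8.8" non-Danish test host are assumptions made for the example.

```python
"""Toy model of first-match policy routing and security policy on the two
USG20-VPN units in the thread. Added example, not Zyxel's code; subnets are
from the thread, WAN addresses and the 'Denmark' prefix list are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

SITE1_LAN = ip_network("192.168.100.0/24")          # AU (dynamic public IP)
SITE2_LAN = ip_network("192.168.1.0/24")            # DK (fixed public IP)
SITE1_WAN_IP = ip_address("192.0.2.1")              # constructed, RFC 5737 range
SITE2_WAN_IP = ip_address("192.0.2.2")              # constructed
DK_GEOIP = [ip_network("203.0.113.0/24"),
            ip_network("198.51.100.0/24")]          # stand-in for the GEOGRAPHY object
ANY = ip_network("0.0.0.0/0")
OUTGOING = "outgoing-interface"                     # the SNAT setting the solution relies on


@dataclass(frozen=True)
class PolicyRoute:
    name: str
    src: IPv4Network
    dst: List[IPv4Network]
    next_hop: str            # "vpn:ToDK" (tunnel) or "wan1" (interface)
    snat: Optional[str]      # OUTGOING or None


@dataclass(frozen=True)
class Decision:
    rule: str
    next_hop: str
    snat: Optional[str]


def route(rules: List[PolicyRoute], src: str, dst: str) -> Decision:
    """Policy routes are checked top-down and the first match wins; anything
    unmatched falls through to the main routing table (default route here)."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if s in r.src and any(d in n for n in r.dst):
            return Decision(r.name, r.next_hop, r.snat)
    return Decision("main-routing-table", "wan1", OUTGOING)


# Site 1, Case 1 as first tried: DK GeoIP -> tunnel, everything else -> own WAN.
SITE1_CASE1_BROKEN = [
    PolicyRoute("to-DK-geoip", SITE1_LAN, DK_GEOIP, "vpn:ToDK", None),
    PolicyRoute("rest-to-internet", SITE1_LAN, [ANY], "wan1", OUTGOING),
]
# The fix from the last post: a rule for the Site 2 LAN placed above the catch-all.
SITE1_CASE1_FIXED = [
    PolicyRoute("to-DK-lan", SITE1_LAN, [SITE2_LAN], "vpn:ToDK", None),
    PolicyRoute("to-DK-geoip", SITE1_LAN, DK_GEOIP, "vpn:ToDK", None),
    PolicyRoute("rest-to-internet", SITE1_LAN, [ANY], "wan1", OUTGOING),
]
# Case 2: remote policy 0.0.0.0/0 gives an automatic route into the tunnel,
# modelled here as one catch-all rule.
SITE1_CASE2 = [PolicyRoute("auto-vpn-route", SITE1_LAN, [ANY], "vpn:ToDK", None)]
# Site 2 (step 2 of the solution): send AU LAN traffic out wan1 with SNAT.
# Local delivery into 192.168.1.0/24 is handled in observed_source, not here.
SITE2_ROUTES = [PolicyRoute("AU-to-internet", SITE1_LAN, [ANY], "wan1", OUTGOING)]


def observed_source(site1_rules: List[PolicyRoute], src: str, dst: str
                    ) -> Tuple[List[str], IPv4Address]:
    """Follow one new session from Site 1; return (path, source address the
    destination sees). Reply traffic is assumed to follow the session state."""
    d1 = route(site1_rules, src, dst)
    path = ["site1:" + d1.rule]
    if d1.next_hop == "wan1":
        # A private destination sent this way leaves the AU WAN and never reaches Site 2.
        return path, SITE1_WAN_IP if d1.snat == OUTGOING else ip_address(src)
    if ip_address(dst) in SITE2_LAN:
        return path + ["site2:local"], ip_address(src)
    d2 = route(SITE2_ROUTES, src, dst)
    path.append("site2:" + d2.rule)
    return path, SITE2_WAN_IP if d2.snat == OUTGOING else ip_address(src)


@dataclass(frozen=True)
class SecurityPolicy:
    name: str
    to_zone: str
    src: IPv4Network
    dst: IPv4Network
    action: str              # "allow" or "deny"


# Site 2 step 3: deny DK LAN -> AU LAN into the IPSec_VPN zone. The trailing
# allow stands in for the default LAN-to-any rule.
SITE2_FIREWALL = [
    SecurityPolicy("block-DK-to-AU", "IPSec_VPN", SITE2_LAN, SITE1_LAN, "deny"),
    SecurityPolicy("default-allow", "IPSec_VPN", ANY, ANY, "allow"),
]


def firewall(policies: List[SecurityPolicy], to_zone: str, src: str, dst: str) -> str:
    """First matching policy decides a *new* session; no match means deny."""
    s, d = ip_address(src), ip_address(dst)
    for p in policies:
        if p.to_zone == to_zone and s in p.src and d in p.dst:
            return p.action
    return "deny"


if __name__ == "__main__":
    tables = (("broken", SITE1_CASE1_BROKEN), ("fixed", SITE1_CASE1_FIXED), ("case2", SITE1_CASE2))
    for label, rules in tables:
        for dst in ("192.168.1.10", "203.0.113.5", "8.8.8.8"):
            path, seen = observed_source(rules, "192.168.100.20", dst)
            print(f"{label:6} -> {dst:13} via {' > '.join(path):38} seen as {seen}")
    print("DK 192.168.1.10 -> AU 192.168.100.20:",
          firewall(SITE2_FIREWALL, "IPSec_VPN", "192.168.1.10", "192.168.100.20"))
```

Running it shows why the last post needed a third rule: a policy route is matched before the main routing table, so the "rest to Internet" catch-all at Site 1 also claims packets for 192.168.1.0/24 and pushes them out the AU WAN; the more specific Site 2 LAN rule only helps when it sits above the catch-all. The firewall model is stateless, so it only answers for new sessions; the deny rule blocks DK-initiated sessions to the AU LAN while AU-initiated sessions (and their replies) are unaffected.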