Site to Site VPN
I am trying to set up a site to site VPN where:
Permanent UK Site - USG60W - 5 Static IP Addresses
Remote Site - VPN2S - Dynamic IP, it will be behind other routers, firewalls and NATs as I will be traveling constantly across the globe.
I cannot have VPN software installed on the endpoint so I need to be able to plug an ethernet connection into the VPN2S anywhere in the world, connect my laptop to the VPN2S and instantly have a connection to the USG60W.
I'm following the site to site VPN guide but they are for static IP addresses on both sides.
Any recommendations what I need to change on the USG60W to allow for the VPN2S to connect?
Currently I am testing from a 4G data dongle.
All Replies
-
I have managed to establish a connection.
I've set up the USG60W as site-to-site to dynamic peer. I've also set the VPN2S remote policy to full tunnelling.
The current problem I am having, however, is that I do not have internet access when set up as full tunnelling.
Any thoughts?
-
For this it is necessary to provide a policy route: source your VPN, destination any, next hop your WAN or trunk if you have WAN failover.
-
dejmal69 said: For this it is necessary to provide a policy route: source your VPN, destination any, next hop your WAN or trunk if you have WAN failover.
-
Hi @RCP
After you enable the “full tunnel” function, all VPN2S traffic will be forwarded to the peer site via the VPN tunnel.
So you can add a policy route on the USG60W to route that traffic to the Internet or the Intranet of the USG60W.
e.g. Source: VPN2S Subnet, Destination: any, NextHop: Auto, SNAT: outgoing-interface.
After adding this rule, traffic from the VPN2S will be able to access the Internet & Intranet of the USG60W.
You are right, an additional policy route rule is required for this scenario.
Thanks for your answer.
0 -
It didn't work... these are my settings.
USG60W Settings
Routing
VPN Connection
IPSec_VPN Zone
VPN2S Zone
VPN Gateway
0 -
For VPN Gateway, under gateway settings, select static address and put in Primary the IP or DDNS of the other site.
For VPN Connection, set it to site to site and click Advanced to have it Nailed-Up.
0 -
Hi @RCP
After enabling the “Full tunnel” function on the VPN2S, the remote policy IP subnet will become “Any”.
So it means you have to set up the “0.0.0.0/0” subnet as the local policy on your USG60W. After configuring it correctly, you can make sure the VPN tunnel is established successfully.
And also make sure the policy route rule has been configured successfully.
Then client addresses coming from 192.168.50.0/24 will be able to access the internet via the USG60W.
Note: In your VPN policy, the IP subnet is the same as the default IP subnet.
So you have to make sure the IP addresses of your VPN2S and USG60W do not overlap.
0 -
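The two checks Zyxel_Stanley asks for above (hub local policy must be 0.0.0.0/0 once the spoke goes full tunnel, and the two LAN subnets must not overlap) plus the policy route itself can be modelled offline. The following is an added example, not code from the thread or from Zyxel firmware; it uses 192.168.1.0/24 for the USG60W LAN and 192.168.5.0/24 for the VPN2S LAN as given in the thread, and a constructed placeholder 203.0.113.242 for the hub WAN address. The `PolicyRoute` class and the function names are assumptions made for this example.

```python
"""Offline model of a full-tunnel hub-and-spoke setup and its policy route.

Added example (not from the thread or from Zyxel). It shows why the spoke has
no internet access until the hub gets a policy route with SNAT, and flags the
two configuration mistakes discussed in the thread.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Subnets from the thread; the WAN address is a constructed placeholder.
HUB_LAN = ip_network("192.168.1.0/24")       # USG60W LAN (192.168.1.1)
SPOKE_LAN = ip_network("192.168.5.0/24")     # VPN2S LAN (192.168.5.1)
HUB_WAN_IP = ip_address("203.0.113.242")     # constructed, stands in for the real .242
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class PolicyRoute:
    """One policy route entry: match source/destination, pick next hop and SNAT."""
    source: IPv4Network
    destination: IPv4Network            # ANY means "Destination: any"
    next_hop: str                       # interface name, e.g. "wan1"
    snat_to: Optional[IPv4Address]      # None means no source NAT


def check_vpn_policy(full_tunnel: bool, hub_local_policy: IPv4Network,
                     hub_lan: IPv4Network, spoke_lan: IPv4Network) -> List[str]:
    """Return the configuration problems found (empty list means OK)."""
    problems = []
    # A full-tunnel spoke sends everything through the tunnel, so the hub's
    # local policy must be 0.0.0.0/0 or phase 2 selectors will not match.
    if full_tunnel and hub_local_policy != ANY:
        problems.append(f"full tunnel needs local policy 0.0.0.0/0 on the hub, "
                        f"found {hub_local_policy}")
    # Overlapping LANs make return traffic ambiguous on both sides.
    if hub_lan.overlaps(spoke_lan):
        problems.append(f"hub LAN {hub_lan} overlaps spoke LAN {spoke_lan}")
    return problems


def route_packet(routes: List[PolicyRoute], src: IPv4Address,
                 dst: IPv4Address) -> Optional[Tuple[str, IPv4Address]]:
    """First-match policy routing: return (next_hop, source after SNAT) or None."""
    for r in routes:
        if src in r.source and dst in r.destination:
            return r.next_hop, (r.snat_to if r.snat_to is not None else src)
    return None  # no route for this flow: the symptom reported in the thread


def spoke_internet_works(routes: List[PolicyRoute]) -> bool:
    """True when a spoke client reaching the internet is forwarded and SNATed."""
    client = ip_address("192.168.5.20")   # constructed spoke client address
    decision = route_packet(routes, client, ip_address("1.1.1.1"))
    return decision is not None and decision[1] == HUB_WAN_IP


# The rule from the thread: Source = VPN2S subnet, Destination = any,
# NextHop = WAN, SNAT = outgoing interface address.
RECOMMENDED_ROUTES = [PolicyRoute(SPOKE_LAN, ANY, "wan1", HUB_WAN_IP)]

if __name__ == "__main__":
    print(check_vpn_policy(True, ip_network("192.168.1.0/24"), HUB_LAN, SPOKE_LAN))
    print(check_vpn_policy(True, ANY, HUB_LAN, SPOKE_LAN))
    print("without policy route:", spoke_internet_works([]))
    print("with policy route:", spoke_internet_works(RECOMMENDED_ROUTES))
```

With an empty route list the spoke client gets no decision (no internet), while the recommended rule forwards it out `wan1` with the hub WAN address as source. The overlap check is the reason the reply insists the VPN2S and USG60W subnets differ: with `hub_lan.overlaps(spoke_lan)` true, a packet for 192.168.1.1 could match either side's local route.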
Zyxel_Stanley said:
Hi @RCP
After enabling the “Full tunnel” function on the VPN2S, the remote policy IP subnet will become “Any”.
So it means you have to set up the “0.0.0.0/0” subnet as the local policy on your USG60W. After configuring it correctly, you can make sure the VPN tunnel is established successfully.
And also make sure the policy route rule has been configured successfully.
Then client addresses coming from 192.168.50.0/24 will be able to access the internet via the USG60W.
Note: In your VPN policy, the IP subnet is the same as the default IP subnet.
So you have to make sure the IP addresses of your VPN2S and USG60W do not overlap.
Success!
Now I have three problems.
Problem 1
At the moment I am testing with a single ISP of which I have 5 public IP addresses. My USG60W internet IP address ends in .242 and the VPN2S (for the purpose of setting it up) to .246. Both devices are connected to the same modem using 2 different IP addresses, as mentioned earlier, that my ISP assigned to me. My internet speed over VPN is limited to 5.1 Mbps download and 4.6 Mbps upload. I have a dedicated 500 Mbps download and 50 Mbps upload with my current ISP. Is there a reason why the speed is so limited?
Problem 2
I lose access to the VPN2S Web GUI (192.168.5.1) the moment the connection is successful and I have internet access. I can even access my USG60W (192.168.1.1) but not the VPN2S.
Problem 3
If I attach any new devices to VPN2S or reattach the connected device it will not get an IP address from the DHCP server. Once I kill the VPN connection from the USG60W the devices connected to the VPN2S will get a static IP address.
0 -
Hi @RCP
After the VPN tunnel is established, performance may be affected since the system will encrypt/decrypt the packets. In my environment, testing with speedtest, the performance can reach up to 30Mbps.
For the DHCP and WebGUI access issue we are still analysing. Once there is any conclusion I will update you again.
0 -
Zyxel_Stanley said:
Hi @RCP
After the VPN tunnel is established, performance may be affected since the system will encrypt/decrypt the packets. In my environment, testing with speedtest, the performance can reach up to 30Mbps.
For the DHCP and WebGUI access issue we are still analysing. Once there is any conclusion I will update you again.
I should be getting 30Mbps but I'm only getting 5Mbps.