Site to Site VPN

RCP
RCP Posts: 17  Freshman Member
First Comment Friend Collector
edited April 2021 in Security
Hi Team,

I am trying to setup a site to site VPN where:

Permanent UK Site - USG60W - 5 Static IP Addresses

Remote Site - VPN2S - Dynamic IP, it will be behind other routers, firewalls and NATs as I will be traveling constantly across the globe.

I cannot have VPN software installed on the endpoint so I need to be able to to plug an ethernet connection into the VPN2S anywhere in the world, connect my laptop to the VPN2S and instantly have a connection to the USG60W.

I'm following the site to site VPN guide but they are for static IP addresses on both sides.

Any recommendations what I need to change on the USG60W to allow for the VPN2S to connect?

Currently I am testing from a 4G data dongle.
«1

All Replies

  • RCP
    RCP Posts: 17  Freshman Member
    First Comment Friend Collector
    I have managed to establish a connection.

    I've setup USG60W as Site-to-site to dynamic peer. I've also setup for the VPN2S remote policy to full tunnelling.

    The current problem I am having however is that I do not have internet access when setup as full tunnelling.

    Any thoughts?
  • dejmal69
    dejmal69 Posts: 16  Freshman Member
    First Comment First Anniversary
    For this is necesary policy route provide. Source your vpn destination any nexthop your Wan or trunk if you have wan failover.
  • RCP
    RCP Posts: 17  Freshman Member
    First Comment Friend Collector
    dejmal69 said:
    For this is necesary policy route provide. Source your vpn destination any nexthop your Wan or trunk if you have wan failover.
    Thanks for the reply. Where do I need to setup the policy route? On the USG60W or the VPN2S? I already have one on the USG but still no internet.
  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,377  Zyxel Employee
    100 Answers 1000 Comments Friend Collector Seventh Anniversary
    edited June 2020

    Hi @RCP

    After you enabled “full tunnel” function, all of VPN2S traffic will forward to peer site via VPN tunnel.

     

    So you can add policy route on USG60W for route traffic to Internet or Intranet of USG60W.

    e.g. Source: VPN2S Subnet, Destination: any, NextHop: Auto, SNAT: outgoing-interface.


    After added this rule, then traffics from VPN2S will able access to Internet & Intranet of USG60W.


    @dejmal69

    You are right, additional policy route rule is required for this scenario.

    Thanks for your answer.

  • RCP
    RCP Posts: 17  Freshman Member
    First Comment Friend Collector
    edited June 2020
    It didn't work... these are my settings.

    USG60W Settings

    Routing


    VPN Connection


    IPSec_VPN Zone


    VPN2S Zone


    VPN Gateway

  • PeterUK
    PeterUK Posts: 3,389  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited June 2020

    For VPN Gateway under gateway settings select static address and put in Primary your IP or DDNS of the other site.

    For VPN Connection set to site to site click advanced to have it Nailed up


  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,377  Zyxel Employee
    100 Answers 1000 Comments Friend Collector Seventh Anniversary

    Hi @RCP

    After enabled “Full tunnel” function on VPN2S, then remote policy IP subnet will become to “Any”.


    So it means you have to setup “0.0.0.0/0” subnet as local policy on your USG60W.

    After configured correctly, you can make sure VPN tunnel is established successfully.


    And also make sure policy route rule has configured successfully.

    Then client address which coming from 192.168.50.0/24 will able access to internet via USG60W.


    Note: As your VPN policy, IP subnet is the same as default IP subnet.

    So you have to make sure the IP address without any overlap to your VPN2S and USG60W.

  • RCP
    RCP Posts: 17  Freshman Member
    First Comment Friend Collector
    edited June 2020

    Hi @RCP

    After enabled “Full tunnel” function on VPN2S, then remote policy IP subnet will become to “Any”.


    So it means you have to setup “0.0.0.0/0” subnet as local policy on your USG60W.

    After configured correctly, you can make sure VPN tunnel is established successfully.


    And also make sure policy route rule has configured successfully.

    Then client address which coming from 192.168.50.0/24 will able access to internet via USG60W.


    Note: As your VPN policy, IP subnet is the same as default IP subnet.

    So you have to make sure the IP address without any overlap to your VPN2S and USG60W.

    Hi,

    Success!

    Now I have three problems.

    Problem 1
    At the moment I am testing with a single ISP of which I have 5 public IP addresses. My USG60W internet IP address ends in .242 and the VPN2S (for the purpose of setting it up) to .246. Both devices are connected to the same modem using 2 different IP addresses, as mentioned earlier, that my ISP assigned to me. My internet speed over VPN is limited to 5.1 Mbps download and 4.6 Mbps upload. I have a dedicated 500 Mbps download and 50 Mbps upload with my current ISP. Is there a reason why the speed is so limited?

    Problem 2
    I lose access to the VPN2S Web GUI (192.168.5.1) the moment the connection is successful and I have internet access. I can even access my USG60W (192.168.1.1) but not the VPN2S.

    Problem 3
    If I attach any new devices to VPN2S or reattach the connected device it will not get an IP address from the DHCP server. Once I kill the VPN connection from the USG60W the devices connected to the VPN2S will get a static IP address.
  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,377  Zyxel Employee
    100 Answers 1000 Comments Friend Collector Seventh Anniversary

    Hi @RCP

    After established VPN tunnel, the performance may effect since system will encrypt/decrypt the packets. In my environment, test it by speedtest the performance can reach up to 30Mbps.

    For DHCP and WebGUI access issue we still analysing. Once there is any conclusion I will update to you again.

  • RCP
    RCP Posts: 17  Freshman Member
    First Comment Friend Collector

    Hi @RCP

    After established VPN tunnel, the performance may effect since system will encrypt/decrypt the packets. In my environment, test it by speedtest the performance can reach up to 30Mbps.

    For DHCP and WebGUI access issue we still analysing. Once there is any conclusion I will update to you again.

    Can the chosen encryption algorithm affect the speed?

    I should be getting 30Mbps but I'm only getting 5Mbps.

Security Highlight