Remote access over VPN
Accepted Solution
-
Hi @dejmal69,
On SBG, select “Any” as Remote IP Type in IPSec policy.
On USG, set local policy of VPN tunnel as 0.0.0.0/0.
Add a policy route for traffic from SBG.
Incoming: tunnel
Source Address: SBG LAN subnet (ex: 192.168.1.0/24)
Next-Hop: USG’s WAN interface
Add a NAT rule.
In this example, the PC in SBG’s LAN has IP address 192.168.1.3.
Add a security policy rule.
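Why the accepted solution widens the tunnel policy to Any / 0.0.0.0/0, as an added example that is not part of the original post: a small Python model of the reply path from the PC behind the SBG back to an Internet client. The USG LAN subnet, the client address, and the assumption that unmatched traffic leaves through the SBG's own WAN are constructed for illustration; only 192.168.1.0/24, 192.168.1.3 and the policy route come from the post.

```python
from ipaddress import ip_address, ip_network

SBG_LAN = ip_network("192.168.1.0/24")   # from the post
PC = ip_address("192.168.1.3")           # from the post
USG_LAN = ip_network("192.168.10.0/24")  # constructed: a typical narrow selector
CLIENT = ip_address("203.0.113.50")      # constructed: Internet client (TEST-NET-3)
ANY = ip_network("0.0.0.0/0")            # "Any" on SBG / local policy on USG


def sbg_sends_via_tunnel(src, dst, remote_policy):
    """SBG encrypts a packet only if it matches local policy -> remote policy."""
    return src in SBG_LAN and dst in remote_policy


def usg_accepts_from_tunnel(src, dst, local_policy):
    """USG accepts a decrypted packet only if it matches the same selectors."""
    return src in SBG_LAN and dst in local_policy


def usg_policy_route(incoming, src):
    """Policy route from the post: incoming tunnel, source SBG LAN -> WAN."""
    if incoming == "tunnel" and src in SBG_LAN:
        return "wan"
    return "default"


def reply_path(selector):
    """Trace the PC's reply to the Internet client for a given tunnel selector.

    `selector` is the SBG remote policy, which must equal the USG local policy.
    """
    if not sbg_sends_via_tunnel(PC, CLIENT, selector):
        # Assumption: unmatched traffic follows the SBG's default route, so the
        # reply never returns through the USG that translated the request.
        return "sbg-local-wan"
    if not usg_accepts_from_tunnel(PC, CLIENT, selector):
        return "dropped-at-usg"
    return "usg-" + usg_policy_route("tunnel", PC)


if __name__ == "__main__":
    print("narrow selector:", reply_path(USG_LAN))
    print("0.0.0.0/0      :", reply_path(ANY))
```

With the narrow selector the reply bypasses the tunnel; with 0.0.0.0/0 it returns through the USG, where the policy route sends it out the WAN interface.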
All Replies
-
Hi @dejmal69
I am going to give to you a theoretical answer.
USG110:
- Port Forwarding to NAS IP address. (Static destination NAT)
- Source NAT. Masquerade the Internet (public) IP Address, using an authorized VPN IP address (usually an internal ip address)
- VPN configuration to SBG3500. (be sure the Source NAT address is allowed to use the VPN)
I hope it helps.
Regards
0 -
Thank You very much.
I tested this config.
- NAT to NAS internal IP
- On both sites is the same subnet.
- VPN SNAT over fake subnet and DNAT fake subnet mapped to original local subnet.
- Policy route source lan1 interface, dest remote subnet, nexthop vpn to SBG.
KB Zyxel states that VPN SNAT allows you to use the same subnets without conflict. Unfortunately, it doesn't work. It's obvious that they can be on both sites, but not local / remote VPN subnets.
I haven't tried to configure it like this yet:
- VPN USG110 local sub the same as NAS sub -> Fake sub -> remote sub (other on SBG)
- SBG route, source SNAT IP, destination NAS IP
(Depend on SBG possibilities) If a route back to the VPN is needed, then it will not work. SBG does not allow next hop to VPN. For the same reason, L2TP access from USG110 cannot be used.
If you know of other configuration variants, please share.
Thank You
0 -
Hello Zyxel_Emily
That's great. So easy. Thank You very much.
Dejmal69
0 -
What changes if I have a USG200 instead of the SBG?
0