How to forward traffic to branch site server after client established VPN tunnel

Zyxel_Stanley
Zyxel_Stanley Posts: 814  Zyxel Employee
edited June 2019 in Security

Scenario: Site#A and Site#B have established a site-to-site VPN tunnel. How to forward traffic to Site#B after a client has connected a VPN tunnel to Site#A.

The VPN client can be L2TP/SSL VPN/IPSec VPN. The client will get the IP address assigned by the Site#A router.

In this scenario, the VPN client got IP 10.10.10.1 after establishing an L2TP VPN tunnel to Site#A.

You can add a policy route rule on both routers to forward the traffic.

(1) On Site#A (Rule for traffic to Site#B)

(2) On Site#B (Rule for traffic back to Client on Site#A)

After adding these rules on both firewalls, traffic can be forwarded to the server without any problem.

Comments

  • Brano
    Brano Posts: 4
    Hi Stanley
    hope you're doing well
    I'm in the very same scenario as described in your schema and I'm trying to make the Site B LAN subnet available for VPN IPsec clients. I added routing policy rules, but I still cannot reach Site B IPs.
    Site A ZyWall 110
    Site B USG Flex 200

    VPN SitetoSite works ok


    IPSEC VPN for clients connecting to Site A (10.10.10.0/24) works ok, clients can reach the local LAN. VPN clients use IP 10.11.11.10 - 100



    Site A Routing Policy Rule

    Site B Routing Policy Rule 

    I cannot get the routing to Site B to work over VPN for the VPN clients. Any suggestion on how to troubleshoot this?
    Rgds, Brano
  • Zyxel_Tobias
    Zyxel_Tobias Posts: 123  Zyxel Employee
    Hi @Brano

    Can you try if it works following this guide?

    https://support.zyxel.eu/hc/en-us/articles/360010904260-IPSec-VPN-Client-Routing-traffic-over-site-to-site-tunnel

    Make sure the 10.11.11. subnet is NOT configured on Site B (LAN or any other).

    Kind Regards,

    Tobias


  • Brano
    Brano Posts: 4
    Thank you for your post Tobias.
    I added the route policies suggested by the guide, but packets are still not reaching the Site B LAN.

    Site A Routes
    WIZ_Site2Site_Kop  ---- Site2site VPN tunnel
    WIZ_Site2Site_Kop_Remote  ---- Site B LAN 10.10.20.0/24
    VPN IP Range ---- VPN Clients IP range 10.11.11.1-200 it does not conflict with any existing subnet in my network 
    Dyn_Clt_SELF ---- Client IPsec VPN 


    Site B Routes
    WIZ_Site2Site_Tur ---- Site2site VPN tunnel
    WIZ_Site2Site_Tur_LOCAL ---- Site B LAN 10.10.20.0/24
    VPN_Client ---- VPN Clients IP range 10.11.11.1-200


    Well, I'm struggling to understand what may be preventing packets from flowing there. Packet capture and inspection is not my strong suit.

    Any advice is appreciated.

    rgds, Brano
  • Ian31
    Ian31 Posts: 143  Ally Member
    Brano,
    Here is the problem: 10.10.20.0/24 is not included in the local policy for the client.
    So the traffic from the client to 10.10.20.0/24 will not go into the VPN tunnel.

    You can change the local policy to subnet 10.10.0.0/19 (10.10.0.0/24 ~ 10.10.31.0/24), which includes both 10.10.10.0/24 and 10.10.20.0/24.
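A quick check of the point Ian31 makes, as an added example (not code from the thread or from Zyxel): it tests whether a destination subnet falls inside the IPsec client's local policy, derives the smallest single prefix that covers both LANs, and runs Tobias's overlap check for the client pool. The Site A, Site B and client addresses are the ones quoted in the thread; the client range is rounded to 10.11.11.0/24 as an assumption.

```python
"""Traffic-selector checks for the Site A / Site B scenario in this thread.
Added example; not Zyxel code. Subnets are the ones quoted in the thread,
with the client range 10.11.11.1-200 rounded to a /24 (assumption)."""
import ipaddress
from typing import Iterable, List

Net = ipaddress.IPv4Network


def selector_covers(selector: str, destination: str) -> bool:
    """True if every address of `destination` lies inside the policy `selector`.
    Traffic to a destination outside the selector is not sent into the tunnel."""
    return Net(destination).subnet_of(Net(selector))


def smallest_covering_prefix(subnets: Iterable[str]) -> Net:
    """Smallest single CIDR block containing all given subnets (the /19 in the
    reply above). Widens the first subnet one bit at a time until all fit."""
    nets = [Net(s) for s in subnets]
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        if candidate.prefixlen == 0:
            break
        candidate = candidate.supernet()
    return candidate


def overlaps_any(client_pool: str, site_subnets: Iterable[str]) -> List[str]:
    """Subnets at the remote site that collide with the VPN client pool; an
    overlap means return traffic is delivered locally instead of back over
    the tunnel (the check Tobias asked for)."""
    pool = Net(client_pool)
    return [s for s in site_subnets if Net(s).overlaps(pool)]


def report() -> dict:
    # Values from the thread: Site A LAN, Site B LAN, client pool (rounded).
    site_a, site_b, client_pool = "10.10.10.0/24", "10.10.20.0/24", "10.11.11.0/24"
    proposed = smallest_covering_prefix([site_a, site_b])
    return {
        "site_b_in_original_policy": selector_covers(site_a, site_b),
        "proposed_policy": str(proposed),
        "site_b_in_proposed_policy": selector_covers(str(proposed), site_b),
        "client_pool_conflicts_at_site_b": overlaps_any(client_pool, [site_b]),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```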
