VPN client connected to site 1 need to have acces also to the subnet on site 2.
Jarno_Smits
Posts: 23 Freshman Member
in Security
Good morning, hopefully i have explained it correct.
But the question is how do i configure the route that if a vpn client connected to
site 1 that this client can also acces the subnet on site 2 (site 1 and 2 are connected with a site-to site VPN)
see the network setup below:
I did some tests with creating routes on site 1 but i'm not able to get this to work.
But the question is how do i configure the route that if a vpn client connected to
site 1 that this client can also acces the subnet on site 2 (site 1 and 2 are connected with a site-to site VPN)
see the network setup below:
I did some tests with creating routes on site 1 but i'm not able to get this to work.
0
Accepted Solution
-
Here is the topology and configuration for your reference.Configuration- Site AIKEv2 VPN settings
Policy RouteIncoming: TunnelPlease select one member: IKEv2 tunnelSource: anyDestination: Subnet of Site B (192.168.10.0/24)Next-Hop: site to site VPN tunnel
Configuration- Site BPolicy RouteSource: Subnet of Site B (192.168.10.0/24)Destination: Subnet of IKEv2 VPN clients (192.168.33.0/24)Next-Hop: site to site VPN tunnel
Test Result
IKEv2 VPN client is connected to Site A and gets IP address 192.168.33.1.IKEv2 VPN client: 192.168.33.1Laptop at site B: 192.168.10.33192.168.33.1 ping 192.168.10.33 successfully.0
All Replies
-
You also need to create policy route on site 2. Just follow the guide in these posts.0
-
Good moring Jasailafan,
Sorry for my delayed answer, I added the rules as descriped in the given documents, but still no connetions from the VPN client connected to site 1 to the site 2 subnet.
I also searced the internet and more people having the same issue, also when adding the rules as descriped.
Could be the problem in my situation the subnets i am using?
The subnet from site 1 is 192.168.1.0/24 and from site 2 it is 192.168.2.0/24 this range is also configured in the VPN settings from the local and remote IP range from the VPN.
The IP adress what the VPN clients can use is 192.168.31.1 till 192.168.31.9 but this range I also configured in the route as discriped in the documents.
I also changed the the IP range from site 1 to 192.168.1/23 and from site 2 to 192.168.2./23 but still no success.0 -
What is the type of your vpn client? Is it SSL vpn client or IPSEC vpn client or L2TP vpn client?Can you post the policy route which is configured on each site?0
-
the client vpn connection is a ipsec IKEv2 connection.
below some screenshots from the policy routes and screenshots from the site to site vpn connection from site 1 and site 2:
Site 1(usg210) Policy route:
VPN client setup at site1 (usg210):
Site1 to site2 vpn settings on the USG210 (site1)
Site1 to site2 vpn settings on the USG210 (site1)
Site1 to site2 vpn settings on the USG60 (site2)
Policy route on the USG60 (site2)
0 -
I am running into a similar issue and have tried the same fixes, but no luck. Adding to this to keep an eye on a solution.0
-
Here is the topology and configuration for your reference.Configuration- Site AIKEv2 VPN settings
Policy RouteIncoming: TunnelPlease select one member: IKEv2 tunnelSource: anyDestination: Subnet of Site B (192.168.10.0/24)Next-Hop: site to site VPN tunnel
Configuration- Site BPolicy RouteSource: Subnet of Site B (192.168.10.0/24)Destination: Subnet of IKEv2 VPN clients (192.168.33.0/24)Next-Hop: site to site VPN tunnel
Test Result
IKEv2 VPN client is connected to Site A and gets IP address 192.168.33.1.IKEv2 VPN client: 192.168.33.1Laptop at site B: 192.168.10.33192.168.33.1 ping 192.168.10.33 successfully.0 -
Hi Emily,
your solution fixed the issue.
the local policy of the vpn client, needed to be changed to ( HOST:0.0.0.0 ) instead of subnet 192.168.1.0/24.
I also had a wrong setting in the Policy route of site B.
Now when i have a vpn client connection to site 1, i'm able to acces the subnet of site 2 also.
Only thing is now, when enabeling the vpn on my smartphone, i don't have internet access anymore, I only can access all clients on both sites 1 and 2.
When changing back the local policy from host 0.0.0.0 to subnet 192.168.1.0/24 then i have internet access back on my smarthone when the VPN is enabled, only then i don't have acces to the subnet of site 2 anymore.
0 -
Everyting is working now, I changed the VPN client settings to the certificate authorisation instead of only a key, and now it worsk correct now i'm able when opening a VPN to site 1, to access the clients on site 2, and i have also internet access on the VPN client when the VPN is enabled.
Everybody thanks for the fast answers on this forum.
kind regard,
Jarno1
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 144 Nebula Ideas
- 94 Nebula Status and Incidents
- 5.6K Security
- 237 USG FLEX H Series
- 267 Security Ideas
- 1.4K Switch
- 71 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.3K Consumer Product
- 247 Service & License
- 384 News and Release
- 83 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.2K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 83 About Community
- 71 Security Highlight