Help with routing from site 1 to site 3 (site1==site2==site3)



  • PeterUK
    PeterUK Posts: 2,655  Guru Member
    edited May 2022

    After setting it up locally here, you don't need the concentrator.

    Did all site-to-site with IKEv2; it's doable even with a dynamic IP using Site-to-site with Dynamic Peer.

    Site A pings from 192.168.254.134 to site C 192.168.255.52

    Site A USG60W

    WAN2 dynamic IP

    LAN1 192.168.254.129/255.255.255.128

    VPN gateway to site B 192.168.254.1

    VPN connection site-to-site

    Nailed-Up

    Gwtozywall110_local

    local policy 192.168.254.128/26

    remote policy 192.168.138.0/28


    routing rule

    Interface LAN1

    destination address 192.168.255.48/28

    next hop VPN tunnel

    Tuneltozywall110_local

    -----------------------------

    Site B Zywall 110

    OPT 192.168.254.1

    VPN gateway to site A Dynamic Address

    VPN connection Site-to-site with Dynamic Peer

    GwtoUSG60W_local

    local policy 192.168.138.0/28

    remote policy 192.168.254.128/26


    VPN gateway to site C 192.168.255.247

    VPN connection Site-to-site

    GWtoVPN300_local2

    local policy 192.168.138.0/28

    remote policy 192.168.255.48/28


    routing rule

    Tunnel TuneltoUSG60W_local

    destination address 192.168.255.48/28

    next hop VPN tunnel

    TuneltoVPN300_local2

    -----------------------------------

    Site C VPN300

    Ge3 192.168.255.247

    Ge5 192.168.255.48  /  255.255.255.240

    VPN gateway to site B 192.168.255.202

    VPN connection Site-to-site

    GWtozywall110_local2

    local policy 192.168.255.48/28

    remote policy 192.168.138.0/28

    routing rule

    Interface Ge5

    destination address 192.168.254.128/26

    next hop VPN tunnel

    GWtozywall110_local2


  • Zyxel_Kevin
    Zyxel_Kevin Posts: 741  Zyxel Employee
    Hi @OldFox,
    1) Kindly check the VPN profile which connects site3 on site2. The local policy (phase 2) shall include the site1 subnet.
    2) Another solution: a Concentrator can apply in your scenario. Please find the handbook below (starting at page 87):
    https://download.zyxel.com/ATP700/handbook/ATP700_ZLD5.20_Handbook.pdf

    If the issue still persists, could you share all your configuration in a Private Message? We would assist you to check.
    Thank you
    Kevin
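The point in Kevin's reply (the hub's phase-2 policies must cover the spoke subnets, not just the hub's own LAN) can be checked mechanically before touching the firewalls. The script below is an added example, not code from this thread or from Zyxel: it models each site's tunnels as IKE phase-2 local/remote policies and traces a packet hop by hop, reporting the first end that has no selector covering it. The site names and the two configurations are constructed; the subnets are the ones PeterUK lists above (192.168.254.128/26, 192.168.138.0/28, 192.168.255.48/28). It models the traffic-selector approach only, not ZLD policy routes or the VPN concentrator.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass
class Tunnel:
    peer: str                 # name of the site at the other end
    local: list               # phase-2 local policy: subnets behind this end
    remote: list              # phase-2 remote policy: subnets behind the peer


@dataclass
class Site:
    lans: list                # subnets directly attached to this site
    tunnels: dict             # tunnel name -> Tunnel


def covers(nets: list, addr: IPv4Address) -> bool:
    return any(addr in n for n in nets)


def trace_path(sites: dict, start: str, src: str, dst: str, max_hops: int = 5):
    """Follow src->dst from `start`; return (delivered, list of hop descriptions).

    At each site the outbound tunnel must have local covering src and remote
    covering dst; at the receiving end the mirror entry must accept the same
    pair, otherwise that peer drops the packet as outside its selectors.
    """
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    here, hops = start, []
    for _ in range(max_hops):
        site = sites[here]
        if covers(site.lans, dst_ip):
            return True, hops + [f"{here}: delivered to local LAN"]
        out = next(((n, t) for n, t in site.tunnels.items()
                    if covers(t.local, src_ip) and covers(t.remote, dst_ip)), None)
        if out is None:
            return False, hops + [f"{here}: no tunnel has a phase-2 policy covering {src} -> {dst}"]
        name, tun = out
        hops.append(f"{here}: send via {name} to {tun.peer}")
        peer = sites[tun.peer]
        accepted = any(pt.peer == here and covers(pt.local, dst_ip) and covers(pt.remote, src_ip)
                       for pt in peer.tunnels.values())
        if not accepted:
            return False, hops + [f"{tun.peer}: phase-2 policy for the tunnel from {here} "
                                  f"does not cover {src} -> {dst}; packet dropped"]
        here = tun.peer
    return False, hops + ["hop limit reached (routing loop?)"]


# Constructed subnets taken from the thread; Site2 is the hub.
S1, S2, S3 = (ip_network("192.168.254.128/26"),
              ip_network("192.168.138.0/28"),
              ip_network("192.168.255.48/28"))


def narrow_config() -> dict:
    """Each tunnel only carries its own two LANs: spoke-to-spoke traffic fails."""
    return {
        "Site1": Site([S1], {"to_Site2": Tunnel("Site2", [S1], [S2])}),
        "Site2": Site([S2], {"to_Site1": Tunnel("Site1", [S2], [S1]),
                             "to_Site3": Tunnel("Site3", [S2], [S3])}),
        "Site3": Site([S3], {"to_Site2": Tunnel("Site2", [S3], [S2])}),
    }


def hub_and_spoke_config() -> dict:
    """Hub policies widened so each spoke tunnel also carries the other spoke's LAN."""
    return {
        "Site1": Site([S1], {"to_Site2": Tunnel("Site2", [S1], [S2, S3])}),
        "Site2": Site([S2], {"to_Site1": Tunnel("Site1", [S2, S3], [S1]),
                             "to_Site3": Tunnel("Site3", [S2, S1], [S3])}),
        "Site3": Site([S3], {"to_Site2": Tunnel("Site2", [S3], [S2, S1])}),
    }


if __name__ == "__main__":
    for label, cfg in (("narrow", narrow_config()), ("hub-and-spoke", hub_and_spoke_config())):
        ok, hops = trace_path(cfg, "Site1", "192.168.254.134", "192.168.255.52")
        print(f"[{label}] delivered={ok}")
        for h in hops:
            print("   ", h)
```

Run it and the narrow configuration stops at Site1 (its only tunnel has no remote policy for 192.168.255.48/28), while the widened one delivers in two tunnel hops; trying the Site3 -> Site1 direction shows that the selectors on both ends of both tunnels need the extra subnet, not just the hub's local policy.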
  • OldFox
    OldFox Posts: 15  Freshman Member
    Answer ✓
    Hi @OldFox,
    1) Kindly check the VPN profile which connects site3 on site2. The local policy (phase 2) shall include the site1 subnet.

    Thanks for the hint, that would probably work and I'll definitely try it out.
    Currently I've switched to PLAN-B and did the following:
    - switched from "Remote Access (Server Role)" to "Site-to-site with Dynamic Peer"
    - switched to IKEv2 with cert auth.
    - created another tunnel from site3 to site1, so I have 3 tunnels now:

          Site1
       /         \
    Site2 --   Site3

    Thanks for your help guys!
