IPSec VTI VPN access device in overlapping subnet

baba
edited August 2023 in Security

Hi all,

I've two USG FLEX 200 connected with Point-to-Point WiFi and an IPSec VPN with VTI as backup. This setup works fine; both subnets 10.50.0.0/16 and 10.60.0.0/16 can reach each other. Now I want to access 10.70.70.20/32 from 10.50.0.0/16 and 10.70.70.10/32 from 10.60.0.0/16 over the IPSec VPN (when the PtP WiFi connection is lost).

To reach 10.70.70.20/32 from 10.50.0.0/16 while the PtP WiFi connection is established, I've added the following Policy Rule:
User: any
Schedule: none
Incoming: any (excluding ZyWALL)
Source: any
Destination: 10.70.70.20
DSCP Code: any
Service: any
Source port: any
Next-Hop: Gateway 10.70.70.2
DSCP Marking: preserve
SNAT: outgoing-interface

Which route do I have to add to reach 10.70.70.20/32 from 10.50.0.0/16 via the IPSec VPN VTI?
The following Policy Rule does not work:
User: any
Schedule: none
Incoming: any (excluding ZyWALL)
Source: any
Destination: 10.70.70.20
DSCP Code: any
Service: any
Source port: any
Next-Hop: Interface vti0
DSCP Marking: preserve
SNAT: none

Thank you!

Best,
baba


All Replies

  • Zyxel_Joshua

    The direct route 10.70.70.0/X will take first priority.

    So that policy route will not be hit.

    You need to turn on the advanced option "Policy Route overwrite Direct Route".

    It's powerful but carries risk (misconfiguration).

    Be careful to review all the policy routes to prevent a rule from taking over all direct routes.

    Especially a policy route with destination: any

  • baba
    edited August 2023

    @Zyxel_Joshua Do I need the "Policy Route overwrite Direct Route" option? I have no policy rule (see next post) with destination any, and some with source any. The PtP WiFi route works as expected without this advanced option.

  • baba
    edited August 2023

    I was wrong, I have a policy rule with destination any, to forward all WAN traffic from Site B to Site A (via PtP WiFi).

    Route #6 isn't working (it is only disabled because it's not working).
    Route #3 is the working PtP WiFi route without the "Policy Route overwrite Direct Route" option.

    Is it safe to enable the "Policy Route overwrite Direct Route" option with these routes?

  • baba

    @Zyxel_Joshua can you help me with checking whether the above rules are safe for the "Policy Route overwrite Direct Route" option? As long as I can still reach the USG FLEX via the internal network, everything is fine.

  • Zyxel_Joshua
    edited August 2023

    Hi @baba

    I want to confirm with you first:

    The requirement is that once the WiFi link breaks,

    the route switches to the IPSec VTI link to the peer, even though the peer address 10.70.70.X is in a directly connected subnet.

    Second, the source IP address will not be translated (SNAT)?

  • baba
    edited August 2023

    @Zyxel_Joshua you are correct in both points 👍️

  • baba

    @Zyxel_Joshua As far as I can see, with VTI you can only set the SNAT to none.

  • Zyxel_Joshua
  • baba

    @Zyxel_Joshua keep in mind that 10.70.70.20 must be routed to the VTI VPN, but 10.70.70.10 must still be accessible via the internal interface. So only 10.70.70.20 must be routed through the VTI VPN, not the whole 10.70.70.X.

  • Zyxel_Joshua
    edited August 2023

    Hi @baba ,

    Here are the configuration comments for the case.

    1. Enable "Allow Asymmetrical Route" on the Security Policy > Policy Control page, to pass the stateful firewall checking.

    Usually, if the network setup needs to use Policy Route overwrite Direct Route, there is a triangle route issue to take care of.

    In this case, on both USG FLEX the 10.70.70.X interface has triangle route packets (the green circle).

    2. Enable Policy Route overwrite Direct Route and set up the policy routes.

    (This example is for the USG FLEX on the left-hand side.)

    (1) Rules 1, 4 are the primary/backup route for 10.50.0.0/16 to 10.60.0.0/16

    (2) Rules 2, 5 are the primary/backup route for the USG FLEX itself to 10.60.0.0/16

    (3) Rules 3, 6 are the primary/backup route for 10.50.0.0/16 to 10.70.70.20

    Note: All packets are sent without SNAT
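The two points Zyxel_Joshua makes in this thread (a connected subnet outranks a policy route until "Policy Route overwrite Direct Route" is enabled, and once it is enabled a destination-any rule can swallow every connected subnet) can be checked offline with a small routing model. The following Python is an added illustration, not Zyxel code: the precedence logic is an assumption distilled from the replies above (direct route first unless the override is on; policy routes top-down; a rule whose next hop is unreachable is skipped, which is what makes the later rule the backup), the /24 mask on 10.70.70.0 and the interface names lan1/ptp are constructed, and rule 7 is a constructed destination-any rule that is not part of baba's configuration. It reproduces why rule 3 appears to work without the override (the direct route sends the packet out the same interface anyway), why rule 6 never fires without it, and how to audit which connected subnets change path before flipping the option.

```python
"""Model of direct-route vs policy-route precedence on a ZyWALL-style firewall.
Added example; the precedence rules are an assumption drawn from the thread,
and all addresses, masks and interface names below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class DirectRoute:
    prefix: ipaddress.IPv4Network   # subnet configured on a local interface
    interface: str


@dataclass(frozen=True)
class PolicyRoute:
    number: int
    source: ipaddress.IPv4Network
    destination: ipaddress.IPv4Network
    next_hop: str                   # gateway address or interface (e.g. "vti0")
    enabled: bool = True


def select_route(src: str, dst: str, direct: List[DirectRoute],
                 policies: List[PolicyRoute], reachable: Dict[str, bool],
                 overwrite_direct: bool) -> Tuple[str, str]:
    """Return (kind, via) for a packet src -> dst under the assumed precedence."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    connected = [r for r in direct if d in r.prefix]
    best_direct = max(connected, key=lambda r: r.prefix.prefixlen, default=None)
    # Without the override, a directly connected subnet always wins.
    if best_direct is not None and not overwrite_direct:
        return ("direct", best_direct.interface)
    # Policy routes are evaluated top-down; a rule whose next hop is down is
    # skipped, so a later rule with the same match acts as the backup.
    for pr in policies:
        if not pr.enabled or s not in pr.source or d not in pr.destination:
            continue
        if not reachable.get(pr.next_hop, False):
            continue
        return ("policy", f"rule {pr.number} -> {pr.next_hop}")
    if best_direct is not None:
        return ("direct", best_direct.interface)
    return ("none", "no route")


def audit_override(direct: List[DirectRoute], policies: List[PolicyRoute],
                   reachable: Dict[str, bool], probe_src: str):
    """Report every connected subnet whose path changes once the override is on.
    The first host of each connected prefix is used as a probe destination."""
    findings = []
    for r in direct:
        host = str(next(r.prefix.hosts()))
        before = select_route(probe_src, host, direct, policies, reachable, False)
        after = select_route(probe_src, host, direct, policies, reachable, True)
        if before != after:
            findings.append((str(r.prefix), before[1], after[1]))
    return findings


# Constructed site-A topology (mask on 10.70.70.0 and interface names assumed).
DIRECT = [
    DirectRoute(ipaddress.ip_network("10.50.0.0/16"), "lan1"),
    DirectRoute(ipaddress.ip_network("10.70.70.0/24"), "ptp"),
]
LAN_A = ipaddress.ip_network("10.50.0.0/16")
# Rule numbers follow Zyxel_Joshua's final reply; rule 7 is a constructed hazard.
POLICIES = [
    PolicyRoute(1, LAN_A, ipaddress.ip_network("10.60.0.0/16"), "10.70.70.2"),
    PolicyRoute(4, LAN_A, ipaddress.ip_network("10.60.0.0/16"), "vti0"),
    PolicyRoute(3, LAN_A, ipaddress.ip_network("10.70.70.20/32"), "10.70.70.2"),
    PolicyRoute(6, LAN_A, ipaddress.ip_network("10.70.70.20/32"), "vti0"),
]
RISKY_RULE = PolicyRoute(7, LAN_A, ANY, "vti0")
WIFI_UP = {"10.70.70.2": True, "vti0": True}
WIFI_DOWN = {"10.70.70.2": False, "vti0": True}

if __name__ == "__main__":
    for label, links in (("wifi up", WIFI_UP), ("wifi down", WIFI_DOWN)):
        for override in (False, True):
            path = select_route("10.50.1.10", "10.70.70.20", DIRECT, POLICIES, links, override)
            print(f"{label:9} override={override!s:5} 10.70.70.20 via {path}")
    print("audit, thread rules only:", audit_override(DIRECT, POLICIES, WIFI_UP, "10.50.1.10"))
    print("audit, plus dest-any rule:", audit_override(DIRECT, POLICIES + [RISKY_RULE], WIFI_UP, "10.50.1.10"))
```

With only rules 1/4/3/6 the audit returns nothing, because the only connected address the policy routes steal is the single /32 that is meant to move; adding a destination-any rule makes both connected subnets show up, which is the misconfiguration the reply warns about and a good thing to run through before enabling the option on a box you manage over that LAN.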
