Policy routing for L2TP VPN
Hello everyone,
In our office we have two site-to-site tunnels with external clients, configured with SNAT and routing rules. We can access them perfectly from our office subnet, but we also need to be able to access them from our users' connections through the L2TP VPN. I explain the assembled infrastructure in the diagram.
For routing access to the two site-to-site tunnels I have the following configuration:
I am trying to be able to route to those two site-to-site tunnels from the L2TP VPN access. I have tried many ways but I can't get there.
I have read in other posts that the USG does not allow SNAT traffic to be routed within the L2TP tunnel.
Can someone help me with this?
Thank you very much in advance.
All Replies
-
Have you enabled Inbound/Outbound traffic NAT on My office?
You might have to re-upload the layout as it's hard to see, along with what you want, like my office to what site x and site x to office. But from what I see you want the L2TP VPN to go over the site-to-site to each site on the right, which might mean you need to do two site-to-site tunnels to each one on the right with Inbound/Outbound traffic NAT.
So I get the problem: the three sites have the same LAN subnet 172.26.0.x and you need to use Inbound/Outbound traffic NAT to change the source.
One problem, from what I can tell at the top right of the layout: your SNAT subnet should match your source subnet and destination subnet /24.
-
Hi @PeterUK,
Thanks for your help.
I don't quite understand what you mean by enabling NAT traffic in my office.
I don't have the problem in all three places. As I explained, everything works perfectly inside my office, and we get from place to place on both. The problem I have is with people who access from outside the office using the L2TP VPN.
I attach the diagram of how it is configured so you can see it better.
-
The problem is made more complicated by the use of Inbound/Outbound traffic NAT on the site-to-site, because you reuse the LAN subnet 172.26.0.x/24.
Is there a site-to-site set up on the office?
-
Yes, from the office you can access the two site-to-site tunnels as indicated in the diagram. Each site-to-site has an SNAT configuration.
-
Is the following correct? Due to limited info it may not be correct.
So the office on the left has two site-to-site tunnel links.
On office, to top right:
  local policy 192.168.64.0/24
  remote policy 10.148.18.128/27
  Inbound/Outbound traffic NAT
    source NAT:
      source 192.168.64.0/24
      destination 10.148.18.128/27
      SNAT ?
    destination NAT: original IP ? to mapped IP 172.26.0.x/24
On office, to bottom left:
  local policy 192.168.69.0/24
  remote policy 172.27.0.0/24
  Inbound/Outbound traffic NAT
    source NAT:
      source 192.168.69.0/24
      destination 172.27.0.0/24
      SNAT ?
    destination NAT: original IP ? to mapped IP 172.26.0.x/24
With top right local/remote policy:
  local policy 10.148.18.128/27
  remote policy 192.168.64.0/24
  Inbound/Outbound traffic NAT
    source NAT:
      source 172.26.0.x/24
      destination 192.168.64.0/20
      SNAT 10.148.18.128/27
    destination NAT: original IP 192.168.64.0/24 to mapped IP 172.26.0.x/24
With bottom left local/remote policy:
  local policy 172.27.0.0/24
  remote policy 192.168.69.0/24
  Inbound/Outbound traffic NAT
    source NAT:
      source 172.26.0.x/24
      destination 192.168.69.0/24
      SNAT 172.27.0.0/24
    destination NAT: original IP 192.168.69.0/24 to mapped IP 172.26.0.x/24
-
So I have a test setup and I think you will need to add two more tunnels:
On office, to top right:
  local policy 10.2.0.0/24
  remote policy 192.168.10.0/24
  Inbound/Outbound traffic NAT
    source NAT:
      source 10.2.0.0/24
      destination 192.168.40.0/24
      SNAT 10.20.0.0/24
    destination NAT: original IP 192.168.60.0/24 to mapped IP 10.2.0.0/24
On office, to bottom left:
  local policy 10.2.0.0/24
  remote policy 192.168.20.0/24
  Inbound/Outbound traffic NAT
    source NAT:
      source 10.2.0.0/24
      destination 192.168.50.0/24
      SNAT 10.30.0.0/24
    destination NAT: original IP 192.168.70.0/24 to mapped IP 10.2.0.0/24
With top right local/remote policy:
  local policy 192.168.10.0/24
  remote policy 10.2.0.0/24
  Inbound/Outbound traffic NAT
    source NAT:
      source 172.26.0.0/24
      destination 192.168.60.0/24
      SNAT 192.168.30.0/24
    destination NAT: original IP 192.168.40.0/24 to mapped IP 172.26.0.0/24
With bottom left local/remote policy:
  local policy 192.168.20.0/24
  remote policy 10.2.0.0/24
  Inbound/Outbound traffic NAT
    source NAT:
      source 172.26.0.0/24
      destination 192.168.70.0/24
      SNAT 192.168.20.0/24
    destination NAT: original IP 192.168.50.0/24 to mapped IP 172.26.0.0/24
Then add routing of the L2TP VPN down the new site-to-site tunnel.
-
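The mechanism the reply above relies on, as an added example that is not part of the thread or Zyxel's own code: a small Python model of policy-based tunnel selection plus 1:1 network SNAT/DNAT. It shows why an L2TP client matches none of the office tunnels (no local policy covers the client pool, so the packet follows the default route instead of being encrypted), why adding tunnels whose local policy is the L2TP pool fixes that, and why two sites that both use 172.26.0.0/24 must each be addressed through a distinct alias range or the policies become ambiguous. The office LAN 192.168.64.0/24 and the reused 172.26.0.0/24 are taken from the thread; the L2TP pool 10.2.0.0/24, the alias ranges 10.148.18.0/24 and 172.27.0.0/24, and the SNAT ranges are assumptions chosen so that every range is a /24 and maps 1:1. Where each translation is configured (office or peer) does not change the end-to-end mapping, so the model applies both on the sending side.

```python
"""Model of policy-based tunnel selection plus 1:1 network SNAT/DNAT.

Added example for this thread, not Zyxel code. The office LAN
192.168.64.0/24 and the reused remote LAN 172.26.0.0/24 come from the
thread; the L2TP pool (10.2.0.0/24), the per-site alias ranges and the
SNAT ranges are assumptions chosen so that every range is a /24.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address


def map_1to1(addr: Addr, from_net: Net, to_net: Net) -> Addr:
    """1:1 network NAT: keep the host offset, swap the network prefix."""
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("1:1 network NAT needs equal prefix lengths")
    if addr not in from_net:
        raise ValueError(f"{addr} is not inside {from_net}")
    return to_net.network_address + (int(addr) - int(from_net.network_address))


@dataclass(frozen=True)
class Tunnel:
    name: str
    local_policy: Net   # local sources this IPsec policy carries
    remote_policy: Net  # destinations as the local side addresses them (alias)
    snat_to: Net        # source NAT applied to local_policy before the tunnel
    dnat_to: Net        # destination NAT: alias -> the site's real LAN


def select_tunnel(src: Addr, dst: Addr, tunnels: List[Tunnel]) -> Optional[Tunnel]:
    """Policy-based VPN: a packet enters a tunnel only if a policy matches both ends."""
    for t in tunnels:
        if src in t.local_policy and dst in t.remote_policy:
            return t
    return None


def forward(src: str, dst: str, tunnels: List[Tunnel]) -> Optional[Tuple[str, str, str]]:
    """Return (tunnel, source after SNAT, destination after DNAT), or None when
    no policy matches and the packet follows the default route instead."""
    s, d = Addr(src), Addr(dst)
    t = select_tunnel(s, d, tunnels)
    if t is None:
        return None
    return (t.name,
            str(map_1to1(s, t.local_policy, t.snat_to)),
            str(map_1to1(d, t.remote_policy, t.dnat_to)))


def ambiguous_policies(tunnels: List[Tunnel]) -> List[Tuple[str, str]]:
    """Pairs of tunnels whose local AND remote policies overlap: both would match
    the same packet, which is what two sites reusing 172.26.0.0/24 cause unless
    each site is reached through its own alias range."""
    clashes = []
    for i, a in enumerate(tunnels):
        for b in tunnels[i + 1:]:
            if a.local_policy.overlaps(b.local_policy) and a.remote_policy.overlaps(b.remote_policy):
                clashes.append((a.name, b.name))
    return clashes


# Constructed topology (see module docstring for which values are assumptions).
OFFICE_LAN = Net("192.168.64.0/24")
L2TP_POOL = Net("10.2.0.0/24")
SITE_REAL = Net("172.26.0.0/24")       # both remote sites really use this
SITE_A_ALIAS = Net("10.148.18.0/24")   # what the office addresses site A as
SITE_B_ALIAS = Net("172.27.0.0/24")    # what the office addresses site B as

OFFICE_ONLY = [
    Tunnel("office-siteA", OFFICE_LAN, SITE_A_ALIAS, Net("10.64.1.0/24"), SITE_REAL),
    Tunnel("office-siteB", OFFICE_LAN, SITE_B_ALIAS, Net("10.64.2.0/24"), SITE_REAL),
]
# The two extra tunnels the reply recommends: same aliases, but the local
# policy covers the L2TP pool, each with its own SNAT range.
WITH_L2TP = OFFICE_ONLY + [
    Tunnel("l2tp-siteA", L2TP_POOL, SITE_A_ALIAS, Net("10.20.0.0/24"), SITE_REAL),
    Tunnel("l2tp-siteB", L2TP_POOL, SITE_B_ALIAS, Net("10.30.0.0/24"), SITE_REAL),
]
# What goes wrong without aliases: both tunnels claim 172.26.0.0/24.
NO_ALIAS = [
    Tunnel("office-siteA", OFFICE_LAN, SITE_REAL, Net("10.64.1.0/24"), SITE_REAL),
    Tunnel("office-siteB", OFFICE_LAN, SITE_REAL, Net("10.64.2.0/24"), SITE_REAL),
]

if __name__ == "__main__":
    print(forward("192.168.64.10", "10.148.18.20", OFFICE_ONLY))
    print(forward("10.2.0.5", "10.148.18.20", OFFICE_ONLY))  # None: L2TP client misses every policy
    print(forward("10.2.0.5", "10.148.18.20", WITH_L2TP))
    print(ambiguous_policies(NO_ALIAS))
```

`forward("10.2.0.5", ...)` returning `None` against `OFFICE_ONLY` is the situation in the original post: the L2TP client's traffic is simply never selected by the site-to-site policies. Run `ambiguous_policies` over your planned policy set before committing it to the USG; an empty list means every (source, destination) pair lands on exactly one tunnel, which is the precondition for the per-tunnel SNAT/DNAT pairs to be unambiguous.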
More info on the setup you're looking for, from a test setup I did: you just have to add more tunnels.