S2S VPNs star topology

bav
bav Posts: 20  Freshman Member
First Comment

Hello!

I am thinking of setup VPN connection betwee main office B and branches A and C basing on site to site VPN ikev1 or ikev2.

If I use VPN wizard on ATP500 there is to be defined Local_IP and Remote_IP for each tunnel. Would it be enough or I have to put some static routes like:

desired network available via next hop VPN tunnel?

Here is the basic topology

All Replies

  • bav
    bav Posts: 20  Freshman Member
    First Comment

    Just set up two IPSec tunnels via Wizard and can ping .1 IP from the sites. I check the setting created by Wizard and did not find any Policy route or Static routes. How it can be ? The sites have different networks assigned but it routes somehow

  • zyman2008
    zyman2008 Posts: 219  Master Member
    25 Answers First Comment Friend Collector Seventh Anniversary

    Hi @bav,

    There're two type of IPSec S2S VPN: Policy Based and Route Based

    The setup via wizard is policy based. And the VPN routing is depends on local/remote subnets settings.

    In your case, the network address of each site is

    Site A: 192.168.1.0/24

    Site B: 192.168.2.0/24

    Site C: 192.168.3.0/24

    Site A, B, C network is subnet of an aggregated network 192.168.0.0/22

    You can setup the local, remote policy of VPN tunnel to

    Tunnel Site A to B: local-192.168.1.0/24, remote-192.168.0.0/22

    The route will cover : 192.168.1.0/24 <> 192.168.0-3.0/24 (which include Site B & C)

    Tunnel Site B to A: local-192.168.0.0/22, remote-192.168.1.0/24

    The route will cover: 192.168.0-3/24 (which include Site B & C) <> 192.168.1.0/24

    Tunnel Site B to C: local-192.168.0.0/22, remote-192.168.3.0/24

    The route will cover: 192.168.0-3.0/24 (which include Site A & B) <> 192.168.3.0/24

    Tunnel Site C to B: local-192.168.3.0/24, remote-192.168.0.0/22

    The route will cover: 192.168.3.0/24 <> 192.168.0-3.0/24 (which include Site A & Site B)

  • bav
    bav Posts: 20  Freshman Member
    First Comment

    Hi @zyman2008!

    Thanks for reply!

    Looks like you explain how to make network connectivity from A to C(via B) and vise versa? It is good to know, but currently I did setup A-B; B-C tunnels via wizard and I do not see any Policy route in the settings of ATP. But it works, ping goes through. How it can be? That is the first question.

    And the second one is: If i decide to make B as hub and A and C as spokes, can I use VPN concentrator menu(Configuration→VPN→IPSEC→Concentrator) to set hub and spoke networking?

  • zyman2008
    zyman2008 Posts: 219  Master Member
    25 Answers First Comment Friend Collector Seventh Anniversary

    Hi @bav,

    Hi @bav,

    The answer of the first question could be found in the packet flow explorer.

    Go to MAINTENANCE > Packet Flow Explorer. It's show up the routing priority of zyxel firewall.

    Once you setup local/remote policy on wizard. The route rule is set into the S2S VPN route table.

    The second answer, Yes.

    You can setup VPN concentrator on hub Site B. And add policy route on Site A & C.

    But that's not what I preferred. If the IP address space is well planned with in an aggregated network.

    The VPN concentrator rule is not visible in the packet flow explorer that's inconvenient for route trouble shooting.

  • bav
    bav Posts: 20  Freshman Member
    First Comment

    Thanks!

    The networks I used here just for example. Actual topology is HQ and 3 Branches.

    So, I am going to setup hub and spoke, where HQ is a hub and all traffic goes via HQ.

    Is there any guide about Concentrator(hub-and-spoke) configuration? Currently, I see there

    that screen from HQ ATP500. There are already 3 tunnels to branches. So, if I create VPN concentrator will it give me ready to use routing between all branches via HQ or I need to add some routes (static)?

Security Highlight