S2S VPNs star topology
Hello!
I am thinking of setting up a VPN connection between main office B and branches A and C based on site-to-site VPN IKEv1 or IKEv2.
If I use the VPN wizard on the ATP500, Local_IP and Remote_IP have to be defined for each tunnel. Would that be enough, or do I have to add static routes like:
desired network available via next hop VPN tunnel?
Here is the basic topology
I just set up two IPsec tunnels via the Wizard and can ping the .1 IP from the sites. I checked the settings created by the Wizard and did not find any policy routes or static routes. How can that be? The sites have different networks assigned, but it routes somehow.
Hi @bav,
There are two types of IPsec S2S VPN: policy based and route based.
The setup via the wizard is policy based, and the VPN routing depends on the local/remote subnet settings.
In your case, the network address of each site is:
Site A: 192.168.1.0/24
Site B: 192.168.2.0/24
Site C: 192.168.3.0/24
The Site A, B and C networks are subnets of an aggregated network, 192.168.0.0/22.
You can set the local/remote policy of the VPN tunnels to:
Tunnel Site A to B: local 192.168.1.0/24, remote 192.168.0.0/22
The route will cover: 192.168.1.0/24 <> 192.168.0-3.0/24 (which includes Site B & C)
Tunnel Site B to A: local 192.168.0.0/22, remote 192.168.1.0/24
The route will cover: 192.168.0-3.0/24 (which includes Site B & C) <> 192.168.1.0/24
Tunnel Site B to C: local 192.168.0.0/22, remote 192.168.3.0/24
The route will cover: 192.168.0-3.0/24 (which includes Site A & B) <> 192.168.3.0/24
Tunnel Site C to B: local 192.168.3.0/24, remote 192.168.0.0/22
The route will cover: 192.168.3.0/24 <> 192.168.0-3.0/24 (which includes Site A & Site B)
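An added example (not from the thread or from Zyxel) that models the policy-based selector check described in the answer above: a packet only enters a tunnel if its source falls in the tunnel's local subnet and its destination in the remote subnet, so spoke-to-spoke traffic through hub B only works when B's local side is the /22 aggregate. The policy tables and addresses are constructed from the post's example networks.

```python
import ipaddress
from typing import Optional

# Constructed from the thread: three /24 sites inside one /22 aggregate.
SITE_A, SITE_B, SITE_C = "192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"
AGGREGATE = "192.168.0.0/22"

# Policy-based selectors per firewall: (tunnel name, local subnet, remote subnet).
# Hub B uses the aggregate as its local side, so transit traffic from A to C matches.
AGGREGATED_POLICY = {
    "A": [("A-to-B", SITE_A, AGGREGATE)],
    "B": [("B-to-A", AGGREGATE, SITE_A), ("B-to-C", AGGREGATE, SITE_C)],
    "C": [("C-to-B", SITE_C, AGGREGATE)],
}
# The same two tunnels with plain /24 selectors (point-to-point wizard style).
FLAT_POLICY = {
    "A": [("A-to-B", SITE_A, SITE_B)],
    "B": [("B-to-A", SITE_B, SITE_A), ("B-to-C", SITE_B, SITE_C)],
    "C": [("C-to-B", SITE_C, SITE_B)],
}

def _covers(net: str, addr: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def outbound_tunnel(policy, site, src, dst) -> Optional[str]:
    """Tunnel at `site` whose local covers src and remote covers dst (encrypt direction)."""
    for name, local, remote in policy[site]:
        if _covers(local, src) and _covers(remote, dst):
            return name
    return None

def inbound_accepted(policy, site, src, dst) -> bool:
    """A decrypted packet passes the selector check at `site` if remote covers src and local covers dst."""
    return any(_covers(remote, src) and _covers(local, dst) for _, local, remote in policy[site])

def spoke_to_spoke_path(policy, src, dst, ingress, hub="B") -> Optional[list]:
    """Tunnels a spoke -> hub -> spoke packet traverses, or None where a selector drops it."""
    first = outbound_tunnel(policy, ingress, src, dst)
    if first is None or not inbound_accepted(policy, hub, src, dst):
        return None
    second = outbound_tunnel(policy, hub, src, dst)
    return None if second is None else [first, second]

if __name__ == "__main__":
    print(spoke_to_spoke_path(AGGREGATED_POLICY, "192.168.1.10", "192.168.3.20", "A"))
    print(spoke_to_spoke_path(FLAT_POLICY, "192.168.1.10", "192.168.3.20", "A"))
```

With the /22 selectors the A-to-C packet is carried by A-to-B and then B-to-C; with flat /24 selectors it never matches a tunnel at site A, which is why A-B and B-C tunnels alone do not give A-C reachability.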
Hi @zyman2008!
Thanks for the reply!
It looks like you explained how to make network connectivity from A to C (via B) and vice versa? It is good to know, but currently I set up the A-B and B-C tunnels via the wizard and I do not see any policy route in the ATP settings. But it works; pings go through. How can that be? That is the first question.
And the second one is: if I decide to make B the hub and A and C the spokes, can I use the VPN concentrator menu (Configuration→VPN→IPSec→Concentrator) to set up hub-and-spoke networking?
Hi @bav,
The answer to the first question can be found in the Packet Flow Explorer.
Go to MAINTENANCE > Packet Flow Explorer. It shows the routing priority of the Zyxel firewall.
Once you set up the local/remote policy in the wizard, the route rule is put into the S2S VPN route table.
The second answer: yes.
You can set up the VPN concentrator on hub Site B and add policy routes on Sites A & C.
But that's not what I prefer if the IP address space is well planned within an aggregated network.
The VPN concentrator rule is not visible in the Packet Flow Explorer, which is inconvenient for route troubleshooting.
Thanks!
The networks I used here are just an example. The actual topology is HQ and 3 branches.
So I am going to set up hub and spoke, where HQ is the hub and all traffic goes via HQ.
Is there any guide about Concentrator (hub-and-spoke) configuration? Currently, I see this screen from the HQ ATP500. There are already 3 tunnels to the branches. So, if I create a VPN concentrator, will it give me ready-to-use routing between all branches via HQ, or do I need to add some (static) routes?