Routing internet traffic (only specific domains) through double sNatted IPSec VPN




Good morning,
I need to route web traffic towards a specific domain through an IKEv2 IPSec VPN between two sites with overlapping subnets.
Scenario:
Site A (natted WAN IP, can't change NATs) calls site B (natted WAN IP, CAN change NATs) and establishes an IPSec VPN, "site to site with dynamic peer scenario".
Both sites have sNatted outbound traffic and related dNat.
All traffic to sNatted subs is routed by policy routes and works well (or at least, I can ping).
Then I tried routing some FQDN addresses (mioip.it) from site A to site B through the IPSec tunnel, but I can't get it to work.
Here are some screens of the routing policies I'm using:
Any advice?
All Replies
-
So the idea is to route mioip.it out the internet of site B. OK, not as simple as it looks, as many sites have other addresses and CDNs to load as part of mioip.it, so if you don't include the other FQDNs, which is best done as *.mioip.it (which includes subdomains), the site may not load.
Also, you need site B not to have destination mioip.it, and set to any.
By doing *.mioip.it you need the PC to do ipconfig /flushdns so that the PC re-looks up the DNS for the USG to see it.
Try something simple first to get it working, like
FQDN
*.dyndns.com
and go to
Also, you must use in-the-clear DNS, no DNS over HTTPS.
0 -
Also, on site B you need a routing rule to forward the return traffic to the VPN tunnel:
incoming any
destination address of outgoing traffic from tunnel
next hop VPN tunnel
0 -
Thank you for your reply,
I'm trying this tomorrow and I'll let you know.
0
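A simplified model of the behaviour the first reply describes, added here as an illustration and not Zyxel's implementation or code from the thread: the gateway can only map a wildcard FQDN object to IP addresses from cleartext DNS answers it sees, so a lookup served from the PC's cache or sent over DoH leaves the destination on the default route. The class name, the next-hop labels and the sample packet (with a documentation-range IP) are constructed assumptions.

```python
import struct
from fnmatch import fnmatchcase

# Constructed sample: cleartext DNS response for www.mioip.it -> 203.0.113.10
SAMPLE = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"   # header: 1 question, 1 answer
          b"\x03www\x05mioip\x02it\x00\x00\x01\x00\x01"          # question: www.mioip.it A IN
          b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04"   # answer: name pointer, A, TTL 60
          b"\xcb\x00\x71\x0a")                                   # RDATA 203.0.113.10

def read_name(msg, off):
    """Decode the DNS name at off, following compression pointers."""
    labels, resume = [], None
    for _ in range(len(msg)):                 # bounded loop: defeats pointer cycles
        n = msg[off]
        if n & 0xC0 == 0xC0:                  # 2-byte compression pointer
            resume = resume or off + 2        # where parsing continues afterwards
            off = ((n & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if n == 0:                            # root label ends the name
            return ".".join(labels).lower(), resume or off
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    raise ValueError("malformed DNS name")

def a_records(msg):
    """Return [(owner name, IPv4)] for each A record in the answer section."""
    _id, _flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off, out = 12, []
    for _ in range(qd):                       # skip the question section
        off = read_name(msg, off)[1] + 4      # name + QTYPE + QCLASS
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:         # A record
            out.append((name, ".".join(str(b) for b in msg[off:off + 4])))
        off += rdlen
    return out

class FqdnPolicyRoute:
    """Hypothetical model of a policy route keyed on a wildcard FQDN object."""
    def __init__(self, pattern, next_hop):
        self.pattern, self.next_hop, self.learned = pattern.lower(), next_hop, set()
    def snoop(self, dns_response):            # gateway sees a cleartext DNS answer
        self.learned |= {ip for name, ip in a_records(dns_response)
                         if fnmatchcase(name, self.pattern)}
    def next_hop_for(self, dst_ip):           # IPs never learned fall through
        return self.next_hop if dst_ip in self.learned else "default-wan"
```

Until `snoop()` has seen an answer for a matching name, `next_hop_for()` returns the default WAN, which is the symptom the flush-the-cache and no-DoH advice addresses.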