Source NAT through vpn tunnels
All Replies
Yes, I made a summary of the working setup.
After creating the tunnel A2B2, I could remove the policy route on the A firewall; LAN C was already included in the VPN policy.
But I still wonder if there are simpler ways.
I don't understand why the AB tunnel refuses traffic not belonging to its local-remote policies. This restriction would be triggered by the parameter "policy enforcement", but that parameter is set to "no".
Hi @valerio_vanni ,
I just tested on my sites to simulate the case.
I found that different settings of the policy route on site B, for the return traffic from C via B to A, will impact the routing result.
(1) Incoming: interface vti (B-C), src.: SUBNET-C, dst.: SUBNET-A, next-hop: Tunnel A-B.
It does not work. (route traces show the outgoing interface is wan)
(2) Incoming: any, src.: SUBNET-C, dst.: SUBNET-A, next-hop: Tunnel A-B.
It works. (route traces show the outgoing interface is doll)
Not sure why the different incoming interface of the policy route impacts the route.
Where you set "incoming - any", you could set tunnel BC (phase 2 bound to VTI); in my setup that is the source that leads to doll instead of WAN1.
There's something not symmetric: in my working setup, traffic goes out to the VTI object and comes back from the tunnel object (the trace reports "vpn id").
Notice that in my setup there's no explicit rule in that direction; it's only the return traffic of the policy "source: tunnel AB - A LAN - dest tunnel BC - C LAN - SNAT to fakeb".
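To make the two policy-route variants in the thread concrete, here is an added example (not Zyxel's code and not from any poster) that models a first-match policy-route table and shows why an "incoming interface" criterion can silently push return traffic onto the WAN. It assumes that the return packet from C is classified on the tunnel object (`tunnel_bc`) rather than on the VTI (`vti_bc`), as the "vpn id" trace in the last reply suggests; the object names `vti_bc`, `tunnel_bc`, `tunnel_ab`, `wan1` and the subnets are constructed placeholders, not values from the page.

```python
"""Toy policy-route evaluator (added example, not Zyxel's implementation).

Demonstrates how a policy route's "incoming interface" criterion interacts
with the interface/object on which the firewall classifies a return packet.
All interface names and subnets below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    ingress: str  # interface/object the firewall says the packet arrived on
    src: str
    dst: str


@dataclass(frozen=True)
class PolicyRoute:
    name: str
    incoming: str  # "any" or a specific interface/object name
    src_net: str
    dst_net: str
    next_hop: str

    def failed_criteria(self, pkt: Packet) -> list:
        """Return the list of criteria this route does NOT satisfy for pkt."""
        failed = []
        if self.incoming != "any" and self.incoming != pkt.ingress:
            failed.append(f"incoming={self.incoming} (packet ingress={pkt.ingress})")
        if ip_address(pkt.src) not in ip_network(self.src_net):
            failed.append(f"src not in {self.src_net}")
        if ip_address(pkt.dst) not in ip_network(self.dst_net):
            failed.append(f"dst not in {self.dst_net}")
        return failed


def select_egress(routes: list, pkt: Packet, default: str = "wan1") -> str:
    """First matching policy route wins; with no match, fall back to the
    main routing table, modelled here as the default WAN interface."""
    for route in routes:
        if not route.failed_criteria(pkt):
            return route.next_hop
    return default


def explain(routes: list, pkt: Packet) -> dict:
    """Troubleshooting view: which criterion rejected each non-matching route."""
    return {r.name: r.failed_criteria(pkt) for r in routes}


# Constructed subnets standing in for SUBNET-C and SUBNET-A in the thread.
SUBNET_C = "10.3.0.0/24"
SUBNET_A = "10.1.0.0/24"

# Variant (1) from the thread: incoming interface pinned to the B-C VTI.
ROUTES_V1 = [PolicyRoute("return-C-to-A", "vti_bc", SUBNET_C, SUBNET_A, "tunnel_ab")]
# Variant (2): incoming "any".
ROUTES_V2 = [PolicyRoute("return-C-to-A", "any", SUBNET_C, SUBNET_A, "tunnel_ab")]

# Assumption: the return packet is classified on the tunnel object, not the VTI.
RETURN_PKT = Packet(ingress="tunnel_bc", src="10.3.0.10", dst="10.1.0.20")


if __name__ == "__main__":
    for label, routes in (("variant 1", ROUTES_V1), ("variant 2", ROUTES_V2)):
        print(label, "->", select_egress(routes, RETURN_PKT), explain(routes, RETURN_PKT))
```

Under this model variant 1 falls through to `wan1` because the only route is rejected on its incoming-interface criterion, while variant 2 matches and forwards via `tunnel_ab`, which is the behaviour the second reply observed. When a policy route "does not work", the practical check is therefore to compare the ingress object shown in the packet trace against the route's incoming-interface setting before touching the source/destination criteria.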