Source NAT through VPN tunnels
Yes, I made a summary of the working setup.
After creating tunnel A2B2, I could remove the policy route on firewall A; LAN C was already included in the VPN policy.
But I still wonder whether there are simpler ways.
I don't understand why the AB tunnel refuses traffic not belonging to its local/remote policies. This restriction would be triggered by the "policy enforcement" parameter, but that parameter is set to "no".
0 -
Hi @valerio_vanni ,
I just tested on my sites to simulate the case.
I found that different settings of the policy route on site B, for the return traffic from C via B to A, affect the routing result.
(1) Incoming: interface vti(B-C), src.: SUBNET-C, dst.: SUBNET-A, next-hop: Tunnel A-B.
It does not work (route traces show the outgoing interface is wan).
(2) Incoming: any, src.: SUBNET-C, dst.: SUBNET-A, next-hop: Tunnel A-B.
It works (route traces show the outgoing interface is doll).
Not sure why the incoming interface of the policy route makes a difference to the route.
0 -
Where you set "incoming - any", you could set tunnel BC (phase 2 bound to the VTI); in my setup that is the source that leads to doll instead of WAN1.
There's something not symmetric: in my working setup, traffic goes out to the VTI object and comes back from the tunnel object (the trace reports "vpn id").
Notice that in my setup there's no explicit rule in that direction; it's only the return traffic of the policy "source: tunnel AB - A LAN - dest tunnel BC - C LAN - SNAT to fakeb".
0 -
So have you changed B to C from policy-based to route-based VTI?
0 -
Yes, that was the first step.
If, in a policy route, you select a tunnel as destination, you cannot have SNAT-TO.
It was a change only on the B side (C is not managed). But when you change the VPN from S2S to tunnel, local and remote policy disappear from the interface and are set to ANY/ANY.
zyman2008's suggestion was to change, with the CLI, the local and remote policy back to the original values, so the BC tunnel came back as before.
And then I had a VTI interface to set as next hop, with SNAT to FakeB.
At that point traffic, routed by the rule on firewall B, could go to C with correct SNAT.
But it came back only to B and not to A.
With an explicit rule, it went: to WAN1 with source VTI, to doll with source BC tunnel (zyman2008's recent test confirms this).
Without an explicit rule (so as return traffic of the rule on B), it went to doll.
But "doll" [1] to my eyes meant "well" [2]: traffic didn't go anywhere. It was not sent into any tunnel.
The AB tunnel refused traffic with source C, because it was outside its local/remote policy. Just as if I had set "policy enforcement", which I had not set.
And I add that this was only a guess; no event in the logs suggested it.
The second step was to create another tunnel, A2B2, with local policy LAN A and remote policy LAN C.
[1] I'm curious what "doll" means in Zyxel terminology. The toy? Or is it an acronym?
[2] (etymology 2)
0 -
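The diagnosis in the post above (the AB tunnel drops the return traffic because its source, LAN C, is outside the tunnel's local/remote selectors, and a second phase 2 with selectors LAN C / LAN A fixes it) can be checked against a small model of hub B. The following is an added example written for this page; it is not Zyxel code and not the poster's configuration. It assumes the ordinary policy-based IPsec rule that a packet is only sent into a tunnel when its source falls in the local selector and its destination in the remote selector, with the first matching phase 2 winning. The subnets, host addresses and the FakeB SNAT address are constructed for the example.

```python
"""Model of the A -> B -> C hub-and-spoke path with SNAT at hub B.

Added example, not from the thread. It shows why the forward traffic needs
SNAT to an address inside LAN B, why the reply then has no tunnel to go into
on a policy-based AB tunnel, and why a second phase 2 (A2B2) with selectors
LAN C <-> LAN A lets the reply through.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed addressing for the three sites (assumption, not from the thread).
LAN_A = IPv4Network("10.1.0.0/24")
LAN_B = IPv4Network("10.2.0.0/24")
LAN_C = IPv4Network("10.3.0.0/24")
FAKE_B = IPv4Address("10.2.0.250")  # assumed SNAT address, chosen inside LAN B


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address


@dataclass(frozen=True)
class Tunnel:
    """A policy-based phase 2 as seen from hub B: local and remote selectors."""
    name: str
    local: IPv4Network
    remote: IPv4Network

    def accepts_outbound(self, pkt: Packet) -> bool:
        # Assumed rule: outbound into a policy-based tunnel needs src in the
        # local selector AND dst in the remote selector.
        return pkt.src in self.local and pkt.dst in self.remote


class HubB:
    def __init__(self, tunnels: Iterable[Tunnel]) -> None:
        self.tunnels: List[Tunnel] = list(tunnels)
        # Minimal connection table for the SNAT:
        # (translated src, far-end dst) -> original src
        self.nat: Dict[Tuple[IPv4Address, IPv4Address], IPv4Address] = {}

    def select_tunnel(self, pkt: Packet) -> Optional[str]:
        """First phase 2 whose selectors accept the packet, else None."""
        for t in self.tunnels:
            if t.accepts_outbound(pkt):
                return t.name
        return None  # no selector matches: the packet enters no tunnel

    def forward_a_to_c(self, pkt: Packet, snat_to: Optional[IPv4Address] = None) -> Optional[str]:
        """A-side request arriving at B, optionally SNATed before tunnel selection."""
        if snat_to is not None:
            self.nat[(snat_to, pkt.dst)] = pkt.src
            pkt = Packet(snat_to, pkt.dst)
        return self.select_tunnel(pkt)

    def return_c_to_a(self, pkt: Packet) -> Optional[str]:
        """C-side reply arriving at B: undo the SNAT, then pick a tunnel."""
        orig_src = self.nat.get((pkt.dst, pkt.src))
        if orig_src is not None:
            pkt = Packet(pkt.src, orig_src)  # dst FakeB -> the real host in LAN A
        return self.select_tunnel(pkt)


# Phase 2 selectors from hub B's point of view.
AB = Tunnel("AB", local=LAN_B, remote=LAN_A)
BC = Tunnel("BC", local=LAN_B, remote=LAN_C)
A2B2 = Tunnel("A2B2", local=LAN_C, remote=LAN_A)  # the second tunnel from the thread


def run_scenario(with_second_tunnel: bool) -> Dict[str, Optional[str]]:
    """Return which tunnel (if any) carries each leg of an A -> C exchange."""
    hub = HubB([AB, BC] + ([A2B2] if with_second_tunnel else []))
    request = Packet(IPv4Address("10.1.0.10"), IPv4Address("10.3.0.10"))
    without_snat = hub.select_tunnel(request)           # src LAN A is outside BC's local selector
    with_snat = hub.forward_a_to_c(request, snat_to=FAKE_B)
    reply = Packet(IPv4Address("10.3.0.10"), FAKE_B)    # C answers the SNATed address
    ret = hub.return_c_to_a(reply)
    return {
        "forward_without_snat": without_snat,
        "forward_with_snat": with_snat,
        "return": ret,
    }


if __name__ == "__main__":
    for fix in (False, True):
        label = "AB + BC + A2B2" if fix else "AB + BC only"
        print(label, run_scenario(fix))
```

Running it shows the two halves of the thread's problem: without the SNAT the request matches no tunnel at B at all; with the SNAT it enters BC, but the un-NATed reply (source LAN C, destination LAN A) matches neither AB nor BC and goes nowhere until A2B2 is present. The model says nothing about how a given firewall labels that dropped path, so the "doll" versus "wan" trace output in the thread is outside it.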