Multiple site-to-site VPNs accessing the same resources

mike4682
mike4682 Posts: 4  Freshman Member
edited May 8 in Security

This is not the typical VPN access that I usually set up, and it has me a bit stumped.

I have a site-to-site VPN that was set up to access a set of devices on the network. I'll try and explain this the best I can. IPs are just examples, and there are 4 devices that need to be accessed.

VPN-1: Site A (devices VLAN 100, 10.10.100.1/29) VPN connection to site B (10.10.200.1/24). This is working and in use.

We have added a new VPN: VPN-2, site A (10.20.20.100.1/29) VPN to site C (10.20.20.200.1/24).

I also added individual NAT for the IPs from the 2nd VPN to send to the existing device VLAN IPs.

10.20.20.100.2 NAT to 10.10.100.2

10.20.20.100.3 NAT to 10.10.100.3

and so on for the 4 devices.

I can ping the 1st device but not HTTP or HTTPS, and the rest are totally unreachable.

I'm thinking it may need an SNAT, or maybe it's because the existing device IPs are on a VLAN tied to the phase 2 of VPN-1.

Any insight would be greatly appreciated. Feeling a little defeated over this one.

Thanks!

Accepted Solution

  • mike4682
    mike4682 Posts: 4  Freshman Member
    edited May 8 Answer ✓

    I have an ATP500 deployed at this site.

All Replies

  • PeterUK
    PeterUK Posts: 3,770  Guru Member

    So the devices are on VLAN 100, 10.10.100.1/29,
    with site-to-site at site A:
    Local 10.10.100.1/29
    Remote 10.10.200.1/24

    So at site C, site-to-site should be:
    Local 10.20.20.200.1/24
    Remote 10.10.100.1/29

    and a new site-to-site at A:
    Local 10.10.100.1/29
    Remote 10.20.20.200.1/24

  • Zyxel_James
    Zyxel_James Posts: 718  Zyxel Employee

    I'm not quite sure about your scenario. Do you want to access SiteA 10.10.100.1/29 from SiteC 10.20.200.1/24,
    but the local/remote policy is 10.20.100.1/29 - 10.20.200.1/24 between them?

    If so, you can achieve it by policy routing.
    SiteA 
    src: 10.10.100.1/29
    dst: 10.20.200.1/24
    Next-Hop: site-to-site VPN

    SiteB
    src: 10.20.200.1/24
    dst: 10.10.100.1/29
    Next-Hop: site-to-site VPN


    Or you can use route-based VTI VPN instead of policy-based VPN.

    Please refer to
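To make the selector problem in this thread concrete, here is an added worked example (my own code, not Zyxel's and not from any poster) that models a policy-based IPsec gateway at site A: a packet is only sent into a tunnel when its source and destination fall inside one tunnel's phase-2 local/remote pair. It assumes the thread's five-octet addresses are meant as 10.20.100.0/29 and 10.20.200.0/24 (the reading Zyxel_James uses), and the 1:1 NAT entries are constructed from the original post. It shows that a request from site C to a published NAT address enters through VPN-2, but the reply from the device's real 10.10.100.x address matches neither tunnel's selectors, while either SNATing the reply back to the published address or adding the 10.10.100.0/29 to 10.20.200.0/24 pair that PeterUK and Zyxel_James describe gives the reply a tunnel again.

```python
"""Model phase-2 selector matching on a policy-based IPsec gateway (constructed example)."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Phase2:
    """One policy-based tunnel as seen from site A: traffic between local and remote is encrypted."""
    name: str
    local: IPv4Network
    remote: IPv4Network

    def covers(self, src: str, dst: str) -> bool:
        s, d = ip_address(src), ip_address(dst)
        # Selectors are symmetric: site A -> peer and peer -> site A both match the pair.
        return (s in self.local and d in self.remote) or (s in self.remote and d in self.local)


def matching_tunnel(src: str, dst: str, tunnels: List[Phase2]) -> Optional[str]:
    """Return the first tunnel whose phase-2 selectors cover src -> dst, or None (packet not tunnelled)."""
    for t in tunnels:
        if t.covers(src, dst):
            return t.name
    return None


# Site A tunnels as described in the thread. Assumption: the five-octet addresses in the
# original post are normalised to 10.20.100.0/29 (VPN-2 local) and 10.20.200.0/24 (site C).
SITE_A_ORIGINAL: List[Phase2] = [
    Phase2("VPN-1", ip_network("10.10.100.0/29"), ip_network("10.10.200.0/24")),
    Phase2("VPN-2", ip_network("10.20.100.0/29"), ip_network("10.20.200.0/24")),
]

# The fix suggested in the replies: a second phase-2 pair on the new tunnel that names the
# devices' real VLAN 100 subnet as local and site C as remote (hypothetical policy name).
SITE_A_WITH_DEVICE_POLICY: List[Phase2] = SITE_A_ORIGINAL + [
    Phase2("VPN-2-devices", ip_network("10.10.100.0/29"), ip_network("10.20.200.0/24")),
]

# 1:1 NAT from the original post (constructed): published VPN-2 address -> real device address.
NAT_1TO1: Dict[str, str] = {
    "10.20.100.2": "10.10.100.2",
    "10.20.100.3": "10.10.100.3",
}


def round_trip(client: str, target: str, nat_map: Dict[str, str],
               tunnels: List[Phase2], snat_reply: bool) -> Tuple[Optional[str], str, Optional[str]]:
    """Simulate a site-C client talking to `target` via site A.

    Returns (tunnel the request arrives on, real destination after DNAT,
             tunnel the reply leaves on). A None in the third slot means the
             reply is not covered by any selector and never reaches the client.
    """
    inbound = matching_tunnel(client, target, tunnels)
    real_dst = nat_map.get(target, target)
    # Without SNAT the device answers from its real address; with SNAT the gateway
    # rewrites the reply source back to the published address the client used.
    reply_src = target if snat_reply else real_dst
    outbound = matching_tunnel(reply_src, client, tunnels)
    return inbound, real_dst, outbound


if __name__ == "__main__":
    print("NAT only, no SNAT:   ", round_trip("10.20.200.5", "10.20.100.2", NAT_1TO1, SITE_A_ORIGINAL, False))
    print("NAT plus SNAT reply: ", round_trip("10.20.200.5", "10.20.100.2", NAT_1TO1, SITE_A_ORIGINAL, True))
    print("Device-subnet policy:", round_trip("10.20.200.5", "10.10.100.2", {}, SITE_A_WITH_DEVICE_POLICY, False))
```

The first line of output has `None` in the reply slot: the request was decrypted by VPN-2, DNAT delivered it to 10.10.100.2, but the answer from 10.10.100.2 to 10.20.200.5 is inside neither the VPN-1 pair nor the VPN-2 pair, so the gateway routes it in the clear and it is lost. Either of the other two rows gives the reply a tunnel, which is what the thread's SNAT guess and the policy-based suggestions in the replies each achieve in their own way.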