VPN routing between three sites with new H series and legacy Flex and third party firewall
Hi!
Scenario: we have a site-to-site tunnel between site 1 (USG Flex 200) and a 3rd party site. Now we would like to have a VPN connection from the new site 2 (USG Flex 50H) to the 3rd party site via site 1. With two USG FLEX firewalls this routing is possible with policy routes. I have tried a similar setup, so that between site 1 and site 2 there is a VTI and traffic is okay between sites 1 and 2, but I cannot get it to work from site 2 to the 3rd party site via site 1. Is it possible to get routing to work between three sites if sites 1 and 2 have a route-based VPN and site 1 and the 3rd party have a policy-based VPN? At least for now, I am not able to change the site 1 - 3rd party site VPN to route-based.
Best Regards
All Replies
I take it all three sites have different LAN subnets? Such that we can say:

site 1: subnet 1
site 2: subnet 2
3rd party site: subnet 3

So with the VTI on site 2, a routing rule at the top of the list with:

incoming: LAN subnet 2
destination address: subnet 3
next hop: VTI
SNAT: none

Then on site 1, a routing rule at the top of the list with:

incoming: VTI
source address: subnet 2
destination address: subnet 3
next hop: VPN tunnel to site 3

With Policy Control rules to allow the above, this gets you from subnet 2 to subnet 3. Then the problem is that the 3rd party site needs to route the destination subnet 2 down the VPN tunnel.

When that's done, you then might need a static route on site 1 with:

destination: subnet 2
interface: VTI
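To make the routing logic of the reply above concrete, here is a small model of the three devices and a packet trace through them. This is an added example, not code from the original post or from Zyxel; it does not talk to any firewall. The subnets (10.1.0.0/24, 10.2.0.0/24, 10.3.0.0/24), the interface names (vti, vpn_3rd, vpn_site1) and the build() switches are constructed for the illustration. It also models the traffic selectors of the policy-based site 1 / 3rd party tunnel, which the reply does not mention explicitly: on a policy-based VPN a packet is only sent into the tunnel if some local/remote selector pair covers it, so the 3rd party side must have agreed to subnet 2 <-> subnet 3 as well as subnet 1 <-> subnet 3 (an assumption about that third-party device, since the post does not describe it).

```python
"""Three-site routing model (added example; subnets and interface names are constructed)."""
import ipaddress
from dataclasses import dataclass, field

Net = ipaddress.IPv4Network
SUBNET1 = Net("10.1.0.0/24")   # site 1 LAN (constructed)
SUBNET2 = Net("10.2.0.0/24")   # site 2 LAN (constructed)
SUBNET3 = Net("10.3.0.0/24")   # 3rd party LAN (constructed)
ANY = Net("0.0.0.0/0")


@dataclass
class Device:
    name: str
    lan: Net
    # policy routes: (incoming iface, src net, dst net, next hop); first match wins
    policy: list = field(default_factory=list)
    # static routes: (dst net, next hop); longest prefix wins
    static: list = field(default_factory=list)
    # policy-based tunnels: next hop -> [(local net, remote net)] traffic selectors
    selectors: dict = field(default_factory=dict)

    def next_hop(self, incoming, src, dst):
        """Policy routes are consulted before the routing table, as on the USG."""
        for iface, s, d, hop in self.policy:
            if iface == incoming and src in s and dst in d:
                return hop
        best = None
        for d, hop in self.static:
            if dst in d and (best is None or d.prefixlen > best[0].prefixlen):
                best = (d, hop)
        return best[1] if best else None


def build(site1_static_subnet2=True, third_routes_subnet2=True, selector_subnet2=True):
    """Build the three devices. No default route is modelled on purpose: a missing
    route shows up as a drop here, whereas on a real firewall it would follow the
    default route to the WAN instead (unencrypted), which is the usual symptom."""
    site2 = Device("site2", SUBNET2,
                   policy=[("lan", ANY, SUBNET3, "vti")],            # reply's site 2 rule
                   static=[(SUBNET2, "lan"), (SUBNET1, "vti")])
    site1 = Device("site1", SUBNET1,
                   policy=[("vti", SUBNET2, SUBNET3, "vpn_3rd")],    # reply's site 1 rule
                   static=[(SUBNET1, "lan"), (SUBNET3, "vpn_3rd")]
                   + ([(SUBNET2, "vti")] if site1_static_subnet2 else []),  # reply's static route
                   selectors={"vpn_3rd": [(SUBNET1, SUBNET3)]
                              + ([(SUBNET2, SUBNET3)] if selector_subnet2 else [])})
    third = Device("third", SUBNET3,
                   static=[(SUBNET3, "lan"), (SUBNET1, "vpn_site1")]
                   + ([(SUBNET2, "vpn_site1")] if third_routes_subnet2 else []),
                   selectors={"vpn_site1": [(SUBNET3, SUBNET1), (SUBNET3, SUBNET2)]})
    # (device, egress iface) -> (peer device, peer's ingress iface)
    links = {("site2", "vti"): ("site1", "vti"), ("site1", "vti"): ("site2", "vti"),
             ("site1", "vpn_3rd"): ("third", "vpn_site1"),
             ("third", "vpn_site1"): ("site1", "vpn_3rd")}
    return {d.name: d for d in (site2, site1, third)}, links


def trace(devices, links, src, dst):
    """Walk one packet from the device owning src; return (path, verdict)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    dev = next(d for d in devices.values() if src in d.lan)
    incoming, path = "lan", [dev.name]
    for _ in range(8):
        hop = dev.next_hop(incoming, src, dst)
        if hop is None:
            return path, f"dropped at {dev.name}: no route to {dst}"
        if hop == "lan":
            if dst in dev.lan:
                return path, "delivered"
            return path, f"dropped at {dev.name}: {dst} not on LAN"
        sel = dev.selectors.get(hop)
        if sel is not None and not any(src in l and dst in r for l, r in sel):
            return path, f"dropped at {dev.name}: no traffic selector on {hop} covers {src}->{dst}"
        peer, incoming = links[(dev.name, hop)]
        dev = devices[peer]
        path.append(dev.name)
    return path, "dropped: forwarding loop"


if __name__ == "__main__":
    devs, links = build()
    print(trace(devs, links, "10.2.0.10", "10.3.0.10"))   # forward path
    print(trace(devs, links, "10.3.0.10", "10.2.0.10"))   # return path
    devs, links = build(third_routes_subnet2=False)        # 3rd party lacks route to subnet 2
    print(trace(devs, links, "10.3.0.10", "10.2.0.10"))
```

The two rules from the reply carry the forward direction on their own; the return direction depends on the 3rd party routing subnet 2 into the tunnel and on site 1 knowing subnet 2 is behind the VTI, which is exactly the static route the reply says might be needed. Toggling the build() switches shows where each missing piece fails.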