Remote VPN IPsec: access LAN behind site-to-site firewall
I have a remote IKEv2 IPsec dynamic access to Firewall 1 and want to access the LAN behind Firewall 2, which is set up for site-to-site between Firewall 1 and Firewall 2.
How should I set up routing and security policy to get it to work?
Firewall 1: USG Flex 100, LAN1 IP 192.168.101.1
Firewall 2: USG Flex 200, LAN1 IP 192.168.100.1
Tony
All Replies
It might help to get a layout; you can use my site to draw out the network you have.
Network Testing Tools | Port Scanner, VPN Tests & DNS Lookup
But from what I can tell you have a site-to-site between Firewall 1 and Firewall 2 with the given local and remote policy, so you will need:
On Firewall 1:
- Incoming: Tunnel, the remote IKEv2 tunnel
- Destination address: 192.168.100.0/24
- Next hop: VPN Tunnel, the tunnel to Firewall 2
On Firewall 2:
- Incoming: LAN of 192.168.100.0/24
- Destination address: the remote IKEv2 IP pool
- Next hop: VPN Tunnel, the tunnel to Firewall 1
Then a security policy to allow the traffic.
Hi @ITB_Tony,
To allow your remote IKEv2 VPN clients on Firewall 1 to access the LAN behind Firewall 2, you can treat Firewall 1 as a hub and route the traffic from the remote VPN clients into the existing Site-to-Site VPN tunnel.
Please check the following settings:
- VPN Phase 2
  - If you are using a policy-based VPN, both firewalls need to include the Remote VPN Client IP pool in the Phase 2 settings.
  - On Firewall 1, add the VPN client IP pool to the Local Policy in addition to 192.168.101.0/24.
  - On Firewall 2, add the VPN client IP pool to the Remote Policy.
- Policy Routes
  - To define how traffic is forwarded between the two VPN tunnels, please configure:
  - On Firewall 1
    - Incoming: Remote Access VPN tunnel
    - Source: VPN Client IP Pool
    - Destination: 192.168.100.0/24
    - Next-Hop: Site-to-Site VPN tunnel (to Firewall 2)
  - On Firewall 2
    - Incoming: LAN
    - Source: 192.168.100.0/24
    - Destination: VPN Client IP Pool
    - Next-Hop: Site-to-Site VPN tunnel (to Firewall 1)
- Security Policies
  - Make sure the firewall rules allow this traffic.
  - On Firewall 1: allow traffic from IPSec_VPN (Remote VPN clients) to IPSec_VPN (Site-to-Site), with destination 192.168.100.0/24.
  - On Firewall 2: allow traffic from IPSec_VPN (VPN client pool) to LAN (192.168.100.0/24).
Zyxel Tina
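The three settings in the answer above (Phase 2 selectors, policy routes in both directions, security policies) each drop the traffic at a different point when missing. The following Python model is an added illustration, not Zyxel code or Zyxel configuration syntax: it represents two firewalls with policy-based IPsec selectors, first-match policy routes and allow rules, and traces a client packet to the LAN behind Firewall 2 and its reply back. The LAN prefixes come from the thread; the client pool 10.10.10.0/24, the interface names RA_VPN, S2S and LAN, and the full-tunnel client selector are constructed assumptions.

```python
"""Added illustration (not Zyxel code): hub-and-spoke IPsec forwarding model."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

LAN1 = ip_network("192.168.101.0/24")      # Firewall 1 LAN1 (from the thread)
LAN2 = ip_network("192.168.100.0/24")      # Firewall 2 LAN1 (from the thread)
CLIENT_POOL = ip_network("10.10.10.0/24")  # constructed remote IKEv2 client pool
ANY = ip_network("0.0.0.0/0")


@dataclass
class Tunnel:
    """Policy-based IPsec tunnel with its Phase 2 local/remote selectors."""
    name: str
    local: list
    remote: list

    def permits_out(self, src, dst):  # encrypting side: local -> remote
        return any(src in n for n in self.local) and any(dst in n for n in self.remote)

    def permits_in(self, src, dst):   # decrypting side sees the mirrored selectors
        return any(src in n for n in self.remote) and any(dst in n for n in self.local)


@dataclass
class PolicyRoute:
    incoming: str
    source: object
    destination: object
    next_hop: str


@dataclass
class Firewall:
    name: str
    tunnels: dict = field(default_factory=dict)    # interface name -> Tunnel
    connected: dict = field(default_factory=dict)  # interface name -> [networks]
    routes: list = field(default_factory=list)     # policy routes, first match wins
    policies: list = field(default_factory=list)   # (from_if, to_if, dst_net) allow rules

    def next_hop(self, incoming, src, dst):
        for r in self.routes:
            if r.incoming == incoming and src in r.source and dst in r.destination:
                return r.next_hop
        for iface, nets in self.connected.items():  # fall back to connected networks
            if any(dst in n for n in nets):
                return iface
        return None

    def allowed(self, from_if, to_if, dst):
        return any(f == from_if and t == to_if and dst in n for f, t, n in self.policies)


def trace(path, src, dst, reply=False):
    """Walk a packet through [(firewall, incoming_interface), ...].
    Returns the list of hops on success or a string naming the first drop.
    reply=True models a stateful reply matching an existing session, so the
    security policy is not consulted again."""
    src, dst = ip_address(src), ip_address(dst)
    hops = []
    for i, (fw, incoming) in enumerate(path):
        hop = fw.next_hop(incoming, src, dst)
        if hop is None:
            return f"DROP {fw.name}: no route for {dst} arriving on {incoming}"
        if not reply and not fw.allowed(incoming, hop, dst):
            return f"DROP {fw.name}: security policy {incoming}->{hop} blocks {dst}"
        hops.append(f"{fw.name}:{incoming}->{hop}")
        tun = fw.tunnels.get(hop)
        if tun is not None:
            if not tun.permits_out(src, dst):
                return f"DROP {fw.name}: Phase 2 selector on {hop} lacks {src}->{dst}"
            if i + 1 < len(path):  # the tunnel terminates on the next firewall
                nxt_fw, nxt_in = path[i + 1]
                if not nxt_fw.tunnels[nxt_in].permits_in(src, dst):
                    return f"DROP {nxt_fw.name}: Phase 2 selector on {nxt_in} lacks {src}->{dst}"
    return hops


def build(pool_in_phase2, return_route):
    """Build both firewalls; the flags toggle the two fixes from the answer."""
    extra = [CLIENT_POOL] if pool_in_phase2 else []
    fw1 = Firewall("FW1",
                   tunnels={"S2S": Tunnel("S2S", local=[LAN1] + extra, remote=[LAN2]),
                            "RA_VPN": Tunnel("RA_VPN", local=[ANY], remote=[CLIENT_POOL])},
                   connected={"LAN": [LAN1], "RA_VPN": [CLIENT_POOL]},
                   routes=[PolicyRoute("RA_VPN", CLIENT_POOL, LAN2, "S2S")],
                   policies=[("RA_VPN", "S2S", LAN2)])
    fw2 = Firewall("FW2",
                   tunnels={"S2S": Tunnel("S2S", local=[LAN2], remote=[LAN1] + extra)},
                   connected={"LAN": [LAN2]},
                   routes=[PolicyRoute("LAN", LAN2, CLIENT_POOL, "S2S")] if return_route else [],
                   policies=[("S2S", "LAN", LAN2)])
    return fw1, fw2


def check(fw1, fw2, client="10.10.10.5", server="192.168.100.20"):
    """Trace client -> server through FW1 then FW2, and the reply back."""
    forward = trace([(fw1, "RA_VPN"), (fw2, "S2S")], client, server)
    reply = trace([(fw2, "LAN"), (fw1, "S2S")], server, client, reply=True)
    return forward, reply


if __name__ == "__main__":
    for flags in [(False, True), (True, False), (True, True)]:
        print(flags, check(*build(*flags)))
```

Running it shows the two failure modes the answer warns about: without the client pool in both Phase 2 selectors the first packet is dropped on Firewall 1 before it is ever encrypted, and with the selectors fixed but no return policy route on Firewall 2 the request arrives but the reply has no path back into the site-to-site tunnel.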