valerio_vanni  Ally Member

Comments

  • Yes, I made a summary of the working setup. After creating tunnel A2B2, I could remove the policy route on the A firewall; LAN C was already included in the VPN policy. But I still wonder if there are simpler ways. I don't understand why the AB tunnel refuses traffic not belonging to its local-remote policies. This restriction would be…
  • Duplicate message, please delete.
  • I'll try to summarize the working setup, should someone need it during a search. Site A (USG Flex 50) - policy-based S2S VPN - Site B (USG Flex 200) - policy-based S2S VPN - site C (other device). Site A and site B need to reach C, SNATted to a specific IP, "FakeB". On the A site: no special config. Between A and B, two phase 2…
  • VPN policy A-B has only the A and B LAN1 subnets as local-remote policy. Just to see if it helped, I had set a policy route on B, but it didn't work. With source VTI0 - dest A-B tunnel, the last step went to WAN1; with source B-C tunnel - dest A-B tunnel it went to doll (but nothing to site A). At that point, my suspicion was that A-B…
  • Right. In the initial setup, traffic flowed from A to B but then could not go to C with SNAT. Zyman2008's suggestion made things better. Now it goes to C with SNAT and comes back to B, but then it runs away on B's WAN1 interface instead of going towards tunnel A-B.
  • I decided to try your way. 1. Create a route-based VPN Connection rule for B - C; then you get a VTI interface to C. But you need to use the CLI to modify the local/remote policy from any to the address objects B, C: crypto map VPNConnectionName local-policy any → local-policy address-objectB remote-policy any → remote-policy…
  • As I said, site C is out of my control and that VPN is "untouchable" on that side. Or would what you suggest in point 1 make the C side "happy" just by setting the local and remote policies with the CLI? The IP of the VTI would play no role, right? Does the VTI like this change from the CLI? Is it supported, or is there some risk that some firmware upgrade…
  • Some hours ago it didn't work. I had configured it without Destination NAT, a doubt came to my mind, and so I asked. Then I tried adding Destination NAT and it was still not working. I had a phone call with the manager of the other side of the tunnel, and we found there was some issue on that side. As soon as it was fixed, it began…
  • So if LAN1 is a /24 network and Fake is a /32, the result is similar to "typical" LAN internet access (which goes to the WAN, SNATted to the WAN address), right? And additional specific rules with a specific port and specific LAN1 addresses: 2 Fake subnet (/32) - specific LAN1 ip100 - protocol1 - service1 etc. 3 Fake subnet (/32) - specific…
  • Shouldn't these routes be implicit in a policy-based tunnel?
  • From the image you posted (so, from the point of view of that tunnel side): LAN1 can go into the tunnel; DMZ cannot go into the tunnel; the tunnel can go into both LAN1 and DMZ. All of your rules are "allow" rules except the last one. If something does not fit the rules, it is blocked by the default rule and the event is logged. So, you could look at the logs.…
  • Can you ping the LAN address of the remote router? Do you have some other device to ping? A PC can have a local firewall.
  • You can write a private message to him.
  • Now it works; I had missed that setting. Thank you. Instead, I had activated 2FA in the VPN tunnel properties (which, I see now, doesn't matter).
  • I agree that it is not as effective as an automatic popup. I would make a bookmark or desktop link to the authorization page. Codes have a 30-second lifetime, but inside the app you can see the time-left indicator. You could instruct users that, if they are not sure they will type the code in time, they should wait for the next…