Overlap IP for VPN solution.

kiattikornkiattikorn Member, SecuReporterBeta Posts: 10  Freshman Member
edited November 2, 2017 6:50PM in Ideas
Dear Nebula Team,

VPN Solution.
HQ > USG
LAN IP: 192.168.0.0/24

BR1 > NSG
LAN IP: 192.168.1.0/24

BR2 > NSG
LAN IP: 192.168.2.0/24
:
:
BRn > NSG
LAN IP: 192.168.n.0/24

When we design VPN solution with hub and spoke by using HQ to distribute traffic to each branch.
for example BR1 can communicate with BR2  by using same VPN tunnel that connected to HQ.
In USG we can make overlap subnet (192.168.0.0/16) for routing all traffic in this subnet to HQ first, then passthrough BR2.
For NSG configuration I can't add private subnet overlap with local IP.



Please help to improve this.
Thank you.

Comments

  • Nebula_IreneNebula_Irene Zyxel Official Agent Posts: 140  mod
    edited November 3, 2017 2:18PM
    Hi @kiattikorn

    I am glad to see you here!

    If you want to set the same Private subnet in each non-Nebula VPN peer, you should select "This Site" in Availability dropdown list, or it has routing problem on site. ;)
    Please remember your Private subnet cannot be duplicated NSG LAN IP in this site.

    There is a link for you to understand the difference between All Network and This Site for Availability configuration on NCC.
    https://businessforum.zyxel.com/discussion/715/what-is-the-difference-between-all-network-and-this-site-for-availability-configuration/p1?new=1



  • kiattikornkiattikorn Member, SecuReporterBeta Posts: 10  Freshman Member
    Hi Irene,

    Thank you for your information but it's different solution that I mention before.

    Here is VPN solution that we design.
    Requirement is Client A from site A need to communicate with other branch such as branch B and n by using same tunnel that we connected to Non-Nebula device.
    We can't create tunnel between branch to branch because all of NSG are behind NAT.
    The question is how can we configure NSG to support this solution.

  • Nebula_IreneNebula_Irene Zyxel Official Agent Posts: 140  mod
    Hi @kiattikorn

    At this moment, when all NSGs under one organization, and you enable Site-to-Site VPN, all branches (Site A/B/C..) can communicate with each other through Nebula-to-Nebula tunnel (traffic will go through orange line).
    Then according to your scenario, I consider your scenario is communication between branches should be through HQ (red line in your reply), not direct path, but overlapping subnet IP cannot be configured on NCC due to routing problem, and we will have the enhancement for the flexibility of VPN function in future. :)






Sign In to comment.