Vpn site to site

GST
GST Posts: 6
edited April 2021 in Security

Hi, we have to establish a site-to-site VPN with a client we worked for.

In the VPN setup we are the client, the branch office.

He gave us:

his VPN gateway 62.97.xx.zz (for privacy I have not published it)

We have a preshared key and algorithms for v1 and v2.

Now the problem:

we have to show ourselves as 10.201.104.30

and we have to reach the remote addresses

10.100.9.0/24

10.100.10.0/24

10.211.12.0/24

10.210.21.0/24

10.209.21.0/24

10.209.24.0/24

In our old USG20 (first version) we built one VPN for each remote address (we have to use fewer VPNs, only the first and third one).

1) we created the VPN gateway

2) on each VPN we have

2.1) remote policy with IP 10.201.104.30

2.2) local policy with one of the subnets, 10.100.10.0/24


Then we create a routing policy to route all traffic from a LAN to a specific subnet using a specific VPN as the next hop.

_________________________________________________

Now we have a brand new USG60; the question is:

Is the correct approach to build several VPNs, or can I build only one and then do something to set the local policy and routing correctly?

All Replies

  • Zyxel_Jerry
    Zyxel_Jerry Posts: 1,026  Zyxel Employee

    Hi @GST

    Welcome to Zyxel community

    Yes, if the policy route is set up correctly and the routing is correct, it is fine to build one tunnel to access different subnets.

    Regarding the topology you deployed, our suggestion is that you implement VTI to achieve this.

    VTI (VPN Tunnel Interface) is used to configure IPsec-based VPNs between site-to-site devices, and it is similar to other physical interfaces, so that policy routes, static routes and trunks can be applied when the tunnel is activated.

    Here is the FAQ on how to set up an IPsec site-to-site VPN using VTI on the USG.

    https://kb.zyxel.com/KB/searchArticle!gwsViewDetail.action?articleOid=015634&lang=EN

  • GST
    GST Posts: 6

    I have tested the setting,

    In My config

    1) I have created a new VPN IPsec connection. I have set it as a VPN Tunnel Interface and selected the correct VPN gateway.

    2) I have tried to create a VTI but it returns an error:

    2.1) name vti1

    2.2) the IP ......

    we have to show ourselves as 10.201.104.30 (remote policy)

    and we have to reach the remote addresses (local policy)

    10.100.9.0/24

    10.100.10.0/24

    10.211.12.0/24

    10.210.21.0/24

    10.209.21.0/24

    10.209.24.0/24

    How to translate this to VTI??

    3) In the previous config I had to set NAT

    where there is SNAT:

    3.1) OUT NAT

    source: lan1 subnet

    dest: 10.100.9.0/24 (local policy)

    SNAT: 10.201.104.30 (remote policy)

    3.2) IN NAT

    source: 10.100.9.0/24 (local policy)

    dest: 10.201.104.30 (remote policy)

    SNAT: lan1 subnet

  • Zyxel_Jerry
    Zyxel_Jerry Posts: 1,026  Zyxel Employee

    Hi @GST

    You can add your IP addresses into a group.

    And set a policy route to make these IP addresses go into the VTI tunnel.

    Here are the steps to add IP addresses into the group:

    Go to Configuration > Object > Address/Geo IP > Address Group > click Add

    Then you can set up the policy route for these subnets.


  • GST
    GST Posts: 6
    mmm....
    I ended up doing this:

    0) Create/keep the old VPN gateway

    1) I have created a new VPN IPsec connection. I have set it as a VPN Tunnel Interface and selected the correct VPN gateway.

    2) I set the VTI as follows:
    zone IPSEC_VPN

    vpnrule: the VPN at point 1
    ip address 10.201.104.30 (remote policy)

    netmask 255.0.0.0
    this choice is like rolling a die without knowing what the purpose of this setting is, or any help

    then I go in routing policy route.

    actually I have N policies but it is possible to zip them into one with the last suggestion
    source LAN1_subnet
    destination one of the local policy subnets, 10.100.9.0/24
    next hop interface VTI
    SNAT 10.201.104.30 (remote policy)

    to my surprise this works in both directions, so I do not have to create the returning rule.
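A small model of the policy-route and SNAT setup described in this thread, added here as an example and not Zyxel code or the poster's configuration. It assumes a constructed lan1 subnet of 192.168.1.0/24, the thread's 10.201.104.30 NAT address and remote subnets, and checks what the guessed 255.0.0.0 netmask on the VTI does to the routing picture.

```python
import ipaddress

# Constructed lan1 subnet (the thread never states it)
LAN1_SUBNET = ipaddress.ip_network("192.168.1.0/24")
# Address the branch must present itself as (the thread's "remote policy" IP)
NAT_ADDRESS = "10.201.104.30"
# Subnets reachable on the far side of the tunnel, from the thread
REMOTE_SUBNETS = [ipaddress.ip_network(n) for n in (
    "10.100.9.0/24", "10.100.10.0/24", "10.211.12.0/24",
    "10.210.21.0/24", "10.209.21.0/24", "10.209.24.0/24")]


def policy_routes(lan, remotes, nat_ip, next_hop="vti1"):
    """One policy route per remote subnet: source LAN, destination remote,
    next hop the VTI, source NAT to the agreed address (as the poster built it)."""
    return [{"source": lan, "destination": r, "next_hop": next_hop, "snat": nat_ip}
            for r in remotes]


def route_packet(routes, src, dst):
    """First-match policy-route lookup: returns (next_hop, translated_source)
    or None when no route matches, i.e. the packet would not enter the tunnel."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in routes:
        if src in r["source"] and dst in r["destination"]:
            return r["next_hop"], r["snat"]
    return None


def vti_mask_overlaps(vti_cidr, lan, remotes):
    """Subnets that fall inside the VTI's connected network.
    With the poster's 255.0.0.0 mask the interface claims all of 10.0.0.0/8, so every
    remote subnet (and any 10.x LAN) also looks directly connected on the tunnel;
    a /32 (host mask) keeps the VTI from shadowing other routes."""
    vti = ipaddress.ip_interface(vti_cidr)
    return [str(n) for n in [lan] + remotes if n.subnet_of(vti.network)]


if __name__ == "__main__":
    routes = policy_routes(LAN1_SUBNET, REMOTE_SUBNETS, NAT_ADDRESS)
    print(route_packet(routes, "192.168.1.10", "10.100.9.5"))
    print(vti_mask_overlaps("10.201.104.30/255.0.0.0", LAN1_SUBNET, REMOTE_SUBNETS))
    print(vti_mask_overlaps("10.201.104.30/32", LAN1_SUBNET, REMOTE_SUBNETS))
```

Comparing the two `vti_mask_overlaps` results shows why the netmask choice matters: the /8 makes all six remote subnets connected routes on the VTI, while a host mask leaves reachability entirely to the explicit policy routes.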


  • Zyxel_Jerry
    Zyxel_Jerry Posts: 1,026  Zyxel Employee
    Hi @GST

    Thanks for sharing your tips; this may help other users if they have the same problem.
