l2tp-VPN Routing

Options
mm_bret
mm_bret Posts: 56  Ally Member
First Anniversary 10 Comments
edited April 2021 in Security

We have USG 1000 devices.

Our outside sales staff connects to our data center using l2tp vpn connections. We have also configured those connections to have internet access through the l2tp vpn while on their remote devices.

While on the l2tp vpn, our client devices use Remote Desktop to connect to the San Jose data center.


My question is:

Is it possible to route remote desktop connections only to another server located in Chicago?

I'll bet there is, but I don't know how.

Thanks for help with this.

All Replies

  • PeterUK
    PeterUK Posts: 2,709  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    I think what your looking for is a site-to-site tunnel.

    https://kb.zyxel.com/KB/searchArticle!gwsViewDetail.action?articleOid=010549&lang=EN

  • mm_bret
    mm_bret Posts: 56  Ally Member
    First Anniversary 10 Comments
    Options

    Thanks for jumping in.

    We currently have site to site tunnels from our San Jose data center to all our retail showrooms and the Chicago data center.

    But what I want to do is to still have our outside sales staff connect to the San Jose data center, but route specific RDP requests to the Chicago data center. (which we have a site to site tunnel).

    This is because we're moving our terminal server cluster to Chicago.

    Perhaps another bit of info. The lt2p vpn connections are issued 10.1.1.10 - 10.1.1.20 subnet ip numbers. But they can Remote Desktop to the trusted lan ip #'s which are 192.168.1.0/24. This is a standard feature of l2tp vpns.

    Normally, when establishing an l2tp vpn connection from a remote device (laptop etc), all internet services which were operational before the l2tp vpn connection is made are shut down. This creates a secure single connection between the two devices.

    An additional element of the l2tp configuration which is needed to allow web browsing from an l2tp connected device, are two routing table entries.

    It is possible, I could give the lt2p subnet connections a new set of issued ip address, to put them on the same chicago subnet of 172.24...

    I just figure a routing entry or firewall entry or something would route devices connected to the San Jose data center USG 1000 to the Chicago data center.

    I'll be playing with configuration ideas, but any (been there done that) ideas are most welcome.

    Best

  • Jeremylin
    Jeremylin Posts: 166  Master Member
    First Anniversary First Answer First Comment
    Options

    If l2tp client to San Jose---Ipsec VPN---- Chicago----RDP Server.

    add routing on San Jose site,

    Source: L2TP client,Destination: Server,Next Hop: VPN tunnel.

    On Chicago site,

    routing: Source: Any, Destination: L2TP client, Next Hop: VPN tunnel

Categories

Security Highlight


Read more

Security Help Center

EnglishTiếng ViệtРусскийไทย中文(台灣)