how can we create a ip sec vpn site to site with more than 1 subnet on the destination site

zyxel65376476876 Posts: 1
edited April 2021 in Security
USG20-VPN V4.32(ABAQ.0)


How can we create an IPsec site-to-site VPN with more than one subnet on the destination site?

In the remote policy a subnet is added, but I can't select an address group there; only one subnet.

I can't select the address group that I created with multiple subnets on the VPN connection page.

On SonicWall I created groups that could be selected under the VPN connection page.

Please, can someone help, or does anyone know the trick with Zyxel?



All Replies

  • Ian31
    Ian31 Posts: 167  Master Member
    There are multiple solutions:
    1. Use a policy route to forward traffic for the destination into the VPN tunnel on both sides.
    2. Use a route-based VTI VPN instead of a policy-based VPN.
    3. Create another tunnel (if using a policy-based VPN).

  • warwickt
    warwickt Posts: 111  Ally Member
    Agree with Ian in the previous post. We use (2) over VTI tunnels. Very straightforward, with the exception of Policy Control.

    1. Policy Controls
    You will need policy controls to permit access from zone IPSEC_VPN to the LAN1 and LAN2 zones with the usual filter of SOURCE and DESTINATION.

    Do the same if you need to access L2TP clients via the VTI tunnel as well.

    Enable detailed logging (to an external server) so you can test it all out. You'll find the traffic goes through; however, you'll be getting whacked on the other end as the Policy Control will thwart the connection... it's easy to see in the logging.

    2. Policy Routes
    i.e. Incoming VTI(1...n), SOURCE=(external LAN at a peer), Destination=filter_where_it_can_go, NEXT HOP... + etc., etc.

    You may need to enable SNAT where OUTGOING is a VTI tunnel... otherwise the packets get lost.

    Use packet tracing in the USG (parse with Wireshark) and also the USG logging (best to write logs from the USG appliances, routers, etc. to an external server; use syslog-ng or similar on macOS, etc.).

    HTH

    Warwick 
    Hong Kong 
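Ian's option (2) and Warwick's policy-control point, as an added example that is not from the thread or from Zyxel: a small Python model of why a policy-based tunnel with a single remote-policy subnet only ever carries traffic to one LAN, how a VTI with one static route per remote subnet carries both, and why the receiving side still needs an IPSEC_VPN-to-LAN policy rule per zone or the packets get dropped there. All addresses, zone names, interface names and rules are constructed for the illustration.

```python
import ipaddress

# Constructed sample topology (assumed, not from the thread): local LAN 10.0.0.0/24,
# remote site with two subnets, LAN1 192.168.1.0/24 and LAN2 192.168.2.0/24.
LOCAL_LAN = ipaddress.ip_network("10.0.0.0/24")
REMOTE_LAN1 = ipaddress.ip_network("192.168.1.0/24")
REMOTE_LAN2 = ipaddress.ip_network("192.168.2.0/24")


def policy_based_egress(src, dst, local_policy, remote_policy):
    """Policy-based tunnel: a packet is encrypted only if it matches the single
    local/remote traffic-selector pair of the VPN connection; anything else
    follows the default route (modelled here as plain 'wan')."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return "ipsec_tunnel" if s in local_policy and d in remote_policy else "wan"


def route_based_egress(dst, static_routes):
    """Route-based VTI: the routing table decides (longest prefix wins) and the
    VTI interface carries whatever is routed to it, so extra remote subnets
    only need one static route each, not a new tunnel."""
    d = ipaddress.ip_address(dst)
    matches = [(net, iface) for net, iface in static_routes if d in net]
    if not matches:
        return "wan"
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def zone_policy_allows(rules, from_zone, to_zone, src, dst):
    """Policy control on the receiving USG: traffic arriving via the VTI sits in
    zone IPSEC_VPN and needs an explicit allow rule towards the LAN zone with
    matching source/destination; first matching rule wins, default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if (rule["from"] == from_zone and rule["to"] == to_zone
                and s in rule["src"] and d in rule["dst"]):
            return rule["action"] == "allow"
    return False


# Both remote subnets are reached through the same VTI (assumed interface name).
VTI_ROUTES = [(REMOTE_LAN1, "vti1"), (REMOTE_LAN2, "vti1")]

# Only LAN1 got a policy-control rule; LAN2 was forgotten, which is exactly the
# "traffic goes through but gets whacked on the other end" case from the logs.
RECEIVER_RULES = [
    {"from": "IPSEC_VPN", "to": "LAN1", "src": LOCAL_LAN, "dst": REMOTE_LAN1,
     "action": "allow"},
]
```

With a second rule for LAN2 added to RECEIVER_RULES the final check flips to allow, which is the change Warwick describes for each LAN zone.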
