Need help setting up forwarding in two different VPN areas. Scenario: three offices A, B and C in three different locations.
A and B have a leased line connection by a VPN supplied by the ISP (I have no control over the router). All routing from B to A is through a router X (IP: 192.168.1.155).
B and C have a VPN set up by myself using ZyWALL USG50 and USG20. In the USG50 office, how can I set up the routing or forwarding so that I can access a server in A from C through all three routers?
I need to do that as the connection between A and C is very, very slow (so even setting up my own VPN is meaningless), while B to C is good and A to B is very good, which is the reason why I want to access the server in A from C through B.
You are not providing enough information to be sure, but it is unlikely that you can achieve what you want without also adding a static route on router X, over which you say you have no control.
I'm also not understanding the connectivity between the sites A,B and C. If you say the VPN connection between A and B is very good then that implies that both site A and site B have very good Internet connections. Furthermore you describe the VPN communication between B and C as good which means that even site C has a good Internet connection.
It seems that there has to be something wrong with the A-C VPN tunnel if it is slow when site A has a very good and site C a good Internet connection?
For a 3 site (A,B,C) VPN with only two tunnels (A-B and B-C) the typical setup is:
- router A has static routes for B, C through tunnel A-B
- router B has static route for A through tunnel A-B as well as static route for C through tunnel B-C
- router C has static routes for A, B through tunnel B-C
- default route in all routers is to the Internet provider.
In your case, site B has two routers, each responsible for one of the VPN tunnels (instead of one router with two tunnels); however, you do not explain the topology of the site. Is it: Internet -> ISP-owned router X -> USG -> site B computers, etc.? In this case router X would need to be configured to forward traffic for site C to the USG. There is a way to achieve what you want without reconfiguring router X, but that would require changing all the IP assignments at site C and site B (splitting the existing B network into two subnets, one used for B and one for C). It seems to me it would be easier to ask the ISP to make the configuration change to router X.
However the first step ought to be investigating why the A-C tunnel is not performing properly.
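The static-route layout listed in the reply above can be traced hop by hop to see why the return path, not the request, is what depends on the ISP's routers. This is an added example, not part of the original posts: the site A and site C subnets, the router names, and the assumption that router X and the USG50 share the site B LAN are constructed for illustration; only 192.168.1.0/24 and router X come from the thread.

```python
import ipaddress

# Site B's subnet is from the thread; the A and C subnets are constructed placeholders.
LAN = {"A": "10.0.1.0/24", "B": "192.168.1.0/24", "C": "10.0.3.0/24"}

def base_tables():
    """Static routes before any change on the ISP-controlled routers (assumed layout)."""
    return {
        # ISP router at site A: reaches B over the leased line, knows nothing about C.
        "routerA": [(LAN["A"], "local"), (LAN["B"], "routerX"), ("0.0.0.0/0", "internet")],
        # ISP router X at site B (192.168.1.155): reaches A over the leased line.
        "routerX": [(LAN["B"], "local"), (LAN["A"], "routerA"), ("0.0.0.0/0", "internet")],
        # USG50 at site B: tunnel B-C towards C, hands site A traffic to router X.
        "usgB": [(LAN["B"], "local"), (LAN["C"], "usgC"), (LAN["A"], "routerX"),
                 ("0.0.0.0/0", "internet")],
        # USG20 at site C: both A and B are reached through tunnel B-C.
        "usgC": [(LAN["C"], "local"), (LAN["A"], "usgB"), (LAN["B"], "usgB"),
                 ("0.0.0.0/0", "internet")],
    }

def with_isp_routes():
    """Same tables plus the two static routes for site C on the ISP's routers."""
    tables = base_tables()
    tables["routerA"].append((LAN["C"], "routerX"))  # A sends C traffic down the leased line
    tables["routerX"].append((LAN["C"], "usgB"))     # X forwards C traffic to the USG50
    return tables

def next_hop(routes, dst):
    """Longest-prefix match of dst against one router's static routes."""
    addr = ipaddress.ip_address(dst)
    nets = [(ipaddress.ip_network(prefix), hop) for prefix, hop in routes]
    matches = [(net, hop) for net, hop in nets if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def trace(tables, start, dst, max_hops=8):
    """Follow next hops from router `start` until the packet is delivered or leaves."""
    path = [start]
    for _ in range(max_hops):
        hop = next_hop(tables[path[-1]], dst)
        path.append(hop)
        if hop in ("local", "internet"):
            return path
    return path + ["loop"]

if __name__ == "__main__":
    server_a, client_c = "10.0.1.10", "10.0.3.20"  # constructed host addresses
    for name, tables in (("before", base_tables()), ("after", with_isp_routes())):
        print(name, "request:", " -> ".join(trace(tables, "usgC", server_a)))
        print(name, "reply:  ", " -> ".join(trace(tables, "routerA", client_c)))
```

Before the change the request from C reaches the server in A, but the reply follows router A's default route to the Internet instead of the leased line; with the two extra routes it returns through X and the USG50. NAT and firewall policy on the devices are not modelled.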
As site A is in HK, while sites B and C are within China, sites A and C can already connect over the normal Internet, but it is very, very slow and unstable. The leased line between sites A and B has guaranteed bandwidth, while if we use the normal Internet to connect out of China, everything will be very slow, which is the reason why we are trying to set up office C to access the server in A through site B.
It is unlikely that the ISP will allow me to use my USG50 or 20 to form a VPN with its current VPN between A and B. So from your comment I have two choices:
1) If I ask them to do some settings in their routers (between A and B), what should I ask them to do in the router so that I can go through the leased line even when I am in site C?
2) Splitting the existing B network into two subnets (I don't really mind doing that, as later we may need to do the same thing for sites D, E and F, and it will be much easier if we can control everything ourselves). How can I do that? If my current subnet is 192.168.1.0/255.255.255.0 in site B, what should I do in my USG50 in site B?