Routing VPN

tjcorbin (Anon, @219.89.195.x):

Hi,

(Zywall 110)

I have a config where:
LAN1 - local network via interface, 192.168.30.0/24, desktop PCs etc.
LAN2 - local network via interface, 192.168.187.0/24, servers.

LAN2 has an IPsec VPN to a remote site, Local Policy LAN2, Remote Policy 192.68.50.0/24.
The IPsec on LAN2 has no problem; it works well.

However, I want to be able to 'ping' the 192.168.50.0 network devices from 192.168.30.0 (LAN1).

I think I may need SNAT but I cannot seem to make it work, even with the firewall turned off.

Any advice would be great.

Thanks

TJ

Brano (MVM, joined 2002-06-25, Burlington, ON):
Create additional VPN policy for the other network.
tjcorbin (Member, joined 2014-12-08, New Zealand):
I have tried various 'Policy Routes', I believe I may need SNAT but cannot seem to find a 'policy' which works.

I have also tried various policy routes with the firewall disabled.

So the IPsec VPN between LAN2 and remote 192.168.53.0 is up and running. Traffic between these two is no problem. However, I want to allow traffic also between LAN1 and 192.168.53.0.

Attachments show IPsec tunnel is up with policy, and example policy route which I have tried (I have tried all sorts).

TJ

Brano (MVM):
Sorry, I meant VPN connection policy ... additional tunnel for your LAN1-to-remote side.
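Brano's suggestion in code, as an added example that is not from the thread or from Zyxel: a toy model of the security policy database (SPD) on each peer, showing why LAN1 traffic never enters a policy-based IPsec tunnel until a matching selector pair exists on both ends. The prefixes are the ones from the thread; the host addresses and policy names are constructed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Policy:
    """One phase-2 selector pair ("Local Policy"/"Remote Policy" in ZyWALL terms)."""
    name: str
    local_ts: IPv4Network
    remote_ts: IPv4Network


def select_policy(spd, src, dst):
    """Return the first policy whose selectors cover src -> dst, else None.

    Policy-based IPsec only encapsulates packets that match a selector pair;
    anything else is handed to ordinary routing and never enters the tunnel,
    which is why a policy route alone does not help LAN1."""
    s, d = ip_address(src), ip_address(dst)
    for policy in spd:
        if s in policy.local_ts and d in policy.remote_ts:
            return policy
    return None


def ping_works(local_spd, peer_spd, src, dst):
    """A ping needs the request to match here and the reply to match on the
    peer, so both ends must carry the mirror-image policy."""
    return (select_policy(local_spd, src, dst) is not None
            and select_policy(peer_spd, dst, src) is not None)


# Prefixes from the thread; individual hosts below are constructed.
LAN1 = ip_network("192.168.30.0/24")
LAN2 = ip_network("192.168.187.0/24")
REMOTE = ip_network("192.168.50.0/24")

# As configured in the question: only LAN2 is in the selector.
LOCAL_SPD = [Policy("lan2-to-remote", LAN2, REMOTE)]
PEER_SPD = [Policy("remote-to-lan2", REMOTE, LAN2)]

# Brano's fix: an additional policy for LAN1, on both peers.
LOCAL_SPD_FIXED = LOCAL_SPD + [Policy("lan1-to-remote", LAN1, REMOTE)]
PEER_SPD_FIXED = PEER_SPD + [Policy("remote-to-lan1", REMOTE, LAN1)]

if __name__ == "__main__":
    src, dst = "192.168.30.5", "192.168.50.10"   # constructed hosts
    print("original config:", ping_works(LOCAL_SPD, PEER_SPD, src, dst))
    print("policy added locally only:", ping_works(LOCAL_SPD_FIXED, PEER_SPD, src, dst))
    print("policy added on both ends:", ping_works(LOCAL_SPD_FIXED, PEER_SPD_FIXED, src, dst))
```

The middle case is the one that bites in practice: adding the LAN1 policy on the ZyWALL alone lets the request out, but the remote peer still has no selector for 192.168.30.0/24 and will not return the reply through the tunnel.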
tjcorbin (Member):
OK, I can see how that would work.

However, later I want to be able to L2TP into the Zyxel and then route through to the remote system. Would this be possible? (There are multiple remote sites.)

Thanks

TJ

Brano (MVM):
Don't believe so. ZyXel's IPsec implementation is non-routable (it's not using VTI - Virtual Tunnel Interface); as such you'll need to set up L2TP on each side and L2TP VPN into each side separately as required.
tjcorbin (Member):
OK thanks, understood.

Anav (Premium Member, joined 2001-07-16, Dartmouth, NS) to Brano:
said by Brano:

Don't believe so. ZyXel's IPsec implementation is non-routable (it's not using VTI - Virtual Tunnel Interface); as such you'll need to set up L2TP on each side and L2TP VPN into each side separately as required.

Is that desirable??
JPedroT (Premium Member, joined 2005-02-18):
said by Anav:

said by Brano:

Don't believe so. ZyXel's IPsec implementation is non-routable (it's not using VTI - Virtual Tunnel Interface); as such you'll need to set up L2TP on each side and L2TP VPN into each side separately as required.

Is that desirable??

If you have multiple sites and you want more control, then yes. But it always depends on what you want/need.

I'd prefer the routed version if I were the sysadmin vs. a ton of tunnels between multiple sites. Each site should have one tunnel for all VPN traffic, IMHO.

Anav (Premium Member):
So you're saying that a VTI interface is preferable?
What about two ISP WAN connections? I'm assuming you would then have two VPN tunnels ;-P

Brano (MVM):
Some reading
»security.stackexchange.c ··· -process

»www.cisco.com/en/US/docs ··· ctm.html
JPedroT (Premium Member) to Anav:
said by Anav:

So you're saying that a VTI interface is preferable?
What about two ISP WAN connections? I'm assuming you would then have two VPN tunnels ;-P

I am saying I would like to have it routed, but whether VTI is the way to go is another thing.

Why do you think that you need multiple VPN tunnels?

Anav (Premium Member):
Why do you question my desire to have a VPN tunnel coming in on one ISP and another on a different ISP? The unmitigated gall!
What good is a dual-WAN router if your VPN goes down due to being tied to one ISP? Perhaps you have different requirements that lend themselves to coming in on different ISPs.
JPedroT (Premium Member):
said by Anav:

What good is a dual-WAN router if your VPN goes down due to being tied to one ISP? Perhaps you have different requirements that lend themselves to coming in on different ISPs.

And the VPN tunnel cannot change WAN port automatically when one link goes down?

Anav (Premium Member):
So a smartphone user wishing to start a session will get to a non-existing WAN IP. Life is not just for those already connected LOL
JPedroT (Premium Member):
said by Anav:

So a smartphone user wishing to start a session will get to a non-existing WAN IP. Life is not just for those already connected LOL

Don't even understand that....

If you use the URI for the gateway instead of an IP and then automatically update the DNS with the active gateway IP, it should not be an issue....