tjcorbin
Anon
2014-Dec-8 10:11 pm
Routing VPN

Hi,
(Zywall 110)
I have a config where:
LAN1 - local network via interface, 192.168.30.0/24, desktop PCs etc.
LAN2 - local network via interface, 192.168.187.0/24, servers.
LAN2 has an IPsec VPN to a remote site: Local Policy LAN2, Remote Policy 192.68.50.0/24. IPsec on LAN2 has no problems and works well.
However, I want to be able to 'ping' the 192.168.50.0 network devices from 192.168.30.0 (LAN1).
I think I may need SNAT but I cannot seem to make it work, even with the firewall turned off.
Any advice would be great.
Thanks
TJ

Brano
MVM
2014-Dec-8 11:10 pm
Create additional VPN policy for the other network.

to tjcorbin
I have tried various 'Policy Routes'; I believe I may need SNAT but cannot seem to find a 'policy' which works. I have also tried various policy routes with the firewall disabled. So the IPsec VPN between LAN2 and remote 192.168.53.0 is up and running. Traffic between these two is no problem. However, I want to allow traffic also between LAN1 and 192.168.53.0. Attachments show the IPsec tunnel is up with its policy, and an example policy route which I have tried (I have tried all sorts).
TJ
Brano
MVM
2014-Dec-9 5:51 am
Sorry, I meant VPN connection policy ... additional tunnel for your LAN1-to-remote side.
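To make the difference between the two approaches in this thread concrete, here is a small added model (not from the thread or from ZyXEL) of how a policy-based IPsec gateway matches a packet against its traffic selectors: it shows why LAN1 traffic never enters the existing LAN2 tunnel, what adding a second connection policy changes, and what SNAT-before-tunnel would have to do. Subnets are those from the thread; the SNAT address 192.168.187.1 and the function names are assumptions.

```python
"""Model of policy-based IPsec selector matching (added example, not
ZyXEL code). The Zywall picks a tunnel only when the packet's source
is inside the tunnel's Local Policy and its destination inside the
Remote Policy; there is no routable tunnel interface."""
from ipaddress import ip_address, ip_network

# The tunnel the poster already has: Local Policy LAN2 -> remote site.
TUNNELS = [
    {"name": "IPsec LAN2",
     "local": ip_network("192.168.187.0/24"),
     "remote": ip_network("192.168.50.0/24")},
]


def tunnel_for(src, dst, tunnels=TUNNELS):
    """Return the first tunnel whose selectors match src->dst, or None
    when the packet would be forwarded in the clear (or dropped)."""
    s, d = ip_address(src), ip_address(dst)
    for t in tunnels:
        if s in t["local"] and d in t["remote"]:
            return t["name"]
    return None


def with_extra_policy(tunnels=TUNNELS):
    """Brano's suggestion: a second VPN connection policy whose Local
    Policy is LAN1, giving LAN1 hosts their own SA to the remote site.
    The remote gateway needs the mirror-image selector as well."""
    return tunnels + [{"name": "IPsec LAN1",
                       "local": ip_network("192.168.30.0/24"),
                       "remote": ip_network("192.168.50.0/24")}]


def snat_then_match(src, dst, snat_ip="192.168.187.1", tunnels=TUNNELS):
    """The SNAT idea the poster tried: rewrite the source to an address
    inside LAN2 (assumed 192.168.187.1) *before* the tunnel lookup so the
    existing selector matches. It only helps if the NAT rule is applied
    ahead of the IPsec policy check; replies are un-NATed on return."""
    return tunnel_for(snat_ip, dst, tunnels)


if __name__ == "__main__":
    print(tunnel_for("192.168.187.10", "192.168.50.20"))  # IPsec LAN2
    print(tunnel_for("192.168.30.5", "192.168.50.20"))    # None (LAN1 not in Local Policy)
    print(tunnel_for("192.168.30.5", "192.168.50.20", with_extra_policy()))  # IPsec LAN1
    print(snat_then_match("192.168.30.5", "192.168.50.20"))  # IPsec LAN2
```

Whichever approach is used, the remote gateway's selectors must also admit the LAN1 addresses (or the SNAT address), otherwise the remote side rejects or drops the traffic even though the local gateway encrypts it.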
to tjcorbin
OK, I can see how that would work.
However, later I want to be able to L2TP into the Zyxel, and then route through to the remote system. Would this be possible? (There are multiple remote sites.)
Thanks
TJ

Brano
MVM
2014-Dec-9 6:41 pm
Don't believe so. ZyXel's IPSec implementation is non-routable (it's not using VTI - Virtual Tunnel Interface); as such, you'll need to set up L2TP on each side and L2TP VPN in to each side separately as required.

to tjcorbin
OK thanks, understood.

Anav to Brano
Premium Member
2014-Dec-14 4:32 pm
said by Brano:
Don't believe so. ZyXel's IPSec implementation is non-routable (it's not using VTI - Virtual Tunnel Interface); as such, you'll need to set up L2TP on each side and L2TP VPN in to each side separately as required.
Is that desirable??

JPedroT
Premium Member
2014-Dec-14 4:38 pm
said by Anav:
said by Brano:
Don't believe so. ZyXel's IPSec implementation is non-routable (it's not using VTI - Virtual Tunnel Interface); as such, you'll need to set up L2TP on each side and L2TP VPN in to each side separately as required.
Is that desirable??
If you have multiple sites and you want more control, then yes. But it always depends on what you want/need. I'd prefer the routed version if I was the sysadmin vs a ton of tunnels between multiple sites. Each site should have 1 tunnel for all VPN traffic, imho.

Anav
Premium Member
2014-Dec-14 5:28 pm
So you're saying that a VTI interface is preferable? What about two ISP WAN connections? I'm assuming you would then have two VPN tunnels ;-P

Brano
MVM
2014-Dec-14 5:51 pm

JPedroT
Premium Member
to Anav
said by Anav:
So you're saying that a VTI interface is preferable? What about two ISP WAN connections? I'm assuming you would then have two VPN tunnels ;-P
I am saying I would like to have it routed, but whether VTI is the way to go is another thing. Why do you think that you need multiple VPN tunnels?
Anav
Premium Member
2014-Dec-15 11:35 am
Why do you question my desire to have a VPN tunnel coming in on one ISP and another on a different ISP. The unmitigated gall! What good is a dual-WAN router if your VPN goes down due to being tied to one ISP? Perhaps you have different requirements that lend themselves to coming in on different ISPs.

JPedroT
Premium Member
2014-Dec-15 11:42 am
said by Anav:
What good is a dual-WAN router if your VPN goes down due to being tied to one ISP? Perhaps you have different requirements that lend themselves to coming in on different ISPs.
And the VPN tunnel cannot change WAN port automatically when one link goes down?

Anav
Premium Member
2014-Dec-15 3:40 pm
So a smartphone user wishing to start a session will get to a non-existent WAN IP. Life is not just for those already connected LOL

JPedroT
Premium Member
2014-Dec-15 8:27 pm
said by Anav:
So a smartphone user wishing to start a session will get to a non-existent WAN IP. Life is not just for those already connected LOL
Don't even understand that.... If you use the URI for the gateway instead of an IP and then automatically update the DNS with the active gateway IP, it should not be an issue....