How to configure routing for L2TP over IPSec clients to a remote office via an IPSec tunnel on ZyWALL USG series hardware gateways?
(Using ZyWALL USG 50 as an example)
Let's consider the following topology:
There are 2 offices, A and B (each office has a ZyWALL USG series hardware gateway installed). They are connected by an IPSec VPN tunnel. Remote L2TP over IPSec clients connect to each office via the Internet.
The task: configure routing so that all L2TP over IPSec clients can access the local subnet of offices A and B, regardless of which office the client connects to.
The configuration boils down to creating two policy routes on both security gateways:
1. All traffic, from any source IP address, destined for the remote office's subnet is sent into the IPSec VPN tunnel. This route is needed because the IP addresses of L2TP over IPSec clients lie outside the address range specified in the VPN Connection for the office-to-office tunnel, so their traffic would not be routed into the tunnel automatically.
2. The second route tells the gateway that traffic destined for the remote office's L2TP over IPSec client address range must also be sent through the IPSec tunnel between the offices. Without this route, replies to the clients' requests will not be delivered.
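To make the reasoning behind the two routes concrete, here is a small added model of the route lookup on each gateway (example code written for this page, not Zyxel's own software). The office LANs, the L2TP client pools and the host addresses are constructed sample values, since the article only gives the wan1 addresses; the model follows a request from an L2TP client of Office A to a server in Office B and the reply back, first without the policy routes and then with them.

```python
"""Model of the two policy routes from the article, on constructed sample addressing."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample addressing (assumption; the article gives only the wan1 addresses).
OFFICE_A_LAN = ipaddress.ip_network("192.168.1.0/24")
OFFICE_B_LAN = ipaddress.ip_network("192.168.2.0/24")
L2TP_POOL_A = ipaddress.ip_network("192.168.100.0/24")   # clients dialling in to Office A
L2TP_POOL_B = ipaddress.ip_network("192.168.200.0/24")   # clients dialling in to Office B
TUNNEL = "ipsec tunnel A-B"


@dataclass
class PolicyRoute:
    name: str
    destination: ipaddress.IPv4Network
    next_hop: str
    source: Optional[ipaddress.IPv4Network] = None   # None matches any source address


@dataclass
class Gateway:
    name: str
    lan: ipaddress.IPv4Network
    l2tp_pool: ipaddress.IPv4Network
    vpn_local: ipaddress.IPv4Network     # local policy of the office-to-office VPN Connection
    vpn_remote: ipaddress.IPv4Network    # remote policy of the office-to-office VPN Connection
    policy_routes: list = field(default_factory=list)

    def route(self, src: str, dst: str) -> str:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # 1. Policy routes are evaluated first, in order.
        for r in self.policy_routes:
            if d in r.destination and (r.source is None or s in r.source):
                return r.next_hop
        # 2. Directly connected networks: the office LAN and the local L2TP client pool.
        if d in self.lan:
            return "lan1"
        if d in self.l2tp_pool:
            return "l2tp"
        # 3. The site-to-site tunnel only picks up traffic that matches its local/remote policy.
        if s in self.vpn_local and d in self.vpn_remote:
            return TUNNEL
        # 4. Anything else follows the default route out of wan1.
        return "wan1 (default route)"


def build(with_routes: bool):
    a = Gateway("USG 50 (A)", OFFICE_A_LAN, L2TP_POOL_A, OFFICE_A_LAN, OFFICE_B_LAN)
    b = Gateway("USG 100 (B)", OFFICE_B_LAN, L2TP_POOL_B, OFFICE_B_LAN, OFFICE_A_LAN)
    if with_routes:
        a.policy_routes = [
            PolicyRoute("1: any -> Office B LAN", OFFICE_B_LAN, TUNNEL),
            PolicyRoute("2: any -> L2TP clients of B", L2TP_POOL_B, TUNNEL),
        ]
        b.policy_routes = [
            PolicyRoute("1: any -> Office A LAN", OFFICE_A_LAN, TUNNEL),
            PolicyRoute("2: any -> L2TP clients of A", L2TP_POOL_A, TUNNEL),
        ]
    return a, b


def trace(with_routes: bool) -> dict:
    """Follow a request from an L2TP client of Office A to a server in Office B, and the reply."""
    a, b = build(with_routes)
    client, server = "192.168.100.10", "192.168.2.20"   # constructed sample hosts
    return {
        "request at A": a.route(client, server),   # needs route 1 on A to enter the tunnel
        "request at B": b.route(client, server),   # arrives via the tunnel, delivered on lan1
        "reply at B": b.route(server, client),     # needs route 2 on B to enter the tunnel
        "reply at A": a.route(server, client),     # delivered to the client over l2tp
    }


if __name__ == "__main__":
    for label, with_routes in (("without policy routes", False), ("with policy routes", True)):
        print(label)
        for hop, result in trace(with_routes).items():
            print(f"  {hop:13} -> {result}")
```

Without the policy routes the client's request leaves Office A by the default route instead of the tunnel, because its source address is outside the VPN Connection's local policy; and even if it did arrive, Office B would send the reply to the default route, because the client pool of Office A is unknown there. With route 1 on A and route 2 on B, both directions go through the tunnel.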
Let's review the parameters of our test setup:
| ZyWALL USG 50 (Office A) | ZyWALL USG 100 (Office B) |
| --- | --- |
| wan1: 10.0.0.2 (in a real setup this should be a public static IP address) | wan1: 10.0.1.2 (in a real setup this should be a public static IP address) |
Configuring ZyWALL USG 50 from Office A
To configure interfaces, go to Configuration > Network > Interface and select the Ethernet tab.
To create the objects needed for routing configuration, go to Configuration > Object > Address.
In addition to the subnets for L2TP over IPSec clients, you also need to create an object of type INTERFACE IP for the wan1 interface and an object of type SUBNET defining the remote subnet of Office B. This is necessary for configuring the L2TP over IPSec tunnel and the IPSec tunnel between offices.
The L2TP over IPSec tunnel and the IPSec tunnel between offices should be configured in Configuration > VPN > IPSec VPN > VPN Gateway and Configuration > VPN > IPSec VPN > VPN Connection.
To configure routing rules, go to Configuration > Network > Routing > Policy Route.
Settings of the first route:
Settings of the second route:
Next, you need to configure the firewall. To configure firewall rules, go to Configuration > Network > Firewall.
In our setup, the main condition for allowing packets through the firewall is binding both tunnels (the L2TP over IPSec tunnel and the office-to-office IPSec tunnel) to the same zone, with traffic between interfaces in that zone allowed (Block Intra-zone – no).
There should also be rules allowing traffic from this zone to the local network and from the local network to this zone.
Configuring ZyWALL USG 100 from Office B
To configure interfaces, go to Configuration > Network > Interface and select the Ethernet tab.
To create the objects needed for routing configuration, go to Configuration > Object > Address.
In addition to the subnets for L2TP over IPSec clients, you also need to create an object of type INTERFACE IP for the wan1 interface and an object of type SUBNET defining the remote subnet of Office A. This is necessary for configuring the L2TP over IPSec tunnel and the IPSec tunnel between offices.
The L2TP over IPSec tunnel and the IPSec tunnel between offices should be configured in Configuration > VPN > IPSec VPN > VPN Gateway and Configuration > VPN > IPSec VPN > VPN Connection.
To configure routing rules, go to Configuration > Network > Routing > Policy Route.
Settings of the first route:
Settings of the second route:
Next, you need to configure the firewall. To configure firewall rules, go to Configuration > Network > Firewall.
In our setup, the main condition for allowing packets through the firewall is binding both tunnels (the L2TP over IPSec tunnel and the office-to-office IPSec tunnel) to the same zone, with traffic between interfaces in that zone allowed (Block Intra-zone – no).
There should also be rules allowing traffic from this zone to the local network and from the local network to this zone.