This article explains how to route traffic from IPSec VPN clients into another tunnel to reach devices behind a site-to-site connection.
Attention: This does not work with Dynamic VPN! Please select only Site2Site VPN!
Configuration:
In order to route IPSec VPN clients into another tunnel, they need to use fixed IP addresses.
If it is required to route many different clients it is recommended to use IPs that are close to each other so a range can be created. This reduces the number of necessary routes.
The subnet in which the IP addresses are located does not have to be present on the firewall.
Enter the fixed IP address on the IPSec VPN Client.
On the firewall, navigate to Configuration > Object > Address and click on Add to create the range for the IPSec VPN Client IP addresses.
Now we can add the necessary routes under Configuration > Network > Routing by clicking Add.
We need to create two routes:
- One for the outgoing traffic, so from the dynamic VPN-client tunnel to the remote subnet over the site-to-site tunnel.
- One for the incoming traffic, so from the remote subnet over the site-to-site tunnel into the VPN-client tunnel.
The new routes should look similar to this:
On the remote site, it might be necessary to create similar routes so the devices on the main site know how to handle the traffic from the VPN clients arriving from the branch site.
On the HQ site, we create the IP-range for the remote VPN clients so we can use it to route the traffic.
Now we create the corresponding routes on the HQ site as well.
One outgoing route, so from the HQ subnet over the site-to-site tunnel to the remote VPN-clients.
And one incoming route, so from the remote VPN-client range over the site-to-site tunnel into the local LAN of HQ. If traffic is routed into a local subnet we select "Auto" as next-hop, the USG manages this automatically.
The routes should look something like this:
Comments
Thank you, this article was really helpful.
One thing I noticed while working on this is that I am not able to select our EZMODE site-to-site VPN as the Next Hop VPN Tunnel in the outgoing rule or as the Member in the incoming rule. Maybe because EZMODE doesn't define the objects, just uses addresses?
I'm sure they will be available if I define a site-to-site VPN without using EZMODE but I'm not going to do that off-site and without a maintenance window scheduled. The routing issue is an inconvenience but not a deal-breaker so it can wait, but this article is what I needed. Thanks again.
Dear Brian,
This is a limitation set on purpose. A VPN tunnel created via Easy Mode can't be used.
It is to avoid a conflict of the settings between the different modes.
The only solution is to create a VPN tunnel in Expert Mode.
Kind regards,
René Kocgazi