This article explains how to route traffic from IPSec VPN clients that dial into a USG into a second, site-to-site tunnel, so that the clients can reach devices behind that site-to-site connection.
Attention: This does not work with Dynamic VPN! Select Site-to-Site VPN only!
Routing IPSec VPN clients into another tunnel relies on policy routes that match the clients' source addresses, so the clients need fixed IP addresses.
If many clients are to be routed, assign them adjacent IP addresses so that a single range can be created; each additional range needs its own pair of routes, so a contiguous range keeps the number of routes small.
The subnet in which these addresses lie does not have to exist as an interface on the firewall.
Enter the fixed IP address on the IPSec VPN client.
On the firewall, navigate to
Configuration > Object > Address
and click Add
to create a range address object covering the IPSec VPN client IP addresses.
Now we can add the necessary policy routes under
Configuration > Network > Routing
on the Policy Route tab with a click on Add.
We need to create two routes:
- One for the outgoing traffic: incoming interface is the VPN-client tunnel, source is the client range, destination is the remote subnet, next-hop is the site-to-site tunnel.
- One for the incoming traffic: incoming interface is the site-to-site tunnel, source is the remote subnet, destination is the client range, next-hop is the VPN-client tunnel.
Note: the policy routes only steer packets into the site-to-site tunnel. That tunnel's phase 2 policy (local/remote policy) must also cover traffic between the client range and the remote subnet, otherwise the IPsec peer will not accept it.
The new routes should look similar to this (screenshot of the two policy routes on the branch site):
On the remote site, similar routes are usually necessary as well, so that the devices on the main site know how to handle the traffic from the VPN clients arriving from the branch site.
On the HQ site, we create the same IP range for the remote VPN clients as an address object so that we can use it in the routes.
Now we create the corresponding two policy routes on the HQ site as well:
- One outgoing route: from the HQ subnet over the site-to-site tunnel to the remote VPN-client range, with the site-to-site tunnel as next-hop.
- One incoming route: from the remote VPN-client range over the site-to-site tunnel into the local LAN of HQ. Because this traffic is routed into a subnet that is local to the HQ firewall, select "Auto" as next-hop; the USG then resolves the next hop itself.
The routes should look something like this (screenshot of the two policy routes on the HQ site):
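The planning steps above (collapse the clients' fixed addresses into as few ranges as possible, make sure a range does not collide with a subnet that is already routed, then derive the mirrored route pairs on both firewalls) can be checked before touching the GUI. The following script is an added example and not code from the original article or from Zyxel; the tunnel and interface names (vpn-clients, s2s-hq, lan1), the client addresses and the subnets are constructed placeholders. It generalizes the article's single range to any number of ranges: each range yields its own pair of routes per site.

```python
import ipaddress


def client_ranges(client_ips):
    """Collapse fixed VPN-client addresses into the fewest contiguous ranges.

    Each range becomes one address object of type RANGE on the firewall and
    therefore one pair of policy routes per site, so fewer ranges means
    fewer routes. Duplicates are ignored, order does not matter.
    """
    addrs = sorted({ipaddress.IPv4Address(ip) for ip in client_ips})
    ranges = []
    for addr in addrs:
        if ranges and int(addr) == int(ranges[-1][1]) + 1:
            ranges[-1] = (ranges[-1][0], addr)   # extend the current range
        else:
            ranges.append((addr, addr))          # start a new range
    return [(str(lo), str(hi)) for lo, hi in ranges]


def overlapping(ranges, subnets):
    """Return the (range, subnet) pairs that overlap.

    A client range that overlaps the HQ LAN or the remote subnet makes the
    policy routes ambiguous, so this must come back empty before the routes
    are created.
    """
    hits = []
    nets = [ipaddress.IPv4Network(s) for s in subnets]
    for lo, hi in ranges:
        lo_i = int(ipaddress.IPv4Address(lo))
        hi_i = int(ipaddress.IPv4Address(hi))
        for net in nets:
            if lo_i <= int(net.broadcast_address) and hi_i >= int(net.network_address):
                hits.append(((lo, hi), str(net)))
    return hits


def policy_routes(ranges, remote_subnet, client_tunnel, s2s_tunnel, hq_lan_iface):
    """Derive the policy routes for both sites as
    (site, incoming interface, source, destination, next-hop) tuples.

    Each direction is the mirror image of the other; the last route lands in
    a subnet local to the HQ firewall, so its next-hop is "Auto".
    """
    routes = []
    for lo, hi in ranges:
        clients = f"{lo}-{hi}"
        routes += [
            # branch: VPN-client tunnel -> remote subnet, via site-to-site tunnel
            ("branch", client_tunnel, clients, remote_subnet, s2s_tunnel),
            # branch: site-to-site tunnel -> VPN clients, via client tunnel
            ("branch", s2s_tunnel, remote_subnet, clients, client_tunnel),
            # HQ: HQ LAN -> VPN clients, via site-to-site tunnel
            ("hq", hq_lan_iface, remote_subnet, clients, s2s_tunnel),
            # HQ: site-to-site tunnel -> HQ LAN, next-hop Auto (local subnet)
            ("hq", s2s_tunnel, clients, remote_subnet, "Auto"),
        ]
    return routes


def plan(client_ips, remote_subnet, other_subnets=()):
    """Full planning run: ranges, overlap check, route list.

    Raises ValueError if a client range collides with any routed subnet.
    """
    ranges = client_ranges(client_ips)
    collisions = overlapping(ranges, [remote_subnet, *other_subnets])
    if collisions:
        raise ValueError(f"client range overlaps routed subnet: {collisions}")
    return ranges, policy_routes(ranges, remote_subnet, "vpn-clients", "s2s-hq", "lan1")


if __name__ == "__main__":
    # Constructed example: three adjacent clients plus one stray address,
    # which costs a second range and therefore a second set of routes.
    clients = ["10.10.10.12", "10.10.10.10", "10.10.10.11", "10.10.10.20"]
    ranges, routes = plan(clients, "192.168.1.0/24", ["192.168.2.0/24"])
    print("address objects:", ranges)
    for site, iface, src, dst, nh in routes:
        print(f"{site:6} in={iface:11} src={src:27} dst={dst:27} next-hop={nh}")
```

Running the script prints two address ranges and eight routes; giving all clients adjacent addresses instead reduces that to one range and four routes, which is the point of the recommendation above.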