VPN Connection between two sites A and B but only certain VLANS to certain Remote VLANS in site B

I have site A with the following VLANs: A1 A2 A3 A4 A5, and site B with the following VLANs: B1 B2 B3 B4 B5.

If I configure one VPN between A and B with all VLANs included, I will have a total of 15 connections (5+4+3+2+1), all A1 to A5 to B1 to B5 possible connections.

I just need to establish a site-to-site VPN (IPsec), a route-based VPN or a site-to-site SSL VPN as follows:

A1   with   B1 B2 B3

A2 with B2 B5

A3 with B3

A4 with B4

A5 with B4 B5

In total I just need 9 connections, some of them, like A4, visible only to B4.

Which way or how must I configure each side?

Thanks for your help



  • According to my own example, I tried a way with 5 different IPsec connections between these two sites (1 for each Ax VLAN). All 5 IPsec connections use the same IPsec policies (same pre-shared keys) with the same local and remote destination, and the same FW rules including all VLANs for in and out at both sides. In my lab it works (pinging). Is this correct? Is there a better way?

  • FormerMember in reply to Atilio Servian

    Hi,

    You only need one IPSec connection, and you can create a static route for the destination network and point them towards the xfrm interface. 

    Check out the following document for more info: 

    If you want to restrict access from and to certain networks, you can do it with the firewall rules.

    For example: 

    Thanks,

  • Dear Harsh Patel, thanks for your answer.

    I understand that I need just one IPsec connection. I can select all 5 A VLANs to connect to all 5 B VLANs; that will create 15 particular connections between VLANs.

    So, if I need to connect VLANs as in my example and also restrict some VLANs to remote VLANs, will I need 5 (five) FW rules in and 5 (five) FW rules out (10 FW rules)? I think the answer is yes for the 5 FW rules in and 5 FW rules out (please correct me if I am wrong).

    Tell me, what about my suggestion to create 5 IPsec connections to achieve the following: 1st IPsec: A1 with B1 B2 B3, 2nd IPsec: A2 with B2 B5, etc., and only use 1 FW rule for in and 1 FW rule for out?

    Which one is less resource consuming or more efficient for the XG Firewall?

    I think the 5 IPsec connections probably use more resources, but the FW rule configuration is more complex in case we have several remote sites connected to a main site. Is that right?

    About the RB VPN, I have already tested that alternative, but I think that since the IPsec connection does not specify the A site VLANs and B site destination VLANs, I will have the same problem: how to indicate which VLAN will connect to the B VLANs as in my example.

    When configuring the route for the destination you only specify one destination network (not the source), and in this example we will need 5 routes to get all B VLANs. And since a route is general for traffic, we can't restrict which VLAN A will connect to remote VLANs B.

    I also understand the way to restrict will be with 5 (five) FW rules in and 5 (five) FW rules out (10 FW rules total).

    Please comment, correct me or suggest a better way to achieve the example.

    Thanks in advance
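As an added example (not code from this thread or from Sophos), the design in the reply above, one IPsec tunnel carrying every A-VLAN/B-VLAN pair with firewall rules doing the restriction, and the "5 rules in, 5 rules out" count from the follow-up, modelled in Python; the VLAN subnets are constructed placeholders:

```python
# Added example, not code from the thread or from Sophos: a small model of the
# "one IPsec tunnel, restrict with firewall rules" design. The tunnel carries
# every A-VLAN to B-VLAN pair; the firewall rules decide which pairs pass.
from ipaddress import ip_address, ip_network

VLANS = {  # constructed placeholder subnets for the ten VLANs in the question
    "A1": "10.1.1.0/24", "A2": "10.1.2.0/24", "A3": "10.1.3.0/24",
    "A4": "10.1.4.0/24", "A5": "10.1.5.0/24",
    "B1": "10.2.1.0/24", "B2": "10.2.2.0/24", "B3": "10.2.3.0/24",
    "B4": "10.2.4.0/24", "B5": "10.2.5.0/24",
}

# Desired reachability from the original question, keyed by A VLAN.
ALLOWED = {"A1": {"B1", "B2", "B3"}, "A2": {"B2", "B5"}, "A3": {"B3"},
           "A4": {"B4"}, "A5": {"B4", "B5"}}

def build_rules():
    """Return (site_a_rules, site_b_rules). Each rule is a pair of VLAN-name
    sets (sources, destinations) in the A-to-B direction. Site A gets one
    outbound rule per A VLAN; site B gets one inbound rule per B VLAN that
    lists the A VLANs allowed to reach it. Anything unmatched is dropped."""
    site_a = [({a}, set(bs)) for a, bs in ALLOWED.items()]
    by_dst = {}
    for a, bs in ALLOWED.items():
        for b in bs:
            by_dst.setdefault(b, set()).add(a)
    site_b = [(srcs, {b}) for b, srcs in sorted(by_dst.items())]
    return site_a, site_b

def vlan_of(ip):
    """Map an address to its VLAN name, or None if it is in no known subnet."""
    addr = ip_address(ip)
    return next((n for n, net in VLANS.items() if addr in ip_network(net)), None)

def permitted(src_ip, dst_ip, rules):
    """Default-deny match of a flow against a rule list by source/dest VLAN."""
    s, d = vlan_of(src_ip), vlan_of(dst_ip)
    return any(s in srcs and d in dsts for srcs, dsts in rules)

def audit(rules):
    """Walk the full 5x5 mesh the single tunnel carries and return the pairs
    the given rule list lets through, for comparison with the 9 wanted."""
    hosts = {n: str(ip_network(net)[10]) for n, net in VLANS.items()}
    return sorted((a, b) for a in ALLOWED for b in VLANS
                  if b.startswith("B") and permitted(hosts[a], hosts[b], rules))
```

Running `audit()` over both rule lists shows that five rules per side are enough to let exactly the nine wanted pairs through and drop the other sixteen the tunnel would otherwise carry.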
