
IPsec tunnel for "all trafic but"...

Hello.


Let's say I have a remote site with a fiber connection to the internet.
And a central site that is actually in a datacenter.

At the remote site, I have an XG105 and at the central site it's an XG virtual appliance.

Currently, we have an IPsec tunnel between the XG105 and the XG virtual appliance, with an "any-to-any" rule.
The IPsec connection on the remote site is set up with "any" as "Remote Subnets".
This works great (all traffic goes into the tunnel, including internet traffic; web filtering happens in the datacenter, etc.).

Now, we'd like a little change: we'd like some traffic (VoIP traffic) to go out to the internet directly from the XG105.
We don't want it to go into the tunnel anymore.

I tried to add a corresponding firewall rule on the XG105 that does this.
Obviously this rule is before the LAN-to-VPN rule (it's the first rule in the rule set).
It doesn't work: the traffic is not "intercepted" by the firewall rule and still goes into the tunnel.

So I guess I have to change the "Remote Subnets" as defined in the IPsec Connection.

How can I do that?
I'd like to define an "any but a couple of IPs" (the VoIP servers) subnet.

Any hint (or different way to address the problem) would be appreciated.
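As an added example (not from the original post or from Sophos), one way to build the "any but a couple of IPs" selector asked about above: a policy-based IPsec tunnel matches on a list of remote subnets, so "everything except the VoIP servers" has to be enumerated as the prefixes of 0.0.0.0/0 that remain once those hosts are carved out. The script below does that with Python's ipaddress module; the VoIP server addresses are constructed placeholders, and it assumes the IPsec connection's Remote Subnets field accepts a list of networks.

```python
import ipaddress
from typing import Iterable, List

IPv4Net = ipaddress.IPv4Network


def exclude_hosts(hosts: Iterable[str], base: str = "0.0.0.0/0") -> List[IPv4Net]:
    """Return the prefixes that cover `base` minus every address in `hosts`.

    Each host is carved out by splitting the prefix that contains it along the
    path down to the /32, keeping the sibling at every level (up to 32 per host).
    """
    remaining = [ipaddress.ip_network(base)]
    for host in hosts:
        target = ipaddress.ip_network(host)  # a bare address becomes a /32
        carved = []
        for net in remaining:
            if target.subnet_of(net):
                carved.extend(net.address_exclude(target))  # siblings along the path
            else:
                carved.append(net)  # not affected by this host
        remaining = carved
    # Merge adjacent prefixes so the list entered into the appliance is minimal.
    return list(ipaddress.collapse_addresses(remaining))


def is_selected(prefixes: Iterable[IPv4Net], addr: str) -> bool:
    """True if `addr` would match a tunnel selector built from `prefixes`."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in prefixes)


def remote_subnets_for(voip_servers: Iterable[str]) -> List[str]:
    """Strings ready to paste into the connection's Remote Subnets list."""
    return [str(net) for net in exclude_hosts(voip_servers)]


if __name__ == "__main__":
    # Constructed placeholder addresses standing in for the VoIP servers.
    voip = ["198.51.100.10", "203.0.113.20"]
    nets = exclude_hosts(voip)
    print(f"{len(nets)} remote subnets replace 'any':")
    for net in nets:
        print(" ", net)
    # Sanity check: the VoIP servers fall outside the tunnel, everything else stays inside.
    assert not is_selected(nets, "198.51.100.10")
    assert is_selected(nets, "8.8.8.8")
```

Every excluded /32 adds up to 32 prefixes (two placeholder hosts already give 58), so check that the appliance accepts that many Remote Subnets entries before relying on this approach.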



This thread was automatically locked due to age.
  • You already have an XG at the remote site with Internet, so why are you diverting the internet traffic to the central site? You can apply the same policies at the remote site as at central. That is the easier way, and you keep your central bandwidth utilisation free. You can utilise the remote site's internet bandwidth for local internet and reduce the overhead on the central site's Internet bandwidth.

    We too have locations with such a scenario. We have created a LAN to WAN rule with all the required policies and checks applied; for the IPsec tunnel, LAN to VPN and VPN to LAN rules are created. We have 6 Mbps links at the locations and 30 Mbps at central. This way we are utilising the 6 Mbps of the location and saving the central bandwidth for other locations' IPsec tunnels and the central site's internet traffic.

    You can apply traffic shaping / QoS on rules too to manage bandwidth. HTH

