
Remote XG VPN route

I have one main XG in the head office. As of right now I also have 2 remote smaller XGs that are connecting via IPsec back to the head office XG. I have each remote network listed in the connection settings, but they are not able to route to each other. Is there something I am missing? Can 2 remote XGs allow LAN access to each other in a setup like this?



  • What are the networks? Both head office and back offices?

  • Both site-to-site VPNs are set up as HeadOffice - BranchOffice

  • Hi Vic,

    Yep, it is possible.

    Some points to check:

    - VPN Definition in Branch A "Site2Site Branch-A to HeadOffice":

    Local Networks: "Net_Branch-A"

    Remote Networks: "Net_Branch-B, Net_HeadOffice"

    - VPN Definition in HeadOffice "Site2Site Branch-A to HeadOffice":

    Local Networks: "Net_Branch-B, Net_HeadOffice"

    Remote Networks: "Net_Branch-A"

    - VPN Definition in Branch B "Site2Site Branch-B to HeadOffice":

    Local Networks: "Net_Branch-B"

    Remote Networks: "Net_Branch-A, Net_HeadOffice"

    - VPN Definition in HeadOffice "Site2Site Branch-B to HeadOffice":

    Local Networks: "Net_Branch-A, Net_HeadOffice"

    Remote Networks: "Net_Branch-B"

    - Firewall Rule Head Office "VPN to VPN Net_Branch-A and Net_Branch-B to Net_Branch-B and Net_Branch-A"

    - Firewall Rule Branch-A "LAN to VPN Net_Branch-A to Net_Branch-B"

    - Firewall Rule Branch-A "VPN to LAN Net_Branch-B to Net_Branch-A"

    - Firewall Rule Branch-B "LAN to VPN Net_Branch-A to Net_Branch-B"

    - Firewall Rule Branch-B "VPN to LAN Net_Branch-B to Net_Branch-A"

    Should work.

    If you additionally want to be able to manage the XG firewalls through the tunnel / to use your head office's domain services, you'll need to configure NAT rules and an IPsec route for the system context.

    System IPsec route:

    console> system ipsec_route add net <headofficesubnet>/<netmask> tunnelname <vpn_HeadOffice>

    System NAT rule (to tell which internal IP to use for communication to the head office):

    console> set advanced-firewall sys-traffic-nat add destination <headofficesubnet> netmask <netmask> snatip <internal-IP-Of-XG>

    Yours, Lukas
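A consistency check for the hub-and-spoke layout in the post above, added here as an example and not taken from the thread or from Sophos: it models each side of a policy-based IPsec tunnel by its Local/Remote Networks and each firewall's rule table as a first-match list, then reports why Branch-A to Branch-B traffic would not flow (a hub-side definition that omits the other branch, or an earlier rule shadowing the accept). Firewall and network names are the thread's; the first-match rule semantics and the "None means Any" convention are assumptions of this model.

```python
from collections import namedtuple

# One side of a VPN definition: firewall it lives on, peer firewall, and its
# "Local Networks" / "Remote Networks". A rule has src/dst networks (None = Any).
Tunnel = namedtuple("Tunnel", "fw peer local remote")
Rule = namedtuple("Rule", "fw action src dst")

HO, A, B = "HeadOffice", "Branch-A", "Branch-B"
NET_HO, NET_A, NET_B = "Net_HeadOffice", "Net_Branch-A", "Net_Branch-B"

# Constructed from the thread's layout: each hub-side definition also lists the
# other branch as local, so the hub can re-encrypt spoke-to-spoke traffic.
TUNNELS = [
    Tunnel(A, HO, (NET_A,), (NET_B, NET_HO)),
    Tunnel(HO, A, (NET_B, NET_HO), (NET_A,)),
    Tunnel(B, HO, (NET_B,), (NET_A, NET_HO)),
    Tunnel(HO, B, (NET_A, NET_HO), (NET_B,)),
]
RULES = [  # evaluated top-down, first match wins (assumed model of the rule table)
    Rule(HO, "accept", (NET_A, NET_B), (NET_A, NET_B)),
    Rule(A, "accept", (NET_A,), (NET_B,)), Rule(A, "accept", (NET_B,), (NET_A,)),
    Rule(B, "accept", (NET_A,), (NET_B,)), Rule(B, "accept", (NET_B,), (NET_A,)),
]

def verdict(rules, fw, src, dst):
    """First matching rule on fw decides; no match means the default drop."""
    for r in rules:
        if r.fw == fw and (r.src is None or src in r.src) and (r.dst is None or dst in r.dst):
            return r.action
    return "drop"

def hop_carries(tunnels, fw, peer, src, dst):
    """Sender needs src local / dst remote; the receiver needs the mirror image."""
    send = any(t.fw == fw and t.peer == peer and src in t.local and dst in t.remote for t in tunnels)
    recv = any(t.fw == peer and t.peer == fw and src in t.remote and dst in t.local for t in tunnels)
    return send and recv

def check_path(path, src, dst, tunnels=TUNNELS, rules=RULES):
    """List why src -> dst cannot traverse path; an empty list means it should flow."""
    problems = [f"{fw}: no accept rule for {src} -> {dst}"
                for fw in path if verdict(rules, fw, src, dst) != "accept"]
    problems += [f"{a} -> {b}: no matching IPsec selector pair for {src} -> {dst}"
                 for a, b in zip(path, path[1:]) if not hop_carries(tunnels, a, b, src, dst)]
    return problems

if __name__ == "__main__":
    for hop_path, s, d in ([A, HO, B], NET_A, NET_B), ([B, HO, A], NET_B, NET_A):
        print(f"{s} -> {d}:", check_path(hop_path, s, d) or "ok")
```

Swap in your own tunnel definitions and rule order to see which hop or which rule blocks a spoke-to-spoke flow before touching the firewalls.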

  • Woah, there is a very long explanation of the issue, thanks, lca. But I think just adding a firewall rule to apply LAN-VPN and VPN-LAN traffic should work.

  • I had a rule just for the traffic from both VPNs already added, but I didn't realize I had another VPN to LAN rule above. This one didn't have the 2 LANs added to it, and that was blocking it before it got to the separately added rule.