Linksys, Netgear, sonicwall, ect. Webbase configurations for firewalls. Web filting traffic shaping.
I set up a site-to-site VPN connection between two SA520. One is in our main office and connected to our internal LAN, the other is in our branch office. At our main office we have different subnets that needs to be accessible from the remote LAN. From the remote site I was only able to access the LAN directly connected to the main site SA520. On the main site SA520 and router I added the necessary routes to make shure the SA520 knows about the different networks. In my oppinion I should also add a route on the remote site for the different networks. But how can I add a route that directs through the VPN? Or is there an other way to make the different networks available for the remote site?
See also the drawing attached to this thread.
Thanks for your help,
Does the SA520 with the multiple LANs know of those subnets, or are they on a device behind the SA?
If the SA520 knows of the the LANs, what you will do is use the same IKE policy used for the first tunnel, and create an additional VPN Policy that defines the additional LANs. One VPN policy for each LAN you require. Adding the static routes will not perform the same function and this needs to be done with additional VPN policies.
Please let me know if that satisfies your needs.
The SA520 doesn know about the multiple LANs. The SA520 is connected to a router to which other routers with different networks are connected.
Thanks for your help,
What you will need to do in that case is setup the VPN tunnel so that it says any for the remote side and the LAN segment for the local side (even though not directly connected) You will need to do this for each LAN segment you want to access from the remote location. From there, you will get the traffic to traverse the IPSec tunnel and then your routes will take over and forward the traffic to the appropriate LAN.
So for example, the SAs will be configured:
Local - 192.168.75.1
Remote - 192.168.1.1
Local VPN Tunnel Config:
Local Traffic - 10.1.1.1/24 (local subnet not known or directly attached)
Remote Traffic - Any
The Remote VPN tunnel will be configured:
Local Traffic - 192.168.1.1
Remote Traffic - 10.1.1.1
Then a route in the Local SA will point to 10.1.1.1/24 interface.
This will allow the remote side with a packet destination of the 10.1.1.1 subnet to traverse the VPN tunnel, then hit the local SA. At that point it will look in the routing table, find your static route and be forwarded on.
Hope this helps
Thanks! With the "any" configuration I managed to reach the different networks.