
SA520

Linksys, Netgear, SonicWall, etc. Web-based configurations for firewalls. Web filtering, traffic shaping.

SA520

Postby Guest » Sun Mar 07, 2010 2:13 pm

Hello

 

I set up a site-to-site VPN connection between two SA520s. One is in our main office and connected to our internal LAN, the other is in our branch office. At our main office we have different subnets that need to be accessible from the remote LAN. From the remote site I was only able to access the LAN directly connected to the main site SA520. On the main site SA520 and router I added the necessary routes to make sure the SA520 knows about the different networks. In my opinion I should also add a route on the remote site for the different networks. But how can I add a route that directs through the VPN? Or is there another way to make the different networks available for the remote site?

See also the drawing attached to this thread.

 

Thanks for your help,

Sascha

Guest
 


Re:SA520

Postby Guest » Sun Mar 07, 2010 3:32 pm

Hi Sascha,

 

Does the SA520 with the multiple LANs know of those subnets, or are they on a device behind the SA?

 

If the SA520 knows of the LANs, what you will do is use the same IKE policy used for the first tunnel, and create an additional VPN Policy that defines the additional LANs. One VPN policy for each LAN you require. Adding the static routes will not perform the same function and this needs to be done with additional VPN policies.

 

Please let me know if that satisfies your needs.


Thanks!


Dave

Guest
 

Re:SA520

Postby Guest » Sun Mar 07, 2010 4:23 pm

Hi Dave,

 

The SA520 doesn't know about the multiple LANs. The SA520 is connected to a router to which other routers with different networks are connected.

 

Thanks for your help,

Sascha

Guest
 

Re:SA520

Postby Guest » Sun Mar 07, 2010 6:02 pm

Hi Sascha,


What you will need to do in that case is set up the VPN tunnel so that it says any for the remote side and the LAN segment for the local side (even though not directly connected). You will need to do this for each LAN segment you want to access from the remote location. From there, you will get the traffic to traverse the IPSec tunnel and then your routes will take over and forward the traffic to the appropriate LAN.

 

So for example, the SAs will be configured:

 

Local - 192.168.75.1

Remote - 192.168.1.1

 

Local VPN Tunnel Config:

 

Local Traffic - 10.1.1.1/24 (local subnet not known or directly attached)

Remote Traffic - Any

 

The Remote VPN tunnel will be configured:


Local Traffic - 192.168.1.1

Remote Traffic - 10.1.1.1

 

Then a route in the Local SA will point to 10.1.1.1/24 interface.

 

This will allow the remote side with a packet destination of the 10.1.1.1 subnet to traverse the VPN tunnel, then hit the local SA.  At that point it will look in the routing table, find your static route and be forwarded on.

 

Hope this helps


Thanks!

 

Dave

Guest
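The traffic-selector matching described in the answer above, as an added example that is not part of the original thread or of the SA520's own software: it models each VPN policy as a local/remote selector pair and checks which packets are selected for the tunnel in each direction. The /24 mask on 192.168.1.1, the host addresses, the policy names and the second LAN 10.2.2.0/24 are assumptions constructed for illustration.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")  # the "Any" selector from the thread

def net(cidr):
    # strict=False accepts host-style entries such as 10.1.1.1/24
    return ipaddress.ip_network(cidr, strict=False)

class VpnPolicy:
    """One VPN policy: a (local traffic, remote traffic) selector pair."""
    def __init__(self, name, local, remote):
        self.name, self.local, self.remote = name, local, remote

    def matches(self, src, dst):
        # An outbound packet is selected for the tunnel only if its source is
        # inside the local selector and its destination inside the remote one.
        return (ipaddress.ip_address(src) in self.local
                and ipaddress.ip_address(dst) in self.remote)

def tunneled_by(policies, src, dst):
    """Return the name of the first policy that selects the packet, or None."""
    for policy in policies:
        if policy.matches(src, dst):
            return policy.name
    return None

# Main-office SA ("Local" in the thread): the LAN behind the inner router as
# local traffic, Any as remote traffic. Policy names are hypothetical.
MAIN_OFFICE = [VpnPolicy("main-lan-10.1.1", net("10.1.1.1/24"), ANY)]

# Branch SA ("Remote" in the thread). The /24 on 192.168.1.1 is an assumption.
BRANCH = [VpnPolicy("branch-to-10.1.1", net("192.168.1.1/24"), net("10.1.1.1/24"))]

def round_trip(branch_host, main_host, branch=BRANCH, main=MAIN_OFFICE):
    """Check both directions: the request leaving the branch SA and the
    reply leaving the main-office SA."""
    return (tunneled_by(branch, branch_host, main_host),
            tunneled_by(main, main_host, branch_host))

if __name__ == "__main__":
    # Constructed sample hosts.
    print(round_trip("192.168.1.50", "10.1.1.20"))  # covered by a policy on both sides
    print(round_trip("192.168.1.50", "10.2.2.20"))  # second LAN, no policy yet
```

Adding a second policy pair for 10.2.2.0/24 on both devices makes the second round trip match, which is the "one policy per LAN segment" step from the answer.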
 

Re:SA520

Postby Guest » Sun Mar 07, 2010 6:43 pm

Hi Dave

 

Thanks! With the "any" configuration I managed to reach the different networks.

Guest
 


