topic Re: VPN Routing: Route all except for Internet traffic? in SASE and Remote Access

VPN Routing: Route all except for Internet traffic?

Marcel_Gramalla — Wed, 09 Jan 2019 13:16:26 GMT

Hi,

we currently have a local Cluster of R77.30 Gateways with many VPN tunnels. We now want to install a bunch of centrally managed 1430 appliances in remote offices.

We normally use VPN Routing "To center, or through the center to other satellites, to internet and other VPN targets". The problem is that we want a local internet breakout on each remote office but need the "other VPN targets" from our local Cluster.

Is there a possibility to achieve this?

I appreciate your help

Marcel

Re: VPN Routing: Route all except for Internet traffic?

Jerry — Thu, 10 Jan 2019 10:51:29 GMT

--sk86582--

$FWDIR/lib/crypt.def

Re: VPN Routing: Route all except for Internet traffic?

Marcel_Gramalla — Thu, 10 Jan 2019 12:16:54 GMT

I know about the crypt.def but I don't understand how I could solve my problem with it. Can I negate the destination IP so that only private IPs are sent through the tunnel? Would something like this work?:

vpn_exclude_dst!={<10.0.0.0,10.255.255.255>}

Maybe you can help.

Re: VPN Routing: Route all except for Internet traffic?

_Val_ — Thu, 10 Jan 2019 12:34:08 GMT

Re: VPN Routing: Route all except for Internet traffic?

Marcel_Gramalla — Thu, 10 Jan 2019 12:51:38 GMT

Do you know how to get this working instead? I can't imagine that this is not possible.

Re: VPN Routing: Route all except for Internet traffic?

_Val_ — Thu, 10 Jan 2019 12:58:14 GMT

It depends on a use case. The easiest way to set up VPN is to use simplified domain based option. I can only guess why you have decided to go for VPN routing instead.

Re: VPN Routing: Route all except for Internet traffic?

Marcel_Gramalla — Thu, 10 Jan 2019 13:29:24 GMT

To make things clear I made a quick picture:

Short:

- Our main firewall has many VPN tunnels with other companys etc.

- Our remote offices have one VPN tunnel with our main firewall

- The remote offices have to access the other VPN tunnels through the main firewall

- The remote offices should use the local internet connections

Any idea?

Re: VPN Routing: Route all except for Internet traffic?

_Val_ — Thu, 10 Jan 2019 13:38:42 GMT

> - The remote offices should use the local internet connections

It is a standard S2S VPN setup. Use domain based VPN, it will work out of the box. If you need to route Site 1 to Site 2 through the main FW, there is an option under VPN Community / VPN Routing to do that.

This is also written in the documentation, look into the admin guides

Re: VPN Routing: Route all except for Internet traffic?

Matthias_Haas — Fri, 11 Jan 2019 06:06:07 GMT

Hi Valeri,

does you proposal also cover this requirement ?

- The remote offices have to access the other VPN tunnels through the main firewall

If this explanation is correct confused-about-vpn-routing-options (which I believe), then your proposal will only work, if all satellites are in the same VPN community, which is not the case in Macrels setup. Or am I wrong ?

Matthias

Re: VPN Routing: Route all except for Internet traffic?

Marcel_Gramalla — Fri, 11 Jan 2019 06:13:59 GMT

That's exactly my questions here. We normally have one community for a company - thats over 20 in total now. I tested again but it's not working. And I can't just put the remote office in the other community.

Re: VPN Routing: Route all except for Internet traffic?

Matthias_Haas — Fri, 11 Jan 2019 08:57:25 GMT

Hi Marcel,

I believe it will work only with a combination of Route Based VPN (for your 1430 appliances) and the Domain Based VPNs which I guess you have for your already established VPN Communites.

A mix of both modes on a gateway is possible as per sk109340

But: on a R77.30 Gateway, a Route based VPN would disable CoreXL: CoreXL Known Limitations, an update to R80.x might be an option.

Routed based VPN is supported on a 1430 appliance: Route Based VPN on R77.20.xx Gaia Embedded appliances but it will also disable Core XL.

You would have to test it carefully of course.

Matthias

Re: VPN Routing: Route all except for Internet traffic?

Marcel_Gramalla — Fri, 11 Jan 2019 10:30:28 GMT

Hi Matthias,

thanks for your help. That sounds like an option but a pretty complex one...if there is no easy way to achieve this we will route all traffic through our main firewall. It works even if it's not the ideal solution.

Re: VPN Routing: Route all except for Internet traffic?

_Val_ — Sun, 13 Jan 2019 10:30:05 GMT

You over-complicate the issue. What you need is a single Star VPN community with your main cluster as center and remote offices are satellites. The second option, "to center and other satellites through enter" gives you what you need.

There is one caveat, not related to VPN. Make sure each of satellites has a different internal network IP range OR does unique NAT for internal addresses.

Re: VPN Routing: Route all except for Internet traffic?

Maarten_Sjouw — Wed, 16 Jan 2019 06:00:21 GMT

Why do you want to route traffic between remote sites through the center? Why don't you just use a simple Mesh community and allow the sites to talk to each other directly?

Re: VPN Routing: Route all except for Internet traffic?

Marcel_Gramalla — Wed, 16 Jan 2019 06:10:10 GMT

I don't want to connect the remote offices but everyone has to access other VPN connections that we don't manage. It's not possible to change the whole VPN contruct here.

Re: VPN Routing: Route all except for Internet traffic?

Marcel_Gramalla — Wed, 16 Jan 2019 06:15:10 GMT

It would be nice if I over-complicate the issue but I don't think so. The main point is:

- The remote offices have to access the other VPN tunnels through the main firewall

Every remote office has to access e.g. the Google Cloud via VPN but the connection has to go through the main firewall. And I cannot build a complete new setup where I only have one community for all VPNs.

Your solution doesn't work because the remote offices wouldn't route traffic for the Google Cloud to the main firewall. I double tested this scenario.

Re: VPN Routing: Route all except for Internet traffic?

_Val_ — Wed, 16 Jan 2019 08:07:36 GMT

Got it.

How is Google Cloud VPN configured on your main GW? If it is a community, you could enable directional VPN rules in your policy and do something like this:

You need to configure routing on the main GW that would make sure one tunnel cleart ext would go to another.

Did you consider such setup?

Re: VPN Routing: Route all except for Internet traffic?

Marcel_Gramalla — Wed, 16 Jan 2019 12:35:24 GMT

Hi Valeri,

thank you for this option I never looked at. It quite nice in some other rules

But the problem still exists on the given setup. The problem is that the remote offices try to send traffic to e.g. the Google Cloud through the internet when the VPN routing isn't set to the third option. And if I do that everything is send through the tunnel.

Maybe I misunderstood you but the problem is still the same. And route based VPN is no option because of CoreXL etc.

Do you have any idea left? Maybe it's something that isn't possible no matter how long we think about it...

Re: VPN Routing: Route all except for Internet traffic?

_Val_ — Wed, 16 Jan 2019 14:52:00 GMT

Hello, how is Google Cloud VPN configured on your main cluster? Is it a community?

Re: VPN Routing: Route all except for Internet traffic?

Marcel_Gramalla — Wed, 16 Jan 2019 15:21:25 GMT

Sorry, it's configured as a star community with our main cluster as center. VPN routing is set to the second option.