
VPN Routing: Route all except for Internet traffic?

Hi,

we currently have a local Cluster of R77.30 Gateways with many VPN tunnels. We now want to install a bunch of centrally managed 1430 appliances in remote offices.

We normally use VPN Routing "To center, or through the center to other satellites, to internet and other VPN targets". The problem is that we want a local internet breakout on each remote office but need the "other VPN targets" from our local Cluster.

Is there a possibility to achieve this?

I appreciate your help

Marcel

20 Replies
Jerry
Gold

Re: VPN Routing: Route all except for Internet traffic?

sk86582

$FWDIR/lib/crypt.def 

Jerry
0 Kudos

Re: VPN Routing: Route all except for Internet traffic?

I know about the crypt.def but I don't understand how I could solve my problem with it. Can I negate the destination IP so that only private IPs are sent through the tunnel? Would something like this work?:

vpn_exclude_dst!={<10.0.0.0,10.255.255.255>}

Maybe you can help.

0 Kudos

Re: VPN Routing: Route all except for Internet traffic?

No

0 Kudos

Re: VPN Routing: Route all except for Internet traffic?

Do you know how to get this working instead? I can't imagine that this is not possible.

0 Kudos

Re: VPN Routing: Route all except for Internet traffic?

It depends on the use case. The easiest way to set up VPN is to use the simplified domain based option. I can only guess why you have decided to go for VPN routing instead.

0 Kudos

Re: VPN Routing: Route all except for Internet traffic?

To make things clear I made a quick picture:

Short:

- Our main firewall has many VPN tunnels with other companies etc.

- Our remote offices have one VPN tunnel with our main firewall

- The remote offices have to access the other VPN tunnels through the main firewall

- The remote offices should use the local internet connections

Any idea?

Re: VPN Routing: Route all except for Internet traffic?

- The remote offices should use the local internet connections 

It is a standard S2S VPN setup. Use domain based VPN, it will work out of the box. If you need to route Site 1 to Site 2 through the main FW, there is an option under VPN Community / VPN Routing to do that.


This is also written in the documentation, look into the admin guides

Re: VPN Routing: Route all except for Internet traffic?

Hi Valeri,

does your proposal also cover this requirement?

- The remote offices have to access the other VPN tunnels through the main firewall

If this explanation is correct confused-about-vpn-routing-options (which I believe), then your proposal will only work if all satellites are in the same VPN community, which is not the case in Marcel's setup. Or am I wrong?

Matthias

Re: VPN Routing: Route all except for Internet traffic?

That's exactly my question here. We normally have one community per company, that's over 20 in total now. I tested again but it's not working. And I can't just put the remote office in the other community.

0 Kudos

Re: VPN Routing: Route all except for Internet traffic?

Hi Marcel,

I believe it will work only with a combination of Route Based VPN (for your 1430 appliances) and the Domain Based VPNs which I guess you have for your already established VPN Communities.

A mix of both modes on a gateway is possible as per sk109340

But: on an R77.30 Gateway, a Route Based VPN would disable CoreXL (CoreXL Known Limitations); an update to R80.x might be an option.

Route Based VPN is supported on a 1430 appliance (Route Based VPN on R77.20.xx Gaia Embedded appliances), but it will also disable CoreXL.

You would have to test it carefully of course.

Matthias

0 Kudos

Re: VPN Routing: Route all except for Internet traffic?

Hi Matthias,

thanks for your help. That sounds like an option, but a pretty complex one. If there is no easy way to achieve this we will route all traffic through our main firewall. It works, even if it's not the ideal solution.

0 Kudos
Maarten_Sjouw
Platinum

Re: VPN Routing: Route all except for Internet traffic?

Why do you want to route traffic between remote sites through the center? Why don't you just use a simple Mesh community and allow the sites to talk to each other directly?

Regards, Maarten
0 Kudos

Re: VPN Routing: Route all except for Internet traffic?

I don't want to connect the remote offices, but everyone has to access other VPN connections that we don't manage. It's not possible to change the whole VPN construct here.

0 Kudos

Re: VPN Routing: Route all except for Internet traffic?

You over-complicate the issue. What you need is a single Star VPN community with your main cluster as center and the remote offices as satellites. The second option, "to center and other satellites through center", gives you what you need.

There is one caveat, not related to VPN. Make sure each of satellites has a different internal network IP range OR does unique NAT for internal addresses.

0 Kudos

Re: VPN Routing: Route all except for Internet traffic?

It would be nice if I over-complicate the issue but I don't think so. The main point is:

- The remote offices have to access the other VPN tunnels through the main firewall

Every remote office has to access e.g. the Google Cloud via VPN but the connection has to go through the main firewall. And I cannot build a complete new setup where I only have one community for all VPNs.

Your solution doesn't work because the remote offices wouldn't route traffic for the Google Cloud to the main firewall. I double tested this scenario.

Re: VPN Routing: Route all except for Internet traffic?

Got it.

How is Google Cloud VPN configured on your main GW? If it is a community, you could enable directional VPN rules in your policy and do something like this:



You need to configure routing on the main GW that would make sure clear text from one tunnel would go to another.

Did you consider such setup?

0 Kudos

Re: VPN Routing: Route all except for Internet traffic?

Hi Valeri,

thank you for this option, I never looked at it. It's quite nice for some other rules :)

But the problem still exists in the given setup. The problem is that the remote offices try to send traffic to e.g. the Google Cloud through the internet when the VPN routing isn't set to the third option. And if I do that, everything is sent through the tunnel.

Maybe I misunderstood you but the problem is still the same. And route based VPN is no option because of CoreXL etc.

Do you have any idea left? Maybe it's something that isn't possible no matter how long we think about it...

0 Kudos

Re: VPN Routing: Route all except for Internet traffic?

Hello, how is Google Cloud VPN configured on your main cluster? Is it a community?

0 Kudos

Re: VPN Routing: Route all except for Internet traffic?

Sorry, it's configured as a star community with our main cluster as center. VPN routing is set to the second option.

0 Kudos

Re: VPN Routing: Route all except for Internet traffic?

Okay. 

Traffic between two communities can be routed with standard means. Since both communities: Google Cloud <-> Main Cluster & Main Cluster <-> Branch Offices are working, the only missing link is routing on the main cluster.  Look into that.
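To make the behaviour described in this thread concrete, here is an added example; it is not from the original posts and it is not Check Point's implementation. It is a small Python model of two decisions: what a satellite does with a packet under each of the three VPN Routing options of a star community (why option 2 sends the cloud traffic to local internet, and why option 3 sends everything, internet included, into the tunnel), and what the center does with clear text it decrypted from a satellite, which is the "routing on the main cluster" step the last reply points at. The topology, addresses and community names are constructed, and the names CENTER_DOMAIN, SATELLITE_DOMAINS, OTHER_COMMUNITY_DOMAINS, satellite_next_hop, center_next_hop, end_to_end and split_tunnel_targets are chosen here. The model only tests destination membership in encryption domains; a real gateway also applies the rulebase, NAT and its routing table.

```python
import ipaddress
from typing import Dict, List

# Constructed example topology. All addresses and community names are made up
# for illustration; they are not taken from the original thread.
IPNet = ipaddress.IPv4Network


def nets(*cidrs: str) -> List[IPNet]:
    return [ipaddress.ip_network(c) for c in cidrs]


# Encryption domain of the main cluster (center of the branch-office star community).
CENTER_DOMAIN = nets("10.0.0.0/16")

# Branch offices: satellites of the star community, each with its own LAN.
SATELLITE_DOMAINS: Dict[str, List[IPNet]] = {
    "branch-a": nets("10.10.0.0/24"),
    "branch-b": nets("10.20.0.0/24"),
}

# Separate communities terminated on the main cluster (third parties, e.g. a
# cloud provider). The branch offices are NOT members of these communities.
OTHER_COMMUNITY_DOMAINS: Dict[str, List[IPNet]] = {
    "cloud-provider": nets("172.16.50.0/24"),
}

ANY = ipaddress.ip_network("0.0.0.0/0")

# The three "VPN Routing" choices of a star community, numbered as in the thread.
TO_CENTER_ONLY = 1
TO_CENTER_AND_OTHER_SATELLITES = 2
TO_CENTER_AND_ALL = 3  # "... to internet and other VPN targets"


def satellite_tunnel_targets(option: int, me: str) -> List[IPNet]:
    """Prefixes a satellite encrypts towards the center under a VPN Routing option."""
    targets = list(CENTER_DOMAIN)
    if option >= TO_CENTER_AND_OTHER_SATELLITES:
        for name, lan in SATELLITE_DOMAINS.items():
            if name != me:
                targets.extend(lan)
    if option == TO_CENTER_AND_ALL:
        targets.append(ANY)  # default route into the tunnel: everything, internet included
    return targets


def satellite_next_hop(option: int, me: str, dst: str) -> str:
    """Where a satellite sends a packet: own LAN, tunnel to the center, or local internet."""
    ip = ipaddress.ip_address(dst)
    if any(ip in lan for lan in SATELLITE_DOMAINS[me]):
        return "local-lan"
    if any(ip in net for net in satellite_tunnel_targets(option, me)):
        return "tunnel-to-center"
    return "local-internet"


def center_next_hop(dst: str) -> str:
    """Where the center forwards clear text it decrypted from a satellite.

    This is the 'routing on the main cluster' step: the destination is matched
    against the domains of the other communities the center terminates.
    """
    ip = ipaddress.ip_address(dst)
    if any(ip in net for net in CENTER_DOMAIN):
        return "center-lan"
    for name, lan in SATELLITE_DOMAINS.items():
        if any(ip in net for net in lan):
            return f"tunnel-to-{name}"
    for name, domain in OTHER_COMMUNITY_DOMAINS.items():
        if any(ip in net for net in domain):
            return f"tunnel-to-{name}"
    return "center-internet"


def end_to_end(option: int, me: str, dst: str) -> List[str]:
    """Hop-by-hop path of a packet leaving branch office `me` for `dst`."""
    first = satellite_next_hop(option, me, dst)
    if first != "tunnel-to-center":
        return [first]
    return [first, center_next_hop(dst)]


def split_tunnel_targets() -> List[IPNet]:
    """The prefix set the thread is asking for: center domain plus the third-party
    domains reachable through the center, with no 0.0.0.0/0 default. This only
    states the requirement; it is not a configuration option shown in the thread."""
    targets = list(CENTER_DOMAIN)
    for domain in OTHER_COMMUNITY_DOMAINS.values():
        targets.extend(domain)
    return targets


if __name__ == "__main__":
    for opt in (TO_CENTER_AND_OTHER_SATELLITES, TO_CENTER_AND_ALL):
        for dst in ("10.0.5.1", "10.20.0.7", "172.16.50.10", "198.51.100.20"):
            print(f"option {opt}: {dst:>14} -> {' -> '.join(end_to_end(opt, 'branch-a', dst))}")
```

Running the block shows the two cases from the thread side by side: with option 2 the cloud destination 172.16.50.10 ends up on the branch's local internet because it is in no encryption domain the satellite knows about, while with option 3 it reaches the center and is re-encrypted towards the cloud community, but so does 198.51.100.20, which the center then has to send to its own internet uplink. split_tunnel_targets() lists what the satellite would need to treat as "behind the center" for the split the original question asks for.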