I know about the crypt.def but I don't understand how I could solve my problem with it. Can I negate the destination IP so that only private IPs are sent through the tunnel? Would something like this work?:

vpn_exclude_dst!={<10.0.0.0,10.255.255.255>}

Maybe you can help.

No

Do you know how to get this working instead? I can't imagine that this is not possible.

It depends on a use case. The easiest way to set up VPN is to use simplified domain based option. I can only guess why you have decided to go for VPN routing instead.

To make things clear I made a quick picture:

Short:

- Our main firewall has many VPN tunnels with other companys etc.

- Our remote offices have one VPN tunnel with our main firewall

- The remote offices have to access the other VPN tunnels through the main firewall

- The remote offices should use the local internet connections

Any idea?

> - The remote offices should use the local internet connections 

It is a standard S2S VPN setup. Use domain based VPN, it will work out of the box. If you need to route Site 1 to Site 2 through the main FW, there is an option under VPN Community / VPN Routing to do that.

 

This is also written in the documentation, look into the admin guides

Hi Valeri,

does you proposal also cover this requirement ?

- The remote offices have to access the other VPN tunnels through the main firewall

If this explanation is correct confused-about-vpn-routing-options (which I believe), then your proposal will only work, if all satellites are in the same VPN community, which is not the case in Macrels setup. Or am I wrong ?

Matthias

That's exactly my questions here. We normally have one community for a company - thats over 20 in total now. I tested again but it's not working. And I can't just put the remote office in the other community.

Hi Marcel,

I believe  it will work only with a combination of Route Based VPN (for your 1430 appliances) and the Domain Based VPNs which I guess you have for your already established VPN Communites.

A mix of both modes on a gateway is possible as per sk109340

But: on a R77.30 Gateway, a Route based VPN would disable CoreXL: CoreXL Known Limitations, an update to R80.x might be an option.

Routed based VPN is supported on a 1430 appliance: Route Based VPN on R77.20.xx Gaia Embedded appliances but it will also disable Core XL.

You would have to test it carefully of course.

Matthias

Hi Matthias,

thanks for your help. That sounds like an option but a pretty complex one...if there is no easy way to achieve this we will route all traffic through our main firewall. It works even if it's not the ideal solution.

Why do you want to route traffic between remote sites through the center? Why don't you just use a simple Mesh community and allow the sites to talk to each other directly?

I don't want to connect the remote offices but everyone has to access other VPN connections that we don't manage. It's not possible to change the whole VPN contruct here.

You over-complicate the issue. What you need is a single Star VPN community with your main cluster as center and remote offices are satellites.  The second option, "to center and other satellites through enter" gives you what you need.

There is one caveat, not related to VPN. Make sure each of satellites has a different internal network IP range OR does unique NAT for internal addresses.

It would be nice if I over-complicate the issue but I don't think so. The main point is:

- The remote offices have to access the other VPN tunnels through the main firewall

Every remote office has to access e.g. the Google Cloud via VPN but the connection has to go through the main firewall. And I cannot build a complete new setup where I only have one community for all VPNs.

Your solution doesn't work because the remote offices wouldn't route traffic for the Google Cloud to the main firewall. I double tested this scenario.

Got it.

How is Google Cloud VPN configured on your main GW? If it is a community, you could enable directional VPN rules in your policy and do something like this:

You need to configure routing on the main GW that would make sure one tunnel cleart ext would go to another.

Did you consider such setup?

Hi Valeri,

thank you for this option I never looked at. It quite nice in some other rules

But the problem still exists on the given setup. The problem is that the remote offices try to send traffic to e.g. the Google Cloud through the internet when the VPN routing isn't set to the third option. And if I do that everything is send through the tunnel.

Maybe I misunderstood you but the problem is still the same. And route based VPN is no option because of CoreXL etc.

Do you have any idea left? Maybe it's something that isn't possible no matter how long we think about it...

Hello, how is Google Cloud VPN configured on your main cluster? Is it a community?

Sorry, it's configured as a star community with our main cluster as center. VPN routing is set to the second option.

Okay. 

Traffic between two communities can be routed with standard means. Since both communities: Google Cloud <-> Main Cluster & Main Cluster <-> Branch Offices are working, the only missing link is routing on the main cluster.  Look into that. 

I too have just hit this exact scenario.

0.  Started with a third party vpn with a center site with encryption domain with ALL networks.  VPN traffic always routed thru center site over MPLS.

1. VPN community1 designed for MPLS backup.   MPLSbackupcommunity works and all site are accessible via remote client thru center site.  VPN option is set to second option.

2.  Internet access goes out local firewall.

3.  Second VPN community to third party.  Third party community works and is accessible via remote remote client thru center site.

So I see two options:

1.  Add all remote sites with firewalls to third party VPN.  Not an easy to implement as third party was already defined with all remote sites.  We do not have the ability to change the remote side of the third party vpn.

2.  Set VPN option to third choice and route all internet AND VPN traffic thru center site.  Bad choice due to the increased load on the internet connection on the center site.

The question remains how to do third option on VPN, but still allow internet access out the remote local firewall.

This is exactly why I specified 0 above.  The third party already knows about all the remote sites and routes them back to the center site over the VPN.  The encryption domain changed from center site networks + all remote site networks, to just center site networks.

Problem is how to get the remote sites to route their traffic to the center site over the vpn without routing internet traffic over the vpn.

We really need a 4th VPN option:

Allow traffic to center, other remote sites, and other VPN sites thru center gateway.