Andrey_Gl
Explorer

VPN Exclude network (VSX R80.40)

Hello. We need your advice:
There is a VPN community (S2S) where 10.0.0.0/8 is our domain and 192.168.0.0/16 is the remote peer's domain. There is also Remote Access on this gateway, and users get IPs from the 10.10.10.0/24 network. We have a server 192.168.15.10 and it's available locally. Other users connect to this host through another gateway (without VPN). This host is specified on the remote peer, but it's not working now and we need requests from 10.10.10.0/24 to go to the local network, not the S2S VPN. As I understand it, for traffic to get into the VPN tunnel the src IP must be in the domain behind our gateway and the dst IP in the remote peer's domain. So I made an exception group in our domain: network 10.0.0.0/8 (except 10.10.10.0/24), but it doesn't work.

3 Replies
PhoneBoy
Admin

So you have 192.168.15.10 in use locally as well as via the remote peer's domain?
VPN Routing is probably going to route that across to the S2S VPN unless you can exclude that IP from the remote peer's domain.
You might be able to do this with just the RemoteAccess encryption domain.

Andrey_Gl
Explorer

Hello!

Thank you for your response.
1) So to get into the tunnel the dest IP is significant? And the fact that the src is not in our domain of this community doesn't matter?
2) I didn't understand that sentence - if I remove address 192.168.15.10 from Remote Access then traffic won't flow to the gateway. I need traffic to flow to the gateway to the local network, but not to the S2S.

PhoneBoy
Admin

The fundamental issue is you are using the same IP on both ends of your S2S VPN.
The best way to fix it is to ensure only unique IPs are used on both ends of the VPN.

The gateway can only route an IP to one location.
Right now, the encryption domain for your S2S VPN includes that IP and VPN Routing takes precedence over any OS routes.
Short of changing the IP that is being accessed by your Remote Access clients, you will need to remove that IP from the S2S VPN Encryption Domain and include that IP in your Remote Access encryption domain.

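The same-IP conflict PhoneBoy describes, as an added example that is not part of the thread and not Check Point's code: a small Python model in which a destination claimed by an S2S peer's encryption domain is sent into the tunnel before the OS routing table is consulted, plus a check that flags any address present in both the S2S peer domain and the Remote Access domain. The network values are the ones from the thread; the `exclude`, `overlaps` and `select_path` functions and the "VPN routing wins over OS routes" rule are a simplified model of the behaviour explained above, not the gateway's real algorithm.

```python
import ipaddress
from typing import Iterable, List, Tuple

Net = ipaddress.IPv4Network


def nets(*cidrs: str) -> List[Net]:
    """Build a list of networks from CIDR strings."""
    return [ipaddress.ip_network(c) for c in cidrs]


def exclude(domain: Iterable[Net], *carve_outs: str) -> List[Net]:
    """Return the domain with the given hosts/networks carved out.

    Models an encryption domain defined as 'group with exclusion'.
    A carve-out inside a network is split out of it; a network fully
    inside a carve-out is dropped; everything else is kept unchanged.
    """
    result = list(domain)
    for c in carve_outs:
        carve = ipaddress.ip_network(c)
        kept: List[Net] = []
        for net in result:
            if net.subnet_of(carve):
                continue                      # whole network removed
            if carve.subnet_of(net):
                kept.extend(net.address_exclude(carve))  # split around it
            else:
                kept.append(net)
        result = kept
    return sorted(result)


def covers(ip: str, domain: Iterable[Net]) -> bool:
    """True if the address lies inside any network of the domain."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in domain)


def overlaps(a: Iterable[Net], b: Iterable[Net]) -> List[Tuple[str, str]]:
    """Pairs of networks claimed by both domains: the 'same IP on both ends'
    condition that the thread identifies as the root cause."""
    return sorted((str(x), str(y)) for x in a for y in b if x.overlaps(y))


def select_path(dst: str, s2s_peer_domain: Iterable[Net]) -> str:
    """Simplified model (assumption, not the real implementation): if the
    destination is inside an S2S peer's encryption domain, VPN routing claims
    the packet before the OS routing table is consulted. Only otherwise does
    the gateway forward it by its normal routes ('local')."""
    return "s2s-vpn" if covers(dst, s2s_peer_domain) else "local"


# Constructed topology using the thread's values.
SERVER = "192.168.15.10"                      # reachable locally AND inside the peer's /16
S2S_PEER_BEFORE = nets("192.168.0.0/16")      # remote peer's encryption domain as configured
RA_DOMAIN = nets("10.0.0.0/8", SERVER + "/32")  # Remote Access domain must include the server
# Fix suggested in the thread: remove the server from the S2S peer domain.
S2S_PEER_AFTER = exclude(S2S_PEER_BEFORE, SERVER + "/32")


def scenario(peer_domain: Iterable[Net], ra_domain: Iterable[Net]) -> dict:
    """Evaluate one configuration: conflicting networks and where the
    server-bound traffic from a Remote Access client would go."""
    return {
        "overlap": overlaps(peer_domain, ra_domain),
        "path_to_server": select_path(SERVER, peer_domain),
    }


BEFORE = scenario(S2S_PEER_BEFORE, RA_DOMAIN)
AFTER = scenario(S2S_PEER_AFTER, RA_DOMAIN)

if __name__ == "__main__":
    print("before:", BEFORE)   # overlap found, server traffic enters the S2S tunnel
    print("after: ", AFTER)    # no overlap, server traffic stays local
```

The model makes the thread's two points visible at once: excluding the Remote Access pool from the local domain changes nothing here because the decision is driven by the destination being claimed by a peer domain, and once 192.168.15.10 is carved out of the peer domain the `overlaps` check comes back empty and the same destination is forwarded locally. Running the `overlaps` check against exported domain definitions is a cheap way to catch this class of conflict before it reaches production.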