Policy based VPN from two different zones to two locations with same subnet (!)



  • Hi!

    This is probably not possible, but I have to ask…

    I have a SSG550M and a SSG-20 with a route based VPN between. Several subnets in that tunnel.

    Now we need to establish a tunnel to another site, where they have the same subnet as is in use on the SSG-20. Like this:

    SSG-20 (192.168.1.0/24) <-----> SSG-550 (multiple networks) <------> SSG-140 (192.168.1.0/24)

    The subnet behind the SSG-20 will never need to reach the network behind the SSG-140, and vice versa. The subnets the SSG-20 and SSG-140 will use on the SSG-550 is in different zones, and the SSG-140 will only need access to one subnet.

    Is it possible to keep my existing route based vpn to the SSG-20, and create a policy based vpn to the SSG-140? Since that zone will not need access to the SSG-20 network (and vice versa).

    I guess it’s not possible (but it would be so nice!) But I guess it will work if I put the zone that the SSG-140 will need access to in a new virtual router? But it will be messy anyway…

    Thanks for any replies!

    Regards,
    Stian



  • Thanks for your reply 🙂 Yeah… It was solved by natting in the other end, thankfully. So I will have to wait untill later to find out wether a different VR would have helped 🙂



  • The problem here is that SSG-550 needs to route packets to one and the same 192.168.1.0/24 but which are in two different locations. I don’t think any policy based tunnel helps here because the routing principle will remain the same - packets need to go somewhere. And if they go, then they go in one certain place, not in two different places.

    Another virtual router may be possibility, although I haven’t tried that in this situation.
    Another way to it is to start NATting the “new” 192.168.1.0/24 behind something else, eg. 192.168.2.0/24. So if devices behind SSG-550 want to reach 192.168.1.0/24 in SSG-140, then they actually must use the addresses with the beginning 192.168.2 instead of 192.168.1. It may be complicated, though. But there is an example in the documentation (involves policies with both nat-src and nat-dst).


 

54
Online

38.5k
Users

12.7k
Topics

44.5k
Posts