Access VPN remote network with different routes

Security Gateway Discussions
mathiasb
Posts: 4
Joined: 25 Sep 2008, 07:10

Access VPN remote network with different routes

Post by mathiasb » 08 Mar 2017, 07:55

When you add an IPsec VPN, the firewall adds a route saying that the remote network is directly attached to the VPN_interface.

Is it possible to access the remote network both through the VPN and also via a different route, depending on the source IPs?

Aron
Posts: 19
Joined: 09 Dec 2011, 22:39
Location: Clavister HQ - Örnsköldsvik

Re: Access VPN remote network with different routes

Post by Aron » 10 Mar 2017, 16:55

Yes, you can set up an additional routing table with a different route to the destination, and use a PBR rule (Policy Based Routing rule) to direct traffic into that routing table instead, based on what source IP/range/subnet the traffic is coming from.

Har-Ben
Posts: 33
Joined: 08 Dec 2016, 07:59

Re: Access VPN remote network with different routes

Post by Har-Ben » 05 May 2017, 14:42

anajames wrote: Yes, that is pretty much doable.

Please care to elaborate. I did not get it fully.

Har-Ben
Posts: 33
Joined: 08 Dec 2016, 07:59

Re: Access VPN remote network with different routes

Post by Har-Ben » 25 May 2017, 09:37

anajames wrote: The post above me is quite clear about it.

In English I meant :lol:

Did not mean to offend you.

Har-Ben
Posts: 33
Joined: 08 Dec 2016, 07:59

Re: Access VPN remote network with different routes

Post by Har-Ben » 15 Jun 2017, 15:06

anajames wrote: Ok, I just realized now, my apologies. Maybe I was not in my senses when you asked.

What do you mean by that? Are you okay?

Har-Ben
Posts: 33
Joined: 08 Dec 2016, 07:59

Re: Access VPN remote network with different routes

Post by Har-Ben » 15 Jun 2017, 15:09

anajames wrote: Oh yes, definitely I am, was just not in good health the other day. Much better now.

Alright

Peter
Posts: 659
Joined: 10 Apr 2008, 14:14
Location: Clavister HQ - Örnsköldsvik

Re: Access VPN remote network with different routes

Post by Peter » 23 Aug 2018, 16:42

A very basic example of how this can be accomplished.

Let's say we have the following setup:
(192.168.1.0/24) Site-A---Internet---Site-B (192.168.10.0/24)
(192.168.2.0/24)   |                    |
               Router-------------------|
(hopefully my ASCII art looks ok)

We have a situation where we can reach the network 192.168.10.0/24 from Site-A to B through either a VPN tunnel or through the router. What we want to do is to configure the system so that if you come from an IP in the 192.168.1.0/24 range you use the VPN tunnel, and if you come from an IP in the 192.168.2.0/24 range you will use the router. This can be accomplished using Policy-based routing on the Site-A firewall.

Site-A:

<Main routing table>
Route Lan 192.168.1.0/24
Route Lan 192.168.2.0/24
Route Wan all-nets Gateway=GW-World
Route IPsecTunnel 192.168.10.0/24

If we only have the above, it means that access to 192.168.10.0/24 will ONLY go through the IPsec tunnel. So we want to do an "override" for this. There are several ways of configuring this, but I'll use a method of using ordering ONLY on the routing table and have some routes exist in both routing tables.

First I create a new routing table I call PBR1 with ordering ONLY. In this routing table I place the following routes:

<PBR1>
Route Lan 192.168.2.0/24
Route Dmz 10.10.10.0/24
Route Dmz 192.168.10.0/24 Gateway=10.10.10.50 (the router)

Then I create a Policy based routing rule that looks like this:

ForwardTable=PBR1
ReturnTable=PBR1
SourceInterface=Lan
SourceNetwork=192.168.2.0/24
DestinationInterface=IPsecTunnel
DestinationNetwork=192.168.10.0/24
Service=All_Services

What the above means is that we "intercept" traffic in the <main> routing table that originated from the 192.168.2.0/24 network and is destined for 192.168.10.0/24 towards the IPsec tunnel, and "redirect" it into the other routing table, where 192.168.10.0/24 is routed behind the router instead of the tunnel.

The reason why the destination interface is the IPsec tunnel on the PBR rule is that PBR rules are based on the route lookup in the <main> routing table. Then we tell the PBR rule where to send the traffic using the Forward and Return tables. Since we are using ordering ONLY on the PBR table, we need to add a route to the source network (192.168.2.0/24); otherwise the return traffic would not know where the source host is.

Phew, so much for a "basic" example I guess :mrgreen:

Best regards
/Peter
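As an added illustration (not code from Peter's post or from Clavister), the Python below simulates the lookup order he describes: a <main> lookup first, then the PBR rule match on source/destination, then forward and return lookups in PBR1. The tables, addresses and the PBR1 table name are the constructed values from the example above.

```python
from ipaddress import ip_address, ip_network

# Constructed tables mirroring the Site-A example: (interface, network, gateway).
MAIN = [
    ("Lan", "192.168.1.0/24", None),
    ("Lan", "192.168.2.0/24", None),
    ("Wan", "0.0.0.0/0", "GW-World"),
    ("IPsecTunnel", "192.168.10.0/24", None),
]
# PBR1 has ordering ONLY: no fallback to <main>, so the source network
# 192.168.2.0/24 must be listed here or the return lookup finds nothing.
PBR1 = [
    ("Lan", "192.168.2.0/24", None),
    ("Dmz", "10.10.10.0/24", None),
    ("Dmz", "192.168.10.0/24", "10.10.10.50"),  # via the router
]
# The PBR rule from the post; dst_if is compared with the <main> lookup result.
PBR_RULES = [{
    "forward": PBR1, "return": PBR1,
    "src_if": "Lan", "src_net": "192.168.2.0/24",
    "dst_if": "IPsecTunnel", "dst_net": "192.168.10.0/24",
}]


def lookup(table, addr):
    """Longest-prefix match in one table; None when nothing matches."""
    best = None
    for iface, net, gw in table:
        n = ip_network(net)
        if ip_address(addr) in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, iface, gw)
    return None if best is None else (best[1], best[2])


def route_packet(src_if, src, dst):
    """Route lookup in <main>, then apply the first matching PBR rule."""
    main_hit = lookup(MAIN, dst)
    for r in PBR_RULES:
        if (src_if == r["src_if"]
                and ip_address(src) in ip_network(r["src_net"])
                and main_hit is not None and main_hit[0] == r["dst_if"]
                and ip_address(dst) in ip_network(r["dst_net"])):
            return {"table": "PBR1",
                    "forward": lookup(r["forward"], dst),  # where dst is sent
                    "return": lookup(r["return"], src)}    # where replies to src go
    return {"table": "main", "forward": main_hit, "return": lookup(MAIN, src)}
```

Running `lookup(PBR1[1:], "192.168.2.5")` (PBR1 without its Lan route) returns None, which is the missing-return-route failure the post warns about.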

Shawn22
Posts: 3
Joined: 17 Sep 2018, 09:50

Re: Access VPN remote network with different routes

Post by Shawn22 » 17 Sep 2018, 09:54

Thanks for the great explanation, Peter.

sammartin8935
Posts: 1
Joined: 20 Aug 2018, 16:23

Re: Access VPN remote network with different routes

Post by sammartin8935 » 24 Apr 2019, 13:34

That was very well elaborated. Thanks for sharing.
