IPSec - Different Routes for different clients
-
Hello,
I have 3 sites in 3 different countries, and have an IPSec triangle setup. I am routing only the local networks on each site to allow for local resource access to each network. However, I now have a use case to route 100% of all traffic for specific LAN clients over the IPSec, but only for those clients, while maintaining remote resource access for the other clients. Are there any tips or suggestions on how to accomplish this? I have tried reserving DHCP addresses for specific clients, creating a firewall rule to route all traffic to a new IPSec gateway routing 0.0.0.0, but I have had no luck getting traffic through. Below is a crude picture of what I am trying to do (red is existing and working fine, the blue line is what I want to add). Thanks for the advice!
-
@admiral_ackbar
Which kind of IPSec is it, a routed or policy-based? If it's a routed IPSec you can simply add all concerned clients' IPs to an alias and policy route them to the remote site.
But if it's a policy-based you will have to segment the local network and move the concerned clients into a separate subnet. Then you can add an additional phase 2 for it and state 0.0.0.0/0 as remote network.
Consider configuring the additional P2 on the other site as well.
-
@viragomann Thank you for the response. I believe it is network based; here is what the config looks like now:
The bottom entry in P2 was my attempt at forcing a single client over the VPN for all traffic, which seemed to break all connectivity for the local site. The top and bottom did, however, have an overlapping subnet. If I created a new local subnet scope and put the clients into that scope, is that the way to solve the problem?
Thanks so much for the input, I really do appreciate it.
-
@admiral_ackbar
Yes, you can have multiple phase 2 for different local subnets.
I think that should work with routing the whole upstream traffic for only one subnet.
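To illustrate why the overlapping Phase 2 entry described earlier pulled the whole local site into the tunnel, and why a separate subnet for the full-tunnel clients fixes it, here is a small added model of policy-based selector matching. It is example code, not anything from the thread or from pfSense; the addresses are constructed, and it assumes the most-specific selector pair wins when entries overlap.

```python
from ipaddress import ip_address, ip_network

# Constructed Phase 2 tables modelled on the thread (addresses are made up).
# Each entry is (local selector, remote selector). A policy-based tunnel
# encrypts a packet when its source falls in a local selector and its
# destination in the matching remote selector; otherwise it is routed in
# the clear. Assumption: the most-specific pair wins when entries overlap.
BROKEN = [
    ("192.168.1.0/24", "10.20.0.0/24"),   # site-to-site, working
    ("192.168.1.0/24", "0.0.0.0/0"),      # "route everything" on the same LAN
]
FIXED = [
    ("192.168.1.0/24", "10.20.0.0/24"),   # ordinary clients keep the LAN-only P2
    ("192.168.2.0/24", "10.20.0.0/24"),   # full-tunnel clients reach the remote LAN
    ("192.168.2.0/24", "0.0.0.0/0"),      # and everything else, via the tunnel
]

def build_spd(entries):
    """Parse entries and order them most-specific first."""
    spd = [(ip_network(l), ip_network(r)) for l, r in entries]
    return sorted(spd, key=lambda e: e[0].prefixlen + e[1].prefixlen, reverse=True)

def select_phase2(spd, src, dst):
    """Return the (local, remote) selector pair that captures src->dst, or None."""
    src, dst = ip_address(src), ip_address(dst)
    for local, remote in spd:
        if src in local and dst in remote:
            return (str(local), str(remote))
    return None  # no P2 matches: the packet leaves in the clear via normal routing

def site_summary(entries, clients, dst):
    """Map each client to the P2 its traffic to dst enters ('direct' if none)."""
    spd = build_spd(entries)
    out = {}
    for client in clients:
        match = select_phase2(spd, client, dst)
        out[client] = "direct" if match is None else "tunnel " + match[1]
    return out

if __name__ == "__main__":
    # Overlapping local selector: every LAN host's internet traffic is captured.
    print(site_summary(BROKEN, ["192.168.1.10", "192.168.1.50"], "203.0.113.9"))
    # Separate subnet: only the 192.168.2.0/24 clients go through the tunnel.
    print(site_summary(FIXED, ["192.168.1.10", "192.168.2.50"], "203.0.113.9"))
```

Note that a 0.0.0.0/0 remote selector also matches destinations inside the client subnet itself, so in practice a bypass policy for local traffic is needed alongside it.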