IPSec routing between 3 sites
Posted on 2011-10-17
Hi, I'm trying to set up routing and DNAT/SNAT through a couple of IPSec VPN sites.
The setup today is as follows:
Site A <- IPSec VPN -> Site B <- IPSec VPN -> Site C
Site A 192.168.1.0/24
Site B 10.243.0.0/16
Site C 10.0.0.0/8
Site A = Zyxel Zywall USG-1000 latest fw
Site B = Zyxel Zywall USG-200 latest fw
Site C = Juniper SRX100 unknown fw
Local policy for the IPSec tunnels are:
A <-> B
192.168.1.0/24 <-> 10.0.0.0/8
B <-> C
10.243.0.0/16 <-> 10.0.0.0/8
There is unfortunately no possibility to establish a VPN-link between site A and C.
All VPN links work fine as of today, with no problems accessing resources both ways between Site A <-> B and Site B <-> C.
What I want to do is to be able to access Site A from C and Site C from A.
This is where the tricky part comes in: Site A's IP range 192.168.1.0/24 is already in use at Site C and cannot easily be changed. I know this would be the best solution, but as of today it cannot be done.
Also, a VPN link between Site A and C cannot be established as of today. So I have to use some kind of NAT policy for Site A's subnet when it tries to access Site C and let the traffic pass through Site B.
I was thinking of doing SNAT/DNAT per host, for example:
Host at Site A 192.168.1.31 <- IPSec VPN with DNAT/SNAT/NAT to 10.243.201.31 -> Site B <- IPSec VPN -> Site C
I have got the traffic coming through from Site A host 192.168.1.31 to Site B. I used DNAT and SNAT for this, and at Site B it shows up as 10.243.201.31, so I have got it working so far. But here it ends: I cannot get the traffic from 10.243.201.31 to pass on to Site C.
I have tried using policy routes at Site B to route traffic from 10.243.201.0/24 to Site C and the other way around, but without success. I have already spent many hours trying all different sorts of routes, policies, NAT, SNAT and DNAT, but now I have run out of ideas.
I haven't been able to find any examples for this type of setup, yes Google is normally my best friend, but not this time...
Has anyone done this kind of setup before and maybe have some good information or pointers about how to set this up?
What is the best practice or recommended setup for this kind of infrastructure?
I hope what I wrote makes sense. I have done many point-to-point VPN connections before with routing etc., but never a setup like this one.
Thanks in advance,
Tired System administrator
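As an added illustration (not part of the original post or of any vendor's configuration), the following Python model checks the topology described above against its IPsec traffic selectors: it traces an A-host to C-host packet and its reply as Site B would see them, with and without the per-host 1:1 NAT. The C-side host address 10.0.5.7 and the host-part-preserving mapping 192.168.1.x -> 10.243.201.x are constructed assumptions.

```python
import ipaddress

# Topology from the post; the 1:1 mapping rule is a constructed assumption.
SITE_A = ipaddress.ip_network("192.168.1.0/24")
SITE_B = ipaddress.ip_network("10.243.0.0/16")
SITE_C = ipaddress.ip_network("10.0.0.0/8")
NAT_POOL = ipaddress.ip_network("10.243.201.0/24")   # A hosts appear as these at B/C

# IPsec traffic selectors as seen from Site B: (local_selector, remote_selector)
TUNNEL_B_TO_A = (SITE_C, SITE_A)   # A<->B policy: 192.168.1.0/24 <-> 10.0.0.0/8
TUNNEL_B_TO_C = (SITE_B, SITE_C)   # B<->C policy: 10.243.0.0/16 <-> 10.0.0.0/8


def a_to_nat(ip):
    """1:1 map 192.168.1.x -> 10.243.201.x (host part preserved; assumed rule)."""
    offset = int(ipaddress.ip_address(ip)) - int(SITE_A.network_address)
    return NAT_POOL.network_address + offset


def nat_to_a(ip):
    """Inverse of a_to_nat: 10.243.201.x -> 192.168.1.x."""
    offset = int(ipaddress.ip_address(ip)) - int(NAT_POOL.network_address)
    return SITE_A.network_address + offset


def selector_allows(tunnel, src, dst):
    """A packet enters a tunnel only if src/dst fall inside its selector pair."""
    local, remote = tunnel
    return src in local and dst in remote


def trace(a_host, c_host, use_nat=True):
    """Return which tunnel selector each leg of the round trip satisfies."""
    a_host, c_host = ipaddress.ip_address(a_host), ipaddress.ip_address(c_host)
    fwd_src = a_to_nat(a_host) if use_nat else a_host   # source as B forwards it
    result = {
        # A -> B: the existing A<->B policy already covers 192.168.1.x -> 10.x
        "a_to_b": selector_allows((SITE_A, SITE_C), a_host, c_host),
        # B -> C: the source must now sit inside B's local selector 10.243.0.0/16
        "b_to_c": selector_allows(TUNNEL_B_TO_C, fwd_src, c_host),
    }
    reply_dst = fwd_src
    result["c_to_b"] = selector_allows((SITE_C, SITE_B), c_host, reply_dst)
    # B must un-NAT the reply before it enters the B<->A tunnel
    back_dst = nat_to_a(reply_dst) if use_nat else reply_dst
    result["b_to_a"] = selector_allows(TUNNEL_B_TO_A, c_host, back_dst)
    # Without NAT the reply is addressed to 192.168.1.x, which is also a local
    # subnet at Site C, so it never reaches the tunnel at all
    result["reply_stays_local_at_c"] = (not use_nat) and reply_dst in SITE_A
    return result
```

Running `trace("192.168.1.31", "10.0.5.7")` shows every leg matching a selector once the NAT is in place, while the `use_nat=False` variant fails at the B-to-C leg and again on the reply, which is why the translation has to happen at B on both directions of the flow.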