V. VPN (Virtual Private Networking)

When to use "Multiple Phase2 SA for VPN Tunnel with Multiple Subnets" option

Products:
Vigor 2620Ln
Vigor 2762
Vigor 2765
Vigor 2832

Keywords:
Additional Subnets
IKE
IPSec SA
IPSec Security Association

Accessing Multiple Subnets Across a VPN Tunnel

When setting up a VPN tunnel that connects two sites together, you may find a requirement for multiple subnets at either end to communicate across the VPN tunnel. The setting to achieve this is found in the VPN profile under section 5, where there is a button labelled More. Enter each additional remote subnet that should be reached through this VPN tunnel. If both sites are using DrayTek routers, no further setting is required.

Example Setup

In this example Site 1 and Site 2 are connected by a VPN tunnel. There are two subnets at Site 2 (192.168.1.x and 192.168.2.x) which Site 1 needs to access. With a standard LAN-to-LAN VPN the Remote Network IP field defines the single subnet that can be reached through the VPN tunnel. To permit Site 1 to access the second subnet at Site 2, the VPN profile needs additional information so that the Site 1 router knows that the 192.168.2.x subnet is also reachable via the VPN tunnel. The More button allows additional subnets to be defined: adding 192.168.2.0 / 255.255.255.0 under More informs the Site 1 router that the VPN tunnel can be used to reach the 192.168.2.0 / 255.255.255.0 subnet.

VPN Profile Setup

To add access through the VPN for the second subnet, select More and add the details of the second subnet. The "Create Phase2 SA for each subnet.(IPsec)" option does not need to be ticked unless one of the sites uses a non-DrayTek router that requires traffic to exactly match an IPsec security association. With a single Phase 2 SA, the negotiated security association only describes the primary Remote Network IP, so a peer that enforces an exact match against the SA (for example a Cisco router) will not pass traffic for the additional subnet. If the remote device requires traffic to match the security association, a Phase 2 SA must be created for each subnet. In this case, enable the Create Phase2 SA for each subnet.(IPsec) option. The remote device must then define a matching local/remote subnet pair for each SA; if the identities proposed for a subnet do not match what the peer expects, Phase 2 will fail for that subnet while the others continue to work.

If Create Phase2 SA for each subnet.(IPsec) is unticked, [Connection Management] shows one VPN tunnel for the link and the additional subnets are listed as extra entries in the routing table. If it is ticked, each subnet appears as its own entry in [Connection Management] under the same profile name.

To check the connection information, select VPN and Remote Access >> Connection Management. If the tunnel is up but hosts on the additional subnet do not respond, confirm that the subnet is present there (one entry per subnet when the option is ticked) or in the routing table (when it is unticked) before looking for a problem elsewhere.
