Member
Posts: 121
Registered: ‎02-29-2016
Kudos: 4
Solutions: 6
Accepted Solution

IPsec Site-to-Site VPN: how do I connect to the Router on other site?

Hello everyone,

So I have successfully created a site-to-site VPN between our head office and its branch. We use 2 x ER-6P. They are working properly now.

One more question if I may ask: assuming I am at site A (router ER-A) and I can ping all devices at site B on the pre-defined subnets EXCEPT the EdgeRouter (ER-B) itself. Right now, if I want to access the ER-B, I have to connect to its OpenVPN server and start from there. I was thinking it would be convenient to access the ER-B directly from ER-A, provided that the Site-to-Site VPN has been established between the two?

Am I missing something or what?

Thank you for your support




All Replies
SuperUser
Posts: 7,875
Registered: ‎01-05-2012
Kudos: 2082
Solutions: 1037

Re: IPsec Site-to-Site VPN: how do I connect to the Router on other site?

Did you try to access the remote router from a host (which belongs to the local prefix), and not from the local router?

Emerging Member
Posts: 54
Registered: ‎03-10-2014
Kudos: 9
Solutions: 1

Re: IPsec Site-to-Site VPN: how do I connect to the Router on other site?

I usually make a firewall opening on WAN_LOCAL for SSH and webgui to the router. Then you can access it even if VPN is down. You can lock it down with source IP filtering in the firewall for safety.

Member
Posts: 121
Registered: ‎02-29-2016
Kudos: 4
Solutions: 6

Re: IPsec Site-to-Site VPN: how do I connect to the Router on other site?


@the_slain_man wrote:

I usually make a firewall opening on WAN_LOCAL for SSH and webgui to the router. Then you can access it even if VPN is down. You can lock it down with source IP filtering in the firewall for safety.



This is exactly what I would like to do.
Would you mind sharing how to do it?

Thank you


Emerging Member
Posts: 54
Registered: ‎03-10-2014
Kudos: 9
Solutions: 1

Re: IPsec Site-to-Site VPN: how do I connect to the Router on other site?

This is the way I do it. Add this under WAN_LOCAL. Do note though that you can't use port 22 or 443 for port forwarding when you do this. Add the approved IP you trust to the address-group or directly as source on the rule.


        rule 21 {
            action accept
            description "Allow mgmt"
            destination {
                port 22,443
            }
            log disable
            protocol tcp
            source {
                group {
                    address-group MGMT_HOST
                }
            }
        }
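
An added example, not part of the original post and not Ubiquiti tooling: a small Python check that reads rules in the brace format shown above and lists accept rules that open ports 22/443 without a source address or address-group. Rule 22 in the sample is hypothetical, and only comma-separated port lists are handled (no ranges or port-groups).

```python
import shlex

MGMT_PORTS = {"22", "443"}  # SSH and web GUI, the ports the rule in the post opens

# Constructed sample: rule 21 is from the post; rule 22 (hypothetical) has no source.
SAMPLE = '''
rule 21 {
    action accept
    description "Allow mgmt"
    destination {
        port 22,443
    }
    log disable
    protocol tcp
    source {
        group {
            address-group MGMT_HOST
        }
    }
}
rule 22 {
    action accept
    destination {
        port 22,443
    }
    protocol tcp
}
'''

def parse_block(lines):  # nested dict from 'key value' lines and 'name {' blocks
    node = {}
    for line in lines:
        tokens = shlex.split(line)
        if tokens == ["}"]:
            break
        if tokens and tokens[-1] == "{":
            node[" ".join(tokens[:-1])] = parse_block(lines)
        elif tokens:
            node[tokens[0]] = " ".join(tokens[1:])
    return node

def unrestricted_mgmt_rules(text):
    """Return accept rules that open 22/443 with no source address or group."""
    found = []
    for key, rule in parse_block(iter(text.splitlines())).items():
        if key.startswith("rule ") and rule.get("action") == "accept":
            ports = set(rule.get("destination", {}).get("port", "").split(","))
            src = rule.get("source", {})
            if ports & MGMT_PORTS and "address" not in src and not src.get("group"):
                found.append(key)
    return found
```

Calling `unrestricted_mgmt_rules(SAMPLE)` reports only rule 22, because rule 21 is limited to the MGMT_HOST address-group.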