Make a specific host use the VPN tunnel as its default gateway

Assuming the Vigor3900 is in the Head Office and the Vigor2960 is in the Branch Office, the network administrator has created a VPN between the two offices and wants a specific PC behind the Vigor2960 to send all of its traffic through this VPN tunnel, while the other PCs in the Branch Office should access the Internet through the Vigor2960. The example below shows how to use the new Route Policy feature to achieve this.

Configurations of Vigor3900 in the Head Office

1. Add a new VPN profile: Go to VPN and Remote Access >> VPN Profiles, click Add and configure Basic Settings:

  1. Enable this profile
  2. Select wan2 for Dial-Out Through
  3. Input Local IP/ Subnet as 10.0.0.0/8
  4. Input Remote Host as Vigor2960's WAN IP
  5. Input Remote IP/ Subnet as Vigor2960's LAN IP subnet
  6. Select 'Main Mode' for IKE Phase1
  7. Input Preshared key
  8. Select 'ESP' for Security Protocol
a screenshot of VPN Basic settings on Vigor3900

2. Configure GRE Settings for the VPN profile

  1. Enable GRE function.
  2. Input Local GRE IP (It should be the same as the Remote GRE IP on the Vigor2960 in the branch office)
  3. Input Remote GRE IP (It should be the same as the Local GRE IP on the Vigor2960 in the branch office)
  4. Apply the settings.
a screenshot of GRE Settings on Vigor3900

3. Create a VPN Load Balance Pool: Go to VPN and Remote Access >> VPN Trunk Management >> Load Balance Pool, then click Add to create a new one.

  1. Input Profile Name.
  2. Click Add to select the VPN profile we just created and give the Weight (Only the VPN profile with GRE setting will be listed here.)
  3. Apply the settings.
a screenshot of Load Balance Pool configuration on Vigor3900

4. Create a VPN Load Balance Rule: Go to VPN and Remote Access >> VPN Trunk Management >> Load Balance Rule, then click Add to create a new one.

  1. Input Profile Name
  2. Select 'ALL' for Protocol
  3. Input Source IP Address
  4. Input Source Mask
  5. Input Destination IP Address
  6. Input Destination Mask
  7. Select the VPN Trunk Load Balance Pool for Load Balance Pool
a screenshot of Load Balance Pool configuration on Vigor3900

NOTE: A VPN Load Balance Rule is required to define which traffic goes through the VPN Trunk tunnel. Otherwise, traffic won't pass to the VPN Trunk tunnel.

Configurations of Vigor2960 in the Branch Office

1. Add a new VPN profile: Go to VPN and Remote Access >> VPN Profiles, click Add and configure Basic Settings:

  1. Check Enable
  2. Enable Auto Dial-Out and select Always Dial-Out
  3. Select wan1 for Dial-Out Through
  4. Input Local IP/ Subnet as 192.168.1.0/ 255.255.255.0
  5. Input Remote Host IP as Vigor3900's WAN2 IP
  6. Input Remote IP/ Subnet as 10.0.0.0/ 255.0.0.0
  7. Select 'Main Mode' for IKE Phase1
  8. Input Preshared key
  9. Select 'ESP' for Security Protocol
a screenshot of the second VPN profile

2. Configure GRE Settings for the VPN profile:

  1. Check Enable to Enable GRE function
  2. Input Local GRE IP (It should be the same as the Remote GRE IP on the Vigor3900 in the head office)
  3. Input Remote GRE IP (It should be the same as the Local GRE IP on the Vigor3900 in the head office)
  4. Apply the settings
a screenshot of the GRE settings of the second VPN profile

3. Create a VPN Load Balance Pool: Go to VPN and Remote Access >> VPN Trunk Management >> Load Balance Pool, then click Add to create a new one.

  1. Input Profile Name
  2. Click Add to select the VPN profile we just created and give the Weight (Only the VPN profile with GRE setting will be listed here.)
  3. Apply the settings
a screenshot of Load Balance setup on Vigor3900

4. Create a VPN Load Balance Rule: Go to VPN and Remote Access >> VPN Trunk Management >> Load Balance Rule, then click Add to create a new one.

  1. Input Profile Name
  2. Select 'ALL' for Protocol
  3. Input Source IP Address
  4. Input Source Mask
  5. Input Destination IP Address
  6. Input Destination Mask
  7. Select the VPN Trunk Load Balance Pool for Load Balance Pool.
a screenshot of Load Balance Rule on Vigor3900

5. After completing the configurations above, the VPN tunnel should be up. Go to VPN and Remote Access >> Connection Management to check its status. Then use ping to confirm that a local computer gets responses from a remote computer.

a screenshot of the connection management page showing the VPN tunnel is up, and ping responses in a command prompt window

6. Create a Policy Rule to force a specific PC to send all of its traffic through the VPN Trunk tunnel: Go to Routing >> Policy Route, then click Add to create a new rule.

  1. Input Profile Name
  2. Check Enable
  3. Select 'ALL' for Protocol
  4. Select the Specific IP for Source. In this example, it is IP 192.168.1.10
  5. Select 'ANY' for Destination Type
  6. Select 'VPN Trunk LB Pool' for Out-going Rule
  7. Select the VPN Load Balance Profile for Load Balance Pool.
  8. Select 'NAT' for Mode
  9. Apply the settings.
a screenshot of a Policy Rule configuration

7. Use the traceroute command tracert -d to confirm that all traffic from the specific PC with IP 192.168.1.10 goes through the VPN tunnel. In the traceroute result in the screenshot below, the second node is Vigor3900's LAN IP, which means the traffic to 8.8.8.8 is sent through the VPN tunnel.

a screenshot of tracing route results on a command prompt window
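
The check in step 7 can be repeated for several PCs at once. The following is an added example, not part of the original article or DrayTek tooling: it parses saved tracert -d output and reports any PC whose second hop does not match the policy (192.168.1.10 through the tunnel, every other PC through the local WAN). It assumes Vigor3900's LAN IP lies inside the 10.0.0.0/8 Local Subnet configured above; the hop addresses in the sample traces are constructed placeholders.

```python
import ipaddress
import re

# Values from the article: head-office subnet and the policy-routed PC.
HEAD_OFFICE_NET = ipaddress.ip_network("10.0.0.0/8")
PINNED_HOST = "192.168.1.10"

# Constructed `tracert -d 8.8.8.8` outputs; every hop address is a placeholder.
PINNED_PC_TRACE = """Tracing route to 8.8.8.8 over a maximum of 30 hops
  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2    12 ms    11 ms    12 ms  10.0.0.1
  3     *        *        *     Request timed out.
  4    20 ms    19 ms    20 ms  8.8.8.8
Trace complete."""
OTHER_PC_TRACE = """Tracing route to 8.8.8.8 over a maximum of 30 hops
  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2     9 ms     8 ms     9 ms  198.51.100.1
  3    15 ms    14 ms    15 ms  8.8.8.8
Trace complete."""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")              # "  2   12 ms ... addr"
IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\s*$")   # IPv4 at end of line

def parse_tracert(text):
    """Return {hop_number: address or None} (None = hop timed out)."""
    hops = {}
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # banner and "Trace complete." lines
        ip = IP_RE.search(m.group(2))
        hops[int(m.group(1))] = ipaddress.ip_address(ip.group(1)) if ip else None
    return hops

def egress_path(text, tunnel_net=HEAD_OFFICE_NET):
    """Classify a trace by its second hop, as step 7 does by eye."""
    hop2 = parse_tracert(text).get(2)
    if hop2 is None:
        return "unknown"
    return "vpn-tunnel" if hop2 in tunnel_net else "local-wan"

def audit(traces):
    """traces: {source_ip: tracert text}. Return (source, expected, actual) mismatches."""
    problems = []
    for src, text in traces.items():
        expected = "vpn-tunnel" if src == PINNED_HOST else "local-wan"
        actual = egress_path(text)
        if actual != expected:
            problems.append((src, expected, actual))
    return problems
```

An empty list from audit() means the pinned PC leaves through the tunnel and the other PCs do not; a ("192.168.1.10", "vpn-tunnel", "local-wan") entry means the Policy Route is not being applied to that PC.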

Published On:2016-05-25 
