Description:

This document describes how to combine a VPN remote site and a DSL (Internet) remote site on the same router by using routing tags, so that the branch office's Internet traffic is sent through the VPN tunnel while the VPN session itself still leaves via the local Internet access.


Scenario:
  • The main office has the network 192.168.10.0/24. A branch office connects to the main office via a VPN tunnel.
  • For security and administrative reasons, the branch office is to reach the Internet exclusively via the main office's Internet access, i.e. its Internet traffic is to be sent through the VPN tunnel.
  • The branch office has the network 192.168.1.0/24.


Requirements:
  • Initial state at the branch office: Internet access INTERNET and a VPN connection HEADQUARTER have already been configured.
  • Initial state at the main office: Internet access INTERNET and a VPN connection OFFICE have already been configured.



Configuration steps:

Step 1: Configuration at the branch office

Initial state of the routing table:



1) Configure the default route 255.255.255.255 to the remote station HEADQUARTER with routing tag 0 (untagged) and IP masquerading switched off. HEADQUARTER is configured as a VPN remote site, so this entry directs all untagged traffic destined for the Internet through the VPN tunnel.



2) Configure a second default route 255.255.255.255 to the remote station INTERNET with routing tag 1 and IP masquerading enabled. This route is used only for packets tagged with 1 that are destined for the Internet.



3) After configuration the routing table should look like this:



4) Configuring the connection to the VPN remote site: In the VPN connection list, activate routing tag 1 for the VPN remote site HEADQUARTER. The VPN session's own packets are then tagged with 1, so they use the connection INTERNET to reach the VPN gateway 1.2.3.4 instead of the untagged default route, which would try to send the tunnel's packets into the tunnel itself.
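The following Python model illustrates the routing decision behind steps 1 to 4. It is an added example, not code from the router vendor or from this article: the route table is constructed from the steps above, the tag semantics in lookup() (an untagged route is valid for every packet, a tagged route only for packets carrying that tag, longest prefix first and then the matching tag) are an assumption to be checked against your device's documentation, and the address 198.51.100.7 is a constructed Internet destination.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    network: IPv4Network  # 0.0.0.0/0 is the default route (255.255.255.255 in the router's table)
    peer: str             # remote station the packet is handed to
    tag: int              # 0 = untagged route, valid for every packet (assumed semantics)
    masquerade: bool      # IP masquerading on this route


# Branch office routing table after steps 1 and 2 (constructed from the article's description).
BRANCH_ROUTES: List[Route] = [
    Route(ip_network("192.168.10.0/24"), "HEADQUARTER", 0, False),  # main office LAN via the tunnel
    Route(ip_network("0.0.0.0/0"), "HEADQUARTER", 0, False),        # step 1: untagged default route
    Route(ip_network("0.0.0.0/0"), "INTERNET", 1, True),            # step 2: tagged default route
]


def lookup(routes: List[Route], dst: str, tag: int = 0) -> Optional[Route]:
    """Pick the route for a packet with destination dst and routing tag tag.

    Assumed semantics: a route with tag 0 is a candidate for every packet, a route
    with tag n only for packets tagged n; the longest prefix wins, and on equal
    prefix length a route whose tag equals the packet's tag beats the untagged one.
    """
    addr = ip_address(dst)
    candidates = [r for r in routes if addr in r.network and r.tag in (0, tag)]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, r.tag == tag))


def next_hop(routes: List[Route], dst: str, tag: int = 0) -> Optional[Tuple[str, bool]]:
    """Return (remote station, masquerading) for the packet, or None if unroutable."""
    route = lookup(routes, dst, tag)
    return None if route is None else (route.peer, route.masquerade)


def vpn_session_is_routable(routes: List[Route], gateway_ip: str,
                            vpn_peer: str, session_tag: int) -> bool:
    """The tunnel's own packets must leave via a route that is not the tunnel itself."""
    route = lookup(routes, gateway_ip, session_tag)
    return route is not None and route.peer != vpn_peer


if __name__ == "__main__":
    # Untagged LAN client traffic to the Internet goes into the tunnel, unmasqueraded.
    print("LAN -> Internet :", next_hop(BRANCH_ROUTES, "198.51.100.7"))
    # The VPN session, tagged with 1 (step 4), reaches the gateway via INTERNET, masqueraded.
    print("VPN -> 1.2.3.4  :", next_hop(BRANCH_ROUTES, "1.2.3.4", tag=1))
    # Without step 4 the session is untagged and would be routed into its own tunnel.
    print("step 4 applied  :", vpn_session_is_routable(BRANCH_ROUTES, "1.2.3.4", "HEADQUARTER", 1))
    print("step 4 skipped  :", vpn_session_is_routable(BRANCH_ROUTES, "1.2.3.4", "HEADQUARTER", 0))
```

The last two lines show why step 4 is not optional: with the session left untagged, the only default route it can use is the one pointing into HEADQUARTER, so the tunnel could never be established.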





Step 2: Configuring the headquarter

The VPN rules at the headquarter have to be set up so that the branch office can communicate not only with the local network but also with the Internet through the tunnel. This is done in the firewall configuration at the headquarter by means of a VPN rule.

1) Open the configuration and change to the menu Firewall/QoS.

2) Under Rules you will find a list of the firewall rules. Click on Add....

3) Activate the General tab and enter a name for the VPN rule.

4) Activate the option This rule is used to create VPN rules.



5) Change the action to ACCEPT.



6) The VPN rule is bidirectional. Set the connection source to all stations (i.e. the "Internet") and, as the connection destination, select the VPN remote site OFFICE.



7) Save your entries with OK and write the configuration back to the router.

8) As a check, open a Telnet or SSH console and enter the command show vpn. The system displays the resulting (enhanced) VPN rules; verify that the rule for OFFICE now covers all stations and not only the local network.

9) Disconnect the VPN connection at the branch office and let it re-establish itself so that the new VPN rules are negotiated. This concludes the configuration.