Secure traffic from networks in multiple virtual routers over a site-to-site VPN

This task allows you to secure connections from or to networks hosted within user-defined virtual routers over the site-to-site VPN by configuring route leaking between virtual routers and updating the VPN connection profile.

On virtual routing-enabled devices, Site-to-Site VPN is supported only on global virtual router interfaces. You cannot configure it on an interface that belongs to a user-defined virtual router. This procedure allows you to secure the connections from or to networks hosted within user-defined virtual routers over the site-to-site VPN. You also need to update the site-to-site VPN connection to include the user-defined virtual routing networks.

Let us consider a scenario, where, a site-to-site VPN is configured between a branch office network to a company headquaters network; the Firewall Threat Defense in the branch office having virtual routers. In this case, the site-to-site VPN is defined on the outside interface of the branch office at 172.16.3.1. This VPN includes the inside network 192.168.2.0/24 without extra configuration, because the inside interface is also part of the global virtual router. But, to provide site-to-site VPN services to the 192.168.1.0/24 network, which is part of the VR1 virtual router, you must leak the route by configuring the static routes on global and VR1, and add the VR1 network to the site-to-site VPN configuration.

Virtual routers and S2S network diagram

Before you begin

This example assumes that you have already configured the site-to-site VPN between the 192.168.2.0/24 local network and the 172.16.20.0/24 external network, defined the virtual routers, and configured and assigned the interfaces to the appropriate virtual routers.

Follow these steps to secure traffic from networks in multiple virtual routers over a site-to-site VPN:

Procedure

Step 1

Configure route leak from the Global virtual router to the user-defined VR1:

  1. Choose Devices > Device Management, and edit the Firewall Threat Defense device.

  2. Click Routing. By default, the Global routing properties page appears.

  3. Click Static Route.

  4. Click Add Route. In Add Static Route Configuration, specify the following:

    • Interface—Select the VR1 inside interface.

    • Network—Select the VR1 virtual router network object. You can create one using the Add Object option.

    • Gateway—Leave it blank. When leaking a route into another virtual router, do not select the gateway.

      The diagram illustrates the configuration steps for securing traffic from multiple virtual routers over a site-to-site VPN, highlighting the selection of the VR1 inside interface and the VR1 virtual router network object.

    The route leak allows endpoints protected by the external (remote) end of the site-to-site VPN to access the 192.168.1.0/24 network in the VR1 virtual router.

  5. Click Ok.

Step 2

Configure the route leak from VR1 to the Global virtual router:

  1. Choose Devices > Device Management, and edit the Firewall Threat Defense device.

  2. Click Routing and from the drop-down, select VR1.

  3. Click Static Route.

  4. Click Add Route. In Add Static Route Configuration, specify the following:

    • Interface—Select the outside interface of the global router.

    • Network—Select the global virtual router network object.

    • Gateway—Leave it blank. When leaking a route into another virtual router, do not select the gateway.

      The diagram illustrates the configuration of a site-to-site VPN, showing how traffic from the 192.168.1.0/24 network can securely traverse the VPN tunnel to reach the 172.16.20.0/24 network through multiple virtual routers.

    This static route allows endpoints on the 192.168.1.0/24 network (VR1) to initiate connections that will traverse the site-to-site VPN tunnel. For this example, the remote endpoint that is protecting the 172.16.20.0/24 network.

  5. Click Ok.

Step 3

Add the 192.168.1.0/24 network to the site-to-site VPN connection profile:

  1. Choose Secure Connections > Site-to-Site VPN & SD-WAN, and edit the VPN Topology.

  2. In Endpoints, edit Node A endpoint.

  3. In Edit Endpoint, in the Protected Networks field, click Add New Network Object.

  4. Add the VR1 network object with 192.168.1.0 network:

    The route leaking configuration illustrates how traffic from user-defined virtual routers can securely traverse a site-to-site VPN tunnel, facilitating connectivity between the VR1 network and remote networks.

  5. Click Ok and save the configuration.

The route leaking configuration allows traffic from networks in user-defined virtual routers to traverse the site-to-site VPN tunnel securely, enabling connectivity between the VR1 network and remote networks protected by the VPN.