How to Secure Traffic from Networks in Multiple Virtual Routers over a Site-to-Site VPN

On virtual routing-enabled devices, site-to-site VPN is supported only on interfaces that belong to the global virtual router. You cannot configure it on an interface that belongs to a user-defined virtual router. This example shows how to secure connections to or from networks hosted in user-defined virtual routers over a site-to-site VPN: you leak routes between the global virtual router and the user-defined virtual router in both directions, and you update the site-to-site VPN connection so that the user-defined virtual router's networks are included in its protected networks.

Consider a scenario in which a site-to-site VPN is configured between a branch office network and a company headquarters network, and the threat defense device in the branch office uses virtual routers. The site-to-site VPN is defined on the outside interface of the branch office device, at 172.16.3.1. This VPN includes the inside network 192.168.2.0/24 without extra configuration, because the inside interface is also part of the global virtual router. To provide site-to-site VPN services to the 192.168.1.0/24 network, which is part of the VR1 virtual router, you must leak the route by configuring static routes in both the global virtual router and VR1, and add the VR1 network to the site-to-site VPN configuration.

Figure: Virtual routers and S2S network diagram

Before you begin

This example assumes that you have already configured the site-to-site VPN between the 192.168.2.0/24 local network and the 172.16.20.0/24 external network, defined the virtual routers, and configured and assigned the interfaces to the appropriate virtual routers.

Procedure

Step 1

Configure route leak from the Global virtual router to the user-defined VR1:

  1. Choose Devices > Device Management, and edit the threat defense device.

  2. Click Routing. By default, the Global routing properties page appears.

  3. Click Static Route.

  4. Click Add Route. In Add Static Route Configuration, specify the following:

    • Interface—Select the VR1 inside interface.

    • Network—Select the VR1 virtual router network object. You can create one using the Add Object option.

    • Gateway—Leave it blank. When leaking a route into another virtual router, do not select the gateway.

    This route leak allows endpoints protected by the remote end of the site-to-site VPN to reach the 192.168.1.0/24 network in the VR1 virtual router. Decrypted traffic arriving on the outside interface is looked up in the global routing table, and this entry forwards it to the VR1 inside interface.

  5. Click OK.

Step 2

Configure the route leak from VR1 to the Global virtual router:

  1. Choose Devices > Device Management, and edit the threat defense device.

  2. Click Routing and from the drop-down, select VR1.

  3. Click Static Route.

  4. Click Add Route. In Add Static Route Configuration, specify the following:

    • Interface—Select the outside interface of the global router.

    • Network—Select the global virtual router network object.

    • Gateway—Leave it blank. When leaking a route into another virtual router, do not select the gateway.

    This static route allows endpoints on the 192.168.1.0/24 network in VR1 to initiate connections that traverse the site-to-site VPN tunnel to the remote endpoint, which in this example protects the 172.16.20.0/24 network.

  5. Click OK.

Step 3

Add the 192.168.1.0/24 network to the site-to-site VPN connection profile:

  1. Choose Devices > VPN > Site To Site, and edit the VPN Topology.

  2. In Endpoints, edit Node A endpoint.

  3. In Edit Endpoint, in the Protected Networks field, click Add New Network Object.

  4. Add the VR1 network object for the 192.168.1.0/24 network.

  5. Click OK and save the configuration.
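The following Python model is an added example; it is not part of this guide or of the threat defense software. It simulates the two lookups the procedure relies on: a longest-prefix match in the routing table of the virtual router that owns the ingress interface, where a leaked route points at an egress interface owned by another virtual router, followed by a check of whether traffic leaving the outside interface matches the VPN's protected networks. The interface names other than outside, the connected outside subnet and the global default route are assumptions; the virtual router and VPN addressing come from the example above. It shows why Steps 1 and 2 alone are not enough: with the leaks in place but without Step 3, VR1 traffic is routed out the outside interface yet is not encrypted.

```python
"""
Added example (not from the Cisco guide): toy model of route leaking between
virtual routers plus the site-to-site VPN protected-network check.
Assumptions: interface names "inside" and "vr1-inside", the connected outside
subnet 172.16.3.0/24 and a default route in the global virtual router.
"""
from ipaddress import ip_address, ip_network

# Which virtual router owns each interface (names other than "outside" are assumed).
INTERFACE_VR = {
    "inside": "Global",      # 192.168.2.0/24, global virtual router
    "outside": "Global",     # 172.16.3.1, global virtual router; VPN terminates here
    "vr1-inside": "VR1",     # 192.168.1.0/24, user-defined virtual router VR1
}

VPN_INTERFACE = "outside"
REMOTE_PROTECTED = [ip_network("172.16.20.0/24")]


def routing_tables(with_leaks):
    """Per-VR static tables as (prefix, egress interface). Leaked routes have no gateway."""
    tables = {
        "Global": [
            (ip_network("192.168.2.0/24"), "inside"),
            (ip_network("172.16.3.0/24"), "outside"),   # assumed connected outside subnet
            (ip_network("0.0.0.0/0"), "outside"),       # assumed default route
        ],
        "VR1": [
            (ip_network("192.168.1.0/24"), "vr1-inside"),
        ],
    }
    if with_leaks:
        # Step 1: Global -> VR1 leak. Egress interface belongs to VR1, gateway left blank.
        tables["Global"].append((ip_network("192.168.1.0/24"), "vr1-inside"))
        # Step 2: VR1 -> Global leak. Egress interface belongs to Global, gateway left blank.
        tables["VR1"].append((ip_network("172.16.20.0/24"), "outside"))
    return tables


def lookup(tables, ingress_if, dst):
    """Longest-prefix match in the table of the VR that owns the ingress interface.

    Returns the egress interface, or None when no route matches (packet dropped).
    """
    vr = INTERFACE_VR[ingress_if]
    dst = ip_address(dst)
    matches = [(prefix, egress) for prefix, egress in tables[vr] if dst in prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: r[0].prefixlen)[1]


def vpn_disposition(egress_if, src, dst, local_protected):
    """Traffic leaving the VPN interface is encrypted only if it matches a protected pair.

    Anything else leaving that interface is forwarded in the clear (subject to
    access control and NAT, which this model ignores).
    """
    if egress_if != VPN_INTERFACE:
        return "local"
    s, d = ip_address(src), ip_address(dst)
    protected = any(s in n for n in local_protected) and any(d in n for n in REMOTE_PROTECTED)
    return "encrypted" if protected else "cleartext"


def simulate(ingress_if, src, dst, with_leaks, vr1_in_vpn):
    """Walk one packet through routing and the VPN check; returns 'egress: disposition'."""
    local_protected = [ip_network("192.168.2.0/24")]
    if vr1_in_vpn:
        # Step 3: 192.168.1.0/24 added to the Node A protected networks.
        local_protected.append(ip_network("192.168.1.0/24"))
    egress = lookup(routing_tables(with_leaks), ingress_if, dst)
    if egress is None:
        return "dropped: no route"
    return f"{egress}: {vpn_disposition(egress, src, dst, local_protected)}"


if __name__ == "__main__":
    # Global inside network: works with no extra configuration.
    print(simulate("inside", "192.168.2.10", "172.16.20.5", with_leaks=False, vr1_in_vpn=False))
    # VR1 without leaks: no route to the remote network.
    print(simulate("vr1-inside", "192.168.1.10", "172.16.20.5", with_leaks=False, vr1_in_vpn=False))
    # Steps 1 and 2 only: routed out the VPN interface but not protected.
    print(simulate("vr1-inside", "192.168.1.10", "172.16.20.5", with_leaks=True, vr1_in_vpn=False))
    # Steps 1 to 3: encrypted.
    print(simulate("vr1-inside", "192.168.1.10", "172.16.20.5", with_leaks=True, vr1_in_vpn=True))
    # Return direction: a decrypted packet on outside reaches VR1 only with the Step 1 leak.
    print(lookup(routing_tables(True), "outside", "192.168.1.10"))
```

The model does not cover the remote peer. For the tunnel to carry the VR1 network, the remote endpoint's protected networks must also include 192.168.1.0/24; if the remote endpoint is a threat defense device in the same topology, editing Node B in Step 3 does this, otherwise update the peer's configuration to match.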