IPsec VPN to connect remote user to site-to-site VPN

Basics:

I need help in configuring an IPsec VPN that does the following:

  1. allow user to connect remotely to our systems, to
  2. access a previously set up site-to-site vpn

Detail:

We have a secure site-to-site VPN set up to allow users on our network to access the services there.

I now need to be able to set up any user to remotely connect to our systems and then connect to the services via the site-to-site VPN connection.

I have created an IPsec VPN and managed to connect to our offices, but I am unable to access the site-to-site service.

Current diagram:

In place/working: our-office ← site-to-site → remote-site-service

Needed: remote-user >-- IPsec VPN → our-office ← site-to-site → remote-site-service

Any help in pinpointing the settings I need to change to allow our users access would be greatly appreciated.

Create a firewall rule that allows traffic between the VPN interfaces.

- Make sure your P2 traffic selectors on your site-to-site IPsec VPN include your near firewall’s SSL-VPN subnet on both ends, so it will allow that traffic to be routed. Or better yet, modify them to be 0.0.0.0/0.0.0.0 on both ends so it will allow all subnets.

- Make sure your remote firewall has a route through the tunnel back to the SSL-VPN subnet on the near firewall so it will know how to return traffic to those SSL-VPN users.

- Make sure you have a firewall policy on your near-end firewall that allows traffic from SSL-VPN → IPsec tunnel, and IPsec tunnel → SSL-VPN. You can use any/any for the traffic… you just need the interfaces.

I “think” that’s about it?
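The three checks in the reply above can be run against a model of both firewalls before touching the boxes. This is an added example, not code from the thread; the subnets, interface names (`ssl.root`, `s2s`) and the dictionary layout are constructed assumptions, and it reports which of the three items (Phase 2 selectors on both ends, return route on the remote firewall, interface-to-interface policies on the near firewall) would block the remote-user path.

```python
import ipaddress

# Constructed example: near-end firewall terminates the remote-user VPN
# (interface "ssl.root") and the site-to-site tunnel ("s2s"); the remote
# firewall terminates the other end of the tunnel ("s2s").
REMOTE_USER_NET = "10.212.134.0/24"   # hypothetical remote-user address pool
OFFICE_NET = "192.168.1.0/24"         # hypothetical near-end office LAN
SERVICE_NET = "172.16.50.0/24"        # hypothetical service LAN at remote site

def covered(selectors, subnet):
    """True if any Phase 2 selector (or route prefix) contains the whole subnet."""
    net = ipaddress.ip_network(subnet)
    return any(s.version == net.version and net.subnet_of(s)
               for s in map(ipaddress.ip_network, selectors))

def check_remote_user_path(near, remote, user_net=REMOTE_USER_NET):
    """Return the checklist items that are missing; an empty list means pass."""
    problems = []
    # 1. Phase 2 selectors on both ends must include the remote-user pool
    #    (0.0.0.0/0 on both ends satisfies this for every subnet).
    if not covered(near["p2_local"], user_net):
        problems.append("near P2 local selectors omit remote-user pool")
    if not covered(remote["p2_remote"], user_net):
        problems.append("remote P2 remote selectors omit remote-user pool")
    # 2. Remote firewall needs a return route to the pool through the tunnel.
    if not any(covered([dst], user_net) and iface == remote["tunnel_if"]
               for dst, iface in remote["routes"]):
        problems.append("remote firewall has no route to pool via tunnel")
    # 3. Near firewall needs interface policies in both directions.
    pols = set(near["policies"])
    for src, dst in [(near["user_if"], near["tunnel_if"]),
                     (near["tunnel_if"], near["user_if"])]:
        if (src, dst) not in pols:
            problems.append(f"near firewall missing policy {src} -> {dst}")
    return problems

NEAR = {                       # constructed near-end firewall model
    "p2_local": [OFFICE_NET, REMOTE_USER_NET],
    "user_if": "ssl.root", "tunnel_if": "s2s",
    "policies": [("internal", "s2s"), ("ssl.root", "s2s"), ("s2s", "ssl.root")],
}
REMOTE = {                     # constructed remote-site firewall model
    "p2_remote": ["0.0.0.0/0"], "tunnel_if": "s2s",
    "routes": [(OFFICE_NET, "s2s"), (REMOTE_USER_NET, "s2s")],
}

if __name__ == "__main__":
    print(check_remote_user_path(NEAR, REMOTE) or "remote-user path OK")
```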

Yep. Interface-to-interface is key. Even if you just put the ranges in the Phase 2 connectors on each side, it won’t work unless there is a policy allowing the interfaces to talk.