Hi Untangle Forum Denizens,

I have been working on using the IPSec VPN app, and have had a fair amount of success with it.

I have several branch offices that I have been using Cisco 891 ISR with VTIs to connect back to the main office, using IPSec to tunnel over varied ISP connections back to an 891 at the main office.

I also have an extremely old VPN concentrator that is starting to show instability, and I am doing R&D on a solution to replace it, one that can do both site-to-site VPN tunnels as well as VPN to remote workstation endpoints.

I have used split tunneling in the past for the workstation clients, but my site-to-site solutions need to tunnel everything back to main office.

I have been reading other posts in the forum, and some have implied that it is not possible to tunnel ALL traffic through a VPN connection. Most of these posts are relevant to OpenVPN rather than IPSec VPN. In my readings, I did not see a definitive declaration that there is no way to do this with IPSec VPN.

Here is a sample network diagram of a site-to-site setup:
[Attached image: network diagram of the site-to-site setup (Screen Shot 2016-03-18 at 4.09.09 PM.png)]

Even if I did not want to tunnel everything, you can see from the diagram that the main office network core has several subnets that need to be accessed by the users at the remote sites.

Looking at the settings in the IPSec VPN, there is no way that I can see to specify more than one network in the "Local Network" setting. I tried to put in more than one CIDR subnet using spaces, commas, semicolons, but the field validation did not like this.

I got creative and thought I would use the CIDR for "everything": 0.0.0.0/0. The setting was not rejected, but I get this error when I click on the IPSec VPN settings:
[Attached image: error shown when opening the IPSec VPN settings (Screen Shot 2016-03-18 at 4.11.03 PM.png)]
which tells me that the configuration validation does not expect the settings I supplied. But it did give me the ability to reach more than one subnet. :-)

The error is not fatal, it still works in spite of it.
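One way to size that single "Local Network" field without falling back to 0.0.0.0/0, added here as an example and not code from the post or from Untangle: compute the tightest supernet that covers all the main-office subnets, then count how much address space outside those subnets the tunnel selector would pull in. The subnets below are constructed for the example.

```python
import ipaddress

# Constructed example: main-office subnets a remote site must reach (not from the post).
MAIN_OFFICE_SUBNETS = [
    "10.10.0.0/24",
    "10.10.4.0/22",
    "10.10.20.0/24",
    "10.11.0.0/16",
]


def covering_supernet(cidrs):
    """Return the single smallest network that contains every given subnet.

    This is the tightest value that fits a one-CIDR field. It is usually far
    narrower than 0.0.0.0/0, but still wider than the subnets themselves.
    """
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    if len({n.version for n in nets}) != 1:
        raise ValueError("mixed IPv4/IPv6 subnets cannot share one supernet")
    lo = min(n.network_address for n in nets)
    hi = max(n.broadcast_address for n in nets)
    # Start from a host route for the lowest address and widen one bit at a
    # time until the highest address falls inside the candidate network.
    cand = ipaddress.ip_network((lo, nets[0].max_prefixlen))
    while hi not in cand:
        cand = cand.supernet()
    return cand


def unlisted_addresses(selector, cidrs):
    """Count addresses the selector routes into the tunnel that are not in any listed subnet."""
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    # collapse_addresses merges overlapping/adjacent subnets so nothing is double counted.
    listed = sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))
    return selector.num_addresses - listed


def selector_report(cidrs):
    """Compare the tight supernet against the catch-all 0.0.0.0/0 for the given subnets."""
    tight = covering_supernet(cidrs)
    catch_all = ipaddress.ip_network("0.0.0.0/0")
    return {
        "supernet": str(tight),
        "supernet_overreach": unlisted_addresses(tight, cidrs),
        "catch_all_overreach": unlisted_addresses(catch_all, cidrs),
    }


if __name__ == "__main__":
    for key, value in selector_report(MAIN_OFFICE_SUBNETS).items():
        print(f"{key}: {value}")
```

If the overreach of the computed supernet is unacceptable (it covers address space that should stay off the tunnel), the subnets need re-addressing or a second tunnel rather than a wider selector.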

I would like to know if there is another way, as I do not want to give UT a configuration that throws an error every time a sysadmin goes to make a change in the IPSec VPN app.

The other part of the equation is that I want to use UT to terminate the tunnel, and then pass the traffic from these remote LANs on into the main office core, without NAT or any other filtering. In short, the UT is merely the vehicle by which the remote users can enter the network. The UT server I am using is in place for guest access to the network, rather than the main internet filter/anti-x device for the internal users. The traffic needs to tunnel in and be passed into the internal core, where it either goes into the rest of the main office LAN and back to the users, or through the main office core, internet filter/proxy, and then NAT'ed if it is destined for the web. The UT only NATs my guest users.

As I describe my setup in this post, the only way I could get the setup to work was to NAT everything that was not destined for the main office LAN. I tried the "bypass IPSEC" option in the IPSec VPN configuration options, but that did not appear to have any effect.

I hope this is a clear enough explanation of what I am hoping to accomplish, at least clear enough to get some folks' input on whether this is possible, or if I am asking more of the IPSec VPN app than is currently possible.

Thank you for reading and for any thoughts you have on my configuration.