How to Use Dual-WAN to Perform Fail-Over on VPN Using the VPN Concentrator
This is an example of using Dual-WAN to perform fail-over on a hub-and-spoke VPN with the HQ ZyWALL/USG as the hub and spoke VPNs to Branches A and B. Once the VPN tunnels are configured, traffic between HQ and each branch passes through the hub (HQ), and spoke-to-spoke traffic between Branch A and Branch B also passes through the hub. If the primary WAN interface becomes unavailable, the backup WAN interface is used. When the primary WAN interface is available again, traffic falls back to it.
SETUP/STEP BY STEP PROCEDURE:
Set Up the IPSec VPN Tunnel on the ZyWALL/USG
Hub_HQ-to-Branch_A
1 Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway, select Enable. Type the VPN Gateway Name used to identify this VPN gateway.
Then, configure the Primary Gateway IP as Branch A’s wan1 IP address (in the example, 172.16.20.1) and the Secondary Gateway IP as Branch A’s wan2 IP address (in the example, 172.100.120.1). Select Fall back to Primary Peer Gateway when possible and set the desired Fall Back Check Interval time.
Type a secure Pre-Shared Key (8-32 characters) which must match your Branch A’s Pre-Shared Key and click OK.
CONFIGURATION > VPN > IPSec VPN > VPN Gateway
2 Go to CONFIGURATION > VPN > IPSec VPN > VPN Connection and select Enable. Type the Connection Name used to identify this VPN connection. Select scenario as Site-to-site and VPN Gateway which is configured in Step 1.
CONFIGURATION > VPN > IPSec VPN > VPN Connection > General Settings and VPN Gateway
Click Create new Object to add an address object for the local network behind Hub_HQ and another for the local network behind Branch A.
CONFIGURATION > VPN > IPSec VPN > VPN Connection > Create new Object
Set Local Policy to be Hub_HQ and Remote Policy to Branch_A which are newly created. Click OK.
CONFIGURATION > VPN > IPSec VPN > VPN Connection > Policy
Hub_HQ-to-Branch_B
1 Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway, select Enable. Type the VPN Gateway Name used to identify this VPN gateway.
Then, configure the Primary Gateway IP as Branch B’s wan1 IP address (in the example, 172.16.30.1) and the Secondary Gateway IP as Branch B’s wan2 IP address (in the example, 172.100.130.1). Select Fall back to Primary Peer Gateway when possible and set the desired Fall Back Check Interval time.
Type a secure Pre-Shared Key (8-32 characters) which must match your Branch B’s Pre-Shared Key and click OK.
CONFIGURATION > VPN > IPSec VPN > VPN Gateway
2 Go to CONFIGURATION > VPN > IPSec VPN > VPN Connection to enable VPN Connection. Select scenario as Site-to-site and VPN Gateway which is configured in Step 1.
CONFIGURATION > VPN > IPSec VPN > VPN Connection > General Settings and VPN Gateway
Click Create new Object to add an address object for the local network behind Hub_HQ and another for the local network behind Branch B.
CONFIGURATION > VPN > IPSec VPN > VPN Connection > Create new Object
Set Local Policy to be Hub_HQ and Remote Policy to Branch_B which are newly created. Click OK.
CONFIGURATION > VPN > IPSec VPN > VPN Connection > Policy
Hub_HQ Concentrator
1 In the ZyWALL/USG, go to CONFIGURATION > VPN > IPSec VPN > Concentrator and add a VPN Concentrator rule. Select the VPN tunnels (Hub_HQ-to-Branch_A and Hub_HQ-to-Branch_B) as members of the same group and click Save.
Spoke_Branch_A
1 Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway, select Enable. Type the VPN Gateway Name used to identify this VPN gateway.
Then, configure the Primary Gateway IP as Hub_HQ’s wan1 IP address (in the example, 172.16.10.1) and the Secondary Gateway IP as Hub_HQ’s wan2 IP address (in the example, 172.100.110.1). Select Fall back to Primary Peer Gateway when possible and set the desired Fall Back Check Interval time.
Type a secure Pre-Shared Key (8-32 characters) which must match your Hub_HQ’s Pre-Shared Key and click OK.
CONFIGURATION > VPN > IPSec VPN > VPN Gateway
2 Go to CONFIGURATION > VPN > IPSec VPN > VPN Connection and select Enable. Type the Connection Name used to identify this VPN connection. Select scenario as Site-to-site and VPN Gateway which is configured in Step 1.
CONFIGURATION > VPN > IPSec VPN > VPN Connection > General Settings and VPN Gateway
Click Create new Object to add an address object for the local network behind Branch A and another for the local network behind Hub_HQ.
CONFIGURATION > VPN > IPSec VPN > VPN Connection > Create new Object
Set Local Policy to be Spoke_Branch_A_LOCAL and Remote Policy to Hub_HQ which are newly created. Click OK.
CONFIGURATION > VPN > IPSec VPN > VPN Connection > Policy
3 Go to Network > Routing > Policy Route to add a Policy Route to allow traffic from Spoke_Branch_A to Spoke_Branch_B.
Click Create new Object and set the address to be the local network behind the Spoke_Branch_B. Select Source Address to be the local network behind the Spoke_Branch_A. Then, scroll down the Destination Address list to choose the newly created Spoke_Branch_B_LOCAL address. Click OK.
Network > Routing > Policy Route
Spoke_Branch_B
1 Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway, select Enable. Type the VPN Gateway Name used to identify this VPN gateway.
Then, configure the Primary Gateway IP as Hub_HQ’s wan1 IP address (in the example, 172.16.10.1) and the Secondary Gateway IP as Hub_HQ’s wan2 IP address (in the example, 172.100.110.1). Select Fall back to Primary Peer Gateway when possible and set the desired Fall Back Check Interval time.
Type a secure Pre-Shared Key (8-32 characters) which must match your Hub_HQ’s Pre-Shared Key and click OK.
CONFIGURATION > VPN > IPSec VPN > VPN Gateway
2 Go to CONFIGURATION > VPN > IPSec VPN > VPN Connection and select Enable. Type the Connection Name used to identify this VPN connection. Select scenario as Site-to-site and VPN Gateway which is configured in Step 1.
CONFIGURATION > VPN > IPSec VPN > VPN Connection > General Settings and VPN Gateway
Click Create new Object to add an address object for the local network behind Branch B and another for the local network behind Hub_HQ.
CONFIGURATION > VPN > IPSec VPN > VPN Connection > Create new Object
Set Local Policy to be Spoke_Branch_B_LOCAL and Remote Policy to Hub_HQ which are newly created. Click OK.
CONFIGURATION > VPN > IPSec VPN > VPN Connection > Policy
3 Go to Network > Routing > Policy Route to add a Policy Route to allow traffic from Spoke_Branch_B to Spoke_Branch_A.
Click Create new Object and set the address to be the local network behind the Spoke_Branch_A. Select Source Address to be the local network behind the Spoke_Branch_B. Then, scroll down the Destination Address list to choose the newly created Spoke_Branch_A_LOCAL address. Click OK.
Network > Routing > Policy Route
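The peer-gateway behaviour the steps above configure (primary/secondary peer, fail-over, periodic fall-back check) can be modelled to reason about what the tunnel does when a WAN goes down. This is an added illustration, not Zyxel code: the class, the probe dictionary and the 60-second interval are assumptions; the two addresses are the page's example values for Branch A.

```python
from dataclasses import dataclass, field

# Example addresses from the page: Hub_HQ's VPN gateway towards Branch A.
BRANCH_A_WAN1 = "172.16.20.1"    # Primary Gateway IP
BRANCH_A_WAN2 = "172.100.120.1"  # Secondary Gateway IP


@dataclass
class PeerGateway:
    """Dual-WAN peer selection as the procedure describes it (assumed model, not Zyxel code)."""
    name: str
    primary: str
    secondary: str
    fall_back: bool = True        # "Fall back to Primary Peer Gateway when possible"
    check_interval: int = 300     # "Fall Back Check Interval" in seconds (assumed value)
    active: str = ""
    last_check: int = 0
    events: list = field(default_factory=list)

    def __post_init__(self):
        self.active = self.primary

    def tick(self, now: int, reachable: dict) -> str:
        """Re-evaluate the active peer at time `now` given probe results for both peers."""
        standby = self.secondary if self.active == self.primary else self.primary
        if not reachable[self.active]:
            # Fail-over: the active peer stopped answering, so move to the other WAN if it is up.
            if reachable[standby]:
                self.events.append((now, "failover", standby))
                self.active = standby
                self.last_check = now
            return self.active
        if (self.fall_back and self.active == self.secondary
                and now - self.last_check >= self.check_interval):
            # The primary is only re-probed once per check interval, not on every tick.
            self.last_check = now
            if reachable[self.primary]:
                self.events.append((now, "fallback", self.primary))
                self.active = self.primary
        return self.active


def simulate(gw: PeerGateway, timeline: list) -> list:
    """timeline: [(seconds, {peer_ip: reachable}), ...]; returns the active peer after each step."""
    return [gw.tick(now, reach) for now, reach in timeline]


if __name__ == "__main__":
    gw = PeerGateway("Hub_HQ-to-Branch_A", BRANCH_A_WAN1, BRANCH_A_WAN2, check_interval=60)
    up = {BRANCH_A_WAN1: True, BRANCH_A_WAN2: True}
    primary_down = {BRANCH_A_WAN1: False, BRANCH_A_WAN2: True}
    print(simulate(gw, [(0, up), (10, primary_down), (11, primary_down), (40, up), (70, up)]))
    print(gw.events)
```

Note that with fall-back disabled the tunnel stays on the secondary peer even after wan1 recovers, which is why the procedure selects the fall-back option on every gateway.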
VERIFICATION:
Test the IPSec VPN Tunnel
1 Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection, click Connect on the upper bar. The Status connect icon is lit when the interface is connected.
Hub_HQ > CONFIGURATION > VPN > IPSec VPN > VPN Connection
Spoke_Branch_A > CONFIGURATION > VPN > IPSec VPN > VPN Connection
Spoke_Branch_B > CONFIGURATION > VPN > IPSec VPN > VPN Connection
2 Go to ZyWALL/USG MONITOR > VPN Monitor > IPSec and verify the tunnel Up Time and the Inbound(Bytes)/Outbound(Bytes) traffic. Click Connectivity Check to verify the result of ICMP Connectivity.
Hub_HQ > MONITOR > VPN Monitor > IPSec > Hub_HQ-to-Branch_A
Hub_HQ > MONITOR > VPN Monitor > IPSec > Hub_HQ-to-Branch_B
Spoke_Branch_B > MONITOR > VPN Monitor > IPSec
Spoke_Branch_A > MONITOR > VPN Monitor > IPSec
What Can Go Wrong?
1 If you see [info] or [error] log messages such as the ones below, check the ZyWALL/USG Phase 1 settings. All ZyWALL/USG units must use the same Pre-Shared Key, Encryption, Authentication method, DH key group and ID Type to establish the IKE SA.
2 If the Phase 1 IKE SA completes but you still see [info] log messages such as the ones below, check the ZyWALL/USG Phase 2 settings. All ZyWALL/USG units must use the same Protocol, Encapsulation, Encryption, Authentication method and PFS to establish the IPSec SA.
3 Make sure all ZyWALL/USG units’ security policies allow IPSec VPN traffic. IKE uses UDP port 500, AH uses IP protocol 51, and ESP uses IP protocol 50.
4 By default, NAT traversal is enabled on ZyWALL/USG, so please make sure the remote IPSec device also has NAT traversal enabled.
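The first three checks above can be turned into a small consistency check that compares each unit's Phase 1 and Phase 2 parameters and the security-policy allowances before anyone starts reading logs. This is an added example, not a Zyxel tool: the parameter names and the sample settings are constructed, and the pre-shared key is compared as a placeholder hash rather than in clear text.

```python
# Consistency checker for the checklist above (added example; settings are constructed samples).
PHASE1_KEYS = ("pre_shared_key", "encryption", "authentication", "dh_group", "id_type")
PHASE2_KEYS = ("protocol", "encapsulation", "encryption", "authentication", "pfs")
# Traffic every unit's security policy must allow (from the page): IKE, ESP and AH.
REQUIRED_ALLOWS = {("udp", 500), ("ip", 50), ("ip", 51)}


def find_mismatches(units: dict, keys: tuple) -> dict:
    """Return {parameter: {unit: value}} for each parameter that is not identical on all units."""
    out = {}
    for key in keys:
        values = {name: cfg.get(key) for name, cfg in units.items()}
        if len(set(values.values())) > 1:
            out[key] = values
    return out


def missing_allows(policy_rules: set) -> set:
    """Return the (protocol, number) pairs the security policy does not yet permit."""
    return REQUIRED_ALLOWS - set(policy_rules)


def diagnose(phase1: dict, phase2: dict, policy: set) -> list:
    """Run the three checks in the order the page lists them; an empty list means all consistent."""
    findings = []
    for label, units, keys in (("phase1", phase1, PHASE1_KEYS), ("phase2", phase2, PHASE2_KEYS)):
        bad = find_mismatches(units, keys)
        if bad:
            findings.append((label, bad))
    if missing_allows(policy):
        findings.append(("policy", missing_allows(policy)))
    return findings


# Constructed sample: Spoke_Branch_B was given a different DH group and PFS than Hub_HQ.
# The PSK field holds a placeholder hash so keys are never collected in clear text.
HUB_P1 = {"pre_shared_key": "<psk-hash>", "encryption": "AES256", "authentication": "SHA256",
          "dh_group": "DH14", "id_type": "IP"}
PHASE1 = {"Hub_HQ": HUB_P1, "Spoke_Branch_A": dict(HUB_P1),
          "Spoke_Branch_B": dict(HUB_P1, dh_group="DH2")}
HUB_P2 = {"protocol": "ESP", "encapsulation": "Tunnel", "encryption": "AES256",
          "authentication": "SHA256", "pfs": "DH14"}
PHASE2 = {"Hub_HQ": HUB_P2, "Spoke_Branch_A": dict(HUB_P2),
          "Spoke_Branch_B": dict(HUB_P2, pfs="none")}
POLICY = {("udp", 500), ("ip", 50)}   # AH (IP protocol 51) not yet allowed

if __name__ == "__main__":
    for finding in diagnose(PHASE1, PHASE2, POLICY):
        print(finding)
```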