How to Configure Secure WiFi to Secure the Wireless Environment?

Zyxel_Stanley Posts: 1,366  Zyxel Employee
edited June 2022 in Other Topics

In Secure WiFi, the AP acts as a VPN client and establishes an IPsec tunnel to the Gateway, so traffic on a tunnel-mode SSID is protected by the IPsec VPN. This approach provides data encryption for teleworkers' traffic (GRE over IPsec VPN) without any settings on the user's end device. This example shows how to set up Secure WiFi on the AP controller to encrypt traffic from stations at a remote site to the enterprise network.

Secure WiFi supported models:

AP Controller (with ZLD5.00): ATP Series, USG Series

Access Point (with WLAN 6.20): WAX650S / WAX610D / WAX510D / WAC500 / WAC500H 

The capability of Remote AP can be checked at: Monitor > Wireless > AP Information > AP List > Show Advanced Settings.

Note: To protect the Security Gateway from being overloaded by handling too much tunnel traffic, only 25% of managed APs can be configured as Remote APs.

Set up Secure WiFi on AP controller

There are two stages when deploying Secure WiFi on an AP that is managed by the AP Controller and whose status is online.

Stage one: finish the configuration inside the enterprise network.

• Configure AP role as Remote AP and SSID setting

• Update the Controller IP as the USG's WAN IP

Stage two: remote users power up the AP, and the IPsec tunnel is then established automatically.

• Power up remote APs at remote side


Configure AP role as Remote AP and SSID setting

Secure WiFi is a per-AP setting at Configuration > Wireless > AP Management > Mgmt. AP List > Specific AP.

Set the AP Role to Remote AP. Up to four Secure Tunnel SSIDs can be configured. Then define which interface the traffic will be tunneled to, and where the traffic will be transmitted.

NOTE: Secure Tunnel can only be applied to SSIDs. Ethernet traffic from clients connected to the AP's LAN port won't be tunneled back to the Controller.


Update the Controller IP as the USG’s WAN IP

Besides setting the SSID, you also need to override the Controller's IP address on the AP so that it connects back to the HQ Gateway after booting up at the remote site. If the Gateway supports dual WAN, add the other WAN IP in the "secondary controller" column. An FQDN is also an available input option for a dynamic WAN IP, but it requires corresponding DNS settings.

Assign the Gateway's WAN IP as the AP's Controller IP at: Configuration > Wireless > AP Management > AP Policy

A Firewall Policy Rule for the CAPWAP connection and a Remote AP VPN IP Address Pool (a new subnet for Remote AP VPN Client use) are auto-added when Remote AP is enabled.

On a Remote AP, Storm Control is automatically activated to prevent heavy broadcast traffic from flooding from the wireless side to the Gateway and to other Remote APs. Both Wireless and Ethernet Storm Control are auto-enabled on a Remote AP.

Power up remote APs at remote side

Remote users power up the AP, and the IPsec tunnel is then established automatically.



Test the Result

After the Remote AP boots up at the remote site, it automatically establishes the IPsec VPN connection with HQ. AP and tunnel information is displayed in the Web GUI at: Monitor > VPN Monitor > Remote AP VPN > Remote AP VPN

What can go wrong

1.   Configure all the corresponding settings on the interface before you connect the link.

2.   The maximum number of Remote APs is limited by the device's "Max. Concurrent IPsec Tunnel" capability and by 25% of the maximum managed AP number.

3.   Secure WiFi requires a specific license on the AP.

You can check the license status at: Configuration > Licensing > Registration > Service

Click Activate to use the Secure WiFi feature. Click Buy to be redirected to a new webpage on the Zyxel Marketplace for purchasing the license.

When the license expires, the VPN connection from the Remote AP is closed and the Secure Tunnel SSID on the Remote AP is disabled. Both recover automatically after a new license is activated.