IPSec VPN With Dynamic Connection

I have a USG310 at my company office. It has two local networks (10.0.0.0/24 and 10.0.10.0/24) for my company servers. I have remote workers with USG20-VPN devices at their houses. One worker with a static home IP address and connected via site-to-site IPSec has no issues. However, another worker with a Site-to-site with Dynamic Peer does not work fully.

The Dynamic Peer can connect to the 10.0.0.0/24 network as that is defined in the VPN Connection Policy. They cannot reach the 10.0.10.0/24 network however, even though there is a Policy Route. Nor can either of the home workers see each other's computers.

If I make the Dynamic Peer a site-to-site, everything works. Things seem to break down with the Dynamic Peer concept.  The "Use Policy Route to control dynamic IPSec rules" is checked on the company office and remote location configurations as well.

I tried to use DDNS so I could use site-to-site but the home office network is behind their home network so the DDNS WAN address is not the public address.

Is there a particular way to get the dynamic IPSec to route to the secondary networks? My only working solution at this time is to use site-to-site and change the IP address manually in my DNS when the remote worker's ISP changes his address, since DDNS is not working well.

All Replies

  • mMontana
    edited August 2021
    On the client and server side you should have two VPNs and ONE gateway.
    A VPN for every subnet.
  • Zyxel_Cooldia
    edited August 2021

    Welcome to Zyxel community.  :)
    You can create a 2nd VPN phase 2 for subnet 10.0.10.0/24.
    Feel free to post any inquiries if you encounter any issues.
  • mMontana
    @peakvista any news?
  • I gave something a try but it did not seem to connect. However, I think I had something wrong in a policy. I will be testing again tonight. If setting up the second phase 2 for the other subnet does not work, then I will go with site-to-site instead of site-to-site with dynamic peer and have an easy way to get DNS entries changed when remote workers IP addresses change.
  • mMontana
    Policies could allow (or not) traffic among subnets, but should not interfere with the tunnel establishment.
    Moreover, security policies can trigger log entries, if configured accordingly.

    I'm curious to know if you will solve the issue  :)
  • Zyxel_Cooldia
    edited September 2021
    Hi @peakvista,
    Can you see the 2nd subnet route shown in MAINTENANCE > Packet flow Explore > routing status > Site to Site VPN?

  • I am not sure at this time. I am going to drop this issue for the time being and just use site-to-site instead of site-to-dynamic on the central router. As I have some other tasks to attend to and I was able to work around things, I will close this issue and come back to it in a few weeks and take note of these items.
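The two suggestions in the thread (mMontana's "a VPN for every subnet" and Zyxel_Cooldia's second phase 2) both come down to how policy-based IPsec picks a child SA for a packet. The Python model below is an added example, not code from the thread or from Zyxel: it simulates the RFC 4301 SPD lookup (a packet is only tunnelled if some phase-2 selector pair covers its source and destination, whatever a policy route says) using the thread's office subnets, with the home LANs (192.168.1.0/24 for the static worker, 192.168.2.0/24 for the dynamic one) and all policy names assumed for illustration. It also goes beyond the 10.0.10.0/24 case to the worker-to-worker problem the poster mentioned, showing which extra selectors a hub-and-spoke layout needs. It does not model Zyxel's "Use Policy Route to control dynamic IPSec rules" option.

```python
"""Policy-based IPsec: a child SA only carries traffic that matches its
traffic selectors (RFC 4301 SPD). Added example for this thread; office
subnets are the thread's, home LANs and policy names are assumed."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Phase2:
    """One phase-2 policy (on Zyxel: a VPN Connection's Local/Remote policy).
    A packet whose source is in `local` and destination in `remote` is
    protected by this SA; anything else never enters the tunnel."""
    name: str
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network


def phase2(name: str, local: str, remote: str) -> Phase2:
    return Phase2(name, ipaddress.ip_network(local), ipaddress.ip_network(remote))


def select_sa(spd: Iterable[Phase2], src: str, dst: str) -> Optional[str]:
    """Name of the first phase 2 whose selectors cover src->dst, else None.
    A policy route can steer a packet at the tunnel interface, but with no
    matching selector there is no SA to carry it, so the packet is dropped
    (or leaves in clear via another route). A route alone cannot fix that."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in spd:
        if s in p.local and d in p.remote:
            return p.name
    return None


# Constructed topology: office LANs from the thread, home LANs assumed.
OFFICE_LAN1, OFFICE_LAN2 = "10.0.0.0/24", "10.0.10.0/24"
HOME_STATIC, HOME_DYNAMIC = "192.168.1.0/24", "192.168.2.0/24"


def office_spd(second_phase2: bool) -> List[Phase2]:
    """Office (hub) SPD toward the dynamic-peer worker, with or without the
    extra phase 2 for the second office subnet."""
    spd = [phase2("dyn-worker", OFFICE_LAN1, HOME_DYNAMIC)]
    if second_phase2:
        spd.append(phase2("dyn-worker-lan2", OFFICE_LAN2, HOME_DYNAMIC))
    return spd


def spoke_to_spoke(spoke_a: List[Phase2], hub: List[Phase2],
                   spoke_b: List[Phase2], src: str, dst: str) -> Optional[str]:
    """Trace a packet from spoke A's LAN to spoke B's LAN through the hub.
    Four lookups must all hit: A outbound; hub inbound from A (a hub entry
    whose local covers dst and remote covers src); hub outbound to B (local
    covers src, remote covers dst); B inbound (B's local covers dst)."""
    hops = (
        select_sa(spoke_a, src, dst),
        select_sa(hub, dst, src),
        select_sa(hub, src, dst),
        select_sa(spoke_b, dst, src),
    )
    return None if None in hops else " -> ".join(hops)


def worker_to_worker(meshed: bool) -> Optional[str]:
    """Static worker (A) to dynamic worker (B) via the office. With only
    worker<->office selectors the path fails; adding selectors that name the
    other worker's LAN on each device (and on the hub) makes it pass."""
    spoke_a = [phase2("to-office", HOME_STATIC, OFFICE_LAN1),
               phase2("to-office-lan2", HOME_STATIC, OFFICE_LAN2)]
    hub = [phase2("static-worker", OFFICE_LAN1, HOME_STATIC),
           phase2("static-worker-lan2", OFFICE_LAN2, HOME_STATIC)] + office_spd(True)
    spoke_b = [phase2("to-office", HOME_DYNAMIC, OFFICE_LAN1),
               phase2("to-office-lan2", HOME_DYNAMIC, OFFICE_LAN2)]
    if meshed:
        spoke_a.append(phase2("to-home2", HOME_STATIC, HOME_DYNAMIC))
        hub.append(phase2("home1-via-hub", HOME_DYNAMIC, HOME_STATIC))  # on tunnel to A
        hub.append(phase2("home2-via-hub", HOME_STATIC, HOME_DYNAMIC))  # on tunnel to B
        spoke_b.append(phase2("to-home1", HOME_DYNAMIC, HOME_STATIC))
    return spoke_to_spoke(spoke_a, hub, spoke_b, "192.168.1.10", "192.168.2.10")


if __name__ == "__main__":
    for label, spd in (("one phase 2", office_spd(False)), ("two phase 2s", office_spd(True))):
        for host in ("10.0.0.7", "10.0.10.5"):
            print(f"{label}: {host} -> 192.168.2.10 uses {select_sa(spd, host, '192.168.2.10')}")
    print("worker-to-worker, office tunnels only:", worker_to_worker(False))
    print("worker-to-worker, meshed selectors:   ", worker_to_worker(True))
```

Run it directly to print the lookups. With a single phase 2 the 10.0.10.0/24 host resolves to no SA, and the same host resolves to the second phase 2 once it exists; that is the behaviour behind the replies above. The worker-to-worker trace shows the less obvious part: each home device needs a selector naming the other home LAN, and the office needs a phase 2 on each worker's tunnel whose local policy is the other worker's LAN, otherwise the hub has no SA in which to forward the decrypted packet.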
