IPSec VPN With Dynamic Connection
I have a USG310 at my company office. It has two local networks (10.0.0.0/24 and 10.0.10.0/24) for my company servers. I have remote workers with USG20-VPN devices at their houses. One worker, with a static home IP address and connected via site-to-site IPSec, has no issues. However, another worker with a Site-to-site with Dynamic Peer connection does not work fully.
The Dynamic Peer can connect to the 10.0.0.0/24 network, as that is defined in the VPN Connection Policy. They cannot reach the 10.0.10.0/24 network, however, even though there is a Policy Route. Nor can either of the home workers see each other's computers.
If I make the Dynamic Peer a site-to-site, everything works. Things seem to break down with the Dynamic Peer concept. The "Use Policy Route to control dynamic IPSec rules" option is checked on the company office and remote location configurations as well.
I tried to use DDNS so I could use site-to-site, but the home office network is behind their home network, so the DDNS WAN address is not the public address.
Is there a particular way to get the dynamic IPSec to route to the secondary networks? My only working solution at this time is to use site-to-site and change the IP address manually in my DNS when the remote worker's ISP changes his address, since DDNS is not working well.
All Replies
-
On client and server side you should have two VPNs and ONE gateway. A VPN for every subnet.
-
Hi @peakvista,
Welcome to the Zyxel community. You can create a 2nd VPN phase 2 for subnet 10.0.10.0/24.
Feel free to post any inquiries if you encounter any issues.
-
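The reply above says to add a second phase 2 for 10.0.10.0/24; the model below, added here as an illustration and not code from Zyxel or from anyone in this thread, shows why that is the fix rather than the policy route the original post relies on. A policy route can steer a packet at the tunnel, but a packet only enters an IPsec SA when some phase 2 policy's traffic selectors (local/remote subnet pair) cover it, and the peer must hold the mirror-image policy or that SA is never negotiated. The two home LANs (192.168.1.0/24 for the dynamic-peer worker, 192.168.2.0/24 for the static-IP worker) are assumptions, since the thread does not state them; IKE negotiation itself is abstracted away, and the `hairpin` flag goes beyond the reply to show what the original post's third symptom (home workers not seeing each other) needs on the hub.

```python
"""Model of which IPsec phase 2 (child SA) carries a packet between sites.

Constructed example: the office hub with 10.0.0.0/24 and 10.0.10.0/24, a
dynamic-peer worker behind 192.168.1.0/24 and a static-IP worker behind
192.168.2.0/24 (both home LANs are assumed; the thread does not state them).
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Phase2:
    """One phase 2 policy: the IKE peer it belongs to and its traffic selectors."""
    name: str
    peer: str
    local: IPv4Network
    remote: IPv4Network

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        return src in self.local and dst in self.remote

    def mirrors(self, other: "Phase2") -> bool:
        """The peer's policy must be the mirror image or the SA is never negotiated."""
        return self.local == other.remote and self.remote == other.local


@dataclass
class Gateway:
    name: str
    lans: list            # subnets directly behind this gateway
    phase2: list          # ordered SPD, first match wins
    policy_routes: list   # destinations a policy route steers into "the tunnel"

    def routes_to_tunnel(self, dst: IPv4Address) -> bool:
        # A policy route or a selector-derived route can point at the tunnel,
        # but only a matching selector can actually put the packet into an SA.
        return any(dst in net for net in self.policy_routes) or \
            any(dst in p.remote for p in self.phase2)

    def outbound_sa(self, src, dst, peer: str) -> Optional[Phase2]:
        return next((p for p in self.phase2 if p.peer == peer and p.matches(src, dst)), None)


def deliver(path, src: str, dst: str) -> str:
    """Walk the packet gateway by gateway and report where (and why) it stops."""
    s, d = ip_address(src), ip_address(dst)
    sa = None
    for here, nxt in zip(path, path[1:]):
        sa = here.outbound_sa(s, d, peer=nxt.name)
        if sa is None:
            why = "routed to tunnel but " if here.routes_to_tunnel(d) else "no route and "
            return f"dropped at {here.name}: {why}no phase 2 selector covers {s}->{d}"
        # The receiver only accepts the packet inside an SA whose selectors are
        # the mirror image of the sender's (the RFC 4301 inbound policy check).
        if not any(p.peer == here.name and p.mirrors(sa) for p in nxt.phase2):
            return f"dropped at {here.name}: {nxt.name} has no mirror of {sa.name}"
    last = path[-1]
    if any(d in lan for lan in last.lans):
        return f"delivered via {sa.name}"
    return f"dropped at {last.name}: {d} is not behind it"


OFFICE_LAN0 = ip_network("10.0.0.0/24")
OFFICE_LAN10 = ip_network("10.0.10.0/24")
HOME_A = ip_network("192.168.1.0/24")   # assumed: dynamic-peer worker's LAN
HOME_B = ip_network("192.168.2.0/24")   # assumed: static-IP worker's LAN


def build(second_phase2: bool, hairpin: bool = False):
    """Hub and two spokes; the flags add the extra phase 2 policies on every side."""
    a = Gateway("home-A", [HOME_A],
                [Phase2("a-lan0", "office", HOME_A, OFFICE_LAN0)],
                [OFFICE_LAN10])                      # the policy route from the question
    b = Gateway("home-B", [HOME_B],
                [Phase2("b-lan0", "office", HOME_B, OFFICE_LAN0)], [])
    hub = Gateway("office", [OFFICE_LAN0, OFFICE_LAN10],
                  [Phase2("hub-a-lan0", "home-A", OFFICE_LAN0, HOME_A),
                   Phase2("hub-b-lan0", "home-B", OFFICE_LAN0, HOME_B)], [])
    if second_phase2:                                # the fix suggested in the reply
        a.phase2.append(Phase2("a-lan10", "office", HOME_A, OFFICE_LAN10))
        hub.phase2.append(Phase2("hub-a-lan10", "home-A", OFFICE_LAN10, HOME_A))
    if hairpin:                                      # spoke-to-spoke through the hub
        a.phase2.append(Phase2("a-to-b", "office", HOME_A, HOME_B))
        hub.phase2.append(Phase2("hub-from-a", "home-A", HOME_B, HOME_A))
        hub.phase2.append(Phase2("hub-to-b", "home-B", HOME_A, HOME_B))
        b.phase2.append(Phase2("b-from-a", "office", HOME_B, HOME_A))
    return a, hub, b


def scenarios() -> dict:
    a, hub, b = build(second_phase2=False)
    before = {
        "lan0": deliver([a, hub], "192.168.1.20", "10.0.0.5"),
        "lan10": deliver([a, hub], "192.168.1.20", "10.0.10.5"),
        "spoke": deliver([a, hub, b], "192.168.1.20", "192.168.2.20"),
    }
    a, hub, b = build(second_phase2=True, hairpin=True)
    after = {
        "lan10": deliver([a, hub], "192.168.1.20", "10.0.10.5"),
        "spoke": deliver([a, hub, b], "192.168.1.20", "192.168.2.20"),
    }
    return {"before": before, "after": after}


if __name__ == "__main__":
    for phase, results in scenarios().items():
        for flow, outcome in results.items():
            print(f"{phase:6} {flow:5} {outcome}")
```

Running it shows the three outcomes the thread describes: 10.0.0.0/24 is reachable, 10.0.10.0/24 is "routed to tunnel but" dropped for lack of a selector, and spoke-to-spoke has neither route nor selector. Adding the second phase 2 on the spoke alone is not enough either; the hub needs the mirror entry, and spoke-to-spoke additionally needs selectors on the hub for the home-to-home subnet pair.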
@peakvista, any news?
-
I gave something a try, but it did not seem to connect. However, I think I had something wrong in a policy. I will be testing again tonight. If setting up the second phase 2 for the other subnet does not work, then I will go with site-to-site instead of site-to-site with dynamic peer and have an easy way to get DNS entries changed when remote workers' IP addresses change.
-
Policies could allow (or not) traffic among subnets, but should not interfere with tunnel establishment. Moreover, security policies can trigger log entries, if configured accordingly. I'm curious to know if you will solve the issue.
-
Hi @peakvista,
Can you see the 2nd subnet routing shown in MAINTENANCE > Packet flow Explore > routing status > Site to Site VPN?
-
I am not sure at this time. I am going to drop this issue for the time being and just use site-to-site instead of site-to-dynamic on the central router. As I have some other tasks to attend to and I was able to work around things, I will close this issue and come back to it in a few weeks and take note of these items.