Multiple IKEv2 gateways in parallel

Options
StefanZ
StefanZ Posts: 191  Master Member
First Anniversary 10 Comments Friend Collector First Answer
edited March 2023 in Security

What I want to do:

  • Have multiple IKEv2 gateways running in parallel named #1 and #2.
  • Have multiple users with the same credentials sign into #1 to access one subnet
  • Have one admin sign into #2 and access another subnet

Since using a IKEv2 certificate gateway fixes the servers' Local-ID-Type and Local-ID-Content to the certificates' Subject, you are left with only the Peer-ID to distinguish between requests to all gateways.

With only one gateway, I can set Peer-ID to “any” and then enter a unique sting for each client to have multiple clients connect to the gateway at the same time, receive a unique IP in the correct subnet and all is good.

When I add a second gateway, the Zyxel device (FLEX200) fails to distinguish between gateways when both gateways are using the same FQDN/DDNS hostname. So I made the second gateway use another FQDN/DDNS – which of cause resolves to the same WAN IP, but still gives a unique Local-ID-Content. At least so I thought…

Turns out, that the client still gets connected to the gateway with first precedence – deactivating that one will result in the second one working correctly.

Setting an email als Peer-ID on both gateways solves that, but also disconnects any user on a gateway, as soon as a second user connects to it, because the gateway has no way of distinguishing between users anymore.

The Peer-ID setting in the device only allows "any" or fixed values – no wildcards. Being able to enter *@myserver.com for example would be swell.

My further ideas to get what I need:

  • Use a second WAN-IP – in fact this device will at some point be deployed with 4 static IPs on WAN1 and 1 or 2 static IPs on WAN2, so that will "auto-solve" my problem. But that's quite a luxurious position to be in, many folks have to cope with only one IP. That's also what i have to work with for now.
  • Make gateway #2 take precendence over #1 and only accept one specific Peer-ID. Other requests should be handed down to the next gateway – which then accepts "any" as Peer-ID and thereby allows for multiple users. Doing that in the GUI is not possible, the only way is to edit/sort the startup-config. Or create the gateways in the required order and then hope this ordern never gets messed up.
  • Use only one gateway and handle the admin user differently from regular users. I was hoping for a different subnet/zone/vlan as landing point and therby avoid having to configure Security Policies for that…

I really wonder, why the different Hostname / Local-ID doesn't work as expected. After all it has to match the cert?

Any ideas / input are welcome!

All Replies

  • Zyxel_Kevin
    Zyxel_Kevin Posts: 797  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    Hi @StefanZ ,

    Greeting Forum, I tested the scenario. It works.

    Please kindly refer the following settings:

    1)Create two Phase1 VPN gateway. For local ID use the same certificate. For Peer ID use different DNS to identify.

    (Phase1 profile: test1)

    (Phase1 profile: test2)

    2)Create two phase2 profile for them.

    3) Change VPN client “local ID” to determine what profile would be connected

    If local ID is “p1.com” , profile “test1_p2” is selected

    If local ID is “p2.com” , profile “test2_p2” is selected

    If there still have issue, please share your config files by private message. Thank you

    Kevin

  • StefanZ
    StefanZ Posts: 191  Master Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    Yes sure, that works, BUT…

    I cannot have multiple connections to neither of the two gateways, because all users would share the same Local-ID and user #2 would terminate user #1 when connecting.

    What I don't understand: If my gateways have different FQDNs/DDNS and use that as their Local-ID, wouldn't that play into the selection of the gateway too? Or does the FLEX200 just see the request-IP at this stage (which would be the same for both FQDNs) and thus cannot differentiate?

  • Zyxel_Kevin
    Zyxel_Kevin Posts: 797  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    Hi @StefanZ ,

    All vpn profiles share the same Local-ID and VPN client set individual local ID (p1.com, p2.com) , When user2 connected user1 didn't terminate. It works at same time.

    1)To reach the inqurirement, please set different Peer ID for individual profiles.

    2)Peer ID / Local ID are just for identify, It doesn't matter if the value not the same as WAN address. The point is the valure must match with VPN client.

    [profile1]

    FW: Local ID: 1.1.1.1 , Peer ID: p1.com

    Client: Local ID: p1.com , Peer ID: 1.1.1.1

    [profile2]

    FW: Local ID: 1.1.1.1 , Peer ID: p2.com

    Client: Local ID: p2.com , Peer ID: 1.1.1.1

    Thank you

Security Highlight