Multiple IKEv2 gateways in parallel
What I want to do:
- Have multiple IKEv2 gateways running in parallel named #1 and #2.
- Have multiple users with the same credentials sign into #1 to access one subnet
- Have one admin sign into #2 and access another subnet
Since using an IKEv2 certificate gateway fixes the server's Local-ID-Type and Local-ID-Content to the certificate's Subject, you are left with only the Peer-ID to distinguish between requests to all gateways.
With only one gateway, I can set Peer-ID to "any" and then enter a unique string for each client to have multiple clients connect to the gateway at the same time, receive a unique IP in the correct subnet, and all is good.
When I add a second gateway, the Zyxel device (FLEX200) fails to distinguish between gateways when both gateways are using the same FQDN/DDNS hostname. So I made the second gateway use another FQDN/DDNS, which of course resolves to the same WAN IP, but still gives a unique Local-ID-Content. At least so I thought…
Turns out, that the client still gets connected to the gateway with first precedence – deactivating that one will result in the second one working correctly.
Setting an email as Peer-ID on both gateways solves that, but also disconnects any user on a gateway as soon as a second user connects to it, because the gateway has no way of distinguishing between users anymore.
The Peer-ID setting in the device only allows "any" or fixed values, no wildcards. Being able to enter *@myserver.com, for example, would be swell.
My further ideas to get what I need:
- Use a second WAN IP. In fact this device will at some point be deployed with 4 static IPs on WAN1 and 1 or 2 static IPs on WAN2, so that will "auto-solve" my problem. But that's quite a luxurious position to be in; many folks have to cope with only one IP. That's also what I have to work with for now.
- Make gateway #2 take precedence over #1 and only accept one specific Peer-ID. Other requests should be handed down to the next gateway, which then accepts "any" as Peer-ID and thereby allows for multiple users. Doing that in the GUI is not possible; the only way is to edit/sort the startup-config. Or create the gateways in the required order and then hope this order never gets messed up.
- Use only one gateway and handle the admin user differently from regular users. I was hoping for a different subnet/zone/VLAN as landing point and thereby avoid having to configure Security Policies for that…
I really wonder why the different Hostname / Local-ID doesn't work as expected. After all, it has to match the cert?
Any ideas / input are welcome!
All Replies
Hi @StefanZ,
Greetings, Forum. I tested the scenario. It works.
Please kindly refer to the following settings:
1) Create two Phase 1 VPN gateways. For the Local ID use the same certificate. For the Peer ID use different DNS names to identify them.
(Phase1 profile: test1)
(Phase1 profile: test2)
2) Create two Phase 2 profiles for them.
3) Change the VPN client's "Local ID" to determine which profile will be connected:
If the Local ID is "p1.com", profile "test1_p2" is selected.
If the Local ID is "p2.com", profile "test2_p2" is selected.
If there is still an issue, please share your config files by private message. Thank you.
Kevin
Yes sure, that works, BUT…
I cannot have multiple connections to either of the two gateways, because all users would share the same Local-ID and user #2 would terminate user #1 when connecting.
What I don't understand: If my gateways have different FQDNs/DDNS and use that as their Local-ID, wouldn't that play into the selection of the gateway too? Or does the FLEX200 just see the request-IP at this stage (which would be the same for both FQDNs) and thus cannot differentiate?
Hi @StefanZ,
All VPN profiles share the same Local ID, and the VPN clients set individual Local IDs (p1.com, p2.com). When user2 connected, user1 wasn't terminated. They work at the same time.
1) To meet the requirement, please set a different Peer ID for each individual profile.
2) Peer ID / Local ID are just for identification. It doesn't matter if the value is not the same as the WAN address. The point is that the value must match the VPN client's.
[profile1]
FW: Local ID: 1.1.1.1 , Peer ID: p1.com
Client: Local ID: p1.com , Peer ID: 1.1.1.1
[profile2]
FW: Local ID: 1.1.1.1 , Peer ID: p2.com
Client: Local ID: p2.com , Peer ID: 1.1.1.1
Thank you
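To make the two selection problems in this thread concrete (the admin's request being caught by whichever gateway has first precedence and accepts "any", from the original post, and the vendor's per-profile fixed Peer ID mapping above, where every user on a profile shares one ID), here is an added Python model of how an IKEv2 responder picks a gateway profile from the client's IDi. This is illustrative code written for this page, not Zyxel's implementation or anything from the poster or Kevin; the profile names, the IDs such as admin@myserver.com, the precedence order, and the wildcard matching (which the FLEX200 does not offer, per the post) are all assumptions made for the example. Only IDi drives the choice here, consistent with the reply that the Local ID does not disambiguate profiles that share one certificate.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Gateway:
    """One Phase 1 profile as configured on the firewall (names are hypothetical)."""
    name: str
    local_id: str   # IDr the gateway asserts; fixed to the cert Subject, same for all profiles
    peer_id: str    # "any", a fixed value, or a wildcard pattern (hypothetical feature)


def peer_id_matches(pattern: str, idi: str) -> bool:
    """Does a profile's Peer-ID setting accept the client's IDi?"""
    if pattern == "any":
        return True
    if "*" in pattern:
        # Wildcard matching is NOT available on the FLEX200 per the post;
        # modelled here to show what '*@myserver.com' would buy.
        return fnmatchcase(idi, pattern)
    return pattern == idi


def select_gateway(gateways, idi: str):
    """First profile in precedence order whose Peer-ID accepts IDi (None if nobody does).
    The IDr/Local ID is deliberately ignored: all profiles share the same cert Subject."""
    for gw in gateways:
        if peer_id_matches(gw.peer_id, idi):
            return gw
    return None


def simulate_logins(gateways, logins):
    """Replay client logins; returns the active sessions and which clients were dropped.
    A new IKE SA with the same (profile, IDi) replaces the existing one, which is the
    'user #2 terminates user #1' behaviour described in the thread."""
    active = {}     # (profile name, IDi) -> client label
    dropped = []
    for client, idi in logins:
        gw = select_gateway(gateways, idi)
        if gw is None:
            dropped.append(client)
            continue
        key = (gw.name, idi)
        if key in active:
            dropped.append(active[key])
        active[key] = client
    return active, dropped


CERT_SUBJECT = "CN=vpn.myserver.com"   # constructed value for the shared certificate

# Constructed profiles. Order in the list is the device's precedence order.
AS_CREATED = [
    Gateway("#1", CERT_SUBJECT, "any"),                 # users, created first
    Gateway("#2", CERT_SUBJECT, "admin@myserver.com"),  # admin, created second
]
ADMIN_FIRST = list(reversed(AS_CREATED))               # specific profile before the catch-all

# Wildcard variant the poster wished for: users match a pattern, admin keeps precedence.
WILDCARD = [
    Gateway("#2", CERT_SUBJECT, "admin@myserver.com"),
    Gateway("#1", CERT_SUBJECT, "*@myserver.com"),
]

# Vendor-style mapping: one fixed Peer ID per profile, shared by all of that profile's users.
FIXED_PER_PROFILE = [
    Gateway("test1", "1.1.1.1", "p1.com"),
    Gateway("test2", "1.1.1.1", "p2.com"),
]


def failure_mode_report():
    """Summarise the two failure modes and their fixes as plain values."""
    two_users_same_id = [("user1", "p1.com"), ("user2", "p1.com")]
    two_users_unique = [("user1", "user1@myserver.com"), ("user2", "user2@myserver.com")]
    return {
        "admin_as_created": select_gateway(AS_CREATED, "admin@myserver.com").name,   # lands on #1
        "admin_reordered": select_gateway(ADMIN_FIRST, "admin@myserver.com").name,   # lands on #2
        "user_reordered": select_gateway(ADMIN_FIRST, "user1@myserver.com").name,    # falls to #1
        "outsider_wildcard": select_gateway(WILDCARD, "eve@other.example"),          # rejected
        "dropped_shared_id": simulate_logins(FIXED_PER_PROFILE, two_users_same_id)[1],
        "dropped_unique_id": simulate_logins(ADMIN_FIRST, two_users_unique)[1],
    }


if __name__ == "__main__":
    for k, v in failure_mode_report().items():
        print(f"{k}: {v}")
```

The model makes the precedence point from the post explicit: with a catch-all "any" profile ahead of the admin profile, the admin's IKE_AUTH is claimed by "#1" and the second profile never sees it; swapping the order fixes it without touching the Local ID. It also reproduces the trade-off in the vendor's fixed-Peer-ID mapping, where two clients presenting the same IDi on one profile collide and the earlier session is replaced, whereas unique per-client IDs behind an "any" (or wildcard) profile coexist.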