Zyxel Usg 1000 - Trunk / VPN

Options
mm_bret
mm_bret Posts: 58  Ally Member
First Anniversary 10 Comments

We have a Zyxel usg 1000. I understand it's old, but it works. We have recently purchased some Flex 200 devices, but not implemented yet.

My question:

We have two internet providers, Comcast and ATT Fiber.

Currently we have a single ipsec vpn configured between the remote office and

the primary office…using the Comcast Wan

How can I create a wan fail over, that will maintain a vpn connection between

the remote office and the home office?

Very much appreciate any assistance.

Regards,

Bret Stern

All Replies

  • WJS
    WJS Posts: 145  Ally Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    FLEX/ATP have WAN trunk to implement WAN failover, and for IPsec also have Secondary peer as backup lines.

    But I am not sure if USG1000 have the kind of settings..

  • mm_bret
    mm_bret Posts: 58  Ally Member
    First Anniversary 10 Comments
    Options

    I will try to setup the trunk on the remote office per Zyxel video example. This would cover the

    wan fail over. However, I don't understand how the VPN would roll over, and maintain the

    same ip subnet. Can multiple ipsec vpn's be configured with the same subnet, I thought no..but need more input.

    I have secondary peer. I think that would be on the home office router, not the remote office.

  • PeterUK
    PeterUK Posts: 2,877  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    I think what you would have to do is set Domain name IP to 0.0.0.0 to bind on all interface so when one ISP goes down it uses the other interface with interfaces set to do Connectivity Check if the usg 1000 has that?

  • mm_bret
    mm_bret Posts: 58  Ally Member
    First Anniversary 10 Comments
    Options

    Hey Peter…so in my image, there is a section "My Address"

    Are you suggesting the Domain Name / ip be used instead?

    I'll look at my manual to see how that option can be used.

  • PeterUK
    PeterUK Posts: 2,877  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    Are you suggesting the Domain Name / ip be used instead?

    Yes with 0.0.0.0

  • mm_bret
    mm_bret Posts: 58  Ally Member
    First Anniversary 10 Comments
    Options

    I think I understand.

    On the remote office side, I create the trunk, then set the gateway interface to use either Wan port by setting Domain / ip to 0.0.0.0. ( not sure how the vpn stays up) but I'm hoping there is a way.

    On the home (data center) side, where all the vpn's point to specific peer remote office ip addresses, would there be any changes there for maintaining a ipsec connection between the remote office described above?

    I appreciate the help. Our primary ISP has been solid for years, but outages essentially close our showrooms since our remote terminals and voip phones go dead. I'm hoping if I can get one working, the other ones will be easy. They all have old USG 1000 devices. There are 7

  • mm_bret
    mm_bret Posts: 58  Ally Member
    First Anniversary 10 Comments
    Options

    PeterUK,

    This is the advice of the Zyxel help file on my Zyxel USG 1000 with regard to using 0.0.0.0.

    "If you select Domain Name / IP,
    enter the domain name or the IP address of the ZyWALL. The IP address
    of the ZyWALL in the IKE SA is the specified IP address or the IP
    address corresponding to the domain name. 0.0.0.0 is not generally
    recommended as it has the ZyWALL accept IPSec requests destined for any
    interface address on the ZyWALL."

    While this may be the way to make the redundancy work, I just don't want to expose more than

    required.

    Thanks

  • WJS
    WJS Posts: 145  Ally Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    I think you can add security-policy to only allow your branch public IP with port 500, 4500 , ESP .

Security Highlight