Zyxel USG 1000 - Trunk / VPN
We have a Zyxel USG 1000. I understand it's old, but it works. We have recently purchased some Flex 200 devices, but have not implemented them yet.
My question:
We have two internet providers, Comcast and ATT Fiber.
Currently we have a single IPsec VPN configured between the remote office and the primary office, using the Comcast WAN.
How can I create a WAN failover that will maintain a VPN connection between the remote office and the home office?
Very much appreciate any assistance.
Regards,
Bret Stern
All Replies
-
FLEX/ATP have WAN trunk to implement WAN failover, and for IPsec they also have a Secondary peer as a backup line.
But I am not sure if the USG1000 has that kind of setting.
0 -
I will try to set up the trunk on the remote office per the Zyxel video example. This would cover the WAN failover. However, I don't understand how the VPN would roll over and maintain the same IP subnet. Can multiple IPsec VPNs be configured with the same subnet? I thought no, but need more input.
I have secondary peer. I think that would be on the home office router, not the remote office.
0 -
I think what you would have to do is set Domain Name / IP to 0.0.0.0 to bind on all interfaces, so when one ISP goes down it uses the other interface, with the interfaces set to do Connectivity Check, if the USG 1000 has that?
0 -
Hey Peter…so in my image, there is a section "My Address"
Are you suggesting the Domain Name / ip be used instead?
I'll look at my manual to see how that option can be used.
0 -
Are you suggesting the Domain Name / ip be used instead?
Yes, with 0.0.0.0.
0 -
I think I understand.
On the remote office side, I create the trunk, then set the gateway interface to use either WAN port by setting Domain Name / IP to 0.0.0.0 (not sure how the VPN stays up, but I'm hoping there is a way).
On the home (data center) side, where all the VPNs point to specific peer remote office IP addresses, would there be any changes there for maintaining an IPsec connection between the remote office described above?
I appreciate the help. Our primary ISP has been solid for years, but outages essentially close our showrooms since our remote terminals and VoIP phones go dead. I'm hoping if I can get one working, the other ones will be easy. They all have old USG 1000 devices. There are 7.
0 -
PeterUK,
This is the advice of the Zyxel help file on my Zyxel USG 1000 with regard to using 0.0.0.0.
"If you select Domain Name / IP, enter the domain name or the IP address of the ZyWALL. The IP address of the ZyWALL in the IKE SA is the specified IP address or the IP address corresponding to the domain name. 0.0.0.0 is not generally recommended as it has the ZyWALL accept IPSec requests destined for any interface address on the ZyWALL."
While this may be the way to make the redundancy work, I just don't want to expose more than required.
Thanks
0 -
I think you can add a security policy to only allow your branch public IP with port 500, 4500, and ESP.
0
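The allowlist suggested in the last reply, modelled as an added example that is not part of the thread and is not Zyxel configuration syntax. The peer addresses are constructed documentation-range values, and listing both of the peer's WAN addresses is an assumption so that the tunnel is still accepted after the peer fails over.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed peer addresses (RFC 5737 documentation ranges), not from the thread.
# Assumption: the peer has two WAN links, so both public IPs are listed;
# otherwise the tunnel would be blocked after the peer fails over.
ALLOWED_PEERS = [
    ipaddress.ip_network("198.51.100.10/32"),  # peer WAN 1 (constructed)
    ipaddress.ip_network("203.0.113.20/32"),   # peer WAN 2 (constructed)
]

# The services named in the reply: IKE (UDP 500), NAT-T (UDP 4500), ESP (IP protocol 50).
IPSEC_SERVICES = {("udp", 500), ("udp", 4500), ("esp", None)}


@dataclass(frozen=True)
class Packet:
    src: str
    proto: str                   # "udp", "tcp" or "esp"
    dport: Optional[int] = None  # ESP has no ports


def is_ipsec(pkt: Packet) -> bool:
    key = (pkt.proto, None if pkt.proto == "esp" else pkt.dport)
    return key in IPSEC_SERVICES


def evaluate(pkt: Packet, peers=ALLOWED_PEERS) -> str:
    """Decide on a packet addressed to the gateway itself (any WAN interface)."""
    if not is_ipsec(pkt):
        return "other-rules"      # not covered by this allowlist
    src = ipaddress.ip_address(pkt.src)
    return "allow" if any(src in net for net in peers) else "deny"


def audit(packets):
    """Return (packet, decision) pairs for a batch of constructed packets."""
    return [(p, evaluate(p)) for p in packets]


if __name__ == "__main__":
    sample = [
        Packet("198.51.100.10", "udp", 500),   # IKE from peer WAN 1
        Packet("203.0.113.20", "udp", 4500),   # NAT-T from peer WAN 2 after failover
        Packet("203.0.113.20", "esp"),         # ESP from peer WAN 2
        Packet("192.0.2.77", "udp", 500),      # IKE from an unlisted source
    ]
    for pkt, decision in audit(sample):
        print(f"{pkt.src:15} {pkt.proto:4} {pkt.dport} -> {decision}")
```

With the gateway bound to 0.0.0.0, a rule set of this shape is what keeps IKE and ESP reachable only from the listed peer addresses on every WAN interface.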