Only 4 tunnel interfaces possible

Line2
Line2 Posts: 40
First Answer First Comment Friend Collector First Anniversary
 Freshman Member
edited April 2021 in Security
Is there a technical reason why only 4 tunnel interfaces are possible on USG/ZyWALLs? For GRE/IPSec more would be helpful.

Accepted Solution

All Replies

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,174
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 1000 Comments
     Zyxel Employee
    Hi @Line2,

    There is no technical reason for the specification about  the current supported tunnel interface number.
    The new IPSec virtual tunnel interface(VTI) is introduced since firmware 4.20, so we suggest you use VTI interface instead of Tunnel interface.
    Compared to GRE with extra GRE header overhead, it is better to use VTI instead of GRE over IPSec. 
    If you still think it is necessary to increase the number of Tunnel interface, please feel free to let us know and we will evaluate the enhancement on this feature.
    image.png

    Click this link to start: https://bit.ly/3R2Wx52
    Emily

  • Line2
    Line2 Posts: 40
    First Answer First Comment Friend Collector First Anniversary
     Freshman Member

    I know VTI, I set up a lot of VTI/IPSec, between ZyWALLs only, I use most of time VTI and OSPF for dynamic routing. I know the overhead of GRE (24bytes). But there are different restrictions where you can't use VTI (3.party firewalls without VTI or no VTI with dynamic IPs there, general antipathy for VTI at a lot of firewall admins because of leak difficulty...).
    Thats the same reason why I made a feature request to support OSPF on GRE interfaces. By the way a loopback interface on ZyWALLs would be handy for such things too ;-)

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,174
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 1000 Comments
     Zyxel Employee

    Hi @Line2,


    Thanks for your suggestion.

    I would like to move your request to the ideas section.

    image.png

    Click this link to start: https://bit.ly/3R2Wx52
    Emily

  • Line2
    Line2 Posts: 40
    First Answer First Comment Friend Collector First Anniversary
     Freshman Member
    ok, if it helps :-)
  • Line2
    Line2 Posts: 40
    First Answer First Comment Friend Collector First Anniversary
     Freshman Member
    thank you
  • Kade
    Kade Posts: 8
    First Comment Second Anniversary
    One feature that I would like to add is to have the ability to encrypt the GRE tunnel with IPsec to make it secure for routing packet between site.
  • Zyxel_Vic
    Zyxel_Vic Posts: 276
    5 Answers First Comment Friend Collector Sixth Anniversary
     Zyxel Employee
    Hi @Kade
    I added your request into the idea post Emily created, too. 

    Here the idea post.

    Untitled Image

    Click this link to start: https://bit.ly/3R2Wx52

  • alexey
    alexey Posts: 188
    First Comment Friend Collector Fifth Anniversary
     Master Member

    Hi.

    We want to start using GRE over ipsec on our sites with old USG1000, that don't support VTI for autodisables routes, and 4 GREs are too small for ours needs.

    Will you realize more GRE in the future and will beta FW availble for test?

  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,296
    100 Answers 1000 Comments Friend Collector Fifth Anniversary
     Zyxel Employee

    USG1000 does not support GRE over IPSec.

    You can consider for USG1100 or VPN300 which support GRE over IPSec function.

    3.png


Categories

Security Highlight


Read more

Security Help Center

  • FAQ
  • New & Release
  • Monthly Express
  • Threat Intelligence
  • Video Tutorials
    • EnglishTiếng ViệtРусскийไทย中文(台灣)