Can't add IPsec with dynamic peer GW in concentrator

alexey Posts: 188  Master Member
edited April 2021 in Security
Hi all!
We try to use our remote site on a USG20W-VPN with a 3G USB modem (site B).
On the central site with a USG1100 we create a VPN gateway with dynamic peer and a site-to-site VPN connection with dynamic peer (site A).
But we can't add this new VPN to our concentrator together with the other simple site-to-site connections (sites C, D, etc.).
The VPN connection between sites A & B is established; site B can access site A, but can't access sites C, D, etc. Sites C, D, etc. can't access site B either.
Policy routes for access to site B via the VPN tunnel are created.
What can we do to get access between all sites?

All Replies

  • Alfonso
    Alfonso Posts: 257  Master Member
    Hi @alexey

    I am not sure I understood your network architecture well.

    Please, let me ask some questions:

    Is site A (USG1100) a vpn hub? 
    If site A is vpn hub, all flows between sites B, C and D go via site A.
    For example, a flow from site B to site C would be as follows:

    Site B -- (vpn to Site A) -- Site A -- (vpn to site C) -- Site C

    Otherwise, is VPN from Site B to site C direct? 

    Regards 


  • Zyxel_Emily
    Zyxel_Emily Posts: 1,376  Zyxel Employee

    In the current design, the tunnels in the VPN concentrator rule must be site-to-site VPN.
    That is, the tunnels created on the hub site should be site-to-site VPN.
    Site to site with dynamic peer is not supported in the concentrator.
    I would like to move the request to the ideas section.
  • Ian31
    Ian31 Posts: 174  Master Member
    Hi @alexey,
    An alternative is to put the internal networks of all sites in the same address space.
    For example, using the address space 172.16.0.0/16:
    - allocate 8 /24 networks for the central site, like 172.16.0.0/21
    - allocate 4 /24 networks for each site, like
      A: 172.16.8.0/22
      B: 172.16.12.0/22
      C: 172.16.16.0/22 
      .....
    On the central site,
    (1) Disable "Use Policy Route to control dynamic IPSec rules"
    (2) Configure the local policy of the VPN rule for the dynamic peer as local: 172.16.0.0/16

    On each remote site,
    configure a site-to-site VPN rule with local/remote policy as
    A: local: 172.16.8.0/22, remote: 172.16.0.0/16
    B: local: 172.16.12.0/22, remote: 172.16.0.0/16
    C: local: 172.16.16.0/22, remote: 172.16.0.0/16
    ....

    Then all remote sites can reach the central site and the other sites through the central hub.
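    As an added illustration of the address plan above (not code from the thread or from Zyxel), this script checks that every site LAN fits inside the hub's 172.16.0.0/16 local policy without overlapping another site, and then traces a spoke-to-spoke flow the way the hub would select the outgoing tunnel. The site names and prefixes are the ones Ian31 lists; the hub LAN /21 is his central-site block.

```python
import ipaddress

# Address plan from the post: hub local policy is the whole /16, the hub LAN keeps
# the first 8 x /24 (a /21), and each remote site gets a /22 as its local policy.
HUB_SUMMARY = "172.16.0.0/16"
HUB_LAN = "172.16.0.0/21"
SPOKES = {"A": "172.16.8.0/22", "B": "172.16.12.0/22", "C": "172.16.16.0/22"}


def validate_plan(hub_summary, hub_lan, spokes):
    """Return a list of plan problems; an empty list means the plan is consistent."""
    summary = ipaddress.ip_network(hub_summary)
    blocks = [("hub", ipaddress.ip_network(hub_lan))]
    blocks += [(name, ipaddress.ip_network(net)) for name, net in spokes.items()]
    problems = []
    for name, net in blocks:
        # Every LAN must sit inside the summary the hub uses as its local policy,
        # otherwise the spoke's remote policy (the /16) never matches that LAN.
        if not net.subnet_of(summary):
            problems.append(f"{name}: {net} is outside {summary}")
    for i, (n1, b1) in enumerate(blocks):
        for n2, b2 in blocks[i + 1:]:
            # Overlapping LANs leave the hub no unique tunnel for a destination.
            if b1.overlaps(b2):
                problems.append(f"{n1} {b1} overlaps {n2} {b2}")
    return problems


def hub_next_hop(dst_ip, hub_lan, spokes):
    """Simulate the hub: where a decrypted packet to dst_ip is forwarded."""
    ip = ipaddress.ip_address(dst_ip)
    if ip in ipaddress.ip_network(hub_lan):
        return "hub-lan"
    for name, net in spokes.items():
        if ip in ipaddress.ip_network(net):
            return f"tunnel-{name}"
    return None  # no site policy matches: the hub has no tunnel for it


def spoke_to_spoke_path(src_ip, dst_ip, hub_summary, hub_lan, spokes):
    """Trace a flow: source site -> its tunnel to the hub -> hub -> destination tunnel."""
    src = ipaddress.ip_address(src_ip)
    src_site = next((n for n, net in spokes.items() if src in ipaddress.ip_network(net)), None)
    # The spoke's remote policy is the whole /16, so only in-plan destinations enter its tunnel.
    if src_site is None or ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(hub_summary):
        return None
    return [f"site-{src_site}", "tunnel-to-hub", "hub", hub_next_hop(dst_ip, hub_lan, spokes)]
```

    Swapping a spoke prefix for one that overlaps another site (for example a /23 carved out of site A's /22) makes validate_plan report the clash before any tunnel is configured.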
  • Alfonso
    Alfonso Posts: 257  Master Member
    Hi @Ian31 and @alexey

    Another way to solve this issue is creating a tunnel (for example a GRE tunnel) plus IPsec.

    Let's suppose site A is the VPN hub, and sites B and C are remote sites.

    Two site-to-site IPSec VPNs:
    Site A <--> Site B
    Site A <--> Site C

    Flows between sites B and C could be done via a GRE tunnel between an interface on the site B device and an interface on the site A device. Both interfaces should be connected via the site-to-site VPN.

    So the flow could be:

    Source: Site B, Destination: Site C. Data: Any kind of Flow.

    On the site B device, traffic is encapsulated (GRE), so the flow will be transformed to:
    Source: Site B internal IP address
    Destination: Site A internal IP address
    Data: GRE tunnel. (Source: Site B, Destination: Site C. Data Any kind of Flow)

    Flows from the site B device IP to the site A device IP could be done via IPsec. So the flow will be:
    Source: Site B external IP Device
    Destination: External Site B IP Device
    IPSEC Encrypted Data: (Source: Site B internal IP address, Destination: Site A internal IP address, Data: GRE tunnel. (Source: Site B, Destination: Site C. Data Any kind of Flow))

    On site A, the IPsec encrypted data is decrypted, the GRE tunnel ends, and a new similar flow could be done from site A to site C (IPsec VPN and GRE tunnel).

    It looks complex, but it can be done.

    Regards
  • Ian31
    Ian31 Posts: 174  Master Member
    edited November 2018
    Alfonso & @alexey,
    Unfortunately, the max. number of GRE tunnel interfaces is limited to 4.

    https://businessforum.zyxel.com/discussion/comment/5255#Comment_5255
  • alexey
    alexey Posts: 188  Master Member
    @Zyxel_Emily
    It would be great if this function were implemented in future firmware.
    @Ian31
    Thanks for the interesting idea, I will try to test this.
    @Alfonso
    Thanks for the solution, but I don't understand the steps :/
    I must create a GRE tunnel on site B to site A, and a GRE tunnel on site A to site C?
    How will the policy route look, via the GRE or the IPsec tunnel?
    The IPsec configuration has a GRE tunnel option; doesn't it help?