Can't add IPsec with dynamic peer GW in concentrator
Hi all!
We try to use our remote site on USG20W-VPN with a 3G USB modem (site B).
On the central site with USG1100, create VPN GW with dynamic peer, create VPN connection site-to-site with dynamic peer (site A).
But we can't add this new VPN to our concentrator with the other simple site-to-site connections (sites C, D, etc.).
VPN connection between sites A & B is established; site B can access site A, but can't access sites C, D, etc. Sites C, D, etc. can't access site B either.
Policy routes for access to site B via the VPN tunnel are created.
What can we do for access between all sites?
All Replies
Hi @alexey
I am not sure if I understood well your network architecture.
Please, let me ask some questions:
Is site A (USG1100) a VPN hub?
If site A is the VPN hub, all flows between sites B, C and D go via site A.
For example, a flow from site B to site C would be as follows:
Site B -- (VPN to Site A) -- Site A -- (VPN to Site C) -- Site C
Otherwise, is the VPN from site B to site C direct?
Regards
Hi @alexey,
In the current design, the tunnels in the VPN concentrator rule must be site-to-site VPN. That is, the tunnels created on the hub site should be site-to-site VPN. Site-to-site with dynamic peer is not supported in the concentrator. I would like to move the request to the ideas section.
Hi @alexey,
An alternative is to put the internal networks of all sites in the same address space.
For example, using the address space 172.16.0.0/16:
- allocate 8 /24 networks for the central site, like 172.16.0.0/21
- allocate 4 /24 networks for each site, like
A: 172.16.8.0/22
B: 172.16.12.0/22
C: 172.16.16.0/22
.....
On the central site,
(1) Disable "Use Policy Route to control dynamic IPSec rules"
(2) Configure the local policy of the VPN rule for dynamic peer as local: 172.16.0.0/16
On each remote site,
Configure site-to-site VPN rule, and local/remote policy as
A: local: 172.16.8.0/22, remote: 172.16.0.0/16
B: local: 172.16.12.0/22, remote: 172.16.0.0/16
C: local: 172.16.16.0/22, remote: 172.16.0.0/16
....
Then all remote sites can reach the central site and the other sites through the central hub.
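As an added example (not from the thread, not Zyxel code), the following Python checks the address plan described in the reply above with the standard `ipaddress` module: every site LAN must fit inside the shared aggregate and no two LANs may overlap, otherwise the hub's single local selector cannot route spoke-to-spoke traffic unambiguously. It then derives the per-site traffic selectors and traces which sites a packet traverses. The site names, function names and the 172.16.17.5-style test addresses are the example's own.

```python
from ipaddress import ip_address, ip_network

AGGREGATE = ip_network("172.16.0.0/16")   # the one address space all sites share

# LAN allocation per site as given in the reply ("hub" = the central USG1100).
SITES = {
    "hub": ip_network("172.16.0.0/21"),   # 8 x /24 for the central site
    "A": ip_network("172.16.8.0/22"),     # 4 x /24 per remote site
    "B": ip_network("172.16.12.0/22"),
    "C": ip_network("172.16.16.0/22"),
}


def check_plan(sites, aggregate):
    """Return a list of plan defects; an empty list means the plan is consistent.

    Both conditions are needed for the hub's single local selector to work:
    every site LAN lies inside the aggregate, and no two site LANs overlap
    (an overlap would make the hub's spoke-to-spoke forwarding ambiguous).
    """
    problems = []
    names = list(sites)
    for name in names:
        if not sites[name].subnet_of(aggregate):
            problems.append(f"{name}: {sites[name]} is outside {aggregate}")
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if sites[a].overlaps(sites[b]):
                problems.append(f"{a}/{b}: {sites[a]} overlaps {sites[b]}")
    return problems


def hub_local_policy(aggregate):
    """Local traffic selector on the hub's dynamic-peer VPN rule (step 2 above)."""
    return str(aggregate)


def spoke_policies(sites, aggregate, hub="hub"):
    """(local, remote) traffic selectors for each spoke's site-to-site rule."""
    return {n: (str(net), str(aggregate)) for n, net in sites.items() if n != hub}


def hub_next_site(dst_ip, sites):
    """Site LAN the hub delivers a decrypted packet to, or None if unrouted."""
    dst = ip_address(dst_ip)
    for name, net in sites.items():
        if dst in net:
            return name
    return None


def flow_path(src_site, dst_ip, sites, aggregate, hub="hub"):
    """Sites a packet from src_site traverses under this plan.

    Returns None when the spoke's remote selector (the aggregate) does not
    match the destination, i.e. the packet never enters the tunnel.
    """
    dst = ip_address(dst_ip)
    if dst not in aggregate:
        return None
    target = hub_next_site(dst_ip, sites)
    if target is None or target == hub:
        return [src_site, hub]           # hub LAN, or hub has no spoke route
    return [src_site, hub, target]


if __name__ == "__main__":
    print("plan problems:", check_plan(SITES, AGGREGATE))
    print("hub local policy:", hub_local_policy(AGGREGATE))
    for site, (local, remote) in spoke_policies(SITES, AGGREGATE).items():
        print(f"site {site}: local {local}, remote {remote}")
    print("B -> 172.16.17.5:", flow_path("B", "172.16.17.5", SITES, AGGREGATE))
```

Running it against the reply's values reports no problems and shows a packet from site B to a host in site C's /22 taking the path B, hub, C; a destination outside 172.16.0.0/16 yields no path, which is exactly the case the shared address space is meant to avoid.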
Hi @Ian31 and @alexey
Another way to solve this issue is creating a tunnel (for example a GRE tunnel) over IPsec.
Let's suppose site A is the VPN hub, and sites B and C are remote sites.
Two site-to-site IPSec VPNs:
Site A <--> Site B
Site A <--> Site C
Flows between sites B and C could be done via a GRE tunnel between an interface on the device at site B and an interface on the device at site A. Both interfaces should be connected via the site-to-site VPN.
So the flow could be:
Source: Site B, Destination: Site C. Data: Any kind of Flow.
On device site B, traffic is encapsulated (GRE), so the flow will be transformed to:
Source: Site B internal IP address
Destination: Site A internal IP address
Data: GRE tunnel. (Source: Site B, Destination: Site C. Data Any kind of Flow)
Flows from the IP device at site B to the IP device at site A could be done via IPsec. So the flow will be:
Source: Site B external IP Device
Destination: External Site B IP Device
IPSEC Encrypted Data: (Source: Site B internal IP address, Destination: Site A internal IP address, Data: GRE tunnel. (Source: Site B, Destination: Site C. Data Any kind of Flow))
On site A, the IPsec encrypted data is decrypted, the GRE tunnel is terminated and a new similar flow could be done from site A to site C (IPsec VPN and GRE tunnel).
It looks complex, but it can be done.
Regards
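To make the layering in this reply concrete, here is an added Python example (not from the thread, not Zyxel code) that builds the packet as it leaves site B's GRE interface, i.e. an RFC 2784 GRE header carrying the inner B-to-C IPv4 packet inside an outer IPv4 packet addressed to the hub's tunnel endpoint, then performs the hub's job: strip the outer header and GRE header and pick the spoke tunnel the inner packet must be re-encapsulated into. The IPsec ESP layer that the site-to-site VPN wraps around this is intentionally left out. All addresses, tunnel names and the `SPOKE_ROUTES` table are constructed for the example.

```python
import struct
from ipaddress import ip_address, ip_network

GRE_PROTO = 47            # IP protocol number carried in the outer header
ETHERTYPE_IPV4 = 0x0800   # GRE protocol type for an IPv4 payload (RFC 2784)


def ipv4_checksum(header):
    """One's-complement checksum over an IPv4 header (odd length padded)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum((header[i] << 8) | header[i + 1] for i in range(0, len(header), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header with a correct checksum."""
    total_len = 20 + payload_len
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                      ip_address(src).packed, ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def gre_header(proto=ETHERTYPE_IPV4):
    """Base GRE header: C=0, reserved0=0, version=0, then protocol type."""
    return struct.pack("!HH", 0, proto)


def encapsulate(inner_packet, tunnel_src, tunnel_dst):
    """What site B's GRE interface emits: outer IP (proto 47) + GRE + inner."""
    payload = gre_header() + inner_packet
    return ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO, len(payload)) + payload


def parse_ipv4(pkt):
    """Split an IPv4 packet into the fields the hub needs plus its payload."""
    ihl = (pkt[0] & 0x0F) * 4
    return {
        "src": str(ip_address(pkt[12:16])),
        "dst": str(ip_address(pkt[16:20])),
        "proto": pkt[9],
        "payload": pkt[ihl:],
    }


def decapsulate(pkt):
    """Hub side: validate outer protocol and GRE type, return the inner packet."""
    outer = parse_ipv4(pkt)
    if outer["proto"] != GRE_PROTO:
        raise ValueError(f"outer protocol {outer['proto']} is not GRE")
    flags, proto = struct.unpack("!HH", outer["payload"][:4])
    if flags & 0x8000:            # C bit set: a checksum field would follow
        raise ValueError("GRE checksum option not handled in this example")
    if proto != ETHERTYPE_IPV4:
        raise ValueError(f"unexpected GRE payload type 0x{proto:04x}")
    return outer, outer["payload"][4:]


# Hub's routing view (constructed): which GRE tunnel reaches each spoke LAN.
HUB_LAN = ip_network("192.168.1.0/24")
SPOKE_ROUTES = {
    ip_network("192.168.2.0/24"): "gre-to-B",
    ip_network("192.168.3.0/24"): "gre-to-C",
}


def hub_forward(pkt):
    """Return (next tunnel or 'local', inner destination) for a decapsulated packet."""
    _outer, inner = decapsulate(pkt)
    dst = ip_address(parse_ipv4(inner)["dst"])
    if dst in HUB_LAN:
        return "local", str(dst)
    for net, tunnel in SPOKE_ROUTES.items():
        if dst in net:
            return tunnel, str(dst)
    return "drop", str(dst)


def build_b_to_c_example():
    """Constructed B -> C flow (TCP, proto 6) as sent through B's GRE tunnel."""
    inner = ipv4_header("192.168.2.10", "192.168.3.20", 6, 5) + b"hello"
    return encapsulate(inner, "172.31.0.2", "172.31.0.1")   # B endpoint -> hub endpoint


if __name__ == "__main__":
    pkt = build_b_to_c_example()
    print("outer:", {k: v for k, v in parse_ipv4(pkt).items() if k != "payload"})
    print("hub decision:", hub_forward(pkt))
```

The hub's decision for the constructed packet is the `gre-to-C` tunnel, which is the "new similar flow from site A to site C" in the reply; the outer header is what the site-to-site IPsec rule between B and A sees, so the IPsec selector only needs to cover the two tunnel endpoint addresses, not every remote LAN.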
Alfonso & @alexey,
Unfortunately, the maximum number of GRE tunnel interfaces is limited to 4.
https://businessforum.zyxel.com/discussion/comment/5255#Comment_5255
@Zyxel_Emily
It would be great if this function were realised in future firmware.
@Ian31
Thanks for the interesting idea, I will try to test this.
@Alfonso
Thanks for the solution, but I don't understand the steps.
Must I create a GRE tunnel on site B to site A, and a GRE tunnel on site A to site C?
How will the policy route look, via the GRE or the IPsec tunnel?
The IPsec configuration has a GRE tunnel option; doesn't it help?