Help needed with Policy Route for VPN after configuring USG210 at HQ with a failover.

elkrust Posts: 22  Freshman Member
edited April 2021 in Security
I have a HQ with a Zyxel USG 210 and a branch office with a Zyxel USG 20W. I have a VPN tunnel configured between them and the VPN was working fine. I then configured a failover at HQ exactly as per these instructions :
After which the failover at HQ works fine but the VPN from the branch office no longer works. I have narrowed the problem down to the new Policy Route for the failover because as soon as I disable this policy the VPN passes traffic again.
I would be grateful if someone could give me an idea of how to modify the Policy Route to account for the VPN as well as the failover.

All Replies

  • Zyxel_Emily
    Zyxel_Emily Posts: 880  Zyxel Employee

    Hi @elkrust,


    Is the following the goal to achieve?

    USG210(HQ) has 2 wan interfaces and USG20W(branch) has 1 wan interface.

    And you'd like to make the VPN connection failover to wan2 once the wan1 connection is down.


    Please share the topology and scenario with us if the scenario above is not the goal you'd like to achieve.

  • elkrust
    elkrust Posts: 22  Freshman Member
    Thanks for replying.
    Correct USG210(HQ) has 2 wan interfaces and USG20W(branch) has 1 wan interface. I am not too fussed about maintaining the VPN connection if the WAN1 fails at HQ on the USG210. It is more important that HQ remains up once it drops back to WAN2.
    My problem is that even when both interfaces are up at HQ and the failover configured via the Route Policy mentioned in the guide, the VPN connection breaks.
    I hope this helps describe the problem further.
  • Zyxel_Emily
    Zyxel_Emily Posts: 880  Zyxel Employee

    I'm not sure if you're using ZyWALL USG 20W or USG20W-VPN at the branch site.
    Attached document is the configuration guide to setup VPN failover between USG210 and ZyWALL USG 20W.

    If you're using USG20W-VPN at the branch site, you can also follow the steps in the FAQ topic and configure two VTI tunnels and a VTI trunk including two VTI interfaces.

Security Highlight