FLEX 100 H - policy route and next hop

weite
weite Posts: 22  Freshman Member
First Comment Seventh Anniversary
edited December 2023 in USG FLEX H Series

On my old USGs I could select the vpn tunnel as the next hop. On the flex 100 h I have no option under the policy routes. I created to site to site vpn tunnel, but no option. Is there something new that I don't know or understand?

Thanks for the help!!

Accepted Solution

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,511  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 1000 Comments
    Answer ✓

    Hi @weite,

    Thanks for your feedback.

    It is confirmed in our roadmap, we will support it in near future.

«1

All Replies

  • PeterUK
    PeterUK Posts: 3,460  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary

    It has not been added yet

  • weite
    weite Posts: 22  Freshman Member
    First Comment Seventh Anniversary

    That's a problem, but I will survive it. I hope that it will added soon.

    Thanks for the fast answer!

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,511  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 1000 Comments
    Answer ✓

    Hi @weite,

    Thanks for your feedback.

    It is confirmed in our roadmap, we will support it in near future.

  • weite
    weite Posts: 22  Freshman Member
    First Comment Seventh Anniversary

    We like to upgrade our other old firewalls and now need policy routing. Is there a publication date of the new fimrware version?

  • TBI
    TBI Posts: 2  Freshman Member
    First Comment

    Any information about the future availability of the feature ? Because it is still not available.

  • Zyxel_Melen
    Zyxel_Melen Posts: 2,577  Zyxel Employee
    Zyxel Certified Network Engineer Level 1 - Switch Zyxel Certified Network Administrator - Switch Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate

    Hi all,

    The latest firmware supports the Next hop to the VTI interface for route-based VPN. The next hop to a VPN tunnel, which is a policy-based VPN, is in our roadmap. If we have any ETA, I will update this post.

    Zyxel Melen


  • weite
    weite Posts: 22  Freshman Member
    First Comment Seventh Anniversary
    edited November 25

    1 year and still no change. It was already promised for May and October, but unfortunately nothing. Is there any new information here? What tells the roadmap?

  • Zyxel_Melen
    Zyxel_Melen Posts: 2,577  Zyxel Employee
    Zyxel Certified Network Engineer Level 1 - Switch Zyxel Certified Network Administrator - Switch Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate

    Hi @weite,

    I apologize for the delayed reply.

    May I know why you still need the "next hop to a VPN tunnel" even though the latest firmware supports "the Next hop to the VTI interface for route-based VPN"?

    Could you share your topology and scenario so we can help check if it can be built using a route-based VPN and the Next hop to the VTI interface?

    Zyxel Melen


  • weite
    weite Posts: 22  Freshman Member
    First Comment Seventh Anniversary

    Ok, tell me how can I add a VTI?
    I see the VTI under interface → network → advanced settings but there is no add button. Is there a other way to add them? I'm confused.

  • PeterUK
    PeterUK Posts: 3,460  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary

    The setup for VTI vs how H models do to non H are different but here is a short setup

    VPN client IKEv2 192.168.144.0/24 > Zywall 110 > VTI 192.168.138.13/28 > FLEX200H VTI 192.168.138.12/28 > LAN 192.168.138.1/28 to 192.168.138.2 DNS server

    On FLEX200H you go to VPN > IPSec VPN > add

    IKEv1 with custom select Route-Based
    VTI Setting
    Local IP 192.168.138.12
    Subnet Mask 255.255.255.240

    Route Setting add 192.168.144.0/24 this will add a static route for any IP for that subnet to go down the subnet.