VPN solution required

EB91 · December 2018

Good morning @all from Germany,

I have a question regarding a VPN solution for my companies zyxel USG110.

Our server (W2012R2) and the first USG110 are located in city "A". The second USG110 is located in city "B".

I am the administrator of both firewalls and the server, my office is located in city "B". Now I have to find a solution for a VPN connection from my home to my company (the reason is "home office"). I just want to make sure that I made everything correct and set the required settings in a right way before I am at home and try to connect my companies network.

These are the things I have done:

1. Created a new VPN gateway and a user for this one with name and personal password.

- enabled the gateway, its activated

- IKEv1

- for "My address", I choose "lan1". lan1 is configured with the ip adress of the USG110 in city "B".

Is it correct or should I set a "Domain name /IPv4"?

- Dynamic address

- a PSK is set

- there are two more advanced options for "local ID type" and "Peer ID Type", I am able to select "IPv4, DNS or e-mail". What should be the correct setting?

2. Created a new VPN Connection

- enabled it, its activated

- Remote Access (Server Role)

- chosen VPN gateway: The one from above. Unfortunately, it displays me "lan1 0.0.0.0, 0.0.0.0"

I think it is not correct, isnt it?

- what should I chosse from the dropdown menu at "local policy"? Should I create a new one or should I set an excisting option?

I am very grateful for every answer which can help me in this case.

Thanks and regards,

EB

Zyxel_Emily · December 2018

Hi @EB91,

In Local ID Type and Peer ID Type are used to identify the Zyxel Device during authentication.

IP - the Zyxel Device is identified by an IP address

DNS - the Zyxel Device is identified by a domain name

E-mail - the Zyxel Device is identified by the string specified in this field

Set Peer ID Type as Any to let the ZyWALL/USG does not require to check the identity content of the remote IPSec router.

If you use wizard to configure VPN tunnel between two USG110, the Peer ID Type is the Peer Gateway Address.

You can also choose DNS or E-mail as Peer ID Type in both VPN gateways and make them match with each other.

FritzBox (home office) -> Location B -> USG110 -> VPN tunnel -> USG110 -> location A (office where the server is located)

In your scenario, if the user at home office establishes VPN to Location B, you can create policy rules on both USG110 to allow the user at home office to access servers in location A.

If Home User using L2TP VPN to connect to Location B,

Location B

Incoming: Tunnel, L2TP_VPN_tunnel

Destination: subnet in Location A (Server’s in Location A)

Next-Hop: site to site VPN tunnel between two USG110

Location A

Source: subnet of Location A (Server’s in Location A)

Destination: L2TP subnet in location B

Next-Hop: site to site VPN tunnel between two USG110

Image: https://us.v-cdn.net/6029482/uploads/editor/18/mno8ticdzc1d.jpg

If Home User using SSL VPN to connect to Location B, please see the FAQ article.

How do I allow SecuExtender clients to access servers in the remote site/company through VPN tunnel?

EB91 · December 2018

Additional information, sorry for that:

Every change I did was made at City "B" USG110.

Ian31 · December 2018

So both USG110 is locate at office in different location ?
Any VPN connected between USG110 now ?
What's the VPN client on your home ?
Which office you want to connect to ?

EB91 · December 2018

Thanks for you answer!

- correct, a USG110 in location A and the other one in location B (both in germany)

- between these two firewalls is an excisting vpn connection to each other, thats all

- i dont have any vpn client yet at home, at first i want to make sure that anything is set correct.

I want to connect to location A where our server and NAS is located but I dont know if it is enough to connect to my office (Location B ) or wether it is neccesary to create a vpn at location A as well.

Configuration at the moment:

Location B (my office) -> USG110 -> VPN tunnel -> USG110 -> location A (office where the server ist located).

Future:

FritzBox (home office) -> Location B -> USG110 -> VPN tunnel -> USG110 -> location A (office where the server ist located).

Zyxel_Emily · December 2018

Hi @EB91,

In Local ID Type and Peer ID Type are used to identify the Zyxel Device during authentication.

IP - the Zyxel Device is identified by an IP address

DNS - the Zyxel Device is identified by a domain name

E-mail - the Zyxel Device is identified by the string specified in this field

Set Peer ID Type as Any to let the ZyWALL/USG does not require to check the identity content of the remote IPSec router.

If you use wizard to configure VPN tunnel between two USG110, the Peer ID Type is the Peer Gateway Address.

You can also choose DNS or E-mail as Peer ID Type in both VPN gateways and make them match with each other.

FritzBox (home office) -> Location B -> USG110 -> VPN tunnel -> USG110 -> location A (office where the server is located)

In your scenario, if the user at home office establishes VPN to Location B, you can create policy rules on both USG110 to allow the user at home office to access servers in location A.

If Home User using L2TP VPN to connect to Location B,

Location B

Incoming: Tunnel, L2TP_VPN_tunnel

Destination: subnet in Location A (Server’s in Location A)

Next-Hop: site to site VPN tunnel between two USG110

Location A

Source: subnet of Location A (Server’s in Location A)

Destination: L2TP subnet in location B

Next-Hop: site to site VPN tunnel between two USG110

If Home User using SSL VPN to connect to Location B, please see the FAQ article.

How do I allow SecuExtender clients to access servers in the remote site/company through VPN tunnel?

EB91 · December 2018

Zyxel_Emily,

thanks for the reply and the information! You helped me a lot, I will check everything with my colleague!

VPN solution required

Accepted Solution

All Replies

Categories

Security Help Center