Site-to-site USG FLEX500 - Strongswan

Zolik
Zolik Posts: 4
edited May 7 in Security

Hi,

We have had a lot of routers (Kerio, UniFi, etc.); on each router we set up an IPsec tunnel to our datacenter. In the datacenter we have a Debian server with strongSwan (it has a public IP).
I always set up the remote and local networks on Debian, and the remote and local sites on the router too.

Now we bought a FLEX 500 and I need to set up the same tunnel.
I have set up strongSwan like this:

conn office
    authby=secret
    left=%defaultroute
    leftid=xxxxx
    # two local subnets behind the Debian/strongSwan side
    leftsubnet=10.1.4.0/24, 10.8.0.0/23
    right=xxxxx
    rightsubnet=10.54.0.0/22
    ike=aes256-sha2_256-modp2048!
    esp=aes256-sha2_256!
    keyingtries=0
    ikelifetime=1h
    lifetime=8h
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    auto=start

On the Zyxel I have set the remote subnet to only 10.1.4.0/24, because I can't add a second remote subnet to the VPN connection.
I created a policy route like this (OVPN is subnet 10.8.0.0/22):

But only 10.1.4.0/24 is connected to 10.54.0.0/22; I can't connect 10.8.0.0/23 to 10.54.0.0/22.

Can you help me please?

All Replies

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,099  Zyxel Employee

    Hello Zolik,

    Could you provide remote Web-GUI access to us for further checking? I will send you a private message later.

  • zyman2008
    zyman2008 Posts: 206  Master Member

    Hi @Zolik ,

    Zyxel firewalls don't support multiple subnets in the same IPsec rule.

    You need to set it up in separate VPN connection rules, but with the same Gateway.

    strongSwan setting:

    conn office
        authby=secret
        left=%defaultroute
        leftid=xxxxx
        # one local subnet per conn, matching one VPN Connection rule on the Zyxel
        leftsubnet=10.1.4.0/24
        right=xxxxx
        rightsubnet=10.54.0.0/22
        ike=aes256-sha2_256-modp2048!
        esp=aes256-sha2_256!
        keyingtries=0
        ikelifetime=1h
        lifetime=8h
        dpddelay=30
        dpdtimeout=120
        dpdaction=restart
        auto=start

    # second conn for the other local subnet; also= inherits everything from "office"
    conn office-2
        also=office
        leftsubnet=10.8.0.0/23
        rightsubnet=10.54.0.0/22

    Zyxel Firewall Setting:

    Create another VPN Connection rule for 10.54.0.0/22 to 10.8.0.0/23 and bind it to the same VPN Gateway rule.
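As an added check that is not part of the thread: once the two-conn layout above is applied, each local/remote subnet pair should show up as its own INSTALLED CHILD_SA in the classic `ipsec statusall` output. This script (my own example, not strongSwan's or Zyxel's code) parses that output and reports any expected pair that has no installed child; the status text below is a constructed sample, not a real capture, and the peer addresses are placeholders.

```python
import ipaddress
import re

# Constructed sample of `ipsec statusall` output for conns "office" and "office-2"
# (placeholder addresses; not captured from a real gateway).
SAMPLE_STATUS = """\
Security Associations (1 up, 0 connecting):
      office[3]: ESTABLISHED 12 minutes ago, 203.0.113.10[dc.example]...198.51.100.5[office.example]
      office[3]: IKEv1 SPIs: 1111111111111111_i* 2222222222222222_r, pre-shared key reauthentication in 40 minutes
      office[3]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
      office{5}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c1111111_i c2222222_o
      office{5}:  AES_CBC_256/HMAC_SHA2_256_128, rekeying in 7 hours
      office{5}:   10.1.4.0/24 === 10.54.0.0/22
    office-2{6}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c3333333_i c4444444_o
    office-2{6}:   10.8.0.0/23 === 10.54.0.0/22
"""

# CHILD_SA state line:  "<conn>{<id>}:  INSTALLED, TUNNEL, ..."
STATE_LINE = re.compile(r"^\s*(?P<conn>[\w.-]+)\{(?P<id>\d+)\}:\s+(?P<state>[A-Z]+),")
# Traffic-selector line: "<conn>{<id>}:   <local> === <remote>"
TS_LINE = re.compile(r"^\s*(?P<conn>[\w.-]+)\{(?P<id>\d+)\}:\s+(?P<local>\S+)\s+===\s+(?P<remote>\S+)\s*$")


def installed_selectors(status_text):
    """Return the set of (local, remote) networks whose CHILD_SA is INSTALLED."""
    state = {}
    pairs = set()
    for line in status_text.splitlines():
        m = STATE_LINE.match(line)
        if m:
            state[(m["conn"], m["id"])] = m["state"]
            continue
        m = TS_LINE.match(line)
        if m and state.get((m["conn"], m["id"])) == "INSTALLED":
            local = ipaddress.ip_network(m["local"], strict=False)
            remote = ipaddress.ip_network(m["remote"], strict=False)
            pairs.add((local, remote))
    return pairs


def missing_pairs(status_text, local_subnets, remote_subnets):
    """List every local/remote combination that has no INSTALLED CHILD_SA."""
    have = installed_selectors(status_text)
    want = {(ipaddress.ip_network(l), ipaddress.ip_network(r))
            for l in local_subnets for r in remote_subnets}
    return sorted(f"{l} === {r}" for l, r in want - have)


if __name__ == "__main__":
    print(missing_pairs(SAMPLE_STATUS, ["10.1.4.0/24", "10.8.0.0/23"], ["10.54.0.0/22"]))
```

On the live server, feed it the real output (for example `subprocess.run(["ipsec", "statusall"], capture_output=True, text=True).stdout`) instead of SAMPLE_STATUS; a non-empty result means the corresponding Zyxel VPN Connection rule or strongSwan conn is not up.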
