Connectivity between multiple IPsec VPN connections

Bonesai (edited April 2021 in Security)
I need to provide connectivity over 2 VPN connections, both connecting to a USG 110.
VPN client network A connects to the USG 110 over IPsec using a USG 100.
VPN client network B is a host connecting to the USG 110 using the Zyxel IPsec VPN Client.

Now I am looking for a best-practice guide on how to get working network communication between VPN A and VPN B over the USG 110. I hope you can help me; thanks in advance and best regards.

All Replies

  • zyman2008 (Master Member), edited January 2019
    It's better to plan the IP address space well for a multi-site network,
    so that you can benefit from the Zyxel firewall's auto VPN routing.

    Here is an example:
    A company has multiple sites. Each site is allocated 8 /24 IP networks. The last /24 network is designed for VPN clients.
    If the company selects as the full IP address space of the company:
    Site A: There are 8 /24 networks, 192.168.0-7.0/24, and is for VPN clients connecting to the firewall of Site A.
    Site B: There are 8 /24 networks, 192.168.8-15.0/24, and is for VPN clients connecting to the firewall of Site B.
    Site C: There are 8 /24 networks, 192.168.16-23.0/24, and is for VPN clients connecting to the firewall of Site C.

    Site A is the VPN hub, to which all sites build a site-to-site VPN.
    All sites communicate with each other through the VPN to the hub, Site A.
    Site B to company network (via Site A): local policy: , remote policy: 
    Site C to company network (via Site A): local policy: , remote policy: 

    There are several types of client VPN that can assign IP addresses to the VPN clients:
    • IPSec(IKEv1) with mode-config
    • IKEv2 with configuration payload
    • L2TP over IPSec
    • SSL VPN
    You can configure the IP address pool for VPN clients connecting to each site:
    Site B: 
    Site C:

    Then, based on the auto VPN routing design of the Zyxel firewall,
    the routing will check the routing table in this order by default:
    Direct route -> Dynamic VPN (VPN clients) -> Policy Route -> Site-to-site VPN
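The address plan in the reply (8 consecutive /24s per site, the last one reserved for that site's VPN clients) only lets auto VPN routing work if no site summary or client pool overlaps another. The following is an added example, not code from the poster or from Zyxel, that builds such a plan, verifies it is overlap-free, and classifies a destination address the way a hub would need to. It assumes 192.168.0.0/16 as the company space, which the reply leaves unstated.

```python
import ipaddress

# Constructed assumptions: the reply leaves the company space blank;
# 192.168.0.0/16 matches its 192.168.x.0/24 examples.
COMPANY_SPACE = ipaddress.ip_network("192.168.0.0/16")
NETS_PER_SITE = 8  # each site gets 8 /24s, the last one for VPN clients


def site_plan(site_index):
    """Return (site summary /21, list of LAN /24s, VPN-client /24) for a site."""
    base = int(COMPANY_SPACE.network_address) + site_index * NETS_PER_SITE * 256
    subnets = [ipaddress.ip_network((base + i * 256, 24)) for i in range(NETS_PER_SITE)]
    summary = ipaddress.ip_network((base, 21))  # 8 aligned /24s summarize to one /21
    return summary, subnets[:-1], subnets[-1]


def build_plan(site_names):
    """Allocate consecutive /21 blocks to the named sites inside COMPANY_SPACE."""
    plan = {}
    for idx, name in enumerate(site_names):
        summary, lans, vpn_pool = site_plan(idx)
        if not summary.subnet_of(COMPANY_SPACE):
            raise ValueError(f"{name} ({summary}) falls outside {COMPANY_SPACE}")
        plan[name] = {"summary": summary, "lans": lans, "vpn_pool": vpn_pool}
    return plan


def check_no_overlap(plan):
    """Auto VPN routing needs every site summary (and thus every pool) to be disjoint."""
    nets = [(name, s["summary"]) for name, s in plan.items()]
    for i, (name_a, net_a) in enumerate(nets):
        for name_b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                return False, f"{name_a} {net_a} overlaps {name_b} {net_b}"
    return True, "ok"


def locate(plan, ip):
    """Which site owns a destination, and whether it is a VPN-client address there."""
    addr = ipaddress.ip_address(ip)
    for name, s in plan.items():
        if addr in s["summary"]:
            return name, addr in s["vpn_pool"]
    return None, False
```

With three sites the plan reproduces the reply's 192.168.0-7, 8-15 and 16-23 blocks, and a /16 company space holds at most 32 such sites before build_plan refuses the allocation.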
