connecitivity between multiple IP SEC VPN Connections

Bonesai
Bonesai Posts: 5  Freshman Member
First Comment
edited April 2021 in Security
I need to provide connectivity over 2 VPN Connections both connecting to a USG 110.
VPN Client network A is connecting to USG110 over IPSEC using USG100.
VPN Client network B is a Host connecting to USG 110 using Zyxel IPSEC VPN Client.

Now iam looking for a best practice guide how to get working network communication between VPN A and VPN B over USG 110. I hope you can help me , thx in advantage and best regards. 

All Replies

  • zyman2008
    zyman2008 Posts: 219  Master Member
    25 Answers First Comment Friend Collector Seventh Anniversary
    edited January 2019
    It's better to have well planning of IP address space for a multi-sites network.
    So that can get benefit of Zyxel firewall auto VPN routing.

    Here is an example,
    An company has multiple sites. Each site allocate 8 /24 IP network. The last /24 network is design for VPN clients.
    If the company select 192.168.0.0/16 as the full IP address space of company.
    Site A: 192.168.0.0/21 There are 8 /24 network, 192.168.0-7.0/24 and 192.168.7.0/24 is for VPN clients connect to firewall of Site A.
    Site B: 192.168.8.0/21 There are 8 /24 network, 192.168.8-15.0/24 and 192.168.15.0/24 is for VPN clients connect to firewall of Site B.
    Site C: 192.168.16.0/21 There are 8 /24 network, 192.168.16-23.0/24 and 192.168.23.0/24 is for VPN clients connect to firewall of Site C.
    ....

    Site A as the VPN hub, which all sites will build site-to-site VPN to Site A.
    All sites communicate with each other through VPN to the hub - Site A.
    Site B to company network(via Site A): local policy-192.168.8.0/21  , remote policy: 192.168.0.0/16 
    Site C to company network(via Site A): local policy-192.168.16.0/21, remote policy: 192.168.0.0/16
    ....

    There are several type of client VPN that can assign IP address to the VPN clients.
    • IPSec(IKEv1) with mode-config
    • IKEv2 with configuration payload
    • L2TP over IPSec
    • SSL VPN
    You can configure the IP address pool for VPN clients connect to each site,
    Site B: 192.168.7.0/24 
    Site C: 192.168.15.0/24
    ....

    Then based on the auto VPN routing design of Zyxel firewall.
    The routing will check the routing table in this order by default,
    Direct route -> Dynamic VPN(VPN clients) > Policy Route > SiteToSite VPN


Security Highlight