Connectivity between multiple IPsec VPN connections
I need to provide connectivity over 2 VPN connections, both connecting to a USG 110.
VPN client network A is connecting to the USG110 over IPsec using a USG100.
VPN client network B is a host connecting to the USG 110 using the Zyxel IPsec VPN Client.
Now I am looking for a best-practice guide on how to get network communication working between VPN A and VPN B over the USG 110. I hope you can help me. Thanks in advance and best regards.
All Replies
It's better to have a well-planned IP address space for a multi-site network,
so that you can benefit from the Zyxel firewall's auto VPN routing.
Here is an example:
A company has multiple sites. Each site is allocated eight /24 IP networks. The last /24 network is designated for VPN clients.
The company selects 192.168.0.0/16 as its full IP address space.
Site A: 192.168.0.0/21. There are eight /24 networks, 192.168.0-7.0/24, and 192.168.7.0/24 is for VPN clients connecting to the firewall of Site A.
Site B: 192.168.8.0/21. There are eight /24 networks, 192.168.8-15.0/24, and 192.168.15.0/24 is for VPN clients connecting to the firewall of Site B.
Site C: 192.168.16.0/21. There are eight /24 networks, 192.168.16-23.0/24, and 192.168.23.0/24 is for VPN clients connecting to the firewall of Site C.
....
Site A acts as the VPN hub, to which all sites build a site-to-site VPN.
All sites communicate with each other through the VPN to the hub, Site A.
Site B to company network (via Site A): local policy: 192.168.8.0/21, remote policy: 192.168.0.0/16
Site C to company network (via Site A): local policy: 192.168.16.0/21, remote policy: 192.168.0.0/16
....
There are several types of client VPN that can assign IP addresses to the VPN clients:
- IPSec (IKEv1) with mode-config
- IKEv2 with configuration payload
- L2TP over IPSec
- SSL VPN
Site B: 192.168.7.0/24
Site C: 192.168.15.0/24
....
Then, based on the auto VPN routing design of the Zyxel firewall,
the routing checks the routing table in this order by default:
Direct route -> Dynamic VPN (VPN clients) -> Policy Route -> Site-to-Site VPN
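
The address plan from the reply above, worked through with Python's `ipaddress` module, as an added example that is not part of the original thread or of Zyxel's software. The function names, the sample hosts and the off-plan 10.10.10.0/24 address are constructed for illustration, and the check models only the local/remote policy match, not the firewall's routing order.

```python
import ipaddress

def build_plan(supernet, site_names, site_prefix=21, pool_prefix=24):
    """One block per site; the last /24 of each block is the VPN client pool."""
    company = ipaddress.ip_network(supernet)
    plan = {}
    for name, block in zip(site_names, company.subnets(new_prefix=site_prefix)):
        pool = list(block.subnets(new_prefix=pool_prefix))[-1]
        plan[name] = {"block": block, "vpn_pool": pool,
                      "local_policy": block, "remote_policy": company}
    return plan

def selector_allows(site, src, dst):
    """True if the site's tunnel policy (local -> remote) covers src -> dst."""
    return (ipaddress.ip_address(src) in site["local_policy"]
            and ipaddress.ip_address(dst) in site["remote_policy"])

def audit(plan, supernet):
    """List blocks that fall outside the supernet or overlap another site."""
    company = ipaddress.ip_network(supernet)
    problems, sites = [], list(plan.items())
    for i, (name, s) in enumerate(sites):
        if not s["block"].subnet_of(company):
            problems.append(f"{name}: {s['block']} is outside {company}")
        for other, o in sites[i + 1:]:
            if s["block"].overlaps(o["block"]):
                problems.append(f"{name} overlaps {other}")
    return problems

if __name__ == "__main__":
    plan = build_plan("192.168.0.0/16", ["A", "B", "C"])
    for name, s in plan.items():
        print(name, s["block"], "VPN clients:", s["vpn_pool"])
    # Constructed hosts: a Site B LAN host reaching a VPN client on hub Site A.
    print(selector_allows(plan["B"], "192.168.8.20", "192.168.7.10"))
    # A client pool chosen outside the plan (constructed) is not covered.
    print(selector_allows(plan["B"], "192.168.8.20", "10.10.10.5"))
    print(audit(plan, "192.168.0.0/16"))
```

Running `audit` before building the tunnels catches a site block or client pool that the /16 remote policy would silently fail to cover.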