Multiple subnets with one IPSec VPN?

DobriyDed Posts: 6
First Anniversary First Comment
edited April 2021 in Security
Recently replaced a rusty 100 Mb/s firewall with a shiny new USG 60, to be able to use the new ISP tariff plan with 300 Mb/s and still be able to use IPSec tunnels to another site.

The scheme is fairly easy, so no drawings, sorry.
Local site - USG 60 - tel subnet - computers subnet
Remote site - Cisco ASA - tel subnet - computers subnet - servers subnet

The deployment scenario from the Zyxel KB describes connecting ONE local subnet to ONE remote subnet, but I need to access all remote subnets from my local subnets. Right now IPSec is working and connecting the telephone subnets only.

From previous experience using Cisco / D-Link firewalls, this is usually achieved by creating groups of objects (subnets) and then using them in the VPN parameters, but the Zyxel interface explodes the brain.

Could you please direct me in the right direction? Straight googling leads nowhere.
A step-by-step instruction would be the best solution.

Would greatly appreciate any help!

All Replies

  • zyman2008 said:
    USG doesn't support multiple traffic selectors.
    So you can use route-based VPN (VTI), if ASA OS is 9.7 or above.
    They also enabled IKEv2 from 9.8, that's a good motivation to change version ;-)

    Thanks a lot!
