How to configure site to site VPN with multiple subnets between ZLD and uOS using route-based?

Zyxel_Kevin
Zyxel_Kevin Posts: 875  Zyxel Employee
edited October 24 in VPN

This example shows how to use the VPN Setup Wizard to create a route-based site-to-site VPN between a uOS device and a ZLD peer gateway, so that multiple subnets behind each site can communicate with each other.

The example walks through configuring the VPN tunnel at each site. Once the tunnel is up, each site can reach the other securely.

Set up IPSec VPN Tunnel for uOS

VPN > Site to Site VPN > Scenario

Type the VPN name used to identify this VPN connection. Select Site-to-Site as the type. Click Next.

VPN > Site to Site VPN > Scenario > Network

Configure My Address and Peer Gateway Address. Click Next.

VPN > Site to Site VPN > Scenario > Network > Authentication

Type a secure Pre-Shared Key. Click Next.

VPN > Site to Site VPN > Scenario > Network > Authentication > Policy & Routing

Set the Type to "Route-Based" and define one Remote Subnet here (the remaining peer subnets are covered by the policy route below). Change the VTI address as needed.

VPN > Site to Site VPN > Scenario > Network > Authentication > Policy & Routing > Summary

The screen provides a summary of the VPN tunnel. Click Edit if you want to modify any setting.

Object > Address > Address Group

Create an Address Group (PeerGroup) and add the peer subnets 192.168.1.0/24 and 192.168.2.0/24.

Network > Routing > Policy Route

A static route to the Remote Subnet is added automatically; here we use a policy route to cover all peer subnets.

Enforce traffic sourced from 192.168.168.0/24 and 192.168.169.0/24 with destination PeerGroup to go through the VTI.

Set up IPSec VPN Tunnel for ZLD

VPN > IPSec VPN > VPN Gateway

Select the WAN interface and type the Peer Gateway Address.

Type the Pre-shared Key. The default proposal created by the wizard is
"Encryption: AES128, Authentication: SHA1, Key Group: DH2". These match the uOS defaults, and the proposal must be identical on both peers for phase 1 to negotiate.

VPN > IPSec VPN > VPN Connection

Set the VPN Gateway to "VPN Tunnel Interface" and select the correct phase 1 profile.

The default proposal created by the wizard is
"Encryption: AES128, Authentication: SHA1, Key Group: DH2". These match the uOS defaults.

Network > Interface > VTI

Create a VTI interface and assign the route-based VPN rule to it.

Object > Address/Geo IP > Address Group

Create an Address Group (PeerGroup) and add the peer subnets 192.168.168.0/24 and 192.168.169.0/24.

Network > Routing > Policy Route

Enforce traffic sourced from 192.168.1.0/24 and 192.168.2.0/24 with destination PeerGroup to go through the VTI.
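Before committing the two policy routes above, it is worth checking the design on paper: the two PeerGroups must mirror each other's local subnets, no local subnet may overlap a peer subnet (overlap is the usual reason a multi-subnet tunnel comes up but traffic does not flow), and every local-to-peer flow must resolve to the VTI. The following script is an added example, not part of the original post or any Zyxel tool; it models both sites from this post with the subnets given above, and the VTI name "vti0" is an assumption.

```python
"""Sanity-check the multi-subnet route-based VPN design from this post."""
from ipaddress import ip_address, ip_network
from itertools import product

# Constructed model of the two sites described above. The VTI names are
# assumed; the subnets are the ones used in the post.
SITES = {
    "uOS": {
        "local": ["192.168.168.0/24", "192.168.169.0/24"],
        "peer_group": ["192.168.1.0/24", "192.168.2.0/24"],   # PeerGroup on uOS
        "vti": "vti0",
    },
    "ZLD": {
        "local": ["192.168.1.0/24", "192.168.2.0/24"],
        "peer_group": ["192.168.168.0/24", "192.168.169.0/24"],  # PeerGroup on ZLD
        "vti": "vti0",
    },
}


def _nets(cidrs):
    # strict=True rejects CIDRs with host bits set, a common typo in address objects
    return [ip_network(c, strict=True) for c in cidrs]


def find_overlaps(local_cidrs, peer_cidrs):
    """Return every (local, peer) pair whose address space overlaps.

    Overlapping subnets on the two sides are the classic multi-subnet VPN
    failure: the policy route cannot tell local hosts from remote ones,
    so a correct design returns an empty list."""
    return [
        (str(l), str(p))
        for l, p in product(_nets(local_cidrs), _nets(peer_cidrs))
        if l.overlaps(p)
    ]


def peer_groups_match(sites):
    """Each site's PeerGroup must be exactly the other site's local subnets."""
    a, b = sites["uOS"], sites["ZLD"]
    return (set(_nets(a["peer_group"])) == set(_nets(b["local"]))
            and set(_nets(b["peer_group"])) == set(_nets(a["local"])))


def policy_route(site, src_ip, dst_ip):
    """Emulate 'enforce source from <local subnets> to PeerGroup through VTI'.

    Returns the VTI name when both source and destination match the policy
    route, otherwise 'default' (the packet follows the normal routing table)."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    src_ok = any(src in n for n in _nets(site["local"]))
    dst_ok = any(dst in n for n in _nets(site["peer_group"]))
    return site["vti"] if src_ok and dst_ok else "default"


def vti_flow_count(site):
    """Count local-subnet x peer-subnet pairs that the policy route sends over
    the VTI, probing with the first usable host of each subnet."""
    count = 0
    for l, p in product(_nets(site["local"]), _nets(site["peer_group"])):
        src, dst = next(l.hosts()), next(p.hosts())
        if policy_route(site, str(src), str(dst)) == site["vti"]:
            count += 1
    return count


def audit(sites):
    """Run all checks and return the findings as a dict."""
    return {
        "overlaps": find_overlaps(sites["uOS"]["local"], sites["uOS"]["peer_group"]),
        "peer_groups_match": peer_groups_match(sites),
        "uOS_vti_flows": vti_flow_count(sites["uOS"]),
        "ZLD_vti_flows": vti_flow_count(sites["ZLD"]),
    }


if __name__ == "__main__":
    for name, value in audit(SITES).items():
        print(f"{name}: {value}")
```

With the subnets from this post the audit reports no overlaps, matching PeerGroups, and four VTI flows per site (two local subnets times two peer subnets). A flow from a local subnet to any destination outside PeerGroup, such as the internet, falls through to the default route, which is exactly the behaviour the policy route is meant to give.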

Test IPSec VPN Tunnel

Go to VPN Status > IPSec VPN

Verify that the IPSec VPN status shows the tunnel as established.

Test ping to a host in 192.168.1.0/24 from the uOS site.

Test ping to a host in 192.168.2.0/24 from the uOS site.