redundant VPN connection (concentrator?)

AdminSys

We have a customer with a Zyxel Flex500 and two WAN connections on our part. There is another site with one internet connection. We would like to set up the VPN connection to work redundantly on our part, so that if the primary WAN connection is lost, it will automatically work on the second one. Is there a description for this? Unfortunately I couldn't find it.

All Replies

  • PeterUK

    So on the site with two WANs you want to set up the VPN gateway with the setting My Address Domain Name / IPv4 set to 0.0.0.0, then on the remote site set up Peer Gateway Address with primary and secondary with fall back.

  • AdminSys

    Unfortunately, this isn’t working.
    ChatGPT says that there’s an “Enable backup Gateway” option in the VPN gateway settings, but I can’t find it.

  • PeterUK
    edited October 14

    Are you using Nebula or standalone?

    Should just be a case of this on the site with two WAN IP

    Screenshot 2025-10-14 152208.png

    and the other site

    Screenshot 2025-10-14 152450.png
  • General99

    By the way, the USG FLEX 100HP does not have this feature. The Peer Gateway address only has one input field. Is this a limitation, and does the FLEX 100HP not support failover VPN?

  • General99

    How do I configure failover VPN if there is a USG Flex 100HP on one side and a USG ATP200 on the other side? Both use two providers each. The USG Flex 100HP has no field for entering a second Peer Gateway.

  • Zyxel_Melen (Zyxel Employee)
    edited October 16

    Hi @AdminSys @General99

    For H series route-based VPN, you will need to: (2X2 & 1X2 scenario)

    1. Create the site-to-site VPN for each interface first.
    2. Navigate to the Network > Interface > Trunk page to create a new trunk profile for the VTI interface. One is active and another is passive.

    This will make the VPN traffic pass through only one VTI interface, and fail over when the primary is down.

    For H series policy-based VPN (1X2 scenario), the method is like what PeterUK mentioned, but it requires firmware support. Additionally, the next firmware, V1.36, will support this scenario for policy-based VPN.

    Zyxel Melen


  • Zyxel_Melen (Zyxel Employee)

    Update:

    Firmware V1.36 has been released.

    4. [Enhancement] Support secondary peer gateway for VPN failover and fallback.

    Zyxel Melen