Creating a New Separate "RYO/user" Zone for specific IKE Tunnels?
Ally Member
Hi fellow avid Zyxel USG users, any clues on the following are most graciously accepted..
Question??:
Would like to add a customised Zone that contains only specific IKEv2 and IKEv1 client-site connections for the purposes of administering very explicit Policy Routes as a "logical Group" - as a name "MY_own_Zone_Tunnel_Group"
Currently one must maintain a bunch of very explicit Policy Route maintained for every IPSEC connection.
Use Example:
I have two Client-Site VPN active connections as and associated IPSEC gateways as
- 01-L2TP-IKEV1_client_connection ... and
- 02_IKEV2_client_connection
I would like to have a user zone called "MY_own_Zone_Tunnel_Group" that contains only these two connections so that I can have a single set of Policy routes for both.
and... Yes these both are currently working 100% ok.
Below are the items in the system zone called TUNNEL on this lab USG40.
Router# show zone TUNNEL No. Type Member =============================================================================== 1 interface tunnel1 2 tunnel 01-L2TP-IKEV1_client_connection 3 tunnel ios-test_L2TP_cert_V1_CONN 4 tunnel 02_IKEV1_client_connection Router#
I'd like to have 2 & 4 in another zone of my choosing called "MY_own_Zone_Tunnel_Group" that I could access as
Such a Policy Route might be: for MY_own_Zone_Tunnel_Group
index: 18 active: yes auto-disable: no description: lab3_L2TP_004_SUBNET_to_LAN1_subnet user: any schedule: none interface: none tunnel: MY_own_Zone_Tunnel_Group <<=============== example! sslvpn: none source: lab3_L2TP_004_SUBNET destination: LAN1_SUBNET DSCP code: any service: any srcport: any nexthop type: Auto nexthop: auto nexthop state: Not support auto destination: no SNAT: none DSCP marking: preserve connectivity-check: no Router#
Status:
Cant get such a configuration when using the cli "zone" command or the WEB UI (User Add+) there doesn't seem to be a way of configuring a user zone that doesn't not contain USG predefined interfaces.
Any clues, comments or alternatives or wisdom ?
Many Thanks
warwick
Hong Kong
Comments
-
Hi @warwickt
Do you mean to create a specific zone and can select each VPN connection into it?
And the zone can be selected in policy route settings?
Share your feedback through our survey, make your voice heard, and win a WiFi 7 AP!
0 -
Hi Zyxel_Jerry . Yes .. this is what I would like to do if you know how.
Thanks for the reply.
Regards
warwick
Hong Kong
0
Zyxel Employee
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 144 Nebula Ideas
- 94 Nebula Status and Incidents
- 5.6K Security
- 237 USG FLEX H Series
- 267 Security Ideas
- 1.4K Switch
- 71 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.3K Consumer Product
- 247 Service & License
- 384 News and Release
- 83 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.2K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 83 About Community
- 71 Security Highlight
