Creating a New Separate "RYO/user" Zone for specific IKE Tunnels?

warwickt Posts: 111  Ally Member
edited April 2021 in Security

Hi fellow avid Zyxel USG users, any clues on the following are most graciously accepted.

Question:

I would like to add a customised Zone that contains only specific IKEv2 and IKEv1 client-site connections, for the purpose of administering very explicit Policy Routes as a "logical group", with a name such as "MY_own_Zone_Tunnel_Group".

Currently one must maintain a bunch of very explicit Policy Routes, one for every IPSec connection.

Use example:

I have two active Client-Site VPN connections and associated IPSec gateways:

  • 01-L2TP-IKEV1_client_connection ... and
  • 02_IKEV2_client_connection

I would like to have a user zone called "MY_own_Zone_Tunnel_Group" that contains only these two connections, so that I can have a single set of Policy Routes for both.

And yes, both of these are currently working 100% OK.

Below are the items in the system zone called TUNNEL on this lab USG40.

Router# show zone TUNNEL
No. Type              Member                  
===============================================================================
1 interface            tunnel1                  
2 tunnel             01-L2TP-IKEV1_client_connection         
3 tunnel             ios-test_L2TP_cert_V1_CONN        
4 tunnel             02_IKEV1_client_connection     
Router#

I'd like to have 2 & 4 in another zone of my choosing called "MY_own_Zone_Tunnel_Group" that I could reference as follows.

Such a Policy Route for MY_own_Zone_Tunnel_Group might be:
index: 18
 active: yes
 auto-disable: no
 description: lab3_L2TP_004_SUBNET_to_LAN1_subnet
 user: any
 schedule: none
 interface: none
 tunnel: MY_own_Zone_Tunnel_Group  <<=============== example!
 sslvpn: none
 source: lab3_L2TP_004_SUBNET
 destination: LAN1_SUBNET
 DSCP code: any
 service: any
 srcport: any
 nexthop type: Auto
 nexthop: auto
 nexthop state: Not support
 auto destination: no
 SNAT: none
 DSCP marking: preserve
 connectivity-check: no
Router# 


Status:

I can't get such a configuration using the CLI "zone" command or the web UI (User Add+); there doesn't seem to be a way of configuring a user zone that doesn't contain USG predefined interfaces.

Any clues, comments, alternatives or wisdom?

Many Thanks

warwick

Hong Kong

Comments

  • Zyxel_Jerry Posts: 1,298  Zyxel Employee

    Hi @warwickt

    Do you mean to create a specific zone and can select each VPN connection into it?

    And the zone can be selected in policy route settings? 

  • warwickt Posts: 111  Ally Member

    Hi Zyxel_Jerry. Yes, this is what I would like to do, if you know how.

    Thanks for the reply.


    Regards

    warwick

    Hong Kong