Creating a New Separate "RYO/user" Zone for specific IKE Tunnels?

warwickt
warwickt Posts: 111  Ally Member
First Anniversary Friend Collector First Answer First Comment
edited April 2021 in Security

Hi fellow avid Zyxel USG users, any clues on the following are most graciously accepted..

Question??:

Would like to add a customised Zone that contains only specific IKEv2 and IKEv1 client-site connections for the purposes of administering very explicit Policy Routes as a "logical Group" - as a name "MY_own_Zone_Tunnel_Group"

Currently one must maintain a bunch of very explicit Policy Route maintained for every IPSEC connection.

Use Example:

I have two Client-Site VPN active connections as and associated IPSEC gateways as

  • 01-L2TP-IKEV1_client_connection ... and
  • 02_IKEV2_client_connection

I would like to have a user zone called "MY_own_Zone_Tunnel_Group" that contains only these two connections so that I can have a single set of Policy routes for both.

and... Yes these both are currently working 100% ok.

Below are the items in the system zone called TUNNEL on this lab USG40.

Router# show zone TUNNEL
No. Type              Member                  
===============================================================================
1 interface            tunnel1                  
2 tunnel             01-L2TP-IKEV1_client_connection         
3 tunnel             ios-test_L2TP_cert_V1_CONN        
4 tunnel             02_IKEV1_client_connection     
Router#

I'd like to have 2 & 4 in another zone of my choosing called "MY_own_Zone_Tunnel_Group" that I could access as

Such a Policy Route might be: for MY_own_Zone_Tunnel_Group
index: 18
 active: yes
 auto-disable: no
 description: lab3_L2TP_004_SUBNET_to_LAN1_subnet
 user: any
 schedule: none
 interface: none
 tunnel: MY_own_Zone_Tunnel_Group  <<=============== example!
 sslvpn: none
 source: lab3_L2TP_004_SUBNET
 destination: LAN1_SUBNET
 DSCP code: any
 service: any
 srcport: any
 nexthop type: Auto
 nexthop: auto
 nexthop state: Not support
 auto destination: no
 SNAT: none
 DSCP marking: preserve
 connectivity-check: no
Router# 


Status:

Cant get such a configuration when using the cli "zone" command or the WEB UI (User Add+) there doesn't seem to be a way of configuring a user zone that doesn't not contain USG predefined interfaces.

Any clues, comments or alternatives or wisdom ?

Many Thanks

warwick

Hong Kong

Comments

  • Zyxel_Jerry
    Zyxel_Jerry Posts: 1,052  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer

    Hi @warwickt

    Do you mean to create a specific zone and can select each VPN connection into it?

    And the zone can be selected in policy route settings? 

  • warwickt
    warwickt Posts: 111  Ally Member
    First Anniversary Friend Collector First Answer First Comment

    Hi Zyxel_Jerry . Yes .. this is what I would like to do if you know how.


    Thanks for the reply.


    Regards

    warwick

    Hong Kong

Security Highlight