VPN - IPSec - Gateway - Policy - Multiple networks
MikeForshock
Posts: 40 Freshman Member
We have a USG40 with multiple connect subnets
172.16.1.x, 172.20.1.x, 192.168.20.x, etc.
Unfortunately the USG only allows for a single Network to be entered in the Local and Remote policy.
The ability to add multiple networks (single or as a group) would allow us to setup or Zyxel devices like we can with all the others (SonicWall, CradlePoint, etc.)
This impacts our remote Site-to-Site operations. This is an example of what we would see for our locations, and would need to access these different subnets from the remotes (and VPN Remote Access users).
Unfortunately the USG only allows for a single Network to be entered in the Local and Remote policy.
The ability to add multiple networks (single or as a group) would allow us to setup or Zyxel devices like we can with all the others (SonicWall, CradlePoint, etc.)
This impacts our remote Site-to-Site operations. This is an example of what we would see for our locations, and would need to access these different subnets from the remotes (and VPN Remote Access users).
Setting as All Routes (0.0.0.0/0) is NOT what we want for the HQ,
HQ Networks (VPN Responder/Gateway)
- 172.17.x.x/16
- 192.168.11.x/24
- 192.168.100.x/24
Site 2 (VPN Peer):
- 172.20.1.x/24
- 192.168.10.x/24
- 172.20.10.x/24
- 192.168.20.x/24
0
All Replies
-
Hello.
If you need access to other networks via vpn tunnel, you can do this by policy routes.
Add as destination remote lan and set next-hop - vpn tunnel.
All traffic to this net will goes via vpn.1 -
@MikeForshock
The scenario can be fulfilled by adding policy route.
You can check below link as your reference.
Link: VPN with Multiple subnets1 -
Zyxel_Charlie said:@MikeForshock
The scenario can be fulfilled by adding policy route.
You can check below link as your reference.
Link: VPN with Multiple subnetsWhile this works with USG, it will not work with CradlePoint and others.They use the multiple remote networks on the policy of the VPN. We have tried this method prior.0 -
I think it's the time to change the CradlePoint to USG
0 -
Jeremylin said:I think it's the time to change the CradlePoint to USG
Lets assume for a minute its cellular and note the lack of real cellular support from USG or ZyXel in general.
0 -
I got this exact scenario to work between the Zyxel and a Cisco ASA. This was a huge breakthrough that allowed us to use pre-configured Zyxel USG20-VPN devices and hand them out to employees.
On the Cisco ASA side, we indeed have multiple source addresses configured using an object-group.
So on the ASA, the crypto map is:
crypto map outside_map 2 match address outside_cryptomap_zyxel1
and the access-list is:
access-list outside_cryptomap_zyxel1 extended permit ip object-group OG_with_multiple_networks object ZyXEL1_priv_internal network.
That's typical of a crypto map that creates the tunnel.
Here's the magic!
On the Zyxel, you have one object already created that defines the VPN gateway. Don't touch that object.
But you CAN define more than one VPN connection. Each VPN connection represents one destination network.
On the VPN connection tab, keep adding VPN connections, with the same parameters (protocol, encapsulation, proposal), same local policy, and a DIFFERENT REMOTE POLICY.
In my screen shot, I have two connection, and you can see they are both connected. One is for our internal 10.0.0.0/8 networks, and the other is for our internal 172.0.0.0/8 networks. They use the same VPN Gateway object (that's where the gateway IP address and pre-shared key is defined).
I struggled with this for months and finally figured out the simple solution. I hope this helps someone else.1 -
@erosevt Thanks for the information, will give it a try on the next go round.
On another note, your 172 network mask is a bit large and include some public spaces. Should be 12 bit mask, eg. 172.16.0.0/12 (255.240.0.0) (172.16.0.0-172.31.255.255)0
Categories
- All Categories
- 415 Beta Program
- 2.3K Nebula
- 141 Nebula Ideas
- 94 Nebula Status and Incidents
- 5.6K Security
- 218 USG FLEX H Series
- 262 Security Ideas
- 1.4K Switch
- 71 Switch Ideas
- 1K Wireless
- 39 Wireless Ideas
- 6.3K Consumer Product
- 245 Service & License
- 382 News and Release
- 81 Security Advisories
- 27 Education Center
- 8 [Campaign] Zyxel Network Detective
- 3.1K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 83 About Community
- 71 Security Highlight