VPN - IPSec - Gateway - Policy - Multiple networks
MikeForshock
Posts: 40 Freshman Member
We have a USG40 with multiple connect subnets
172.16.1.x, 172.20.1.x, 192.168.20.x, etc.
Unfortunately the USG only allows for a single Network to be entered in the Local and Remote policy.
The ability to add multiple networks (single or as a group) would allow us to set up our Zyxel devices like we can with all the others (SonicWall, CradlePoint, etc.).
This impacts our remote Site-to-Site operations. This is an example of what we would see for our locations, and would need to access these different subnets from the remotes (and VPN Remote Access users).
Setting as All Routes (0.0.0.0/0) is NOT what we want for the HQ.
HQ Networks (VPN Responder/Gateway):
- 172.17.x.x/16
- 192.168.11.x/24
- 192.168.100.x/24
Site 2 (VPN Peer):
- 172.20.1.x/24
- 192.168.10.x/24
- 172.20.10.x/24
- 192.168.20.x/24
All Replies
Hello.
If you need access to other networks via vpn tunnel, you can do this by policy routes.
Add as destination remote lan and set next-hop - vpn tunnel.
All traffic to this net will go via vpn.
@MikeForshock
The scenario can be fulfilled by adding policy route.
You can check below link as your reference.
Link: VPN with Multiple subnets
Zyxel_Charlie said:
> @MikeForshock
> The scenario can be fulfilled by adding policy route.
> You can check below link as your reference.
> Link: VPN with Multiple subnets

While this works with USG, it will not work with CradlePoint and others. They use the multiple remote networks on the policy of the VPN. We have tried this method prior.
I think it's the time to change the CradlePoint to USG
Jeremylin said:
> I think it's the time to change the CradlePoint to USG

Let's assume for a minute it's cellular and note the lack of real cellular support from USG or ZyXel in general.
I got this exact scenario to work between the Zyxel and a Cisco ASA. This was a huge breakthrough that allowed us to use pre-configured Zyxel USG20-VPN devices and hand them out to employees.
On the Cisco ASA side, we indeed have multiple source addresses configured using an object-group.
So on the ASA, the crypto map is:

    crypto map outside_map 2 match address outside_cryptomap_zyxel1

and the access-list is:

    access-list outside_cryptomap_zyxel1 extended permit ip object-group OG_with_multiple_networks object ZyXEL1_priv_internal network.
That's typical of a crypto map that creates the tunnel.
Here's the magic!
On the Zyxel, you have one object already created that defines the VPN gateway. Don't touch that object.
But you CAN define more than one VPN connection. Each VPN connection represents one destination network.
On the VPN connection tab, keep adding VPN connections, with the same parameters (protocol, encapsulation, proposal), same local policy, and a DIFFERENT REMOTE POLICY.
In my screenshot, I have two connections, and you can see they are both connected. One is for our internal 10.0.0.0/8 networks, and the other is for our internal 172.0.0.0/8 networks. They use the same VPN Gateway object (that's where the gateway IP address and pre-shared key is defined).
I struggled with this for months and finally figured out the simple solution. I hope this helps someone else.
@erosevt Thanks for the information, will give it a try on the next go round.
On another note, your 172 network mask is a bit large and includes some public spaces. Should be a 12-bit mask, e.g. 172.16.0.0/12 (255.240.0.0) (172.16.0.0-172.31.255.255).
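The two practical points in this thread are (a) a device that accepts one network per policy needs one VPN connection per local/remote network pair, and (b) a selector that is too wide (like 172.0.0.0/8) silently pulls public address space into the tunnel. The script below is an added example, not from the thread or from Zyxel; it uses Python's standard `ipaddress` module and constructed sample subnets based on the HQ/Site 2 lists above to enumerate the required pairs and to flag selectors that are not entirely RFC 1918 space or that overlap between local and remote.

```python
"""Plan one-network-per-policy IPsec selectors and sanity-check them.

Added example for the thread; not Zyxel, Cisco or CradlePoint code.
"""
import ipaddress
from itertools import product

# Constructed sample input, taken from the subnets listed in the thread.
HQ_NETWORKS = ["172.17.0.0/16", "192.168.11.0/24", "192.168.100.0/24"]
SITE2_NETWORKS = ["172.20.1.0/24", "192.168.10.0/24",
                  "172.20.10.0/24", "192.168.20.0/24"]

# The three RFC 1918 private blocks.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse(nets):
    """Parse CIDR strings strictly: a typo such as 172.17.1.0/16 (host bits
    set) raises ValueError instead of being silently widened."""
    return [ipaddress.ip_network(n) for n in nets]


def policy_pairs(local, remote):
    """One (local, remote) selector per VPN connection: same gateway object,
    one local network and one remote network each, as the workaround in the
    thread requires. With L local and R remote networks this is L*R entries."""
    return [(str(l), str(r)) for l, r in product(parse(local), parse(remote))]


def public_leakage(net):
    """Return the non-RFC1918 ranges covered by `net` (empty if fully private).
    CIDR blocks only ever nest or are disjoint, so each step either removes
    the private block from a range, drops a fully private range, or keeps it."""
    remaining = [ipaddress.ip_network(net)]
    for private in RFC1918:
        nxt = []
        for rng in remaining:
            if private.subnet_of(rng):          # private block inside rng: carve it out
                nxt.extend(rng.address_exclude(private))
            elif rng.subnet_of(private):        # rng fully private: nothing leaks
                continue
            else:                               # disjoint: keep checking it
                nxt.append(rng)
        remaining = nxt
    return [str(r) for r in remaining]


def leaked_address_count(net):
    """Number of non-private addresses a selector would drag into the tunnel."""
    return sum(ipaddress.ip_network(r).num_addresses for r in public_leakage(net))


def private_part(net):
    """Tightest RFC 1918 selector(s) replacing an over-wide one, e.g.
    172.0.0.0/8 -> 172.16.0.0/12 (the correction suggested in the last reply)."""
    net = ipaddress.ip_network(net)
    if any(net.subnet_of(p) for p in RFC1918):
        return [str(net)]
    return [str(p) for p in RFC1918 if p.subnet_of(net)]


def overlaps(local, remote):
    """Local/remote selector pairs that overlap; the peer cannot route such
    traffic unambiguously and it is almost always a typo."""
    return [(str(l), str(r)) for l, r in product(parse(local), parse(remote))
            if l.overlaps(r)]


def audit(local, remote):
    """Full plan: number of connections needed plus a list of problems."""
    problems = []
    for net in local + remote:
        leak = public_leakage(net)
        if leak:
            problems.append(f"{net} includes non-private space: {', '.join(leak)};"
                            f" consider {', '.join(private_part(net))}")
    for l, r in overlaps(local, remote):
        problems.append(f"local {l} overlaps remote {r}")
    pairs = policy_pairs(local, remote)
    return {"connections_needed": len(pairs), "pairs": pairs, "problems": problems}


if __name__ == "__main__":
    plan = audit(HQ_NETWORKS, SITE2_NETWORKS)
    print(f"{plan['connections_needed']} VPN connections needed:")
    for l, r in plan["pairs"]:
        print(f"  local {l:<18} remote {r}")
    print("problems:", plan["problems"] or "none")
    # The over-wide selector from the thread, checked the same way.
    print(audit(["172.0.0.0/8"], ["192.168.20.0/24"])["problems"])
```

Run it as-is to see the 12 connections the sample HQ/Site 2 lists require, then swap in your own CIDR lists; anything reported under `problems` is worth fixing before it goes into a policy.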