VPN100 IPSEC Tunnel more then one remote Network

alexAT
alexAT Posts: 4
First Comment
edited April 2021 in Security
Hello all!

we bought a VPN100 and now i am very confused and angry, sorry if it look so!


I start with the VPN Connection to the other office and all work fine. 
I create a Gateway then Phase 2 a Network, at this point i was confused because it was an a nother Position at the menu and a litte bit complicated but ok.

Then  i will create a nother Tunnel to a costumer and there i need 15 remote network. Yes its a bad desition but it is the "costumer" :)
and the old Firewall had no problem with that.

But i dont find a way to add more then one remote network at the menu.

My first try was to create more Phase 2 Connection but this does not work.
Then i create a policy routing, i dont think this is a good way but i had buy it and i try it.
But this does not work.


And i can not belive it!
is this the answere?
The VPN100 can not add more then one remote network at one side in the IPSEC VPN connection????
And i can also not add more then one network on my side????


PLEASE HELP! I can not return the device. I do a Firmware update but nothing changed.

Thanks Alex!

All Replies

  • Ian31
    Ian31 Posts: 165  Master Member
    First Anniversary 10 Comments Friend Collector First Answer
    alexAT,
    That's what I know about Zyxel IPSec VPN.
    It doesn't support multiple traffic selectors in phase 2. 

    So that it depends on what's the peer VPN gateway supported.
    If the peer VPN gateway support route-based IPSec VPN.
    Then, change both side to use route-based IPSec VPN is the choice.

  • thx 4 answer.
    But is this not strange? I know any low budget Firewall and there are no Problems with that.
    My Company buy two of them and now it is a door wedge if i don't fix that. Is there a other zyxel product with this feature?
    Its possible i should buy a better product form zyxel?



    How can i change it to the a "route-based IPSec VPN".

    It says nothing to me sorry. Do have a "howto"?

  • Zyxel_Tobias
    Zyxel_Tobias Posts: 200  Zyxel Employee
    First Anniversary Friend Collector First Answer First Comment
    Hi @alexAT

    Welcome to Community Forum!

    You can go to establish a VTI Interface following the article:

    https://support.zyxel.eu/hc/en-us/articles/360000707399-How-can-I-configure-IPSec-site-to-site-VPN-by-using-VTI-on-the-USG-

    We are working for "Cloud Solutions" (Flex Series) to have VPN enhance features in Cloud in Q2/2021 which allow more easy networks to combine each other via Drag and Drop.

    For Standalone and VPN Series, currently the product behavior is similar, so VTI config, will be best for you.

    If the Subnets are near to each other, you may also can set a RANGE object, instead of Subnet.

    Kind Regards,

    Tobias
  • HI Tobias! Thank for the Help.

    I can not change the remote side, is VTI configuration necessary on both sides?

    Range: Can i take a range from  10.225.0.0 to 172.17.116.254 ?

  • Zyxel_Tobias
    Zyxel_Tobias Posts: 200  Zyxel Employee
    First Anniversary Friend Collector First Answer First Comment
    Hi @alexAT

    Yes both site need setup VTI or Route-Based VPn.

    Theoretically you can use this range, as long as it´s not overlapping with ANY other network configured.

    i.e. if your LAN is 192.168.10.1/24 and your WAN IP is 212.222.222.22 then it could work (same for remote site).

    You can also be in touch with Austria Support on Phone: +4924056489990

    Kind Regards,

    Tobias
  • gb5102
    gb5102 Posts: 25  Freshman Member
    First Anniversary Friend Collector First Comment
    edited February 2021
    alexAT said:
    [...]
    My first try was to create more Phase 2 Connection but this does not work.
    [...]

    ^^^ Multiple Phase 2 is exactly what you need to do. VTI is not required but does make it a bit easier/cleaner.
    We have a couple of ZyWALL 110s connecting to multiple remote subnets and this works perfectly. We created a separate phase2 for each local and remote subnet that needed to communicate, each of these phase2's share the same phase1/'gateway'. I can confirm this works properly between 2 Zywalls and also between Zywall 110 and Cisco ASA 5515-X
  • Hi 

    i solved it with Multiple Phase 2.
    It was possible with IKEv1 and IKEv2.

    I have 15 phase 2 at one Tunnel with the same Auth Mode Sha1 and AES256 and so.
    Zyxel Support write its possible at any zyxel products have tunnel swapping, its better to chose different Security Modes to prevent this problem. 

    thx all 4 Answere!

Security Highlight