Zyxel USG 50/100/110 vpn phase 2 order

arukashi
arukashi Posts: 7  Freshman Member
First Comment Friend Collector Third Anniversary
edited April 2021 in Security
Hello! Forgive me my bad english :)
Need some help. Is there any possibility to change order of automatic ipsec vpn routes?

There is Zyxel USG 50/100/110 (i got few of them) that connected to many networks using ipsec. I got one ipsec tunnel to pfsense router for internet access, so remote network in phase 2 points to 0.0.0.0/0
Then i make another tunnel to another device with remote policy, e.g. 192.168.111.0/24, and i cannot access this network. I looked at the "packet flow explore" tab and see that 0.0.0.0/0 route stands above 192.168.111.0/24 route, so its obvious why i cannot connect to 192.168.111.0/24 hosts. I see that site-to-site vpn routes lists in the same order as phase 2 configurations. So it comes to me, if i can change its order i can make it all work


I know i can make policy route leads to 192.168.111.0/24 through corresponding tunnel, but maybe there's some other way to make it work?
Thanks





Comments

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,518  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 1000 Comments
    Hi @arukashi,
    Welcome to Zyxel community.  :)   Can you post your network topology with IP subnet.
    It would be helpful and easier to know the scenario.
  • arukashi
    arukashi Posts: 7  Freshman Member
    First Comment Friend Collector Third Anniversary
    Hello!
    okay. Issue concerns Zyxel USG 100/110 with lan 192.168.23.0/24
    Tunnel1 is used for routing internet traffic to pfsense, other tunnels used for accessing other bogon networks (192.168.20.0-22.0/24).



    So, when all of this tunnels connected, automating routing rules generated, right? And this rules lists in the same order as we see in VPN -> IPSec VPN -> Connections. If tunnel1 rule is the first one, all traffic flows to pfsense, and traffic for tunnel 20/21/22 never gets to its right way. If tunnel1 rule is the last, its all okay. 



    If i create another ipsec tunnel it becomes last, and traffic for never reach target network. Is there any way i can change this order of rules without recreating tunnel1 rule?
    Thanx
  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,518  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 1000 Comments
    Hi @arukashi,
    It is unable to change the order of the IP Sec VPN tunnels in packet flow when the tunnel had been created, but you can control routing to corresponding tunnels by policy route,
    Because the traffic goes to policy route first, then Site to Site VPN.

  • arukashi
    arukashi Posts: 7  Freshman Member
    First Comment Friend Collector Third Anniversary

    Zyxel_Cooldia said:
    Hi @arukashi,
    It is unable to change the order of the IP Sec VPN tunnels in packet flow when the tunnel had been created, but you can control routing to corresponding tunnels by policy route,
    Because the traffic goes to policy route first, then Site to Site VPN.

    Okay. Either i recreate ipsec vpn rule for 0.0.0.0/0 or duplicate automatic rules with my own in policy route section. got it!
    Is it possible to make zyxel usg not to create automatic routing rules for vpn networks? Since i dont need them and i will make my own rules anyway
  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,518  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 1000 Comments
    Hi @arukashi,
    The routing table is auto created when you established site to site IP sec VPN tunnel.


  • arukashi
    arukashi Posts: 7  Freshman Member
    First Comment Friend Collector Third Anniversary
    edited May 2018
    All right, thanks a lot
    Maybe it will be useful to be able to change ipsec rule order, i hope would correct this in latest firmwares :)

Categories

Security Help Center

EnglishTiếng ViệtРусскийไทย中文(台灣)