VPN - IPSec - Gateway - Policy - Multiple networks

MikeForshock
MikeForshock Posts: 40  Freshman Member
First Comment Friend Collector Third Anniversary
edited April 2021 in Security
We have a USG40 with multiple connect subnets
172.16.1.x, 172.20.1.x, 192.168.20.x, etc.

Unfortunately the USG only allows for a single Network to be entered in the Local and Remote policy.
The ability to add multiple networks (single or as a group) would allow us to setup or Zyxel devices like we can with all the others (SonicWall, CradlePoint, etc.)

This impacts our remote Site-to-Site operations.  This is an example of what we would see for our locations, and would need to access these different subnets from the remotes (and VPN Remote Access users).
Setting as All Routes (0.0.0.0/0) is NOT what we want for the HQ,

HQ Networks (VPN Responder/Gateway)
  • 172.17.x.x/16
  • 192.168.11.x/24
  • 192.168.100.x/24
Site 2 (VPN Peer):
  • 172.20.1.x/24
  • 192.168.10.x/24
Site 3 (VPN Peer):
  • 172.20.10.x/24
  • 192.168.20.x/24


All Replies

  • alexey
    alexey Posts: 188  Master Member
    First Comment Friend Collector Fifth Anniversary
    Hello.
    If you need access to other networks via vpn tunnel, you can do this by policy routes.
    Add as destination remote lan and set next-hop - vpn tunnel.
    All traffic to this net will goes via vpn.
  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee
    50 Answers 500 Comments Friend Collector Fourth Anniversary
    edited November 2020
    @MikeForshock
    The scenario can be fulfilled by adding policy route.
    You can check below link as your reference.
    Link: VPN with Multiple subnets
  • MikeForshock
    MikeForshock Posts: 40  Freshman Member
    First Comment Friend Collector Third Anniversary
    @MikeForshock
    The scenario can be fulfilled by adding policy route.
    You can check below link as your reference.
    Link: VPN with Multiple subnets

    While this works with USG, it will not work with CradlePoint and others.
    They use the multiple remote networks on the policy of the VPN.  We have tried this method prior.
  • Jeremylin
    Jeremylin Posts: 166  Master Member
    First Answer First Comment Third Anniversary
    I think it's the time to change the CradlePoint to USG :)
  • MikeForshock
    MikeForshock Posts: 40  Freshman Member
    First Comment Friend Collector Third Anniversary
    Jeremylin said:
    I think it's the time to change the CradlePoint to USG :)

    Lets assume for a minute its cellular and note the lack of real cellular support from USG or ZyXel in general.  ;)
  • erosevt
    erosevt Posts: 1
    I got this exact scenario to work between the Zyxel and a Cisco ASA.   This was a huge breakthrough that allowed us to use pre-configured Zyxel USG20-VPN devices and hand them out to employees.

    On the Cisco ASA side, we indeed have multiple source addresses configured using an object-group.

    So on the ASA, the crypto map is:
    crypto map outside_map 2 match address outside_cryptomap_zyxel1
    and the access-list is:
    access-list outside_cryptomap_zyxel1 extended permit ip object-group OG_with_multiple_networks object ZyXEL1_priv_internal network.

    That's typical of a crypto map that creates the tunnel.   

    Here's the magic!

    On the Zyxel, you have one object already created that defines the VPN gateway.  Don't touch that object.

    But you CAN define more than one VPN connection.  Each VPN connection represents one destination network.

    On the VPN connection tab, keep adding VPN connections, with the same parameters (protocol, encapsulation, proposal), same local policy, and a DIFFERENT REMOTE POLICY.

    In my screen shot, I have two connection, and you can see they are both connected.  One is for our internal 10.0.0.0/8 networks, and the other is for our internal 172.0.0.0/8 networks.  They use the same VPN Gateway object (that's where the gateway IP address and pre-shared key is defined).



    I struggled with this for months and finally figured out the simple solution.   I hope this helps someone else.
  • MikeForshock
    MikeForshock Posts: 40  Freshman Member
    First Comment Friend Collector Third Anniversary
    @erosevt Thanks for the information, will give it a try on the next go round.

    On another note, your 172 network mask is a bit large and include some public spaces.  Should be 12 bit mask, eg. 172.16.0.0/12 (255.240.0.0) (172.16.0.0-172.31.255.255)

Security Highlight