Routing of several subnets through one VPN channel with Lancom and Zyxel

akar
akar Posts: 7
First Comment
edited November 2023 in Security

Since a couple of years I have established a stable VPN site-to-site connection between the LANs of two locations A and B. In location A is LANCOM 1631E and in location B a Zyxel ZyWALL USG20. Negotion mode was Main. The LANCOM is connected to the Internet via Digitalisierungsbox Premium and the Zyxel via a FritzBox.

Done like in the following video but with stronger encryption.

Now, there is a new requirement that it must be possible to reach from subnet A to other subnets C and D. Those are connected via another router which is connected to subnet B. That means, we need to route subnets C and D through the tunnel as well.

On the Lancom side I have configured that using IP4 Rules as described here: https://support.lancom-systems.com/knowledge/pages/viewpage.action?pageId=32986050

On the Zxel side this is not possible due to a Zyxel limitation which does not allow to configure more than one subnet per tunnel. See https://support.zyxel.eu/hc/en-us/articles/360001378873#h_01GV0FHHA4FHV32B69KXG4F1CH

and https://support.zyxel.eu/hc/de/articles/360001440613-Richtlinienrouten-USG-VPN-ATP-Verschiedene-Szenarios-und-Konfigurationen#two

The workaround is to create additional policy routes for that. Unfortunately, I was not able to get that running with the Lancom on the other side. My impression is that this works only with Zyxels on both ends.

It is also not possible to configure one subnet for all with a wider net mask because the IP address ranges of the three subnets are totally different.

Finally, I configured three separate VPN connections, one for each subnet. It was very hard and time consuming to get this running due to a lot of trial and error. This approach has several disadvantages:

  • I can configure only two subnets due to a VPN license limitation on the Lancom side. So, one subnet is still missing. Not that urgent, but at the end I want have also access to that one.
  • It works only in Aggressive negotiation mode. In Main mode at tleast the second channel does not come up.
  • The establishment of the second tunnel takes a longer time and it happens only when the first client tries to connect. Can someone give a hint how the tunnels can be established automatically?

Finally, can one suggest how to route more than one subnet through the tunnel with a Lancom and a Zxel at the ends. Or do I have really to replace the Zyxel by a Lancom?

Thanks a lot!

Accepted Solution

  • PeterUK
    PeterUK Posts: 3,326  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited November 2023 Answer ✓

    Their is routing then there is the VPN policy the two are not the same

    https://support.lancom-systems.com/knowledge/pages/viewpage.action?pageId=32986050

    1.5 shows VPN remote station which is remote policy I think this needs to be 0.0.0.0/0

    on the Zyxel local policy needs to be 0.0.0.0/0 in order to have the tunnel up.

«1

All Replies

  • PeterUK
    PeterUK Posts: 3,326  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited November 2023

    Are you able to config this Lancom remote policy as 0.0.0.0/0 ? this would mean your Zyxel local policy is 0.0.0.0/0 to remote policy Lancom subnet.

    you might then need a routeing rule to Lancom subnet on Zyxel

  • akar
    akar Posts: 7
    First Comment

    Thanks for replying. This probably means that all traffic will be routed through the tunnel? This is not desired. The traffic to other networks should go to the internet directly.

  • PeterUK
    PeterUK Posts: 3,326  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited November 2023

    Can you not do routing rules on this Lancom to route only subnets you want down the tunnel and everything else out its WAN?

  • akar
    akar Posts: 7
    First Comment

    So you mean to configure the VPN connection for 0.0.0.0/0 and to configure the routing of the three subnets by routing rules? Will try that.

  • PeterUK
    PeterUK Posts: 3,326  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited November 2023

    Might not work as you the LANCOM needs to connect to other sites IPs…or not as you connect to B and the other C and D route by B to A

  • WJS
    WJS Posts: 155  Master Member
    5 Answers First Comment Friend Collector Second Anniversary

    (It is also not possible to configure one subnet for all with a wider net mask because the IP address ranges of the three subnets are totally different.)

    → Sounds like you have private class A , B, C subnets, so no chance to summary.

    Agree PeterUK, set the connection as 0.0.0.0/0 then using policy route to make path decision.

    It can avoid whole traffic send to tunnel in this way, It should work even peer is not Zyxel .

    But I don't have experience on LANCOM need to test

  • akar
    akar Posts: 7
    First Comment

    The configuration on the LANCOM side is easy. But I'm not sure how to configure in the Zyxel that the normal traffic goes to the Internet and not to the tunnel. Yesterday I configured for that a static route for 0.0.0.0/0 to wan1 and lost by that all VPN connections and hat to drive to location B to remove that route :-( Would a policy route instead of a static route prevent that?

  • PeterUK
    PeterUK Posts: 3,326  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited November 2023

    Can you have remote access on WAN for login for the LANCOM to be sure that don't happen again?

    For the VPN not routing does LANCOM have remote policy I guess It must thats what you need to change  

    Does the LANCOM have routing options next hop to tunnel?

  • akar
    akar Posts: 7
    First Comment

    Yes, I have remote access to the LANCOM and I can configure there the routing properly. The tunnel is configured for 0.0.0.0/0. All traffic but that for the three special subnets goes to the Internet. So, yes there it is possible to configure the tunnel as the next hop. On LANCOM side the VPN and the effective routing table looks fine and it seems to work.

    My problem is rather the proper configuration on the Zyxel side. I think, I need

    • In VPN connection replace remote policy "SUBNET, 192.168.0.0/24" by "SUBNET, 0.0.0.0/24".
    • Add policy routes for each of the three networks: Incoming interface lan1, source address: one of the three networks, destination address: "SUBNET, 192.168.0.0/24" (subnet of location A), Next hop: tunnel
    • Add policy route for my Dynamic VPN channel for access from home office.
    • Add policy route to 0.0.0.0/0 to wan1 for the rest.

    Am I right?

    It seems, on Zyxel it is harder to see an effective routing table and I'm not sure what it does automatically and what not.

  • PeterUK
    PeterUK Posts: 3,326  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited November 2023 Answer ✓

    Their is routing then there is the VPN policy the two are not the same

    https://support.lancom-systems.com/knowledge/pages/viewpage.action?pageId=32986050

    1.5 shows VPN remote station which is remote policy I think this needs to be 0.0.0.0/0

    on the Zyxel local policy needs to be 0.0.0.0/0 in order to have the tunnel up.

Security Highlight