Routing of several subnets through one VPN channel with Lancom and Zyxel
For a couple of years I have had a stable VPN site-to-site connection between the LANs of two locations A and B. In location A there is a LANCOM 1631E and in location B a Zyxel ZyWALL USG20. Negotiation mode was Main. The LANCOM is connected to the Internet via a Digitalisierungsbox Premium and the Zyxel via a FritzBox.
Done like in the following video but with stronger encryption.
Now there is a new requirement that it must be possible to reach other subnets C and D from subnet A. Those are connected via another router which is connected to subnet B. That means we need to route subnets C and D through the tunnel as well.
On the Lancom side I have configured that using IP4 Rules as described here:
On the Zyxel side this is not possible due to a Zyxel limitation which does not allow configuring more than one subnet per tunnel. See https://support.zyxel.eu/hc/en-us/articles/360001378873#h_01GV0FHHA4FHV32B69KXG4F1CH
and https://support.zyxel.eu/hc/de/articles/360001440613-Richtlinienrouten-USG-VPN-ATP-Verschiedene-Szenarios-und-Konfigurationen#two
The workaround is to create additional policy routes for that. Unfortunately, I was not able to get that running with the Lancom on the other side. My impression is that this works only with Zyxels on both ends.
It is also not possible to configure one subnet for all with a wider net mask because the IP address ranges of the three subnets are totally different.
Finally, I configured three separate VPN connections, one for each subnet. It was very hard and time consuming to get this running due to a lot of trial and error. This approach has several disadvantages:
- I can configure only two subnets due to a VPN license limitation on the Lancom side. So one subnet is still missing. Not that urgent, but in the end I want to have access to that one as well.
- It works only in Aggressive negotiation mode. In Main mode at least the second channel does not come up.
- The establishment of the second tunnel takes a longer time and happens only when the first client tries to connect. Can someone give a hint how the tunnels can be established automatically?
Finally, can someone suggest how to route more than one subnet through the tunnel with a Lancom and a Zyxel at the ends? Or do I really have to replace the Zyxel with a Lancom?
Thanks a lot!
Accepted Solution
-
There is routing, then there is the VPN policy; the two are not the same.
https://support.lancom-systems.com/knowledge/pages/viewpage.action?pageId=32986050
1.5 shows VPN remote station, which is the remote policy. I think this needs to be 0.0.0.0/0.
On the Zyxel, the local policy needs to be 0.0.0.0/0 in order to have the tunnel up.
All Replies
-
Are you able to configure this Lancom remote policy as 0.0.0.0/0? This would mean your Zyxel local policy is 0.0.0.0/0 to the remote policy Lancom subnet.
You might then need a routing rule to the Lancom subnet on the Zyxel.
-
Thanks for replying. This probably means that all traffic will be routed through the tunnel? This is not desired. The traffic to other networks should go to the Internet directly.
-
Can you not do routing rules on this Lancom to route only the subnets you want down the tunnel and everything else out its WAN?
-
So you mean to configure the VPN connection for 0.0.0.0/0 and to configure the routing of the three subnets by routing rules? Will try that.
-
Might not work, as the LANCOM needs to connect to the other sites' IPs… or not, as you connect to B and the other sites C and D route via B to A.
-
(It is also not possible to configure one subnet for all with a wider net mask because the IP address ranges of the three subnets are totally different.)
→ Sounds like you have private class A, B, C subnets, so no chance to summarize.
Agree, PeterUK: set the connection as 0.0.0.0/0, then use a policy route to make the path decision.
It can avoid sending the whole traffic to the tunnel this way. It should work even if the peer is not a Zyxel.
But I don't have experience with LANCOM, need to test.
-
The configuration on the LANCOM side is easy. But I'm not sure how to configure in the Zyxel that the normal traffic goes to the Internet and not to the tunnel. Yesterday I configured a static route for 0.0.0.0/0 to wan1 for that, lost all VPN connections by that and had to drive to location B to remove that route :-( Would a policy route instead of a static route prevent that?
-
Can you have remote access on WAN for login to the LANCOM, to be sure that doesn't happen again?
For the VPN not routing: does the LANCOM have a remote policy? I guess it must; that's what you need to change.
Does the LANCOM have routing options with next hop to tunnel?
-
Yes, I have remote access to the LANCOM and I can configure the routing there properly. The tunnel is configured for 0.0.0.0/0. All traffic except that for the three special subnets goes to the Internet. So yes, there it is possible to configure the tunnel as the next hop. On the LANCOM side the VPN and the effective routing table look fine and it seems to work.
My problem is rather the proper configuration on the Zyxel side. I think I need:
- In VPN connection replace remote policy "SUBNET, 192.168.0.0/24" by "SUBNET, 0.0.0.0/24".
- Add policy routes for each of the three networks: Incoming interface lan1, source address: one of the three networks, destination address: "SUBNET, 192.168.0.0/24" (subnet of location A), Next hop: tunnel
- Add policy route for my Dynamic VPN channel for access from home office.
- Add policy route to 0.0.0.0/0 to wan1 for the rest.
Am I right?
It seems that on the Zyxel it is harder to see an effective routing table, and I'm not sure what it does automatically and what not.
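An added example, not from the thread or either vendor, that models the policy-route list proposed in the post above together with the summarization point raised earlier: first-match evaluation shows why the 0.0.0.0/0 catch-all to wan1 has to sit below the tunnel rules, and the supernet check shows why subnets from three different private ranges cannot be collapsed into one. 192.168.0.0/24 is the location A subnet given in the thread; the ranges for B, C and D and the interface names are assumed.

```python
import ipaddress
from typing import NamedTuple, Optional

# Addressing: 192.168.0.0/24 (location A) is the value given in the thread; the
# ranges for B, C and D are constructed here and deliberately taken from three
# different RFC 1918 blocks, as the poster describes ("totally different").
NET_A = ipaddress.ip_network("192.168.0.0/24")
NET_B = ipaddress.ip_network("10.1.0.0/24")      # assumed
NET_C = ipaddress.ip_network("172.16.5.0/24")    # assumed
NET_D = ipaddress.ip_network("10.200.0.0/24")    # assumed
ANY = ipaddress.ip_network("0.0.0.0/0")

class PolicyRoute(NamedTuple):
    incoming: str                      # incoming interface, e.g. "lan1"
    source: ipaddress.IPv4Network
    destination: ipaddress.IPv4Network
    next_hop: str                      # "tunnel" or "wan1"

# The ordered list the poster proposes: one tunnel rule per local subnet towards
# location A, then a catch-all that sends everything else out of wan1.
PROPOSED = [
    PolicyRoute("lan1", NET_B, NET_A, "tunnel"),
    PolicyRoute("lan1", NET_C, NET_A, "tunnel"),
    PolicyRoute("lan1", NET_D, NET_A, "tunnel"),
    PolicyRoute("lan1", ANY, ANY, "wan1"),
]

def lookup(routes, incoming: str, src: str, dst: str) -> Optional[str]:
    """Top-down, first-match evaluation of an ordered policy-route list."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in routes:
        if r.incoming == incoming and s in r.source and d in r.destination:
            return r.next_hop
    return None   # no policy matched: the ordinary routing table decides

def smallest_supernet(nets):
    """Smallest single prefix containing every network, plus whether it is an
    exact summary (covers only those networks) or also swallows unrelated space."""
    nets = [ipaddress.ip_network(str(n)) for n in nets]
    cand = nets[0]
    while not all(n.subnet_of(cand) for n in nets):
        cand = cand.supernet()         # supernet() of /0 returns /0, so this ends
    exact = cand.num_addresses == sum(n.num_addresses for n in nets)
    return cand, exact

if __name__ == "__main__":
    print(lookup(PROPOSED, "lan1", "172.16.5.10", "192.168.0.20"))   # tunnel
    print(lookup(PROPOSED, "lan1", "172.16.5.10", "8.8.8.8"))        # wan1
    # Catch-all moved to the top swallows the tunnel traffic as well:
    print(lookup(PROPOSED[-1:] + PROPOSED[:-1], "lan1", "172.16.5.10", "192.168.0.20"))  # wan1
    print(smallest_supernet([NET_B, NET_C, NET_D]))                   # (0.0.0.0/0, False)
```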