Routing of several subnets through one VPN channel with Lancom and Zyxel


All Replies

  • WJS
    WJS Posts: 155  Master Member

    Hmm, from your video, you're using a very old firewall unit.

    At least on the newer USG FLEX/ATP you can set a policy route: 192.168.0.0/24, next-hop VPN tunnel.

    But I'm not sure if it is supported on the oldest USG.

    I would suggest upgrading your units for security and maintenance reasons.

  • akar
    akar Posts: 7

    I finally got it running! On the LANCOM side I configured 0.0.0.0/0 as the remote network and the routes for the three networks to the tunnel. On the Zyxel side I just configured 0.0.0.0/0 as the local policy. I did not configure any policy routes. There are just two static routes for the two special networks to the third router. I expected that the "normal" traffic from location B would go through the tunnel as well without special policy routes. But the "normal" traffic goes directly to the Internet in both locations, as desired.

    How can that be? Does the LANCOM propagate its routing table to the Zyxel?

  • WJS
    WJS Posts: 155  Master Member

    What's your remote policy on Zyxel side ?

  • akar
    akar Posts: 7

    192.168.0.0/24 which is the subnet of location A. OK, I got it.
    Thanks to all for the discussion, especially to PeterUK for his idea to use 0.0.0.0/0.
    There is just one thing. The establishment of the connection looks like this in the LANCOM log:

    2023-11-28 00:54:27 LOCAL0 Error last message repeated 2 times
    2023-11-28 00:54:07 LOCAL0 Error VPN: Error for peer VPN_2_USG: IPSEC-I-No-proposal-matched
    2023-11-28 00:54:04 AUTH Notice Successfully connected to peer VPN_2_USG
    2023-11-28 00:54:02 LOCAL0 Error VPN: Error for peer VPN_2_USG: IPSEC-I-No-proposal-matched

    I have no clue where the 4 errors come from. This is reproducible, but it works anyway. As far as I can see, there is an identical configuration on both sides. I use IKEv1 with PSK because this Zyxel does not support IKEv2. On the Zyxel side I can't see any errors.
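
Editor's note: the forwarding behaviour akar describes above (Internet traffic leaving directly at both sites, the three location-B networks reaching the tunnel, the two special networks reaching the third router) follows from how each box combines its phase-2 traffic selector with its routing table, not from any route propagation. The model below is an added example, not code or configuration from the thread or from either vendor. It uses 192.168.0.0/24 for location A and the peer name VPN_2_USG from the posts; the three location-B prefixes (10.10.1.0/24, 10.10.2.0/24, 10.10.3.0/24), the third-router address 10.10.1.254 and the Internet host 203.0.113.1 are assumed placeholders. The LANCOM is modelled route-first (routes point at the peer, the 0.0.0.0/0 remote selector then admits anything routed there); the Zyxel is modelled policy-first (the VPN policy local 0.0.0.0/0 / remote 192.168.0.0/24 is checked before the routing table), which is the usual behaviour of a policy-based IPsec gateway.

```python
"""Policy-based vs route-based IPsec forwarding model (added example, not from the thread)."""
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")
LAN_A = ip_network("192.168.0.0/24")        # location A, from the thread
# Assumed placeholders for location B (the thread does not name these prefixes):
LAN_B = ip_network("10.10.1.0/24")          # directly behind the Zyxel
SPECIAL_1 = ip_network("10.10.2.0/24")      # behind the third router
SPECIAL_2 = ip_network("10.10.3.0/24")      # behind the third router
THIRD_ROUTER = "10.10.1.254"                # assumed address of the third router

# LANCOM: three routes to the VPN peer (as akar configured), default to the Internet.
LANCOM_ROUTES = [(LAN_B, "VPN_2_USG"), (SPECIAL_1, "VPN_2_USG"),
                 (SPECIAL_2, "VPN_2_USG"), (ANY, "internet")]
# LANCOM phase-2 selector: local 192.168.0.0/24, remote 0.0.0.0/0.
LANCOM_POLICY = (LAN_A, ANY)

# Zyxel: two static routes for the special networks, connected LAN, default to Internet.
ZYXEL_ROUTES = [(SPECIAL_1, THIRD_ROUTER), (SPECIAL_2, THIRD_ROUTER),
                (LAN_B, "connected"), (ANY, "internet")]
# Zyxel VPN policy: local 0.0.0.0/0, remote 192.168.0.0/24 (from the thread).
ZYXEL_POLICY = (ANY, LAN_A)


def route_lookup(routes, dst):
    """Longest-prefix match over (prefix, next_hop) pairs; None if nothing matches."""
    best = None
    for prefix, next_hop in routes:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop)
    return best[1] if best else None


def selector_matches(policy, src, dst):
    """Phase-2 traffic selector: the packet must fit both the local and remote prefix."""
    local, remote = policy
    return src in local and dst in remote


def lancom_forward(src, dst):
    """Route-based side: routing decides first, the selector must then admit the packet.
    A packet routed to the peer but outside the selector is modelled as dropped."""
    src, dst = ip_address(src), ip_address(dst)
    next_hop = route_lookup(LANCOM_ROUTES, dst)
    if next_hop == "VPN_2_USG":
        return "tunnel" if selector_matches(LANCOM_POLICY, src, dst) else "drop"
    return next_hop


def zyxel_forward(src, dst):
    """Policy-based side: the VPN policy is consulted before the routing table.
    Also used for decrypted packets arriving from the tunnel."""
    src, dst = ip_address(src), ip_address(dst)
    if selector_matches(ZYXEL_POLICY, src, dst):
        return "tunnel"
    return route_lookup(ZYXEL_ROUTES, dst)


if __name__ == "__main__":
    for side, fn, src, dst in [
        ("LANCOM", lancom_forward, "192.168.0.10", "10.10.2.5"),   # A -> special net
        ("LANCOM", lancom_forward, "192.168.0.10", "203.0.113.1"), # A -> Internet
        ("Zyxel", zyxel_forward, "10.10.2.5", "192.168.0.10"),     # special net -> A
        ("Zyxel", zyxel_forward, "10.10.1.20", "203.0.113.1"),     # B -> Internet
        ("Zyxel", zyxel_forward, "192.168.0.10", "10.10.2.5"),     # decrypted A -> special
    ]:
        print(f"{side:6} {src:>14} -> {dst:<14} : {fn(src, dst)}")
```

The last case is the interesting one: a packet from location A to a special network is decrypted by the Zyxel, fails the remote selector (its destination is not 192.168.0.0/24), and therefore falls through to the static route toward the third router, while the reply from that network matches the policy and is encapsulated. Nothing on the Zyxel needs to know the LANCOM's routing table for this to work; the 0.0.0.0/0 selector on each side simply stops phase 2 from rejecting traffic that the other side's routes or policy decided to send.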
