Looking for good resource about VPN Configuration (ipsec/ikev2)

Eric_ Posts: 24  Freshman Member
edited April 2021 in Security
Hello all

The more I work with Zywall & USG devices, the more requests show up for VPN connections. Single connections, site-to-site or client-server, I can manage by now. However, when it comes to multiple connections, I start to struggle with which "connection" is using which "gateway" and, at the same time, on what basis gateways are selected during a connect attempt (usually not the one I counted on). The same with IKEv2 VPN with certificates. I made two certificates (with the same hostname "host.dyndns.org") and matching gateways and connections. The first one worked just fine with a Windows VPN connection, the second did not. Somehow the wrong gateway on the USG is selected when I try to connect to the second VPN I created in Windows (I changed the locally imported certificate to match). Beats me how these gateways are selected.
For remote users I could create 1 gateway and 1 connection and filter their access over a security policy based on their user ID. But this does not work (for me) with site-to-site, not to mention over multiple VLANs.

In short, I need to learn some more. Does anyone know of a good resource where I can read up on this topic and get this sorted out? (possible languages: German, English, Dutch). As it is now, it takes forever and I am not pleased with the results. I need to get an overview and know what I am doing so I can stop piecing it together by guesswork.

Thanks and Greetings
Eric

PS. I did a USG course, but there we stopped after 1 IPsec/SSL VPN :-(

All Replies

  • Alfonso
    Alfonso Posts: 257  Master Member
    Hi @Eric_

    I am not a zyxel expert, and I am sure there are more experienced admins in this forum, but still let me give you some advice: Learn more about general networking.

    If I can draw a network architecture ... I am able to deploy it using any vendor. (Zyxel, ubiquiti, mikrotik, juniper, cisco, huawei, netgear ...)

    From my point of view, your questions are very different, which suggests to me that you could need advanced networking knowledge, to be sure that what you have designed in your mind is the best solution for your needs.
     
    I recommend Cisco CCNP books, not to learn Cisco, but to learn networking.

    Do not hesitate to contact me via private message if you want to discuss in detail any of your issues.

    Welcome to advanced networking :)

    Regards
  • Zyxel_Emily
    Zyxel_Emily Posts: 1,278  Zyxel Employee
    edited December 2018

    Hi @Eric_,

    Here are some scenarios in the handbook for your reference.

    The handbook guides you through how to configure the USG and what should be noted in the configuration steps.

    The handbook on the global website is updated whenever a new firmware version is released.

    ftp://ftp2.zyxel.com/USG110/handbook/USG110_ZLD4.25_Handbook.pdf

  • Eric_
    Eric_ Posts: 24  Freshman Member
    Hello Emily

    Thanks for the handbook link, 365 pages about VPN should give me something to read for the next few weeks. There seem to be a lot of possible configuration topics; I just hope I find the global explanation about how, during a VPN connect, the selection among the available gateways and connections is made. Usually each VPN by itself is no problem; it starts for me when multiple VPN configurations are to be made. However, the 365 pages are a tiny bit too much to answer this already :-)

    Eric
  • Eric_
    Eric_ Posts: 24  Freshman Member
    Alfonso said:
    Hi @Eric_

    I am not a zyxel expert, and I am sure there are more experienced admins in this forum, but still let me give you some advice: Learn more about general networking.

    If I can draw a network architecture ... (cut)

    Welcome to advanced networking :)

    Regards
    Hello Alfonso

    Thanks for the reply/advice. Since 1990 I have spent my time with client/server and many other things, but only in the last 2 years have I got to work closely with networking equipment (job change). Before, I requested connections and functions; now I have to design and implement them myself, next to the other work that remained...
    The basic networking knowledge is now there, to some extent, and when time permits I read up on new topics, among others in Cisco books, even though I have nearly no knowledge of or contact with those products. You are absolutely right, a drawing does wonders, but unfortunately not this one. I lack the overview of this connection process, and once I have that, I can dig into the details and get it under control. 1 VPN is no problem; multiple get me in trouble.

    "Welcome to advanced networking" sounds good, is fun to do, if only those days were not so short. 24 hours just doesn't cut it when there is so much to learn, while the customers are waiting :-)

    I'll read Emily's Handbook and see if my Cisco Networking Manual has something useful in it.

    Greetings
    Eric


  • Alfonso
    Alfonso Posts: 257  Master Member
    Hi @Eric_

    A job change is always a chance to learn.

    I have been working in networking for years, and it is often very exciting.

    Obviously, working under customer pressure can be stressful.
    Continue reading and learning and you will be an expert.

    Enjoy :)
  • Eric_
    Eric_ Posts: 24  Freshman Member
    Hi Emily

    That is what I feared. I also had an incorrect gateway configuration. Now I have deleted everything and created 1 certificate, 1 IKEv2 gateway and 1 IKEv2 connection with a local policy that covers the entire network. In Security Policy Control I created 3 rules, bottom up: incoming from IPsec VPN (in IKEv2_Client_Pool), block all traffic to LAN1 (incl. all VLANs). Above that: if the remote IP is in IKEv2_Client_Pool and the user is a member of a particular user group, I allow access to the LAN addresses they need and no more. This does not prevent them from "jumping" to other hosts, which was not a requirement, but it keeps them from accessing other VLANs and from initial contact with other hosts.
    The external user now only needs the certificate, the hostname and a valid username/password combination.

    For now this works, but who knows what I will learn from the handbook you told me about...

    Thank you for the comment. I confirmed my test results.

    Regards
    Eric
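
As an added illustration of the policy ordering Eric describes above (this is not Zyxel's code and not from any post in this thread), the Python model below evaluates an ordered, first-match policy list holding his two rules: an allow rule for a user group to specific LAN hosts sitting above a block rule for all IPsec VPN traffic to LAN1. The address ranges, the group name "vpn_users" and the zone name "IPSec_VPN" are constructed placeholders, not values from the USG.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample address objects (assumptions, not the real USG objects).
IKEV2_CLIENT_POOL = ipaddress.ip_network("10.255.0.0/24")
LAN1 = [ipaddress.ip_network("192.168.10.0/24"),      # LAN1
        ipaddress.ip_network("192.168.20.0/24")]      # a VLAN behind LAN1
GROUP_HOSTS = [ipaddress.ip_network("192.168.10.10/32")]  # the hosts the group needs


@dataclass
class Rule:
    name: str
    from_zone: str                                  # zone the packet enters from
    src: Optional[ipaddress.IPv4Network]            # None means any source
    dst: List[ipaddress.IPv4Network]                # destinations the rule covers
    user_group: Optional[str]                       # None means any user
    action: str                                     # "allow" or "deny"


# Ordered top-down, first match wins: the allow rule must sit above the block rule,
# otherwise the block rule would match first and the group would never get through.
POLICY = [
    Rule("allow_group_to_hosts", "IPSec_VPN", IKEV2_CLIENT_POOL, GROUP_HOSTS, "vpn_users", "allow"),
    Rule("block_vpn_to_lan1", "IPSec_VPN", None, LAN1, None, "deny"),
]


def evaluate(policy, zone, src_ip, dst_ip, groups):
    """Return (rule_name, action) of the first matching rule, top-down."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in policy:
        if rule.from_zone != zone:
            continue
        if rule.src is not None and src not in rule.src:
            continue
        if not any(dst in net for net in rule.dst):
            continue
        if rule.user_group is not None and rule.user_group not in groups:
            continue
        return rule.name, rule.action
    # Fallback when nothing matches; a model assumption, so set the real default explicitly.
    return "implicit", "deny"


if __name__ == "__main__":
    print(evaluate(POLICY, "IPSec_VPN", "10.255.0.5", "192.168.10.10", {"vpn_users"}))
    print(evaluate(POLICY, "IPSec_VPN", "10.255.0.5", "192.168.20.7", {"vpn_users"}))
```

Swapping the two rules in POLICY makes the group member hit the block rule first, which is the ordering mistake the model is meant to make visible.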
