Multiple client-to-site Remote Access VPNs

phphil
phphil Posts: 39  Freshman Member
First Comment Friend Collector Fifth Anniversary

Dear zyxel support,

we previously had an ATP500 firewall, now we switched to USG FLEX 500H.

in the ATP500 we was able to create multiple VPN connections of type "Remote Access (Server Role)", this way we could isolate different customers with different VPN Settings.

I can't find a way to achieve the same goal on the new USG FLEX 500H.

Am I missing something?

Thank you,

Best Regards

«1

All Replies

  • PeterUK
    PeterUK Posts: 3,399  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited April 11

    Both have the VPN functionality sorry you have the new H model at this time you can't do what the ATP or non-H FLEX can do

    would this be IKEv2 and Enable Extended Authentication Protocol with Client Mode Server Mode
    using Zyxel VPN client?

  • phphil
    phphil Posts: 39  Freshman Member
    First Comment Friend Collector Fifth Anniversary

    Thank you for the answer PeterUK,

    just to confirm if I got it right, it is not possible to have multiple client to site VPN tunnels on FLEX H?

    and I should look into achieving this using zyxel vpn client (secuextender)?

    Thank you

  • PeterUK
    PeterUK Posts: 3,399  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary

    You can only setup one Remote Access (Server Role) on FLEX H with a user group

    I'm thinking how you did this on ATP500 where by you have many tunnels on given WAN IP's or you use peer ID type IPv4 for the connecting user to that tunnel? with MS built in client?

  • phphil
    phphil Posts: 39  Freshman Member
    First Comment Friend Collector Fifth Anniversary

    on the ATP500, ATP200, and previously on USG500

    Under Configuration > VPN > IPSec VPN

    1)we simply created multiple "VPN Gateway", defining individual settings as :

    • certificate
    • encryption parameters
    • Extended Autentication Protocol > Allowed method > Server Mode > Allowed User : and specifing only a specific group of user is allowed to authenticate

    2)for each one we created the associated "VPN Connection", defining e.g.: the following settings:

    • Application Scenario: "Remote Access (Server Role)
    • The Local Policy (certain users are allowed to access only specific LAN inside our network)
    • Ip Address Pool
    • Encryption parameters

    This way when a group of users connected to VPN they was isolated on a specific LAN, and followed specific Policy Control rules.

  • PeterUK
    PeterUK Posts: 3,399  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited April 12

    so you have more then one WAN IP for each VPN Gateway? I was doing some testing with non-H FLEX but only have one WAN IP the way I found to have more then one VPN Gateway was to use peer ID type IPv4

  • phphil
    phphil Posts: 39  Freshman Member
    First Comment Friend Collector Fifth Anniversary

    No, all on the same gateway interface (WAN IP)

    We believe the firewall differentiate each connection by the encryption parameters (different on each VPN gateway and connection)

    Peer id type is set to "Any" for each one of the VPN gateway

  • PeterUK
    PeterUK Posts: 3,399  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary

    I see now interesting way of doing many VPN's per given Phase 1 that you setup the Clients to use to allow many VPN's

    so you can have Phase 1 with just

    -IntegrityCheckMethod as SHA1

    -CipherTransformConstants AES128

    -DHGroup Group2

    another Phase 1 with

    -IntegrityCheckMethod as SHA1

    -CipherTransformConstants DES3

    -DHGroup Group2

    Which Phase 2 can be anything its all about Phase 1 when one VPN rule don't match what the Clients can connect too it goes to the next rule VPN rule

  • phphil
    phphil Posts: 39  Freshman Member
    First Comment Friend Collector Fifth Anniversary

    Yes, we set it up that way, it seems there is no option to obtain the same result on the USG FLEX 500H, should we isolate the traffic using security policy per user group? or there is a better approach in your opinion?

  • PeterUK
    PeterUK Posts: 3,399  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited April 12

    Yes about security policy and user control I tested that you can't control traffic by user at this time on H models its said to be fixed just have to wait for the next release firmware.

  • Zyxel_James
    Zyxel_James Posts: 663  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate 100 Answers

    @phphil USGFLEX H series has a different platform(uOS) than ATP/USGFLEX series(ZLD). USGFLEX H series cannot set up multiple remote VPN tunnels like ATP/USGFLEX.