Multiple client-to-site Remote Access VPNs
Dear zyxel support,
We previously had an ATP500 firewall; now we switched to a USG FLEX 500H.
In the ATP500 we were able to create multiple VPN connections of type "Remote Access (Server Role)"; this way we could isolate different customers with different VPN settings.
I can't find a way to achieve the same goal on the new USG FLEX 500H.
Am I missing something?
Thank you,
Best Regards
All Replies
-
Both have the VPN functionality. Sorry, you have the new H model; at this time you can't do what the ATP or non-H FLEX can do. Would this be IKEv2 and Enable Extended Authentication Protocol with Client Mode / Server Mode using Zyxel VPN client?
0 -
Thank you for the answer PeterUK,
Just to confirm, if I got it right, it is not possible to have multiple client-to-site VPN tunnels on FLEX H?
And I should look into achieving this using Zyxel VPN Client (SecuExtender)?
Thank you
0 -
You can only set up one Remote Access (Server Role) on FLEX H with a user group.
I'm thinking how you did this on ATP500, whereby you have many tunnels on given WAN IPs or you use peer ID type IPv4 for the connecting user to that tunnel? With MS built-in client?
0 -
On the ATP500, ATP200, and previously on USG500,
under
Configuration > VPN > IPSec VPN
1) we simply created multiple "VPN Gateway" entries, defining individual settings such as:
- certificate
- encryption parameters
- Extended Authentication Protocol > Allowed method > Server Mode > Allowed User: specifying that only a specific group of users is allowed to authenticate
2) for each one we created the associated "VPN Connection", defining e.g. the following settings:
- Application Scenario: "Remote Access (Server Role)"
- The Local Policy (certain users are allowed to access only a specific LAN inside our network)
- IP Address Pool
- Encryption parameters
This way, when a group of users connected to the VPN they were isolated on a specific LAN and followed specific Policy Control rules.
0 -
So you have more than one WAN IP for each VPN Gateway? I was doing some testing with non-H FLEX but only have one WAN IP; the way I found to have more than one VPN Gateway was to use peer ID type IPv4.
0 -
No, all on the same gateway interface (WAN IP).
We believe the firewall differentiates each connection by the encryption parameters (different on each VPN gateway and connection).
Peer ID type is set to "Any" for each one of the VPN gateways.
1 -
I see now, interesting way of doing many VPNs per given Phase 1 that you set up the clients to use to allow many VPNs.
So you can have Phase 1 with just
- IntegrityCheckMethod SHA1
- CipherTransformConstants AES128
- DHGroup Group2
another Phase 1 with
- IntegrityCheckMethod SHA1
- CipherTransformConstants DES3
- DHGroup Group2
Phase 2 can be anything; it's all about Phase 1. When one VPN rule doesn't match what the clients can connect to, it goes to the next VPN rule.
0 -
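To make the selection behaviour described in the two posts above concrete (several VPN Gateways on one WAN IP with Peer ID "Any", told apart by their Phase 1 proposals, each gating on its own allowed user group and exposing its own Local Policy and address pool), here is a small model written for this thread. It is not Zyxel code and not the ZLD implementation: it assumes, as stated in the thread, that the firewall walks its VPN Gateways in order and takes the first one whose Phase 1 proposal list overlaps what the client offers, and it further assumes (not stated on the page) that the allowed-user check then happens only on that selected gateway, with no fall-through to the next gateway on an authentication failure. Gateway names, user groups, LAN names and address pools are constructed sample values.

```python
"""Model of first-match VPN Gateway selection by IKE Phase 1 proposal.

Added example for this thread, not Zyxel's code. Assumptions:
  * gateways are tried in configured order;
  * the first gateway whose Phase 1 proposals overlap the client's offer wins;
  * the allowed-user-group check runs only on the selected gateway.
"""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Proposal:
    cipher: str      # e.g. "AES128", "DES3" (names as listed in the thread)
    integrity: str   # e.g. "SHA1"
    dh_group: str    # e.g. "Group2"


@dataclass(frozen=True)
class VpnGateway:
    name: str
    proposals: tuple       # Phase 1 proposals this gateway accepts
    allowed_group: str     # EAP/XAuth Server Mode > Allowed User group
    local_policy: str      # LAN exposed by the associated VPN Connection
    address_pool: str      # IP address pool handed to clients


@dataclass(frozen=True)
class Client:
    user: str
    group: str
    proposals: tuple       # Phase 1 proposals the client offers


def select_gateway(gateways, client):
    """Return the first gateway whose proposal set overlaps the client's, or None."""
    offered = set(client.proposals)
    for gw in gateways:
        if offered & set(gw.proposals):
            return gw
    return None


def negotiate(gateways, client):
    """Simulate the connection attempt.

    Returns (gateway name, local policy, address pool) on success, or a string
    describing why the attempt failed.
    """
    gw = select_gateway(gateways, client)
    if gw is None:
        return "no-proposal-match"
    # Assumption: no retry against later gateways once this one is selected.
    if client.group != gw.allowed_group:
        return "auth-rejected-by-" + gw.name
    return (gw.name, gw.local_policy, gw.address_pool)


def overlapping_gateways(gateways):
    """List (earlier, later) gateway name pairs that share a Phase 1 proposal.

    Any such pair means the earlier gateway shadows the later one for clients
    offering the shared proposal, so per-gateway isolation cannot be relied on.
    """
    return [
        (a.name, b.name)
        for a, b in combinations(gateways, 2)
        if set(a.proposals) & set(b.proposals)
    ]


# Constructed sample configuration mirroring the thread's two Phase 1 sets.
AES_SHA1_G2 = Proposal("AES128", "SHA1", "Group2")
DES3_SHA1_G2 = Proposal("DES3", "SHA1", "Group2")

GATEWAYS = (
    VpnGateway("gw_customerA", (AES_SHA1_G2,), "customerA_users", "LAN_A", "10.10.1.0/24"),
    VpnGateway("gw_customerB", (DES3_SHA1_G2,), "customerB_users", "LAN_B", "10.10.2.0/24"),
)

# A client pinned to one proposal lands on the matching gateway.
ALICE = Client("alice", "customerA_users", (AES_SHA1_G2,))
BOB = Client("bob", "customerB_users", (DES3_SHA1_G2,))
# A client that offers both proposals is caught by the first gateway.
BOB_BROAD = Client("bob", "customerB_users", (AES_SHA1_G2, DES3_SHA1_G2))

if __name__ == "__main__":
    for c in (ALICE, BOB, BOB_BROAD):
        print(c.user, c.proposals, "->", negotiate(GATEWAYS, c))
    print("overlaps:", overlapping_gateways(GATEWAYS))
```

Running the model shows the point the thread makes implicitly: the scheme only separates customers when each client is pinned to exactly one of the configured Phase 1 sets (as PeterUK's per-client lists do). A client that offers both proposals is always caught by the first gateway, where the user-group check rejects it, so the allowed-user group remains the real access control and the proposal only steers the client to a gateway. `overlapping_gateways` is a quick configuration check for the same failure mode on the gateway side.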
Yes, we set it up that way. It seems there is no option to obtain the same result on the USG FLEX 500H; should we isolate the traffic using a security policy per user group? Or is there a better approach in your opinion?
0 -
Yes, about security policy and user control: I tested that you can't control traffic by user at this time on H models. It's said to be fixed; just have to wait for the next release firmware.
0 -
@phphil USG FLEX H series has a different platform (uOS) than the ATP/USG FLEX series (ZLD). USG FLEX H series cannot set up multiple remote VPN tunnels like ATP/USG FLEX.
0