Site-to-site USG FLEX500 - Strongswan

Zolik · May 1

Hi,

we had lot of routers (kerio, unifi, etc..), on each router we had set up IPsec tunnel to our datacenter. In datacenter we have Debian server with Strongswan (it has public IP).
Always I set up on Debian remote and local network and on router remote and local sites too.

Now we bought flex 500 and I need set up the same tunnel.
I have set up strongswan like this:

conn office
authby=secret
left=%defaultroute
leftid=xxxxx
leftsubnet=10.1.4.0/24, 10.8.0.0/23
right=xxxxx
rightsubnet=10.54.0.0/22
ike=aes256-sha2_256-modp2048!
esp=aes256-sha2_256!
keyingtries=0
ikelifetime=1h
lifetime=8h
dpddelay=30
dpdtimeout=120
dpdaction=restart
auto=start

On zyxel I have set up remote subnet only 10.1.4.0/24 because I cant add a second remote subnet to VPN connection.
I created policy route like this: (OVPN is subnet 10.8.0.0/22)

But I have connected only 10.1.4.0/24 with 10.54.0.0/22… I can't connect 10.8.0.0/23 to 10.54.0.0/22…

Can you help me please?

Zyxel_Jeff · May 7

Hello Zolik,

Could you provide the remote Web-GUI to us for further checking? I will send a private message to you later.

zyman2008 · May 9

Hi @Zolik ,

Zyxel firewall doesn't support multiple subnets in the same IPSec rule.

You need to setup it in separate VPN connection rules but with same Gateway.

StrongSwan setting:

conn office

authby=secret

left=%defaultroute

leftid=xxxxx

leftsubnet=10.1.4.0/24

right=xxxxx

rightsubnet=10.54.0.0/22

ike=aes256-sha2_256-modp2048!

esp=aes256-sha2_256!

keyingtries=0

ikelifetime=1h

lifetime=8h

dpddelay=30

dpdtimeout=120

dpdaction=restart

auto=start

conn office-2
also=office
leftsubnet=10.8.0.0/23
rightsubnet=10.54.0.0/22

Zyxel Firewall Setting:

Create another VPN Connection rule for 10.54.0.0/22 to 10.8.0.0/23 and bind to the same VPN Gateway rule.

zyman2008 · May 9

Site-to-site USG FLEX500 - Strongswan

All Replies

Categories

Security Highlight

Security Help Center