Only 4 tunnel interfaces possible

Line2 Posts: 40  Freshman Member
edited April 2021 in Security
Is there a technical reason why only 4 tunnel interfaces are possible on USG/ZyWALLs? For GRE/IPSec more would be helpful.

All Replies

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,396  Zyxel Employee
    Hi @Line2,

    There is no technical reason for the specification about the currently supported tunnel interface number.
    The new IPSec virtual tunnel interface (VTI) was introduced in firmware 4.20, so we suggest you use the VTI interface instead of the Tunnel interface.
    Compared to GRE with extra GRE header overhead, it is better to use VTI instead of GRE over IPSec.
    If you still think it is necessary to increase the number of Tunnel interfaces, please feel free to let us know and we will evaluate the enhancement on this feature.
  • Line2
    Line2 Posts: 40  Freshman Member

    I know VTI. I set up a lot of VTI/IPSec, between ZyWALLs only, and most of the time I use VTI and OSPF for dynamic routing. I know the overhead of GRE (24 bytes). But there are different restrictions where you can't use VTI (3rd-party firewalls without VTI or no VTI with dynamic IPs there, general antipathy for VTI among a lot of firewall admins because of leak difficulty...).
    That's the same reason why I made a feature request to support OSPF on GRE interfaces. By the way, a loopback interface on ZyWALLs would be handy for such things too ;-)

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,396  Zyxel Employee

    Hi @Line2,


    Thanks for your suggestion.

    I would like to move your request to the ideas section.

  • Line2
    Line2 Posts: 40  Freshman Member
    ok, if it helps :-)
  • Line2
    Line2 Posts: 40  Freshman Member
    thank you
  • Kade
    Kade Posts: 8  Freshman Member
    One feature that I would like to add is the ability to encrypt the GRE tunnel with IPsec to make it secure for routing packets between sites.
  • Zyxel_Vic
    Zyxel_Vic Posts: 282  Zyxel Employee
    Hi @Kade
    I added your request into the idea post Emily created, too. 

    Here is the idea post.
  • alexey
    alexey Posts: 188  Master Member

    Hi.

    We want to start using GRE over IPsec on our sites with old USG1000s, which don't support VTI for auto-disabling routes, and 4 GREs are too few for our needs.

    Will you implement more GREs in the future, and will a beta FW be available for testing?

  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,377  Zyxel Employee

    USG1000 does not support GRE over IPSec.

    You can consider the USG1100 or VPN300, which support the GRE over IPSec function.

