zyman2008  Master Member

Comments

  • Hi @Miky, I don't think it can be done. As far as I know, the Zyxel firewall does not support acting as an IPsec client that requests an IP address from a VPN server. It supports site-to-site and VPN server only.
    Section: ATP-100 Surfshark VPN Comment by zyman2008 Oct 23
  • Hi @Gel, Change the next-hop of this policy route to the new Trunk. Note: you need to enable and set up connectivity check on the primary interface. What valerio_vanni mentioned is also a solution. My preference is to use a trunk for the setup. It makes the policy route table cleaner. Too many rules often make it difficult for me…
    Section: Trunk configuration Comment by zyman2008 Oct 19
  • Hi @Gel, Just set up a Trunk and set it as default. 1. Create a new Trunk. Set the primary link as active mode and the backup link as passive mode. 2. Select this Trunk as default.
    Section: Trunk configuration Comment by zyman2008 Oct 18
  • I think it is not a good approach to add the IP address into Geo/Country in this case. From the security operations point of view, adding another security policy with an address group object is the right way to fit that. (1) The full rules are more visible on the same security policy page. (2) You can identify firewall logging…
    Section: Whitelisted IPs Comment by zyman2008 Sep 27
  • Hi @ST1, I found a way to add proxy ARP via CLI. Let's get back to your original setting for the L2TP/IPSec client. VPN client Pool: 192.168.171.50 - 192.168.171.99 SSH to your firewall and use the following CLI to add proxy ARP for the IPs of VPN clients. Router# configure terminal Router(config)# interface lan1…
  • Hi @ST1, If both site-to-site VPN devices are Zyxel firewalls, then create a policy route to enforce the route from the IP of the VPN client to the remote site. Also, on the remote site, create a policy route to enforce remote resources to the IP of VPN clients. Here is an example, Site 1 LAN1: 192.168.171.0/24 VPN Client IP:…
  • Hi @ST1, Change the IP pool for the VPN client to another subnet other than 192.168.171.0/24. Zyxel firewall IPSec VPN does not support proxy ARP of the VPN client's IP address to the LAN.
  • Hi @EMMEGI, Check the settings of the opt-wan2 interface. Make sure: (1) The type is external (2) The ZONE is WAN (3) With Gateway setting if the IP address is static.
    Section: Routing LAN1 to WAN1 LAN2 to WAN2 Comment by zyman2008 Aug 5
  • Hi @EMMEGI, 1. Keep the current WAN Trunk setting. 2. Go to Routing > Policy Route, just add a policy route for LAN2 to WAN2.
    Section: Routing LAN1 to WAN1 LAN2 to WAN2 Comment by zyman2008 Aug 2
  • Hi @EMMEGI, To classify the scenario, is this what you want? LAN1 uses WAN1 by default, if WAN1 is alive. If WAN1 has a problem, then LAN1 can use WAN2 as a backup link. LAN2 uses WAN2 by default, if WAN2 is alive. If WAN2 has a problem, then LAN2 can use WAN1 as a backup link.
    Section: Routing LAN1 to WAN1 LAN2 to WAN2 Comment by zyman2008 Aug 2
  • Hi @LPAPP, Topology: ZyWALL → Duo Proxy → RADIUS Server Here is the example. [radius_client] host=<IP of your RADIUS server> secret=xxxxxxxx port=<RADIUS Auth. port of your RADIUS server. Default is 1812.> pass_through_all=true [radius_server_auto] ikey=******************** skey=****************************************…
    Section: Cisco DUO for 2FA Comment by zyman2008 Jul 17
  • In your case, there is only one active interface and one passive interface, so the trunk doesn't care about the load balance algorithm. It runs for failover/fallback.
  • Hi @Philodendrin, Policy route takes precedence over the 1-1 NAT return route. You need a policy route to overwrite the 1-1 NAT return route. Create a WAN Trunk, with WAN1 as active and WAN2 as passive interface. Create a policy route, source IP: private IP of your server, destination IP: any, service: any, Next-hop: the WAN…
  • Section: Site-to-site USG FLEX500 - Strongswan Comment by zyman2008 May 9
  • Hi @Zolik, Zyxel firewall doesn't support multiple subnets in the same IPSec rule. You need to set it up in separate VPN connection rules but with the same Gateway. StrongSwan setting: conn office authby=secret left=%defaultroute leftid=xxxxx leftsubnet=10.1.4.0/24 right=xxxxx rightsubnet=10.54.0.0/22…
    Section: Site-to-site USG FLEX500 - Strongswan Comment by zyman2008 May 9