ZyXEL Communications ZyWALL USG Series Application Notes page 142

Unified security gateway

Hide thumbs Also See for ZyWALL USG Series:

Reference manual (426 pages)

Application note (184 pages)

User manual (150 pages)

Table Of Contents

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

page of 187

/ 187
Contents
Table of Contents
Bookmarks

Table of Contents

• My Address: 10.0.0.1

• Peer Gateway Address: 10.0.0.2

VPN Connection (VPN Tunnel 1):

• Local Policy: 192.168.168.0~192.168.169.255

• Remote Policy: 192.168.167.0/255.255.255.0

• Disable Policy Enforcement

VPN Gateway (VPN Tunnel 2):

• My Address: 10.0.0.1

• Peer Gateway Address: 10.0.0.3

VPN Connection (VPN Tunnel 2):

• Local Policy: 192.168.167.0~192.168.168.255

• Remote Policy: 192.168.169.0/255.255.255.0

• Disable Policy Enforcement

Branch Office B (ZLD-based USG):

VPN Gateway:

• My Address: 10.0.0.3

• Peer Gateway Address: 10.0.0.1

VPN Connection:

• Local Policy: 192.168.169.0/255.255.255.0

• Remote Policy: 192.168.167.0~192.168.168.255

• Disable Policy Enforcement

3.3.1 What Can Go Wrong

Consider the following when implementing a hub-and-spoke VPN.

• This example uses a wide range for the ZyNOS-based USG's remote network, to use a narrower

range.

• The local IP addresses configured in the VPN rules should not overlap.

• The hub router must have at least one separate VPN rule for each spoke. In the local policy ,

specify the IP addresses of the hub-and-spoke networks with which the spoke is to be able to

have a VPN tunnel. This may require you to use more than one VPN rule.

• T o have all Internet access from the spoke routers to go through the VPN tunnel, set the VPN

rules in the spoke routers to use 0.0.0.0 (any) as the remote IP address.

• Your firewall rules can still block VPN packets.

• If the ZLD-based USGs' VPN tunnels are members of a single zone, make sure it is not set to block

intra-zone traffic.

• The ZyNOS based USGs don't have user-configured policy routes so the only way to get traffic

destined for another spoke router to go through the ZyNOS USG's VPN tunnel is to make the remote

policy cover both tunnels.

• Since the ZLD-based USGs automatically handle the routing for VPN tunnels, if a ZLD-based USG

USG is a hub router and the local policy covers both tunnels, the automatic routing takes care of

it without needing a VPN concentrator .

141

Table of Contents

ZyXEL Communications ZyWALL USG Series Application Notes page 142

Related Manuals for ZyXEL Communications ZyWALL USG Series

Related Products for ZyXEL Communications ZyWALL USG Series

Table of Contents