ZyXEL Communications ZyWALL Series Support Note page 29

Scenario 5 – Dynamic users communicate with HQ
and all branch offices by using auto created VPN
routes
5.1 Application Scenario
For world-wide enterprises, network communication between each branch and the
headquarter office is very important. A VPN concentrator combines several IPSec VPN
connections into one secure network for site-to-site VPN and reduces the number of
VPN connections that need to be set up and maintained in the network. However a VPN
concentrator is not suitable for every situation, many companies have several mobile
users, travelers who are not located in a fixed office. When the network receives traffic
from these dynamic users, we cannot know their subnets or IP addresses in advance.
Supposing a company has a headquarter and two branch offices. Two VPN tunnels are
built up, each between the HQ and one of the branch offices. Undoubtedly, road
warriors and telecommuters can access network of HQ and branch offices respectively
by building IPSec VPN tunnel to each office. However, it is inconvenient and inefficient
for mobile users to disconnect one VPN tunnel and then connect to another VPN tunnel
if they just want to access some resource of branch office 1 while they're accessing
resources of the HQ. How to let mobile users access the networks of HQ and branch
offices at the same time with just one VPN tunnel? Now, you can achieve this goal via an
"Auto-created VPN Route". If the subnets are aggregated, auto created VPN routes can
achieve this request without VPN concentrator rules.