Hub-and-Spoke IPSec VPN Without VPN Concentrator - ZyXEL Communications ZyWALL USG Series Application Notes

Unified security gateway
Consider the following when using the VPN concentrator.
• The local IP addresses configured in the VPN rules should not overlap.
• The concentrator must have at least one separate VPN rule for each spoke. In the local policy, specify the IP addresses of the networks with which the spoke is to be able to have a VPN tunnel. This may require you to use more than one VPN rule for each spoke.
• To have all Internet access from the spoke routers go through the VPN tunnel, set the VPN rules in the spoke routers to use 0.0.0.0 (any) as the remote IP address.
• Your firewall rules can still block VPN packets.
• If on a USG USG or USG 1050 the concentrator's VPN tunnels are members of a single zone, make sure it is not set to block intra-zone traffic.

3.3 Hub-and-spoke IPSec VPN Without VPN Concentrator

Here is an example of a hub-and-spoke VPN that does not use the USG's VPN concentrator feature. In this example, branch office A has a ZyNOS-based USG, while headquarters (HQ) and branch office B have ZLD-based USGs.
• Branch A's USG uses one VPN rule to access both the headquarters (HQ) network and branch B's network.
• Branch B's USG uses one VPN rule to access both the headquarters and branch A's networks.
Figure 30 Hub-and-spoke VPN Example
This hub-and-spoke VPN example uses the following settings.

Branch Office A (ZyNOS-based USG):
Gateway Policy (Phase 1):
• My Address: 10.0.0.2
• Primary Remote Gateway: 10.0.0.1
Network Policy (Phase 2):
• Local Network: 192.168.167.0/255.255.255.0
• Remote Network: 192.168.168.0~192.168.169.255

Headquarters (ZLD-based USG):
VPN Gateway (VPN Tunnel 1):
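The two constraints that matter most when building either variant of this topology are the ones the notes spell out: spoke local networks must not overlap, and each spoke's Phase 2 remote selector must cover every peer network it is supposed to reach (or be 0.0.0.0, "any", when all traffic should go through the tunnel). The following Python script is an added example, not part of the ZyXEL application notes, that checks a set of VPN rules against those constraints before they are entered into the gateways. Branch A's selectors are taken from the settings above; the HQ and Branch B LANs (192.168.168.0/24 and 192.168.169.0/24), Branch B's remote range, and the deliberately misconfigured "Branch C" rule are assumed values constructed for the illustration.

```python
"""Phase 2 selector sanity checks for a hub-and-spoke IPsec VPN.

Added example (not from the ZyXEL notes). Each VPN rule is modelled by its
Network Policy (Phase 2) selectors. Two checks are implemented:
  1. concentrator constraint: local networks across rules must not overlap;
  2. spoke reachability: a spoke's remote selector must cover each peer LAN.
"""
import ipaddress
from dataclasses import dataclass
from itertools import combinations
from typing import List, Tuple

IPv4Net = ipaddress.IPv4Network


def parse_selector(text: str) -> List[IPv4Net]:
    """Parse a selector in the forms the ZyXEL UIs display:
    'addr/prefix', 'addr/netmask', or a range 'first~last'.
    A range is expanded to the minimal list of CIDR blocks covering it."""
    if "~" in text:
        first, last = (ipaddress.IPv4Address(p.strip()) for p in text.split("~", 1))
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.IPv4Network(text.strip(), strict=False)]


@dataclass
class VpnRule:
    name: str
    local: List[IPv4Net]   # Local Network selector(s)
    remote: List[IPv4Net]  # Remote Network selector(s)


def covers(selectors: List[IPv4Net], net: IPv4Net) -> bool:
    """True if some selector block contains the whole network."""
    return any(net.subnet_of(s) for s in selectors)


def find_local_overlaps(rules: List[VpnRule]) -> List[Tuple[str, str]]:
    """Return pairs of rule names whose local selectors overlap (constraint 1)."""
    clashes = []
    for a, b in combinations(rules, 2):
        if any(x.overlaps(y) for x in a.local for y in b.local):
            clashes.append((a.name, b.name))
    return clashes


def unreachable_peers(rule: VpnRule, peers: List[Tuple[str, IPv4Net]]) -> List[str]:
    """Return names of peer LANs that the rule's remote selector does not cover."""
    return [name for name, net in peers if not covers(rule.remote, net)]


# "any" remote, as used when all spoke Internet traffic should go via the tunnel.
ANY = parse_selector("0.0.0.0/0")

# From the page: Branch A's Phase 2 selectors (netmask and range notation).
BRANCH_A_LAN = parse_selector("192.168.167.0/255.255.255.0")[0]
BRANCH_A = VpnRule("Branch A", [BRANCH_A_LAN],
                   parse_selector("192.168.168.0~192.168.169.255"))

# Assumed for illustration (not stated on the page): HQ and Branch B LANs.
HQ_LAN = ipaddress.IPv4Network("192.168.168.0/24")
BRANCH_B_LAN = ipaddress.IPv4Network("192.168.169.0/24")
BRANCH_B = VpnRule("Branch B", [BRANCH_B_LAN],
                   parse_selector("192.168.167.0~192.168.168.255"))

# Constructed misconfiguration: a spoke whose LAN collides with Branch A's.
BAD_SPOKE = VpnRule("Branch C (bad)", parse_selector("192.168.167.128/25"), ANY)

PEERS_FOR_A = [("HQ", HQ_LAN), ("Branch B", BRANCH_B_LAN)]
PEERS_FOR_B = [("HQ", HQ_LAN), ("Branch A", BRANCH_A_LAN)]


def audit(rules: List[VpnRule], peers_by_rule: dict) -> dict:
    """Run both checks and return a report keyed by check name."""
    return {
        "local_overlaps": find_local_overlaps(rules),
        "unreachable": {r.name: unreachable_peers(r, peers_by_rule.get(r.name, []))
                        for r in rules},
    }


if __name__ == "__main__":
    report = audit([BRANCH_A, BRANCH_B, BAD_SPOKE],
                   {"Branch A": PEERS_FOR_A, "Branch B": PEERS_FOR_B})
    for pair in report["local_overlaps"]:
        print("local selector overlap:", *pair)
    for name, missing in report["unreachable"].items():
        print(f"{name}: unreachable peers -> {missing or 'none'}")
```

Running the script flags the overlap between Branch A and the constructed Branch C rule and confirms that Branch A's single 192.168.168.0~192.168.169.255 selector (a /23 once summarised) reaches both HQ and Branch B, which is exactly why one rule suffices for the spoke in the notes. The same checks apply to the concentrator variant: feed it the hub's per-spoke rules and the overlap report tells you whether the first bullet above is satisfied.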
