
ZyXEL Communications 5 Series - Figure 217 Overlap in a Dynamic VPN Rule

ZyXEL Communications 5 Series
824 pages
Chapter 19 IPSec VPN
ZyWALL 5/35/70 Series User’s Guide
Local and Remote IP Address Conflict Resolution
Normally, you do not configure your local VPN policy rule’s IP addresses to overlap with the
remote VPN policy rule’s IP addresses. For example, you usually would not configure both
with 192.168.1.0. However, overlapping local and remote network IP addresses can occur
with dynamic VPN rules or IP alias.
Dynamic VPN Rule
Local and remote network IP addresses can overlap when you configure a dynamic VPN rule
for a remote site (see Figure 217). For example, when you configure ZyWALL X, you
configure the local network as 192.168.1.0/24 and the remote network as any (0.0.0.0).
Because “any” includes all possible IP addresses, ZyWALL X will forward traffic from
network A to network B even if both the sender (for example 192.168.1.8) and the
receiver (for example 192.168.1.9) are in network A. Note that remote access users can
still use the VPN tunnel to access computers on ZyWALL X’s network.
Figure 217 Overlap in a Dynamic VPN Rule
Setting Local and Remote IP Address Conflict Resolution to The Local Network
makes ZyWALL X check whether a packet’s destination is also in the local network before
forwarding the packet. If it is, the ZyWALL sends the traffic to the local network.
Setting Local and Remote IP Address Conflict Resolution to The Remote
Network disables the check for local network IP addresses.
IP Alias
You could have an IP alias network that overlaps with the VPN remote network (see Figure
218). For example, you have an IP alias network M (10.1.2.0/24) in ZyWALL X’s LAN. For
the VPN rule, you configure the VPN network as follows.
Local IP address start: 192.168.1.1, end: 192.168.1.254
Remote IP address start: 10.1.2.240, end: 10.1.2.254
IP addresses 10.1.2.240 to 10.1.2.254 overlap.
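The two overlap cases above and the effect of each conflict-resolution setting, as an added Python example that is not taken from the ZyXEL manual or firmware. The helper names `to_range`, `overlap` and `forward` are hypothetical, and the forwarding model is an assumed simplification of the behaviour the text describes.

```python
import ipaddress

ANY = "0.0.0.0"  # the manual's notation for an "any" remote network

def to_range(spec, end=None):
    """Return (first, last) addresses for a CIDR network, a start/end pair, or 'any'."""
    if end is not None:
        return ipaddress.ip_address(spec), ipaddress.ip_address(end)
    net = ipaddress.ip_network("0.0.0.0/0" if spec == ANY else spec)
    return net[0], net[-1]

def overlap(a, b):
    """Return the (first, last) addresses shared by two ranges, or None."""
    first, last = max(a[0], b[0]), min(a[1], b[1])
    return (first, last) if first <= last else None

def forward(dst, local, remote, resolution):
    """Model where a packet goes under the given setting (assumed simplification)."""
    dst = ipaddress.ip_address(dst)
    in_local = local[0] <= dst <= local[1]
    in_remote = remote[0] <= dst <= remote[1]
    # "The Local Network": check the destination against the local side first.
    if resolution == "The Local Network" and in_local:
        return "local"
    # "The Remote Network": no local check, the rule's remote range decides.
    return "tunnel" if in_remote else "not matched"

# Addresses taken from the page.
local = to_range("192.168.1.0/24")
remote_any = to_range(ANY)
alias_m = to_range("10.1.2.0/24")
vpn_remote = to_range("10.1.2.240", "10.1.2.254")

if __name__ == "__main__":
    print("dynamic rule overlap:", overlap(local, remote_any))
    print("IP alias overlap:    ", overlap(alias_m, vpn_remote))
    for setting in ("The Local Network", "The Remote Network"):
        # 192.168.1.8 sending to 192.168.1.9, both in network A
        print(setting, "->", forward("192.168.1.9", local, remote_any, setting))
```

Running the same overlap check against a planned rule before saving it shows whether LAN-to-LAN traffic could be matched by the tunnel policy.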