ZyXEL Communications USG-100@USG-200 - V2.20 ED 2 - Configure Security Policies for the VPN Tunnel; How to Configure a Hub-And-Spoke Ipsec VPN Without a VPN Concentrator
1157 pages
Chapter 7 Tutorials
ZyWALL USG 100/200 Series User’s Guide
146
7.5.3 Configure Security Policies for the VPN Tunnel
You configure security policies based on zones. The new VPN connection was
assigned to the IPSec_VPN zone. By default, there are no security restrictions on
the IPSec_VPN zone, so, next, you should set up security policies (firewall rules,
IDP, and so on) that apply to the IPSec_VPN zone. Make sure all firewalls between
the ZyWALL and remote IPSec router allow UDP port 500 (IKE) and IP protocol 50
(AH) or 51 (ESP). If you enable NAT traversal, all firewalls between the ZyWALL
and remote IPSec router should also allow UDP port 4500.
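An added example, not taken from the ZyXEL guide: a small Python audit of an ordered, first-match rule list for an intermediate firewall, reporting which of the flows named above (IKE on UDP 500, AH or ESP, and UDP 4500 when NAT traversal is on) would be dropped between the two peers. The rule format, the addresses and the function names are assumptions made for illustration.

```python
# Added example: rule format and addresses are constructed for illustration.
from ipaddress import ip_address, ip_network

def required_flows(nat_traversal, use_ah=False):
    """(protocol, UDP destination port) pairs the tunnel needs; port None = portless."""
    flows = [("udp", 500), ("ah" if use_ah else "esp", None)]  # IKE plus AH or ESP
    if nat_traversal:
        flows.append(("udp", 4500))  # NAT traversal
    return flows

def first_match(rules, src, dst, proto, port):
    """Return the action of the first rule matching the packet, else implicit deny."""
    for rule in rules:
        if rule["proto"] not in ("any", proto):
            continue
        if rule.get("port") not in (None, port):  # missing port = any port
            continue
        if ip_address(src) not in ip_network(rule["src"]):
            continue
        if ip_address(dst) not in ip_network(rule["dst"]):
            continue
        return rule["action"]
    return "deny"

def blocked_flows(rules, peer_a, peer_b, nat_traversal, use_ah=False):
    """List (src, dst, proto, port) flows the rule list would drop, both directions."""
    blocked = []
    for proto, port in required_flows(nat_traversal, use_ah):
        for src, dst in ((peer_a, peer_b), (peer_b, peer_a)):
            if first_match(rules, src, dst, proto, port) != "allow":
                blocked.append((src, dst, proto, port))
    return blocked

ZYWALL, REMOTE = "198.51.100.10", "203.0.113.20"  # constructed documentation addresses
ANY = "0.0.0.0/0"
RULES = [  # constructed rule list for an intermediate firewall
    {"action": "allow", "proto": "udp", "port": 500, "src": ANY, "dst": ANY},
    {"action": "allow", "proto": "esp", "src": ZYWALL + "/32", "dst": REMOTE + "/32"},
    {"action": "deny", "proto": "udp", "src": ANY, "dst": ANY},  # shadows the next rule
    {"action": "allow", "proto": "udp", "port": 4500, "src": ANY, "dst": ANY},
]

if __name__ == "__main__":
    for flow in blocked_flows(RULES, ZYWALL, REMOTE, nat_traversal=True):
        print("blocked:", flow)
```

The constructed rule list shows two common causes of a tunnel that negotiates but passes no traffic: ESP permitted in one direction only, and a UDP 4500 allow rule placed after a broader UDP deny.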
7.6 How to Configure a Hub-and-spoke IPSec VPN Without a VPN Concentrator
A hub-and-spoke IPSec VPN connects IPSec VPN tunnels to form one secure
network. This reduces the number of VPN connections that you have to set up and
maintain in the network. Here is an example of a hub-and-spoke VPN that does
not use the ZyWALL’s VPN concentrator feature. Here branch office A has a
ZyNOS-based ZyWALL and headquarters (HQ) and branch office B have USG
ZyWALLs or ZyWALL 1050s.
Branch office A’s ZyWALL uses one VPN rule to access both the headquarters
(HQ) network and branch office B’s network.
Branch office B’s ZyWALL uses one VPN rule to access both the headquarters
and branch office A’s networks.
Figure 101 Hub-and-spoke VPN Example
This hub-and-spoke VPN example uses the following settings.
Branch Office A (ZyNOS-based ZyWALL):
Gateway Policy (Phase 1)