Chapter 14 IPSec VPN
14.18.1 Telecommuters Sharing One VPN Rule ExampleSee the following figure and table for an example configuration that allows multiple telecommuters (A, B and C in the figure) to use one VPN rule to simultaneously access a ZyWALL at headquarters (HQ in the figure). The telecommuters do not have domain names mapped to the WAN IP addresses of their IPSec routers. The telecommuters must all use the same IPSec parameters but the local IP addresses (or ranges of addresses) should not overlap.
Figure 216 Telecommuters Sharing One VPN Rule Example
Table 95 Telecommuters Sharing One VPN Rule Example
FIELDS | TELECOMMUTERS | HEADQUARTERS | |
My ZyWALL: | 0.0.0.0 (dynamic IP address | Public static IP address | |
| assigned by the ISP) |
|
|
|
|
|
|
Remote Gateway | Public static IP address | 0.0.0.0 | With this IP address only |
Address: |
| the telecommuter can initiate the | |
|
| IPSec tunnel. | |
|
|
| |
Local Network - Single | Telecommuter A: 192.168.2.12 | 192.168.1.10 | |
IP Address: | Telecommuter B: 192.168.3.2 |
|
|
| Telecommuter C: 192.168.4.15 |
|
|
|
|
| |
Remote Network - | 192.168.1.10 | Not Applicable | |
Single IP Address: |
|
|
|
|
|
|
|
In this example the telecommuters (A, B and C in the figure) use IPSec routers with domain names that are mapped to their dynamic WAN IP addresses (use Dynamic DNS to do this).
With aggressive negotiation mode (see Section 14.3.1.4 on page 308), the ZyWALL can use the ID types and contents to distinguish between VPN rules. Telecommuters can each use a separate VPN rule to simultaneously access a ZyWALL at headquarters. They can use different IPSec parameters. The local IP addresses (or ranges of addresses) of the rules configured on the ZyWALL at headquarters can overlap. The local IP addresses of the rules configured on the telecommuters’ IPSec routers should not overlap.
342 |
| |
ZyWALL 2WG User’s Guide |
| |
|
|
|