ZyXEL Communications USG 2000 7.5.0.1Hub-and-spokeVPN Requirements and Suggestions

Chapter 7 Tutorials

•My Address: 10.0.0.1

•Peer Gateway Address: 10.0.0.2

VPN Connection (VPN Tunnel 1):

•Local Policy: 192.168.168.0~192.168.169.255

•Remote Policy:192.168.167.0/255.255.255.0

•Disable Policy Enforcement

VPN Gateway (VPN Tunnel2):

•My Address: 10.0.0.1

•Peer Gateway Address: 10.0.0.3

VPN Connection (VPN Tunnel 2):

•Local Policy: 192.168.167.0~192.168.168.255

•Remote Policy: 192.168.169.0/255.255.255.0

•Disable Policy Enforcement

Branch Office B (ZyWALL USG):

VPN Gateway:

•My Address: 10.0.0.3

•Peer Gateway Address: 10.0.0.1

VPN Connection:

•Local Policy: 192.168.169.0/255.255.255.0

•Remote Policy: 192.168.167.0~192.168.168.255

•Disable Policy Enforcement

Consider the following when implementing a hub-and-spoke VPN.

•This example uses a wide range for the ZyNOS-based ZyWALL’s remote network, to use a narrower range, see Section 25.4.1 on page 465 for an example of configuring a VPN concentrator.

•The local IP addresses configured in the VPN rules should not overlap.

•The hub router must have at least one separate VPN rule for each spoke. In the local policy, specify the IP addresses of the hub-and-spoke networks with which the spoke is to be able to have a VPN tunnel. This may require you to use more than one VPN rule.