ZyXEL Communications USG 2000 7.6How to Configure User-awareAccess Control

Chapter 7 Tutorials

•To have all Internet access from the spoke routers to go through the VPN tunnel, set the VPN rules in the spoke routers to use 0.0.0.0 (any) as the remote IP address.

•Your firewall rules can still block VPN packets.

•If the USG ZyWALLs’ VPN tunnels are members of a single zone, make sure it is not set to block intra-zone traffic.

•The ZyNOS based ZyWALLs don't have user-configured policy routes so the only way to get traffic destined for another spoke router to go through the ZyNOS ZyWALL's VPN tunnel is to make the remote policy cover both tunnels.

•Since the USG ZyWALLs automatically handle the routing for VPN tunnels, if a USG ZyWALL is a hub router and the local policy covers both tunnels, the automatic routing takes care of it without needing a VPN concentrator.

•If a ZyNOS-based ZyWALL’s remote network setting overlaps with its local network settings, set ipsec swSkipOverlapIp to on to send traffic destined to A’s local network to A’s local network instead of through the VPN tunnel.

7.6How to Configure User-aware Access Control

You can configure many policies and security settings for specific users or groups of users. This is illustrated in the following example, where you will set up the following policies. This is a simple example that does not include priorities for different types of traffic. See Bandwidth Management on page 523 for more on bandwidth management.

Table 20 User-aware Access Control Example

The users are authenticated by an external RADIUS server at 192.168.1.200.

First, set up the user accounts and user groups in the ZyWALL. Then, set up user authentication using the RADIUS server. Finally, set up the policies in the table above.

The ZyWALL has its default settings.