Chapter 7 Tutorials

7.5.3 Configure Security Policies for the VPN Tunnel

You configure security policies based on zones. Assign the new VPN connection to a zone to be able to apply security policies (firewall rules, IDP, and so on) to the VPN connection. Make sure all firewalls between the ZyWALL and remote IPSec router allow UDP port 500 (IKE) and IP protocol 50 (AH) or 51 (ESP). If you enable NAT traversal, all firewalls between the ZyWALL and remote IPSec router should also allow UDP port 4500.
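The port and protocol requirements above are easy to get subtly wrong, most often by permitting IKE in only one direction or by forgetting UDP port 4500 after NAT traversal is switched on. The following is an added example, not code from this guide or from ZyXEL: a small first-match packet-filter model with a check that reports which of the required IPsec flows a policy would block between the ZyWALL and the remote IPSec router. The rule format, the addresses (RFC 5737 documentation ranges) and the rule sets are constructed for illustration; adapt the loader to the export format of whatever firewall sits between the two peers.

```python
"""Check that a packet filter between two IPsec peers passes the tunnel's traffic.

Added example; not code from the ZyWALL USG 300 User's Guide or from ZyXEL.
The rule format (an ordered list evaluated first-match, unmatched traffic
denied) and all addresses below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

UDP = 17
IPSEC_PROTOS = (50, 51)   # the two IPsec carrier protocols (AH and ESP)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None   # only meaningful for UDP/TCP


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: str                      # CIDR, or "any"
    dst: str
    proto: Optional[int] = None   # None matches any IP protocol
    dport: Optional[int] = None   # None matches any port

    def matches(self, f: Flow) -> bool:
        def in_net(addr: str, net: str) -> bool:
            return net == "any" or ip_address(addr) in ip_network(net)
        if not (in_net(f.src, self.src) and in_net(f.dst, self.dst)):
            return False
        if self.proto is not None and self.proto != f.proto:
            return False
        return self.dport is None or self.dport == f.dport


def permitted(rules: List[Rule], flow: Flow) -> bool:
    """First-match evaluation with an implicit final deny."""
    for r in rules:
        if r.matches(flow):
            return r.action == "allow"
    return False


def ipsec_gaps(rules: List[Rule], local: str, remote: str,
               nat_traversal: bool = False) -> List[str]:
    """Describe every piece of IPsec traffic the policy would block.

    Both directions are checked because IKE and the tunnel payload are
    initiated from either end (rekeys, dead-peer detection, return traffic).
    """
    def both_ways(proto: int, dport: Optional[int] = None) -> bool:
        return all(permitted(rules, Flow(a, b, proto, dport))
                   for a, b in ((local, remote), (remote, local)))

    gaps = []
    if not both_ways(UDP, 500):
        gaps.append("IKE: UDP port 500 must be allowed in both directions")
    if not any(both_ways(p) for p in IPSEC_PROTOS):
        gaps.append("IPsec payload: IP protocol 50 or 51 must be allowed in both directions")
    if nat_traversal and not both_ways(UDP, 4500):
        gaps.append("NAT traversal: UDP port 4500 must be allowed in both directions")
    return gaps


# Constructed addresses (RFC 5737 documentation ranges).
LOCAL = "203.0.113.10"     # ZyWALL WAN address (constructed)
REMOTE = "198.51.100.20"   # remote IPSec router (constructed)

# Constructed policy: IKE and IP protocol 50 allowed, everything else denied.
BASE_RULES = [
    Rule("allow", "203.0.113.0/24", "198.51.100.0/24", UDP, 500),
    Rule("allow", "198.51.100.0/24", "203.0.113.0/24", UDP, 500),
    Rule("allow", "203.0.113.0/24", "198.51.100.0/24", 50),
    Rule("allow", "198.51.100.0/24", "203.0.113.0/24", 50),
    Rule("deny", "any", "any"),
]

# Same policy with the UDP 4500 exception needed once NAT traversal is on.
NAT_T_RULES = BASE_RULES[:4] + [
    Rule("allow", "203.0.113.0/24", "198.51.100.0/24", UDP, 4500),
    Rule("allow", "198.51.100.0/24", "203.0.113.0/24", UDP, 4500),
    Rule("deny", "any", "any"),
]

if __name__ == "__main__":
    for name, rules, natt in (("base, no NAT-T", BASE_RULES, False),
                              ("base, NAT-T on", BASE_RULES, True),
                              ("with 4500, NAT-T on", NAT_T_RULES, True)):
        print(f"{name}: {ipsec_gaps(rules, LOCAL, REMOTE, natt) or 'OK'}")
```

Running the block shows that `BASE_RULES` is sufficient until NAT traversal is enabled, at which point the missing UDP port 4500 exception is reported; `NAT_T_RULES` clears that gap. The check deliberately requires each flow in both directions, since a policy that only permits the ZyWALL to initiate will break rekeys and return traffic originated by the remote peer.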

7.6 How to Configure a Hub-and-spoke IPSec VPN Without a VPN Concentrator

A hub-and-spoke IPSec VPN connects IPSec VPN tunnels to form one secure network. This reduces the number of VPN connections that you have to set up and maintain in the network. Here is an example of a hub-and-spoke VPN that does not use the ZyWALL’s VPN concentrator feature. Here branch office A has a ZyNOS-based ZyWALL and headquarters (HQ) and branch office B have USG ZyWALLs.

Branch office A’s ZyWALL uses one VPN rule to access both the headquarters (HQ) network and branch office B’s network.

Branch office B’s ZyWALL uses one VPN rule to access both the headquarters and branch office A’s networks.

Figure 99 Hub-and-spoke VPN Example

This hub-and-spoke VPN example uses the following settings.

Branch Office A (ZyNOS-based ZyWALL):

Gateway Policy (Phase 1)

142


ZyWALL USG 300 User’s Guide