Chapter 20 IPSec VPN

Table 96 VPN > IPSec VPN > VPN Gateway > Edit (continued)

LABEL     DESCRIPTION
Apply     Click Apply to save your changes in the ZyWALL.
Cancel    Click Cancel to exit this screen without saving.

20.5 VPN Concentrator

A VPN concentrator combines several VPN connections into one secure network. Figure 207 on page 318 shows an example of this, as well as one alternative approach.

Figure 207 VPN Topologies

The VPN concentrator is used in the second approach. In the first (fully-meshed) approach, there is a VPN connection between every pair of routers. In the second (hub-and-spoke) approach, there is a VPN connection between each spoke router (B, C, D, and E) and the hub router (A), which runs the VPN concentrator. The VPN concentrator on the hub routes VPN traffic arriving from one spoke router out to the spoke router that owns the destination, so the spokes reach each other through the hub rather than directly.

The biggest advantage of a VPN concentrator is that it reduces the number of VPN connections that you have to set up and maintain: a full mesh of n routers needs n(n-1)/2 tunnels, while a hub-and-spoke network of the same size needs only n-1 (in Figure 207, 10 tunnels versus 4). You might also be able to consolidate the policy routes in each spoke router, because every remote subnet is reached through the same tunnel to the hub; whether a single summary route is enough depends on the IP addresses and subnets of each spoke.

You should not use a VPN concentrator in every situation, however. The hub router is a single point of failure: if it goes down (for maintenance, for example), every spoke loses its connection to every other spoke, so a VPN concentrator is not appropriate where spoke-to-spoke connectivity cannot tolerate occasional outages. In addition, there is a significant burden on the hub router. It receives VPN traffic from one spoke, decrypts it, inspects it to find out to which spoke to route it, encrypts it again, and sends it to that spoke, so the hub performs two cryptographic operations for every spoke-to-spoke packet and must hold security associations with all spokes. Note also that spoke-to-spoke traffic is in cleartext on the hub between those two steps; in a full mesh it is exposed only at the two endpoints of each tunnel, so the hub must be protected accordingly. Therefore, a VPN concentrator is more suitable when there is little traffic between spoke routers.
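The following Python model of the two topologies in Figure 207 is an added illustration and not ZyWALL code. It uses the router names from the figure (hub A, spokes B to E) and assumes one constructed LAN subnet behind each spoke; it counts the tunnels each topology needs, shows what the concentrator does with a decrypted packet (longest-prefix lookup to pick the spoke tunnel for re-encryption), checks spoke-to-spoke reachability with the hub down, and shows how a spoke's policy routes collapse to one covering prefix when all remote subnets sit behind the same hub tunnel.

```python
"""Model of the two VPN topologies in Figure 207: a full mesh versus a
hub-and-spoke layout with router A acting as the VPN concentrator.

Added illustration, not ZyWALL code.  Router names follow the figure;
the LAN subnets behind each spoke are assumed values chosen so that
the policy-route consolidation described in the text is visible."""
import ipaddress
from itertools import combinations

HUB = "A"
# Assumed LAN subnet behind each spoke router (constructed for this example).
SPOKES = {
    "B": ipaddress.ip_network("10.0.1.0/24"),
    "C": ipaddress.ip_network("10.0.2.0/24"),
    "D": ipaddress.ip_network("10.0.3.0/24"),
    "E": ipaddress.ip_network("10.0.4.0/24"),
}


def full_mesh_tunnels(routers):
    """One VPN connection per pair of routers: n(n-1)/2 tunnels."""
    return [frozenset(pair) for pair in combinations(routers, 2)]


def hub_and_spoke_tunnels(hub, spokes):
    """One VPN connection from each spoke to the concentrator: n-1 tunnels."""
    return [frozenset((hub, spoke)) for spoke in spokes]


def reachable(src, dst, tunnels, down=frozenset()):
    """True if traffic from src can reach dst over the given tunnels while
    the routers in `down` are out of service (maintenance, failure)."""
    if src in down or dst in down:
        return False
    seen, frontier = {src}, [src]
    while frontier:
        router = frontier.pop()
        if router == dst:
            return True
        for tunnel in tunnels:
            if router in tunnel:
                (peer,) = tunnel - {router}
                if peer not in seen and peer not in down:
                    seen.add(peer)
                    frontier.append(peer)
    return False


def hub_forward(dst_ip, spokes):
    """What the concentrator does after decrypting a packet from one spoke:
    longest-prefix match on the destination to pick the spoke tunnel into
    which the packet is re-encrypted.  Returns the spoke name, or None when
    no spoke owns the destination (the hub should drop it, not forward it)."""
    ip = ipaddress.ip_address(dst_ip)
    matches = [(net.prefixlen, name) for name, net in spokes.items() if ip in net]
    return max(matches)[1] if matches else None


def covering_prefix(nets):
    """Smallest single prefix that contains every network in `nets`."""
    cover = nets[0]
    while not all(net.subnet_of(cover) for net in nets):
        cover = cover.supernet()
    return cover


def spoke_routes_mesh(spoke, spokes):
    """Full mesh: a spoke needs one policy route per remote spoke, each
    pointing at a different tunnel."""
    return {str(net): f"tunnel {spoke}-{other}"
            for other, net in spokes.items() if other != spoke}


def spoke_routes_concentrator(spoke, hub, spokes):
    """Hub and spoke: every remote subnet is behind the same tunnel, so the
    routes consolidate into one covering prefix via the hub.  The spoke's
    own LAN may fall inside that cover; its connected route is more
    specific and still wins."""
    remote = [net for other, net in spokes.items() if other != spoke]
    return {str(covering_prefix(remote)): f"tunnel {spoke}-{hub}"}


if __name__ == "__main__":
    routers = [HUB, *SPOKES]
    mesh = full_mesh_tunnels(routers)
    hns = hub_and_spoke_tunnels(HUB, SPOKES)
    print(f"tunnels: mesh={len(mesh)} hub-and-spoke={len(hns)}")
    print("B->C with A down: mesh", reachable("B", "C", mesh, {"A"}),
          "hub-and-spoke", reachable("B", "C", hns, {"A"}))
    print("hub forwards 10.0.3.7 to spoke", hub_forward("10.0.3.7", SPOKES))
    print("B routes (mesh):", spoke_routes_mesh("B", SPOKES))
    print("B routes (concentrator):", spoke_routes_concentrator("B", HUB, SPOKES))
```

With the assumed subnets, spoke B's three mesh routes collapse to a single 10.0.0.0/21 via its tunnel to A; the cover also contains B's own 10.0.1.0/24, which is why the spoke's directly connected route must remain the more specific entry. The reachability check makes the single-point-of-failure argument concrete: with A down, B still reaches C in the mesh but not through the concentrator.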

318
ZyWALL USG 1000 User’s Guide