ZyXEL Communications ZyWALL 300 20.5 VPN Concentrator

Chapter 20 IPSec VPN

Table 96 VPN > IPSec VPN > VPN Gateway > Edit (continued)

LABEL	DESCRIPTION
Password	This field is required if the ZyWALL is in Client Mode for extended authentication.
	Type the password the ZyWALL sends to the remote IPSec router. The password
	can be 1-31 ASCII characters. It is case-sensitive, but spaces are not allowed.

Apply	Click Apply to save your changes in the ZyWALL.

Cancel	Click Cancel to exit this screen without saving.

20.5 VPN Concentrator

A VPN concentrator combines several VPN connections into one secure network. Figure 207 on page 318 shows an example of this, as well as one alternative approach.

Figure 207 VPN Topologies

The VPN concentrator is used in the second approach. In the first (fully-meshed) approach, there is a VPN connection between every pair of routers. In the second (hub-and-spoke) approach, there is a VPN connection between each spoke router (B, C, D, and E) and the hub router (A), which uses the VPN concentrator. The VPN concentrator routes VPN traffic between the spoke routers and itself.

The biggest advantage of a VPN concentrator is that it reduces the number of VPN connections that you have to set up and maintain in the network. You might also be able to consolidate the policy routes in each spoke router, depending on the IP addresses and subnets of each spoke.

You should not use a VPN concentrator in every situation, however. The hub router is a single point of failure, so a VPN concentrator is not as appropriate if the connection between spoke routers cannot be down occasionally (maintenance, for example). In addition, there is a significant burden on the hub router. It receives VPN traffic from one spoke, decrypts it, inspects it to find out to which spoke to route it, encrypts it, and sends it to the appropriate spoke. Therefore, a VPN concentrator is more suitable when there is a minimum amount of traffic between spoke routers.

318
318	ZyWALL USG 300 User’s Guide