Chapter 4 Create Secure Connections Across the Internet
ZyWALL USG 20-2000 User’s Guide
75
• To have all Internet access from the spoke routers to go through the VPN tunnel, set the VPN
rules in the spoke routers to use 0.0.0.0 (any) as the remote IP address.
• Your firewall rules can still block VPN packets.
• If the ZLD-based ZyWALLs’ VPN tunnels are members of a single zone, make sure it is not set to
block intra-zone traffic.
• The ZyNOS based ZyWALLs don't have user-configured policy routes so the only way to get traffic
destined for another spoke router to go through the ZyNOS ZyWALL's VPN tunnel is to make the
remote policy cover both tunnels.
• Since the ZLD-based ZyWALLs automatically handle the routing for VPN tunnels, if a ZLD-based
ZyWALL ZyWALL is a hub router and the local policy covers both tunnels, the automatic routing
takes care of it without needing a VPN concentrator.
• If a ZyNOS-based ZyWALL’s remote network setting overlaps with its local network settings, set
ipsec swSkipOverlapIp
to
on
to send traffic destined to A’s local network to A’s local network
instead of through the VPN tunnel.
4.4 ZyWALL IPSec VPN Client Configuration Provisioning
VPN configuration provisioning gives ZyWALL IPSec VPN Client users VPN rule settings
automatically.
Figure 31
IPSec VPN Configuration Provisioning Process
1
User Charlotte with the ZyWALL IPSec VPN Client sends her user name and password to the
ZyWALL.
2
The ZyWALL sends the settings for the matching VPN rule.
4.4.1 Overview of What to Do
1
Create a VPN rule on the ZyWALL using the VPN Configuration Provisioning wizard.
2
Configure a username and password for the rule on the ZyWALL.
3
On a computer, use the ZyWALL IPSec VPN Client to get the VPN rule configuration.
Now user Charlotte can access the network behind the ZyWALL through the VPN tunnel.