Chapter 4 Create Secure Connections Across the Internet

ZyWALL USG 20-2000 User’s Guide

75

• To have all Internet access from the spoke routers to go through the VPN tunnel, set the VPN 

rules in the spoke routers to use 0.0.0.0 (any) as the remote IP address. 

• Your firewall rules can still block VPN packets.
• If the ZLD-based ZyWALLs’ VPN tunnels are members of a single zone, make sure it is not set to 

block intra-zone traffic.

• The ZyNOS based ZyWALLs don't have user-configured policy routes so the only way to get traffic 

destined for another spoke router to go through the ZyNOS ZyWALL's VPN tunnel is to make the 
remote policy cover both tunnels. 

• Since the ZLD-based ZyWALLs automatically handle the routing for VPN tunnels, if a ZLD-based 

ZyWALL ZyWALL is a hub router and the local policy covers both tunnels, the automatic routing 
takes care of it without needing a VPN concentrator.

• If a ZyNOS-based ZyWALL’s remote network setting overlaps with its local network settings, set 

ipsec swSkipOverlapIp

 to 

on

 to send traffic destined to A’s local network to A’s local network 

instead of through the VPN tunnel.

4.4  ZyWALL IPSec VPN Client Configuration Provisioning

VPN configuration provisioning gives ZyWALL IPSec VPN Client users VPN rule settings 
automatically.

Figure 31   

IPSec VPN Configuration Provisioning Process

1

User Charlotte with the ZyWALL IPSec VPN Client sends her user name and password to the 
ZyWALL.

2

The ZyWALL sends the settings for the matching VPN rule.

4.4.1  Overview of What to Do

1

Create a VPN rule on the ZyWALL using the VPN Configuration Provisioning wizard.

2

Configure a username and password for the rule on the ZyWALL.

3

On a computer, use the ZyWALL IPSec VPN Client to get the VPN rule configuration.

Now user Charlotte can access the network behind the ZyWALL through the VPN tunnel.