VPN between 3 zywalls

Archived from groups: comp.dcom.vpn

Hi!

Maybe anyone knows a solution for the following problem:

I want to establish a VPN between a headquarter and 2 offices (3
different IP subnets). Each location uses a zywall as internet router
and firewall.

First, obviously it's impossible to create 2 VPN rules at the
headquarter, each of them connecting to one office, because the local
subnets of the 2 rules would overlap.

On the other side, when I share one VPN rule at the headquarter for
both clients, using 0.0.0.0 for the client IP address (and vice versa)
as it's described in the zywall documentation, it's only possible to
initiate the connection from the client side. This doesn't cover my
needs. I need to initiate the connection from both sides!

So, are there any other possibilities to master such a scenario with 3
zywalls?

Any help would be greatly appreciated,
best regards, Gert
  1.

    Gert Wurzer wrote:
    > Hi!
    >
    > Maybe anyone knows a solution for the following problem:
    >
    > I want to establish a VPN between a headquarter and 2 offices (3
    > different IP subnets). Each location uses a zywall as internet router
    > and firewall.
    >
    > First, obviously it's impossible to create 2 VPN rules at the
    > headquarter, each of them connecting to one office, because the local
    > subnets of the 2 rules would overlap.
    >
    > On the other side, when I share one VPN rule at the headquarter for
    > both clients, using 0.0.0.0 for the client IP address (and vice versa)
    > as it's described in the zywall documentation, it's only possible to
    > initiate the connection from the client side. This doesn't cover my
    > needs. I need to initiate the connection from both sides!
    >
    > So, are there any other possibilities to master such a scenario with 3
    > zywalls?
    >
    > Any help would be greatly appreciated,
    > best regards, Gert
    >


    You can create 1 tunnel to each location with fixed IPs, can't you?

    Do you want the 2 offices to be able to see each other? If so then you
    either need to make a separate tunnel connecting 1 office to the other
    or you need to setup your IP subnets in such a way that all traffic for
    the other office goes through the central location first.

    Also it's not obvious that you cannot create 2 VPN rules to the same
    location. In many routers this works. I have setup a VPN where there
    were 5 separate and distinct tunnel connections between the same 2
    routers. If your router supports multiple subnets over the same tunnel,
    it's actually going to create separate security associations for each
    subnet pair, but it hides these details from you.

    --
    WARNING! Email address has been altered for spam resistance.
    Please remove the -deletethispart-. section before replying directly.
    Mike Drechsler (mike-newsgroup@-deletethispart-.upcraft.com)
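    The point Mike makes above (a policy-based IPsec device keys its security
    associations on the local/remote subnet pair, so two rules that share a
    local subnet but point at different remote subnets never both match one
    packet) is easy to see in a small model. The following is an added
    example, not code from the thread or from ZyXEL; the subnets, the peer
    gateway addresses and the rule names are constructed, and the
    `local_only_overlap` check is an assumption about the check Gert reports
    his ZyWALL applying, not a description of ZyWALL internals. It also
    models Gert's 0.0.0.0 "any peer" rule: a rule with no fixed peer gateway
    can only be matched when the remote side initiates.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class VpnRule:
    """One policy-based IPsec rule as seen from the headquarters gateway."""
    name: str
    local: IPv4Network            # traffic selector: local subnet
    remote: IPv4Network           # traffic selector: remote subnet
    peer_gateway: Optional[str]   # None models the "0.0.0.0 = any peer" dynamic rule (assumption)


def selector_overlap(a: VpnRule, b: VpnRule) -> bool:
    """Strict IPsec view: two policies clash only if BOTH selectors overlap,
    i.e. there exists a packet that would match both rules."""
    return a.local.overlaps(b.local) and a.remote.overlaps(b.remote)


def local_only_overlap(a: VpnRule, b: VpnRule) -> bool:
    """The stricter check Gert reports his device applying (assumption):
    local ranges of active rules may not overlap at all."""
    return a.local.overlaps(b.local)


def find_conflicts(rules: List[VpnRule],
                   check: Callable[[VpnRule, VpnRule], bool]) -> List[Tuple[str, str]]:
    """Return every pair of rule names that the given check considers conflicting."""
    return [(a.name, b.name)
            for i, a in enumerate(rules)
            for b in rules[i + 1:]
            if check(a, b)]


def select_rule(rules: List[VpnRule], src: str, dst: str) -> Optional[VpnRule]:
    """Pick the tunnel a packet would be sent into: the most specific
    (local, remote) pair that contains both addresses, or None (clear-text)."""
    s, d = ip_address(src), ip_address(dst)
    matches = [r for r in rules if s in r.local and d in r.remote]
    if not matches:
        return None
    return max(matches, key=lambda r: r.local.prefixlen + r.remote.prefixlen)


def can_initiate(rule: VpnRule) -> bool:
    """A rule without a fixed peer gateway has nowhere to send IKE to,
    so only the other side can bring the tunnel up."""
    return rule.peer_gateway is not None


# Constructed example: HQ is 10.1.0.0/16, the two offices are 10.2.0.0/16 and 10.3.0.0/16.
# Peer addresses are from the 203.0.113.0/24 documentation range.
HQ_RULES = [
    VpnRule("hq-to-office1", ip_network("10.1.0.0/16"), ip_network("10.2.0.0/16"), "203.0.113.2"),
    VpnRule("hq-to-office2", ip_network("10.1.0.0/16"), ip_network("10.3.0.0/16"), "203.0.113.3"),
]

# Gert's single shared rule: any remote peer, any remote subnet.
SHARED_RULE = VpnRule("hq-shared", ip_network("10.1.0.0/16"), ip_network("0.0.0.0/0"), None)


if __name__ == "__main__":
    print("pair-based conflicts:", find_conflicts(HQ_RULES, selector_overlap))
    print("local-only conflicts:", find_conflicts(HQ_RULES, local_only_overlap))
    chosen = select_rule(HQ_RULES, "10.1.5.5", "10.3.1.1")
    print("10.1.5.5 -> 10.3.1.1 uses:", chosen.name if chosen else None)
    print("shared rule can initiate:", can_initiate(SHARED_RULE))
```

    Run as-is it shows the two HQ rules are free of conflicts under the
    pair-based check and conflict only under the local-only check, which is
    exactly the gap between what IPsec needs and what the device enforces.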
  2.

    Hello again!

    First of all thanks for your answer!
    Yes, I can create a tunnel to the two offices with fixed, single IPs.
    It's not necessary that the offices can see each other, but I need to
    connect to them not only from a single machine in the headquarter. The
    whole subnet should be able to establish connections to both offices.
    Thus the local IP address ranges of the two rules would overlap, and the
    zywall says that this is not allowed!

    Thanks in advance for any further hints and best regards
  3.

    Gert Wurzer wrote:
    > Hello again!
    >
    > First of all thanks for your answer!
    > Yes, I can create a tunnel to the two offices with fixed, single IPs.
    > It's not necessary that the offices can see each other, but I need to
    > connect to them not only from a single machine in the headquarter. The
    > whole subnet should be able to establish connections to both offices.
    > Thus the local IP address ranges of the two rules would overlap, and the
    > zywall says that this is not allowed!
    >
    > Thanks in advance for any further hints and best regards

    If your branches and head office have conflicting network addresses then
    the best thing to do is renumber them. It's technically possible to
    connect multiple subnets with the same remote LAN addresses if you use
    network address translation but this is a last resort solution. Many
    networking protocols fail to work under NAT.

    You should have a unique address range for every office in your
    organization. You should also avoid using the very common private
    ranges used in consumer routers to avoid conflicts with employees' home
    networks if you decide to enable remote access. (Stay far away from
    192.168.0.xxx and 192.168.1.xxx) I suggest you use 10.xxx.xxx.xxx for
    your internal networks. You can vary the second and third sets of
    numbers for each branch or region.

    --
    Mike Drechsler (mike-newsgroup@-deletethispart-.upcraft.com)
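    The addressing advice in the reply above (one unique range per office,
    carved out of 10.0.0.0/8 by varying the second octet, and nothing on
    192.168.0.x or 192.168.1.x) can be turned into a small plan generator and
    checker. This is an added example, not code from the thread; the site
    names, the choice to start at 10.1.0.0/16 and the list of "common home
    ranges" (taken from the two ranges the reply names) are constructed.

```python
from ipaddress import ip_network, IPv4Network
from typing import Dict, List, Union

# The two ranges the reply warns about; constructed list, extend as needed.
COMMON_HOME_RANGES = [ip_network("192.168.0.0/24"), ip_network("192.168.1.0/24")]


def allocate_site_blocks(sites: List[str], first_second_octet: int = 1) -> Dict[str, IPv4Network]:
    """Give every site its own /16 inside 10.0.0.0/8: 10.1.0.0/16, 10.2.0.0/16, ...
    Varying the second octet per site is the reply's suggestion; starting at 1
    is a constructed choice."""
    if not 0 <= first_second_octet + len(sites) - 1 <= 255:
        raise ValueError("too many sites for one /8 with /16 per site")
    return {site: ip_network(f"10.{first_second_octet + i}.0.0/16")
            for i, site in enumerate(sites)}


def check_plan(plan: Dict[str, Union[str, IPv4Network]]) -> List[str]:
    """Return a list of problems: site ranges that overlap each other, or that
    collide with a common home range. An empty list means the plan is clean."""
    nets = {name: ip_network(net) for name, net in plan.items()}
    problems: List[str] = []
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
        for home in COMMON_HOME_RANGES:
            if nets[a].overlaps(home):
                problems.append(f"{a} {nets[a]} collides with common home range {home}")
    return problems


if __name__ == "__main__":
    good = allocate_site_blocks(["hq", "office1", "office2"])
    for site, net in good.items():
        print(f"{site:8s} {net}")
    print("problems in generated plan:", check_plan(good))

    # A plan of the kind the reply warns against: two sites on the same
    # consumer-router default range.
    bad = {"hq": "192.168.1.0/24", "office1": "192.168.1.0/24"}
    for problem in check_plan(bad):
        print("problem:", problem)
```

    The check is deliberately independent of the generator, so an existing,
    hand-numbered plan can be fed in as a dict of strings and audited before
    any VPN rule is written.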
  4.

    Hi Mike!

    Thanks for your efforts, but I guess we don't talk about the same
    problem.

    The problem is NOT caused by conflicting office subnets. All locations
    have a unique address range.
    Because of the architecture with a central headquarter and the need to
    initiate the connection from the offices as well as from the
    headquarter I have to implement 2 VPN rules at the headquarter. For
    both of them the local IP range of course must be the same and exactly
    this leads to an error during the vpn configuration of the zywall! It
    says that the local address ranges of multiple active(!) VPN rules must
    not overlap.

    Best regards, Gert
  5.

    Gert Wurzer wrote:
    > Hi Mike!
    >
    > Thanks for your efforts, but I guess we don't talk about the same
    > problem.
    >
    > The problem is NOT caused by conflicting office subnets. All locations
    > have a unique address range.
    > Because of the architecture with a central headquarter and the need to
    > initiate the connection from the offices as well as from the
    > headquarter I have to implement 2 VPN rules at the headquarter. For
    > both of them the local IP range of course must be the same and exactly
    > this leads to an error during the vpn configuration of the zywall! It
    > says that the local address ranges of multiple active(!) VPN rules must
    > not overlap.
    >
    > Best regards, Gert
    >

    Sounds like something specific to the implementation of that device.
    (Unless I'm not understanding your configuration) I have never used
    that specific equipment but in my experience most VPN routers are very
    similar conceptually.

    --
    Mike Drechsler (mike-newsgroup@-deletethispart-.upcraft.com)
  6.

    > The problem is NOT caused by conflicting office subnets.
    > All locations have a unique address range.
    > Because of the architecture with a central headquarter
    > and the need to initiate the connection from the offices
    > as well as from the headquarter I have to implement 2 VPN
    > rules at the headquarter. For both of them the local IP
    > range of course must be the same and exactly this leads
    > to an error during the vpn configuration of the zywall!
    > It says that the local address ranges of multiple
    > active(!) VPN rules must not overlap.

    Gert,

    We've implemented multiple rules like this using ZyXEL ADSL routers
    which have a similar IPSEC implementation to ZyWALLs without any issues
    (well, at least not with this issue, anyway).

    Ray