ZyXEL Communications 1000 User Manual

 Chapter 25 IPSec VPN
ZyWALL USG 1000 User’s Guide
25.4  VPN Concentrator 
A VPN concentrator combines several IPSec VPN connections into one secure 
network. 
Figure 333   VPN Topologies (Fully Meshed and Hub and Spoke)
In a fully-meshed VPN topology (1 in the figure), there is a VPN connection 
between every pair of routers. In a hub-and-spoke VPN topology (2 in the figure), 
there is a VPN connection between each spoke router (B, C, D, and E) and the hub 
router (A), which uses the VPN concentrator. The VPN concentrator routes VPN 
traffic between the spoke routers and itself. 
A VPN concentrator reduces the number of VPN connections that you have to set 
up and maintain in the network. You might also be able to consolidate the policy 
routes in each spoke router, depending on the IP addresses and subnets of each 
spoke.
However, a VPN concentrator is not for every situation. The hub router is a single 
point of failure, so a VPN concentrator is less appropriate if the connection 
between spoke routers cannot be down occasionally (for maintenance, for example). 
There is also more burden on the hub router. It receives VPN traffic from one 
spoke, decrypts it, inspects it to find out to which spoke to route it, encrypts it, 
and sends it to the appropriate spoke. Therefore, a VPN concentrator is more 
suitable when there is a minimum amount of traffic between spoke routers.
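The following planning sketch is an added example, not part of the ZyXEL guide or ZyWALL software. It illustrates the earlier points about connection counts and about consolidating each spoke's policy routes depending on the spoke subnets. The site addresses, function names and the idea of merging remote subnets into exact covering prefixes are assumptions made for illustration.

```python
import ipaddress

# Constructed sample addressing (not from the guide): hub A and spokes B-E.
SITES = {
    "A": "10.0.0.0/24",      # hub running the VPN concentrator
    "B": "10.0.1.0/24",
    "C": "10.0.2.0/24",
    "D": "10.0.3.0/24",
    "E": "192.168.50.0/24",
}

def tunnel_counts(n):
    """Return (fully meshed, hub-and-spoke) VPN connection counts for n routers."""
    return n * (n - 1) // 2, n - 1

def check_no_overlap(sites):
    """The hub can only choose the right spoke if no two site subnets overlap."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in sites.items()}
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                raise ValueError(f"sites {a} and {b} overlap: {nets[a]} / {nets[b]}")
    return nets

def spoke_routes(sites, spoke):
    """Destinations a spoke sends into its single tunnel to the hub, merged
    into the fewest prefixes that cover exactly the remote subnets."""
    nets = check_no_overlap(sites)
    remote = [net for name, net in nets.items() if name != spoke]
    return [str(n) for n in ipaddress.collapse_addresses(remote)]

if __name__ == "__main__":
    mesh, hub = tunnel_counts(len(SITES))
    print(f"connections: fully meshed={mesh}, hub-and-spoke={hub}")
    for spoke in "BCDE":
        routes = spoke_routes(SITES, spoke)
        print(f"spoke {spoke}: {len(SITES) - 1} remote subnets -> "
              f"{len(routes)} route(s): {routes}")
```

With this sample addressing, spoke E needs one route for all remote sites, while spoke B still needs three because its own subnet sits in the middle of the 10.0.0.0/22 block.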
25.4.1  IPSec VPN Concentrator Example
You can use the ZyWALL’s VPN concentrator feature to combine multiple IPSec 
VPN connections into one secure network. In this example, branch office A, 
headquarters (HQ), and branch office B all have USG ZyWALLs. 