ZyXEL Communications 4.04 User Manual

Chapter 16 IPSec Commands
ZyWALL (ZyNOS) CLI Reference Guide
16.2  swSkipOverlapIp
Normally, we don't configure the local VPN policy rule’s IP addresses to overlap with the 
remote VPN policy rule’s IP addresses. For example, we don't configure both with 
192.168.1.0. However, overlapping local and remote network IP addresses can occur in the 
following cases.
You configure a dynamic VPN rule for a remote site. (See 
.) 
For example, when you configure the ZyWALL X, you configure the local network as 
192.168.1.0 and the remote network as any (0.0.0.0). The “any” includes all possible IP 
addresses. ZyWALL X will forward traffic from network A to network B even if both the 
sender (for example, 192.168.1.8) and the receiver (for example, 192.168.1.9) are in network A.
Figure 4   Dynamic VPN Rule 
The command ipsec swSkipOverlapIp on makes ZyWALL X check whether a 
packet’s destination is also in the local network before forwarding the packet. If it is, the 
ZyWALL sends the traffic to the local network. Setting ipsec swSkipOverlapIp to off 
disables the check for local network IP addresses.
You configure an IP alias network that overlaps with the VPN remote network. (See 
For example, you have an IP alias network M (10.1.2.0/24) in ZyWALL X’s LAN. For the 
VPN rule, you configure the VPN network as follows.
• Local IP address start: 192.168.1.1, end: 192.168.1.254
• Remote IP address start: 10.1.2.240, end: 10.1.2.254
IP addresses 10.1.2.240 to 10.1.2.254 overlap: they fall in both IP alias network M and the 
VPN remote range.
Figure 5   IP Alias
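
The overlap check in both cases above, modelled in Python as an added example (not ZyNOS code and not taken from the manual). The /24 mask on 192.168.1.0, the destination 10.1.2.245, and the assumption that the local-network check also covers IP alias network M are illustrative.

```python
# Added illustration: a simplified model of the check, not ZyNOS code.
from ipaddress import ip_address, ip_network

def net_range(cidr):
    """Inclusive (first, last) address pair for a network."""
    net = ip_network(cidr)
    return (net.network_address, net.broadcast_address)

def addr_range(start, end):
    return (ip_address(start), ip_address(end))

def overlap(a, b):
    """Addresses shared by two inclusive ranges, or None if disjoint."""
    start, end = max(a[0], b[0]), min(a[1], b[1])
    return (start, end) if start <= end else None

def forward(dst, local_ranges, remote, skip_overlap):
    """Where the modelled gateway sends a packet addressed to dst."""
    dst = ip_address(dst)
    if not remote[0] <= dst <= remote[1]:
        return "no-match"            # VPN rule does not apply
    in_local = any(lo <= dst <= hi for lo, hi in local_ranges)
    if skip_overlap and in_local:
        return "local"               # swSkipOverlapIp on: keep it on the LAN
    return "tunnel"                  # otherwise the rule forwards it

# Case 1: dynamic rule, remote "any" (0.0.0.0). The /24 mask is assumed.
LAN = net_range("192.168.1.0/24")
ANY = addr_range("0.0.0.0", "255.255.255.255")

# Case 2: IP alias network M overlaps the VPN remote range.
LOCAL = addr_range("192.168.1.1", "192.168.1.254")
ALIAS_M = net_range("10.1.2.0/24")
REMOTE = addr_range("10.1.2.240", "10.1.2.254")

def report():
    """Decision per (case, setting); 10.1.2.245 is a constructed address."""
    rows = {}
    for on in (False, True):
        rows["case1", on] = forward("192.168.1.9", [LAN], ANY, on)
        rows["case2", on] = forward("10.1.2.245", [LOCAL, ALIAS_M], REMOTE, on)
    return rows

if __name__ == "__main__":
    print("overlap:", overlap(ALIAS_M, REMOTE))
    for key, decision in report().items():
        print(key, decision)
```

Running overlap() over every pair of local, alias and remote ranges before deploying a rule shows which destinations depend on the swSkipOverlapIp setting.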