ZyXEL 2WG User's Guide
Chapter 15 IPSec VPN Screens
ZyWALL 2WG User’s Guide
Rule 1:
• Remote Gateway: 10.0.0.2
• Local IP address: 192.168.168.0~192.168.169.255
• Remote IP address: 192.168.167.0/255.255.255.0
Rule 2:
• Remote Gateway: 10.0.0.3
• Local IP address: 192.168.167.0~192.168.168.255
• Remote IP address: 192.168.169.0/255.255.255.0
Branch Office B:
• Remote Gateway: 10.0.0.1
• Local IP address: 192.168.169.0/255.255.255.0
• Remote IP address: 192.168.167.0~192.168.168.255
15.9.3 Hub-and-spoke VPN Requirements and Suggestions
Consider the following when implementing a hub-and-spoke VPN.
• The local IP addresses configured in the VPN rules cannot overlap.
• The hub router must have at least one separate VPN rule for each spoke. In the local IP address, specify the IP addresses of the hub-and-spoke networks with which the spoke is to be able to have a VPN tunnel. This may require you to use more than one VPN rule.
• If you want to have the spoke routers access the Internet through the hub-and-spoke VPN tunnel, set the VPN rules in the spoke routers to use 0.0.0.0 (any) as the remote IP address.
• Make sure that your From VPN and To VPN firewall rules do not block the VPN packets.
15.10 VPN Troubleshooting
If the IPSec tunnel does not build properly, the problem is likely a configuration error at one of
the IPSec routers. Log into the web configurators of both ZyXEL IPSec routers.
Check the settings in each field methodically and slowly.
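One way to make the field-by-field check mechanical is to compare the two routers' address policies as ranges. The following is an added example, not part of the ZyXEL guide or firmware: it parses the two address notations used on this page (start~end ranges and network/mask subnets) and reports where one router's local policy does not match its peer's remote policy. The rule dictionaries and the BRANCH_B_TYPO entry are constructed for illustration, and the assumption that the two ends must mirror each other exactly is taken from how hub Rule 2 and Branch Office B are paired above.

```python
import ipaddress

def parse_policy(text):
    """Return (first, last) IPv4 addresses for 'a~b', 'net/mask' or a single address."""
    text = text.strip()
    if "~" in text:
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in text.split("~", 1))
        if lo > hi:
            raise ValueError(f"range start is above range end: {text}")
        return lo, hi
    if "/" in text:
        # strict=True rejects a subnet whose address has host bits set
        net = ipaddress.IPv4Network(text, strict=True)
        return net.network_address, net.broadcast_address
    addr = ipaddress.IPv4Address(text)
    return addr, addr

def mirror_errors(a, b):
    """List every place where one side's local policy differs from the peer's remote policy."""
    errors = []
    for x, y in ((a, b), (b, a)):
        if parse_policy(x["local"]) != parse_policy(y["remote"]):
            errors.append(f'{x["name"]} local {x["local"]} does not match '
                          f'{y["name"]} remote {y["remote"]}')
    return errors

# Values copied from the hub Rule 2 and Branch Office B lists on this page.
HUB_RULE_2 = {"name": "hub rule 2",
              "local": "192.168.167.0~192.168.168.255",
              "remote": "192.168.169.0/255.255.255.0"}
BRANCH_B = {"name": "branch B",
            "local": "192.168.169.0/255.255.255.0",
            "remote": "192.168.167.0~192.168.168.255"}
# Constructed misconfiguration: the spoke lists only one of the two remote networks.
BRANCH_B_TYPO = dict(BRANCH_B, name="branch B (typo)",
                     remote="192.168.167.0/255.255.255.0")

if __name__ == "__main__":
    for spoke in (BRANCH_B, BRANCH_B_TYPO):
        problems = mirror_errors(HUB_RULE_2, spoke)
        print(spoke["name"], "->", problems or "policies mirror each other")
```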
VPN Log
The system log can often help to identify a configuration problem.
Use the web configurator LOGS Log Settings screen to enable IKE and IPSec logging at both
ends, clear the log and then build the tunnel.
View the log via the web configurator LOGS View Log screen or type sys log disp from SMT Menu 24.8. See
for information on the log messages.