SearchSearch   ProfileProfile   Log inLog in   RegisterRegister 

VPN to FirstSpot through Zywall-2 firewall

 
Post new topic   Reply to topic    FirstSpot Forum Index -> Pre-sales Support Forum
View previous topic :: View next topic  
Author Message
Anchorline



Joined: 14 Mar 2005
Posts: 9
Location: Toronto, Canada

PostPosted: Mon Feb 27, 2006 7:55 pm    
Post subject: VPN to FirstSpot through Zywall-2 firewall

Hi,

Anyone ever use Zywall-2 firewalls to establish a site-to-site VPN from remote sites to a central FirstSpot server?

I want remote sites to be able to use the Internet through a FirstSpot server behind one Zywall, and am not sure how to set up the VPN.....FirstSpot has two NICs, the CT one attached to the Zywall and the MTD one going back to the Internet....

Any help would be appreciated.

Thanks,

Sheri
_________________
Anchorline Wireless Internet
www.anchorline.net
Back to top
alan
Forum facilitator


Joined: 26 Sep 2003
Posts: 4381

PostPosted: Tue Feb 28, 2006 3:21 am    
Post subject:

I don't think you can setup Scenario 3 using Zywall-2. Zywall 10 will be a better bet.

The key feature for Scenario 3 ( see http://www.patronsoft.com/firstspot/topologies.html ) is non-split tunnel. Basically, you need to force all traffic to FirstSpot (using VPN) before reaching the Internet at large.

For definition of split tunnel, please check out http://www142.nortelnetworks.com/bvdoc/contivity/doc_html/315899A00/chapte7a.htm . Non-split tunnel is just the opposite of split tunnel.
_________________
~ Patronsoft Limited ~
Back to top
alan
Forum facilitator


Joined: 26 Sep 2003
Posts: 4381

PostPosted: Tue Feb 28, 2006 4:31 pm    
Post subject:

For information about setting up non-split tunnel using Zywall, please check out:

http://www.zyxel.com/web/support_knowledgebase_detail.php?KnowledgeBaseID=572&pid=20041216174151

Excerpt of the article:

How can I redirect 'All' Internet traffic over VPN tunnel?
Article ID: 572
Views: 62
Type: App/Conf Example
Firmware: 3.64 , 3.65 , 3.63 , 4.00


Problem:
If I have two VPN endpoints, say site A and site B. How can I send All Internet traffic from site A to site B over the VPN tunnel
and then let site B further redirect the traffic to Internet?


Solution:
The key point for this is to include all of the Internet
IP address in Remote network section of VPN policy in
site A.

You can edit VPN rules as the following,
================
Branch Office

Menu 27.1.1 - IPSec Setup

Index #= 1 Name= zw50_a-zw10II_a Tunnel
Active= Yes Keep Alive= No Nat Traversal= No
Local ID type= IP Content= 24.0.0.2
My IP Addr= 24.0.0.2
Peer ID type= IP Content= 24.0.0.1
Secure Gateway Addr= 24.0.0.1
Protocol= 0
Local: Addr Type= SUBNET
IP Addr Start= 192.168.2.0
End/Subnet Mask= 255.255.255.0
Port Start= 0 End= N/A
Remote: Addr Type= SUBNET
IP Addr Start= 0.0.0.0
End/Subnet Mask= 0.0.0.0
Port Start= 0 End= N/A
Enable Replay Detection= No
Key Management= IKE
Edit Key Management Setup= No

Press ENTER to Confirm or ESC to Cancel:

note: Make sure you issue CI command "ipsec swSkipOverlapIp on" in SMT menu 24, otherwise you may have problem access your local LAN network.
================
Central Office

Menu 27.1.1 - IPSec Setup

Index #= 1 Name= zw50_a-zw10II_a Tunnel
Active= Yes Keep Alive= No Nat Traversal= No
Local ID type= IP Content= 24.0.0.1
My IP Addr= 24.0.0.1
Peer ID type= IP Content= 24.0.0.2
Secure Gateway Addr= 24.0.0.2
Protocol= 0
Local: Addr Type= SUBNET
IP Addr Start= 0.0.0.0
End/Subnet Mask= 0.0.0.0
Port Start= 0 End= N/A
Remote: Addr Type= SUBNET
IP Addr Start= 192.168.2.0
End/Subnet Mask= 255.255.255.0
Port Start= 0 End= N/A
Enable Replay Detection= No
Key Management= IKE
Edit Key Management Setup= No

Press ENTER to Confirm or ESC to Cancel:


In the example, you can see that we input 0.0.0.0 in the IP
address start field. In old firmeware, you can't do that.
Because 0.0.0.0 was forbidden. We have this enhanced after V3.52
major release.

For old VPN code, there is another work around.

Please use

Addr Type= RANGE
IP Addr Start= 0.0.0.1
End/Subnet Mask= 255.255.255.255



(Zywall 2 might work but we never test it, so you need to confirm with Zyxel.)
_________________
~ Patronsoft Limited ~


Last edited by alan on Thu Jun 29, 2006 4:46 am; edited 1 time in total
Back to top
CyberElements



Joined: 28 Nov 2005
Posts: 64
Location: Ellensburg, WA USA

PostPosted: Tue Feb 28, 2006 6:36 pm    
Post subject:

So, in order to do sinario #3 you HAVE TO use a VPN?
_________________
Tim Reed
Owner
Cyber Elements WISP
Ellensburg, WA USA
Back to top
alan
Forum facilitator


Joined: 26 Sep 2003
Posts: 4381

PostPosted: Wed Mar 01, 2006 12:32 am    
Post subject:

No. Either you have control on the outgoing Internet path, or you use VPN to mimic it.

Refer to http://www.patronsoft.com/firstspot/topologies.html for details.
_________________
~ Patronsoft Limited ~
Back to top
CyberElements



Joined: 28 Nov 2005
Posts: 64
Location: Ellensburg, WA USA

PostPosted: Wed Mar 01, 2006 1:51 am    
Post subject: Topography #3 w/o VPN

Well i've been in contact with my Internet feed.... I'm hoping they're right, which I'm sure they are... i'm going to try using my managed switch and some Cisco 1721's (routers) ... so it would be like in the picture. Hope it all works :)

BTW still not used full 4.0 yet, cause am moving into my apartment tomorrow (very excited) and that will be the central server location :)

Hope all works well.
_________________
Tim Reed
Owner
Cyber Elements WISP
Ellensburg, WA USA
Back to top
Display posts from previous:   
Post new topic   Reply to topic    FirstSpot Forum Index -> Pre-sales Support Forum All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum


Powered by phpBB © 2001, 2005 phpBB Group