ZyXEL Communications ZYWALL 70 - V4.04 Operating Manual, Page 101

Appendix 9 IPSec IP Overlap Support
Figure 1 (network diagram): ZyWALL A has a LAN of 1.1.1.0/24 and an IP Alias of 1.1.2.0/24; PC A (1.1.1.33) is on the LAN and PC B (1.1.2.250) on the IP Alias. ZyWALL B has a LAN of 1.1.2.0/28 with PC C (1.1.2.250). The two ZyWALLs are connected through their WAN interfaces, so PC B and PC C carry the same address on opposite ends of the VPN.
The ZyWALL uses the network policy (the local and remote address ranges of a VPN rule) to decide whether traffic matches that rule. If the local address range overlaps the remote address range, the ZyWALL cannot tell whether a packet destined for the overlapped range should trigger the VPN tunnel or simply be routed. The CI command "ipsec swSkipOverlapIp" controls which of the two happens. For example, suppose you configure a VPN rule on ZyWALL A as follows:
Local IP Address Start= 1.1.1.1 End= 1.1.2.254
Remote IP Address Start= 1.1.2.240 End= 1.1.2.254
The local and remote address ranges overlap from 1.1.2.240 to 1.1.2.254.
(1) Enter "ipsec swSkipOverlapIp off":
The tunnel is triggered for packets from 1.1.1.33 to 1.1.2.250. Traffic from the LAN to the IP Alias (such as the traffic from PC A to PC B in Figure 1) is still encrypted as VPN traffic and routed to the WAN, so it disappears from the LAN: PC A reaches PC C behind ZyWALL B, but can no longer reach the local PC B.
(2) Enter "ipsec swSkipOverlapIp on":
The tunnel is not triggered for packets from 1.1.1.33 to 1.1.2.250. Even if the tunnel has already been built, traffic in the overlapped range is not passed through it; it is routed locally instead, so PC A reaches PC B but not PC C.
[Note]
If you configure a rule on ZyWALL A with
Local IP Address Start= 0.0.0.0
Remote IP Address Start= 1.1.2.240 End= 1.1.2.254
then, whether swSkipOverlapIp is on or off, any traffic from any interface of ZyWALL A will match the tunnel. swSkipOverlapIp is therefore not applicable in this case.
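The following model reproduces the match decision described above on the appendix's sample addresses so the two switch positions can be compared side by side. It is an added illustration, not ZyWALL firmware code; the names VpnRule, decide() and compare_settings() are chosen here, and the treatment of Local Start 0.0.0.0 as "any local address" is an assumption taken from the note.

```python
# Added illustration, not ZyWALL firmware code: a model of how the
# "ipsec swSkipOverlapIp" switch changes the match decision for a VPN rule
# whose local and remote address ranges overlap. Names such as VpnRule,
# decide() and compare_settings() are chosen here; the addresses are the
# appendix's sample values.
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, Optional, Tuple

# Assumption taken from the [Note]: Local IP Address Start = 0.0.0.0 means
# "any local address", and the switch is then ignored.
ANY_LOCAL = IPv4Address("0.0.0.0")


def in_range(addr: IPv4Address, start: IPv4Address, end: IPv4Address) -> bool:
    """Inclusive range test on IPv4 addresses (IPv4Address is orderable)."""
    return start <= addr <= end


@dataclass(frozen=True)
class VpnRule:
    local_start: IPv4Address
    local_end: IPv4Address
    remote_start: IPv4Address
    remote_end: IPv4Address

    def overlap(self) -> Optional[Tuple[IPv4Address, IPv4Address]]:
        """Intersection of the local and remote ranges, or None if disjoint."""
        lo = max(self.local_start, self.remote_start)
        hi = min(self.local_end, self.remote_end)
        return (lo, hi) if lo <= hi else None


def decide(rule: VpnRule, skip_overlap_ip: bool,
           src: IPv4Address, dst: IPv4Address) -> str:
    """Return "tunnel" if the packet triggers/uses the VPN rule, else "route".

    skip_overlap_ip=True models "ipsec swSkipOverlapIp on", False models "off".
    """
    if rule.local_start == ANY_LOCAL:
        # Local = any: every source matches, and the switch is not applicable.
        return "tunnel" if in_range(dst, rule.remote_start, rule.remote_end) else "route"
    if not (in_range(src, rule.local_start, rule.local_end)
            and in_range(dst, rule.remote_start, rule.remote_end)):
        return "route"          # ordinary traffic, never a VPN candidate
    ov = rule.overlap()
    if skip_overlap_ip and ov is not None and in_range(dst, *ov):
        # "on": destination lies in the overlapped range, so the tunnel is not
        # triggered even if it is already up; the packet is routed locally.
        return "route"
    # "off": the tunnel wins; the packet is encrypted and sent out the WAN,
    # and a LAN-side host with the same address becomes unreachable.
    return "tunnel"


def compare_settings(rule: VpnRule, src: IPv4Address,
                     dst: IPv4Address) -> Dict[str, str]:
    """Outcome of one packet under both switch positions."""
    return {"off": decide(rule, False, src, dst),
            "on": decide(rule, True, src, dst)}


# Sample rule from the appendix (configured on ZyWALL A) and the sample packet
# from PC A (1.1.1.33) to 1.1.2.250, an address used by PC B (local IP alias)
# and PC C (behind ZyWALL B) alike.
RULE_A = VpnRule(IPv4Address("1.1.1.1"), IPv4Address("1.1.2.254"),
                 IPv4Address("1.1.2.240"), IPv4Address("1.1.2.254"))
# Rule from the [Note]: local = any (end address chosen here to model "any").
RULE_ANY_LOCAL = VpnRule(ANY_LOCAL, IPv4Address("255.255.255.255"),
                         IPv4Address("1.1.2.240"), IPv4Address("1.1.2.254"))
PC_A = IPv4Address("1.1.1.33")
COLLIDING_DST = IPv4Address("1.1.2.250")

if __name__ == "__main__":
    print("overlap:", RULE_A.overlap())
    print("rule with local range:", compare_settings(RULE_A, PC_A, COLLIDING_DST))
    print("rule with local = any:", compare_settings(RULE_ANY_LOCAL, PC_A, COLLIDING_DST))
```

Running it shows the trade-off the switch makes rather than a fix: with the switch off the sample packet is tunnelled (PC C reachable, PC B unreachable), with it on the packet is routed (PC B reachable, PC C unreachable), and with Local Start 0.0.0.0 both positions tunnel it. Checking overlap() on every rule before enabling a tunnel is the practical way to catch such address collisions before traffic silently changes path.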