VPN between 3 zywalls

Hi!

Maybe anyone knows a solution for the following problem:

I want to establish a VPN between a headquarters and 2 offices (3 different IP subnets). Each location uses a zywall as internet router and firewall.

First, obviously it's impossible to create 2 VPN rules at the headquarters, each of them connecting to one office, because the local subnets of the 2 rules would overlap.

On the other side, when I share one VPN rule at the headquarters for both clients, using 0.0.0.0 for the client IP address (and vice versa) as it's described in the zywall documentation, it's only possible to initiate the connection from the client side. This doesn't cover my needs. I need to initiate the connection from both sides!

So, are there any other possibilities to master such a scenario with 3 zywalls?

Any help would be greatly appreciated, best regards, Gert

Gert Wurzer

You can create 1 tunnel to each location with fixed IPs, can't you?

Do you want the 2 offices to be able to see each other? If so then you either need to make a separate tunnel connecting 1 office to the other or you need to setup your IP subnets in such a way that all traffic for the other office goes through the central location first.

Also it's not obvious that you cannot create 2 VPN rules to the same location. In many routers this works. I have set up a VPN where there were 5 separate and distinct tunnel connections between the same 2 routers. If your router supports multiple subnets over the same tunnel, it's actually going to create separate security associations for each subnet pair, but it hides these details from you.

Mike Drechsler - SPAM PROTECTE

Hello again!

First of all thanks for your answer! Yes, I can create a tunnel to the two offices with fixed, single IPs. It's not necessary that the offices can see each other, but I need to connect to them not only from a single machine in the headquarters. The whole subnet should be able to establish connections to both offices. Thus the local IP address ranges of the two rules would overlap, and the zywall says that this is not allowed!

Thanks in advance for any further hints and best regards

Gert Wurzer

If your branches and head office have conflicting network addresses then the best thing to do is renumber them. It's technically possible to connect multiple subnets with the same remote LAN addresses if you use network address translation but this is a last resort solution. Many networking protocols fail to work under NAT.

You should have a unique address range for every office in your organization. You should also avoid using the very common private ranges used in consumer routers to avoid conflicts with employees' home networks if you decide to enable remote access. (Stay far away from 192.168.0.xxx and 192.168.1.xxx.) I suggest you use 10.xxx.xxx.xxx for your internal networks. You can vary the second and third sets of numbers for each branch or region.

Mike Drechsler - SPAM PROTECTE

Hi Mike!

Thanks for your efforts, but I guess we don't talk about the same problem.

The problem is NOT caused by conflicting office subnets. All locations have a unique address range. Because of the architecture with a central headquarters and the need to initiate the connection from the offices as well as from the headquarters, I have to implement 2 VPN rules at the headquarters. For both of them the local IP range of course must be the same, and exactly this leads to an error during the VPN configuration of the zywall! It says that the local address ranges of multiple active(!) VPN rules must not overlap.

Best regards, Gert

Gert Wurzer
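To make the disagreement in the thread concrete (Mike's point that IPsec keys security associations per local/remote subnet pair, versus the ZyWALL check Gert describes that rejects overlapping local ranges on active rules), plus Mike's addressing advice, here is an added example written for this post; it is not code from any poster or from ZyXEL, and the 10.x ranges and rule names are assumed:

```python
from ipaddress import ip_network

# Constructed sample: one ZyWALL-style rule per office at the headquarters,
# both using the whole HQ LAN as the local range (addresses are assumed).
HQ_RULES = [
    {"name": "hq-to-office1", "local": "10.1.0.0/16", "remote": "10.2.0.0/16"},
    {"name": "hq-to-office2", "local": "10.1.0.0/16", "remote": "10.3.0.0/16"},
]

def local_range_conflicts(rules):
    """Mimic the check Gert ran into: active rules whose *local* ranges overlap."""
    nets = [(r["name"], ip_network(r["local"])) for r in rules]
    return [(a, b) for i, (a, na) in enumerate(nets)
            for b, nb in nets[i + 1:] if na.overlaps(nb)]

def selector_pair_conflicts(rules):
    """IPsec-level view: only the (local, remote) selector pair must be unique,
    so rules sharing a local range but pointing at different remotes are fine."""
    seen, dupes = {}, []
    for r in rules:
        key = (ip_network(r["local"]), ip_network(r["remote"]))
        if key in seen:
            dupes.append((seen[key], r["name"]))
        else:
            seen[key] = r["name"]
    return dupes

# The consumer-router defaults Mike advises staying away from.
CONSUMER_DEFAULTS = [ip_network("192.168.0.0/24"), ip_network("192.168.1.0/24")]

def address_plan_issues(sites):
    """Flag site LANs that overlap each other or sit on a common consumer
    default range (sites: mapping of site name -> CIDR string)."""
    nets = {n: ip_network(c) for n, c in sites.items()}
    names = list(nets)
    issues = [f"{a} overlaps {b}" for i, a in enumerate(names)
              for b in names[i + 1:] if nets[a].overlaps(nets[b])]
    for n, net in nets.items():
        if any(net.overlaps(d) for d in CONSUMER_DEFAULTS):
            issues.append(f"{n} uses a common consumer default range")
    return issues

if __name__ == "__main__":
    print("local-range conflicts:", local_range_conflicts(HQ_RULES))
    print("selector-pair conflicts:", selector_pair_conflicts(HQ_RULES))
    print(address_plan_issues({"hq": "192.168.1.0/24", "office1": "192.168.1.0/24"}))
```

With the sample rules the first check reports a conflict while the second reports none, which is exactly the gap between the device's rule validation and what IPsec itself requires.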

Sounds like something specific to the implementation of that device. (Unless I'm not understanding your configuration) I have never used that specific equipment but in my experience most VPN routers are very similar conceptually.

Mike Drechsler - SPAM PROTECTE

Gert,

We've implemented multiple rules like this using ZyXEL ADSL routers which have a similar IPSEC implementation to ZyWALLs without any issues (well, at least not with this issue, anyway).

Ray

Ray Bellis
