Only 4 tunnel interfaces possible

Line2Line2 Member Posts: 40  Freshman Member
Is there a technical reason why only 4 tunnel interfaces are possible on USG/ZyWALLs? For GRE/IPSec more would be helpful.

Accepted Solution

All Replies

  • Zyxel_EmilyZyxel_Emily Zyxel Official Agent Posts: 540  mod
    Hi @Line2,

    There is no technical reason for the specification about  the current supported tunnel interface number.
    The new IPSec virtual tunnel interface(VTI) is introduced since firmware 4.20, so we suggest you use VTI interface instead of Tunnel interface.
    Compared to GRE with extra GRE header overhead, it is better to use VTI instead of GRE over IPSec. 
    If you still think it is necessary to increase the number of Tunnel interface, please feel free to let us know and we will evaluate the enhancement on this feature.
  • Line2Line2 Member Posts: 40  Freshman Member

    I know VTI, I set up a lot of VTI/IPSec, between ZyWALLs only, I use most of time VTI and OSPF for dynamic routing. I know the overhead of GRE (24bytes). But there are different restrictions where you can't use VTI (3.party firewalls without VTI or no VTI with dynamic IPs there, general antipathy for VTI at a lot of firewall admins because of leak difficulty...).
    Thats the same reason why I made a feature request to support OSPF on GRE interfaces. By the way a loopback interface on ZyWALLs would be handy for such things too ;-)

  • Zyxel_EmilyZyxel_Emily Zyxel Official Agent Posts: 540  mod

    Hi @Line2,


    Thanks for your suggestion.

    I would like to move your request to the ideas section.

  • Line2Line2 Member Posts: 40  Freshman Member
    ok, if it helps :-)
  • Line2Line2 Member Posts: 40  Freshman Member
    thank you
  • KadeKade Member Posts: 8
    One feature that I would like to add is to have the ability to encrypt the GRE tunnel with IPsec to make it secure for routing packet between site.
  • Zyxel_VicZyxel_Vic Zyxel Official Agent Posts: 145  mod
    Hi @Kade
    I added your request into the idea post Emily created, too. 

    Here the idea post.
  • alexeyalexey Member Posts: 98  Ally Member

    Hi.

    We want to start using GRE over ipsec on our sites with old USG1000, that don't support VTI for autodisables routes, and 4 GREs are too small for ours needs.

    Will you realize more GRE in the future and will beta FW availble for test?

  • Zyxel_StanleyZyxel_Stanley Zyxel Official Agent Posts: 716  mod

    USG1000 does not support GRE over IPSec.

    You can consider for USG1100 or VPN300 which support GRE over IPSec function.


Sign In to comment.