presales - zywall 110 -extra licenses needed?

glenndm Posts: 2
edited April 2021 in Security

Hello,

I'm looking at a ZyWall 110 to replace a Cisco RV320.

The main purpose is to provide:

  • 1 site to site VPN (zywall at each end)
  • about 10 concurrent client to site VPN connections

The specs state there are 5 SSL VPN licenses bundled.

Further, it says the client to site uses IPSEC VPN.

Do concurrent IPSEC connections require licenses? Or, put differently, do the roaming users need licenses?

best regards

glenn

All Replies

  • mMontana
    mMontana Posts: 1,300  Guru Member

    AFAIK the Zyxel-branded Windows IPSec Client requires you to buy a license, and it is really easy to configure via auto-provisioning. But if you already have an IPSec client, you can configure it to talk between your computer and Zyxel devices.

    There's also an SSL client called "SecuExtender", which should still be free of charge on Windows, but a license is needed for Mac OS X.

    Last but not least, there's the L2TP over IPSec option, which is included in most modern OSes. In Windows it is not so hard to configure, but you have to tweak the registry for a double-NAT scenario (NAT on both client and server side).

    AFAIK the biggest limitation of L2TP is that you cannot have two different IKE gateways allowing L2TP simultaneously. If your roaming users have different profiles for access or management rules, L2TP does not fit the case; you should split the profiles between L2TP and SSL VPN. (Firewall user-based rules are still possible for limitations on network access, but you cannot change network topology between different users.)

    Until now I have never used other software IPSec clients with Zyxel devices, but I should assume that it won't be that hard to configure; the Zyxel IPSec client, at least, was a rebrand of GreenBow. So maybe other alternatives could work with the appliances, even the built-in Windows IPSec client.

  • glenndm

    Thanks for your reply

    • "AFAIK the Zyxel-branded Windows IPSec Client requires you to buy a license"

    I understand this to be a license on the client machine, not on the Zyxel router, correct?

    • The SecuExtender would use one of the SSL router licenses.

    I'd rather not do the "tweaking" ways - there lies supporting user madness :)

    best regards

  • mMontana
    mMontana Posts: 1,300  Guru Member

    "I understand this to be a license on the client machine, not on the zyxel router, correct?"

    AFAIK yes.

    "I'd rather not do the "tweaking" ways - there lies supporting user madness :)"

    It's also documented by Zyxel and it works. Windows unfortunately assumes that if you use an L2TP connection, your device and your endpoint (Zyxel device) are on a public IP, not behind a NAT router. In Europe it is quite common to be behind one or more NAT devices before getting to the internet.

    So the registry tweak tells Windows "hey buddy, you and your counterpart are behind a NAT router, so play it along!".

    Nothing more, nothing less. Unfortunately, Microsoft didn't put the setting into a panel (since Windows XP).
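
The registry tweak discussed in the posts above, as an added example that is not part of the original thread or Zyxel's documentation. It assumes the tweak meant is the Microsoft-documented `AssumeUDPEncapsulationContextOnSendRule` value (the posts do not name it); the function names are hypothetical.

```powershell
# Added example: audit and set the Windows NAT-T policy used by the built-in
# L2TP/IPsec client. Assumption: this is the registry value the thread refers to.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$ValueName = 'AssumeUDPEncapsulationContextOnSendRule'

# Meaning of each documented setting.
$Meaning = @{
    0 = 'default: no security associations with a server behind NAT'
    1 = 'security associations allowed when the server is behind NAT'
    2 = 'security associations allowed when server and client are both behind NAT'
}

function Get-L2tpNatTraversalPolicy {
    # Reading needs no elevation. A missing value behaves like 0.
    $prop  = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    $value = if ($null -ne $prop) { [int]$prop.$ValueName } else { 0 }
    $text  = if ($Meaning.ContainsKey($value)) { $Meaning[$value] } else { 'unrecognised value' }
    [pscustomobject]@{
        Value      = $value
        Configured = ($null -ne $prop)   # $false = value absent, default applies
        Meaning    = $text
    }
}

function Set-L2tpNatTraversalPolicy {
    # Writing needs an elevated session. Supports -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess)]
    param([ValidateRange(0, 2)][int]$Value = 2)   # 2 = the double-NAT case

    if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", "set DWORD to $Value")) {
        New-ItemProperty -Path $KeyPath -Name $ValueName `
            -PropertyType DWord -Value $Value -Force | Out-Null
        Write-Warning 'Restart the computer for the change to take effect.'
    }
}

# Report the current state on this machine.
Get-L2tpNatTraversalPolicy

# Preview the change without writing anything:
# Set-L2tpNatTraversalPolicy -Value 2 -WhatIf
```

Running `Get-L2tpNatTraversalPolicy` across client machines before rollout shows which ones still use the default and would fail to connect from behind NAT.
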

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,296  Zyxel Employee
    edited December 2019

    Hi @glenndm,

    The maximum number of concurrent IPsec VPN tunnels on ZyWALL 110 is 100, which includes site-to-site VPN, L2TP over IPSec VPN and client-to-site IPSec VPN.

    You need a valid license key to activate the ZyWALL IPSec VPN client on Windows.


    The maximum number of concurrent SSL VPN users is 25 by default. It supports up to 150 concurrent SSL VPN users with the SSL VPN service license.

    For Windows: the SSL VPN client "SecuExtender_Windows" is free software.

    For macOS: you need a valid license key to activate the SSL VPN client "SecuExtender_MacOS".


    Here is the specification of ZyWALL 110 for your reference.

