Only 4 tunnel interfaces possible

Line2
Is there a technical reason why only 4 tunnel interfaces are possible on USG/ZyWALLs? For GRE/IPSec more would be helpful.

  Zyxel_Emily
    Hi @Line2,

    There is no technical reason for the specification about  the current supported tunnel interface number.
    The new IPSec virtual tunnel interface(VTI) is introduced since firmware 4.20, so we suggest you use VTI interface instead of Tunnel interface.
    Compared to GRE with extra GRE header overhead, it is better to use VTI instead of GRE over IPSec. 
    If you still think it is necessary to increase the number of Tunnel interface, please feel free to let us know and we will evaluate the enhancement on this feature.
  Line2

    I know VTI, I set up a lot of VTI/IPSec, between ZyWALLs only, I use most of time VTI and OSPF for dynamic routing. I know the overhead of GRE (24bytes). But there are different restrictions where you can't use VTI ( firewalls without VTI or no VTI with dynamic IPs there, general antipathy for VTI at a lot of firewall admins because of leak difficulty...).
    Thats the same reason why I made a feature request to support OSPF on GRE interfaces. By the way a loopback interface on ZyWALLs would be handy for such things too ;-)

  Zyxel_Emily

    Hi @Line2,

    Thanks for your suggestion.

    I would like to move your request to the ideas section.

  Line2
    ok, if it helps :-)
  Line2
    thank you
  Kade
    One feature that I would like to add is to have the ability to encrypt the GRE tunnel with IPsec to make it secure for routing packet between site.
  Zyxel_Vic
    Hi @Kade
    I added your request into the idea post Emily created, too. 

    Here the idea post.
  alexey


    We want to start using GRE over ipsec on our sites with old USG1000, that don't support VTI for autodisables routes, and 4 GREs are too small for ours needs.

    Will you realize more GRE in the future and will beta FW availble for test?

  Zyxel_Stanley

    USG1000 does not support GRE over IPSec.

    You can consider for USG1100 or VPN300 which support GRE over IPSec function.

