Only 4 tunnel interfaces possible

Line2 Posts: 40  Freshman Member
edited April 2021 in Security
Is there a technical reason why only 4 tunnel interfaces are possible on USG/ZyWALLs? For GRE/IPSec more would be helpful.

All Replies

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,280  Zyxel Employee
    Hi @Line2,

    There is no technical reason for the specification about the current supported tunnel interface number.
    The new IPSec virtual tunnel interface (VTI) was introduced in firmware 4.20, so we suggest you use the VTI interface instead of the Tunnel interface.
    Compared to GRE with extra GRE header overhead, it is better to use VTI instead of GRE over IPSec.
    If you still think it is necessary to increase the number of Tunnel interfaces, please feel free to let us know and we will evaluate the enhancement on this feature.
  • Line2
    Line2 Posts: 40  Freshman Member

    I know VTI. I set up a lot of VTI/IPSec; between ZyWALLs only, I use VTI and OSPF for dynamic routing most of the time. I know the overhead of GRE (24 bytes). But there are different restrictions where you can't use VTI (3rd-party firewalls without VTI or no VTI with dynamic IPs there, general antipathy for VTI among a lot of firewall admins because of leak difficulty...).
    That's the same reason why I made a feature request to support OSPF on GRE interfaces. By the way, a loopback interface on ZyWALLs would be handy for such things too ;-)

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,280  Zyxel Employee

    Hi @Line2,


    Thanks for your suggestion.

    I would like to move your request to the ideas section.

  • Line2
    Line2 Posts: 40  Freshman Member
    ok, if it helps :-)
  • Line2
    Line2 Posts: 40  Freshman Member
    thank you
  • Kade
    Kade Posts: 8
    One feature that I would like to add is the ability to encrypt the GRE tunnel with IPsec to make it secure for routing packets between sites.
  • Zyxel_Vic
    Zyxel_Vic Posts: 281  Zyxel Employee
    Hi @Kade
    I added your request into the idea post Emily created, too.

    Here is the idea post.
  • alexey
    alexey Posts: 188  Master Member

    Hi.

    We want to start using GRE over IPsec on our sites with old USG1000s, which don't support VTI for auto-disabling routes, and 4 GREs are too few for our needs.

    Will you realize more GREs in the future, and will a beta FW be available for testing?

  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,361  Zyxel Employee

    USG1000 does not support GRE over IPSec.

    You can consider the USG1100 or VPN300, which support the GRE over IPSec function.

