Chapter 20 IPSec VPN
ZyWALL ATP Series User’s Guide
401
20.4 VPN Concentrator
A VPN concentrator combines several IPSec VPN connections into one secure network.
Figure 274 VPN Topologies (Fully Meshed and Hub and Spoke)
In a fully-meshed VPN topology (1 in the figure), there is a VPN connection between every pair of routers. In a hub-and-spoke VPN topology (2 in the figure), there is a VPN connection between each spoke router (B, C, D, and E) and the hub router (A), which uses the VPN concentrator. The VPN concentrator routes VPN traffic between the spoke routers and itself.
A VPN concentrator reduces the number of VPN connections that you have to set up and maintain in the network. You might also be able to consolidate the policy routes in each spoke router, depending on the IP addresses and subnets of each spoke.
However, a VPN concentrator is not for every situation. The hub router is a single point of failure, so a VPN concentrator is not as appropriate if the connection between spoke routers cannot be down occasionally (during maintenance, for example). There is also more burden on the hub router: it receives VPN traffic from one spoke, decrypts it, inspects it to find out to which spoke to route it, encrypts it again, and sends it to the appropriate spoke. Therefore, a VPN concentrator is more suitable when there is only a minimal amount of traffic between spoke routers.
20.4.1 VPN Concentrator Requirements and Suggestions
Consider the following when using the VPN concentrator.
• The local IP addresses configured in the VPN rules should not overlap.
• The concentrator must have at least one separate VPN rule for each spoke. In the local policy, specify the IP addresses of the networks that the spoke is to be able to reach through its VPN tunnel. This may require you to use more than one VPN rule for each spoke.
• To have all Internet access from the spoke routers go through the VPN tunnel, set the VPN rules in the spoke routers to use 0.0.0.0 (any) as the remote IP address.
• Your security policies can still block VPN packets.
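The following Python script is an added example, not part of the ZyWALL guide and not ZyWALL configuration syntax. It models the hub-and-spoke topology from the figure above with constructed router names and LAN subnets, compares the number of tunnels against a full mesh, checks the first requirement (no overlapping local networks), and derives the per-spoke rules the second and third requirements describe. The rule layout (hub local policy = hub LAN plus every other spoke, spoke remote policy = 0.0.0.0/0 when all Internet access is routed via the hub) is this example's interpretation of the bullets; verify it against your own rule editor before applying it.

```python
"""Added example (not from the ZyWALL guide): model a hub-and-spoke VPN
concentrator and check the guide's requirements on the spoke networks.
The router names and subnets below are constructed sample data."""
import ipaddress
from itertools import combinations

# Constructed sample topology: hub A and spokes B..E, one LAN each.
HUB = "A"
NETWORKS = {
    "A": "10.0.0.0/24",
    "B": "10.0.1.0/24",
    "C": "10.0.2.0/24",
    "D": "10.0.3.0/24",
    "E": "10.0.4.0/24",
}


def _nets(networks):
    """Parse CIDR strings into ip_network objects (strict: host bits must be 0)."""
    return {name: ipaddress.ip_network(cidr) for name, cidr in networks.items()}


def tunnel_counts(networks):
    """IPSec connections to set up: every pair in a full mesh (n*(n-1)/2)
    versus one per spoke in a hub-and-spoke design (n-1)."""
    n = len(networks)
    return {"full_mesh": n * (n - 1) // 2, "hub_and_spoke": n - 1}


def overlapping_networks(networks):
    """Return sorted (router, router) pairs whose LANs overlap.  The guide
    requires non-overlapping local addresses; with an overlap the hub
    could not decide which spoke tunnel a decrypted packet belongs to."""
    nets = _nets(networks)
    return sorted(
        (a, b)
        for (a, na), (b, nb) in combinations(sorted(nets.items()), 2)
        if na.overlaps(nb)
    )


def concentrator_rules(hub, networks):
    """One VPN rule per spoke on the hub.  Local policy: the networks the
    spoke may reach through the tunnel (the hub LAN plus every other
    spoke).  Remote policy: the spoke's own LAN."""
    nets = _nets(networks)
    rules = {}
    for spoke, remote in sorted(nets.items()):
        if spoke == hub:
            continue
        local = [str(n) for name, n in sorted(nets.items()) if name != spoke]
        rules[spoke] = {"local": local, "remote": str(remote)}
    return rules


def spoke_rule(spoke, hub, networks, all_internet_via_hub=False):
    """The spoke's side of its tunnel to the hub.  With all_internet_via_hub
    the remote policy is 0.0.0.0/0 (the guide's 'any'), so every packet,
    Internet-bound or not, is sent through the tunnel."""
    nets = _nets(networks)
    if all_internet_via_hub:
        remote = ["0.0.0.0/0"]
    else:
        remote = [str(n) for name, n in sorted(nets.items()) if name != spoke]
    return {"peer": hub, "local": str(nets[spoke]), "remote": remote}


def validate(hub, networks):
    """Reject overlapping LANs, then return the hub's rule set."""
    bad = overlapping_networks(networks)
    if bad:
        raise ValueError(f"overlapping local networks: {bad}")
    return concentrator_rules(hub, networks)


if __name__ == "__main__":
    print(tunnel_counts(NETWORKS))
    for spoke, rule in validate(HUB, NETWORKS).items():
        print("hub rule for", spoke, rule)
    print(spoke_rule("B", HUB, NETWORKS, all_internet_via_hub=True))
    # Constructed faulty topology: D's LAN widened so it swallows C's.
    print(overlapping_networks(dict(NETWORKS, D="10.0.2.0/23")))
```

Running the script prints four hub rules, the spoke rule for B with remote 0.0.0.0/0, and the overlap report for the faulty topology, which flags the C/D pair that the first requirement forbids. The last bullet still applies to whatever you derive this way: a correct set of VPN rules does not exempt the tunnel traffic from the security policy, so policy rules between the spoke and hub zones must also permit it.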