Virtual Address Mapping

The goal is to establish a VPN tunnel using NAT over IPSec between two ZyWALL routers (ZyWALL 2 Plus <~> ZyWALL P1) that both sit in the same local IP range (192.168.1.1/24).

Overlapping Local And Remote Network IP Addresses

Devices behind the ZyWALL (local devices) and devices behind the remote IPSec router (remote devices) may both use private IP addresses. It is therefore possible that local devices and remote devices have the same IP addresses. This is known as overlapping local and remote IP addresses. For example, local network X uses IP addresses 192.168.1.2 to 192.168.1.4, and remote network Y uses IP addresses 192.168.1.2 to 192.168.1.27. If you select the "VPN rules skip applying to the overlap range of local and remote IP addresses" option (see VPN Global Setting), every time a computer on network X tries to access a network X computer with an IP address from 192.168.1.2 to 192.168.1.4, the ZyWALL sends the traffic through the VPN tunnel to network Y. If you clear that option (see VPN Global Setting), every time a computer on network X tries to access a network X computer with an IP address from 192.168.1.2 to 192.168.1.4, the ZyWALL sends the traffic to the local network.

Virtual Address Mapping

Virtual address mapping (NAT over IPSec) changes the source IP addresses of packets from your local devices to virtual IP addresses before sending them through the VPN tunnel.

Avoiding Overlapping Local And Remote Network IP Addresses

If both IPSec routers support virtual address mapping, you can access devices on both networks even if their IP addresses overlap. You map the ZyWALL's local network addresses to virtual IP addresses and map the remote IPSec router's local IP addresses to other (non-overlapping) virtual IP addresses.
Take the example from Overlapping Local And Remote Network IP Addresses above. You can set up virtual address mapping on both IPSec routers to allow computers on network X to access network X and network Y computers that have the same IP address. You set ZyWALL A to change the source IP addresses of packets from local network X (192.168.1.2 to 192.168.1.4) to the virtual IP addresses 10.0.0.2 to 10.0.0.4 before sending them through the VPN tunnel. You set ZyWALL B to change the source IP addresses of packets from remote network Y (192.168.1.2 to 192.168.1.27) to the virtual IP addresses 172.21.2.2 to 172.21.2.27 before sending them through the VPN tunnel. On ZyWALL A, you specify 172.21.2.2 to 172.21.2.27 as the remote network. On ZyWALL B, you specify 10.0.0.2 to 10.0.0.4 as the remote network. Computers on network X use IP addresses 192.168.1.2 to 192.168.1.4 to access local network devices and IP addresses 172.21.2.2 to 172.21.2.27 to access the remote network devices. Computers on network Y use IP addresses 192.168.1.2 to 192.168.1.27 to access local network devices and IP addresses 10.0.0.2 to 10.0.0.4 to access the remote network devices.
ZyWALL 2 Plus
1. LAN = 192.168.1.1/24 (255.255.255.0)
2. WAN = 192.168.2.100/24 (255.255.255.0)

VPN rule:
#  Name      Local Network                                        Remote Network       Encapsulation  IPSec Algorithm
-  ZyWALL2A  192.168.1.1-192.168.1.255 / 172.21.2.1-172.21.2.255  10.0.0.1-10.0.0.255  Tunnel         ESP AES-SHA1
ZyWALL P1
1. LAN = 192.168.1.1/24 (255.255.255.0)
2. WAN = 192.168.2.101/24 (255.255.255.0)

VPN rule:
#  Name      Local Network                                        Remote Network       Encapsulation  IPSec Algorithm
-  ZyWALLP1  192.168.1.1-192.168.1.255 / 172.21.2.1-172.21.2.255  10.0.0.1-10.0.0.255  Tunnel         ESP AES-SHA1
If you now run a ping from the LAN of the ZyWALL P1, it has to be directed at the address 10.0.0.1 in order to reach the ZyWALL 2 Plus at its actual address 192.168.1.1.

Syslog result on the LAN of the ZyWALL P1:

11-14-2006 15:30:06 Local1.Info 192.168.1.1 src="192.168.1.2" dst="10.0.0.1" msg="firewall default policy:
11-14-2006 15:30:05 Local1.Info 192.168.1.1 src="192.168.1.2" dst="10.0.0.1" msg="firewall default policy:
11-14-2006 15:30:04 Local1.Info 192.168.1.1 src="192.168.1.2" dst="10.0.0.1" msg="firewall default policy:
11-14-2006 15:30:03 Local1.Info 192.168.1.1 src="192.168.1.2" dst="10.0.0.1" msg="firewall default policy:

Syslog result on the LAN of the ZyWALL 2 Plus:

14-11-2006 15:34:02 Local2.Info ZyWALL2A.zyxeltech.de src="172.21.2.2" dst="192.168.1.1" msg="firewall
14-11-2006 15:34:01 Local2.Info ZyWALL2A.zyxeltech.de src="172.21.2.2" dst="192.168.1.1" msg="firewall
14-11-2006 15:34:00 Local2.Info ZyWALL2A.zyxeltech.de src="172.21.2.2" dst="192.168.1.1" msg="firewall
14-11-2006 15:33:59 Local2.Info ZyWALL2A.zyxeltech.de src="172.21.2.2" dst="192.168.1.1" msg="firewall
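The following model of the virtual address mapping described above, and of the ping in the lab syslog, is an added example and not ZyXEL code or a page original. It assumes, as the two syslog extracts imply, that the ZyWALL P1 maps its LAN to 172.21.2.0/24 and the ZyWALL 2 Plus maps its LAN to 10.0.0.0/24; the VpnRouter, Packet and trace names are the example's own.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

class VpnRouter:
    """One IPsec router with a NAT-over-IPsec rule (virtual address mapping):
    local_net = real LAN range, local_virt = what the LAN becomes inside the
    tunnel, remote_virt = the range under which the peer's LAN is reachable."""
    def __init__(self, name, local_net, local_virt, remote_virt):
        self.name = name
        self.local_net = ipaddress.ip_network(local_net)
        self.local_virt = ipaddress.ip_network(local_virt)
        self.remote_virt = ipaddress.ip_network(remote_virt)

    @staticmethod
    def _map(addr, from_net, to_net):
        # 1:1 mapping: keep the host part, swap the network prefix
        offset = int(ipaddress.ip_address(addr)) - int(from_net.network_address)
        return str(to_net.network_address + offset)

    def outbound(self, pkt):
        # LAN -> router: overlapping real addresses stay local; only the remote
        # virtual range goes into the tunnel, with the source rewritten.
        if ipaddress.ip_address(pkt.dst) in self.remote_virt:
            src = self._map(pkt.src, self.local_net, self.local_virt)
            return "tunnel", Packet(src, pkt.dst)
        return "local", pkt

    def inbound(self, pkt):
        # tunnel -> LAN: rewrite the virtual destination back to the real address
        if ipaddress.ip_address(pkt.dst) not in self.local_virt:
            raise ValueError(f"{self.name}: {pkt.dst} not in local virtual range")
        return Packet(pkt.src, self._map(pkt.dst, self.local_virt, self.local_net))

def trace(sender, receiver, pkt):
    """Packet as seen at each hop, i.e. what each side's syslog would show."""
    path, out = sender.outbound(pkt)
    if path == "local":
        return [(f"{sender.name} LAN (stays local)", pkt)]
    return [(f"{sender.name} LAN", pkt), ("tunnel", out),
            (f"{receiver.name} LAN", receiver.inbound(out))]

# Lab from the page: both LANs are 192.168.1.0/24. Assumed from the syslog extracts:
# the P1 maps its LAN to 172.21.2.0/24, the 2 Plus maps its LAN to 10.0.0.0/24.
P1 = VpnRouter("ZyWALL P1", "192.168.1.0/24", "172.21.2.0/24", "10.0.0.0/24")
ZW2 = VpnRouter("ZyWALL 2 Plus", "192.168.1.0/24", "10.0.0.0/24", "172.21.2.0/24")
```

Tracing Packet("192.168.1.2", "10.0.0.1") from P1 to ZW2 reproduces both log extracts: src 192.168.1.2 / dst 10.0.0.1 on the P1 side and src 172.21.2.2 / dst 192.168.1.1 on the ZyWALL 2 Plus side.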