Remote AP VPN
Overview
Remote AP allows users connected to an off-site (remote) AP to connect to on-site resources behind the Zyxel Device through a secure IPSec VPN tunnel.
• With a IPSec VPN tunnel, the encrypted IPSec tunnel is from the Zyxel Device to another Zyxel Device or the Zyxel Device to a client with IPSec client software installed.
• With a Managed AP license, the connection is from the Zyxel Device to a managed AP using GRE which encapsulates traffic, but does not encrypt it.
• With the Remote AP feature (in the Secure WiFi license) the connection is from the Zyxel Device to a managed AP using NVGRE (Network Virtualization using Generic Routing Encapsulation) over IPSec tunnel. This encapsulates and encrypts traffic from the remote AP to the Zyxel Device. The clients connected to the remote AP don’t need IPSec client software installed.
You can associate Secure Tunnel SSID profiles and Local Bridge SSID profiles with a remote AP.
Configure your AP using a Secure Tunnel SSID profiles if you want to access the network behind the Zyxel Device or to access the Internet. Network traffic from clients connected to these SSIDs is sent through the RAP tunnel to the Zyxel Device. The Zyxel Device then sends the traffic out through the interface defined in the SSID profile.
When you have multiple clients connected to the AP with different purposes, set the Secure Tunnel SSIDs for clients that want to access the network behind the Zyxel Device. Set the Local Bridge SSIDs for clients that want to access the Internet, but you don’t want them to access the network behind the Zyxel Device.
Configuring a Remote AP
Follow the steps below to access your company network from home through a remote AP.
1 Go to Configuration> Wireless> AP Management. In the Mgnt. AP List screen, click Show Advanced Settings.
2 Remote AP is only supported on certain AP models. Make sure the AP you want to configure as remote AP shows Remote AP under the AP Role Capability column in the table.
3 Double click on the AP you want to configure to show the Edit AP List screen. Select a pre-configured SSID Profile under Secure Tunnel SSID to access the company network behind the Zyxel Device.
4 Click on the interface to show the drop-down list box. Select an interface you want the AP traffic to go through on the Zyxel Device. The interface you select here will override the interface configured in the SSID Profile.
5 Click OK to save your settings. A secure NVGRE over IPSec tunnel is now created between the Zyxel Device and the AP. Users connected to the off-site AP can access the company network through this tunnel.
Remote AP VPN
Use this screen to assign an IP address to the outgoing interface of each RAP IPSec tunnel from this pool so each RAP IPSec tunnel interface IP address doesn’t conflict with each other.
Note: Clients connected to the remote AP use the destination IP address of the network behind the Zyxel Device. The Zyxel Device uses the IP address of the AP as the IPSec tunnel destination address.
The following table describes the fields in this screen.
Configuration > VPN > Remote AP VPN
Label | Description |
|---|
VPN Connection | This field shows the default VPN profile the Zyxel Device uses to create a secure tunnel between itself and the AP. |
IP Address Pool | Enter the start and end IPv4 addresses for the shared Remote AP IP address pool. The outgoing interface of each RAP IPSec tunnel is assigned an IP address from this pool. Also, WiFi clients are assigned addresses from the pool if the SSID is set to Local Bridge mode. |
Apply | Click Apply to save your changes in the Zyxel Device. |
Reset | Click Reset to return the screen to its last-saved settings. |