Buy our NEW Value Added Services, VPN Client Software or Nebula Licenses with 1-click

Now available
English Български Čeština Dansk Deutsch Español Suomi Français Magyar Italiano Nederlands Norsk Polski Română Русский Slovenčina svenska Türkçe

Secure WiFi End to Site icon

Avatar
Christoph Kutz
  • Updated

Secure WiFi service is used to build a secure L2 tunnel for Work-From-Home user to the office, guaranteeing the same security level, user experience, WiFi, and even IP address as in the office, which boosts up productivity and eases IT support.

mceclip0.png

 

Compatible Devices

General Information

Deployment Process

Licensing

 

 

 

Compatible Devices:

The following appliances and access points currently support secure WiFi:

USG FLEX series - ATP series - VPN series (requires at least Firmware 5.00)

WAX650S - WAX610D - WAX510D - WAC500 - WAC500H  (Requires at least Firmware  6.20)

 

 

General Information

Compared to the classic "Tunnel Mode", Secure Wifi provides data encryption for remote workers by using "GRE over IPsec VPN"

There is no gateway configuration needed on the remote site.

mceclip1.png

The maximum number of Remote APs is limited by the following 2 factors on your gateway:

  1.  Max. Number of "Concurrent IPsec VPN Tunnels"
  2.  50% of the maximum manageable APs of your gateway

 

 

Deployment process

1. Manage APs in LAN

Navigate to:

Monitor -> Wireless -> AP Information -> AP List -> "Show advanced Settings"

blobid0.png

In the Web GUI, we can check if the managed AP supports the "RemoteAP" role.

 

2. Configure AP role and SSID

Navigate to:

Configuration -> Wireless -> AP Management -> Mgnt. AP List

Select the AP where you want to enable the Remote AP role.

blobid1.png

Secure Wi-Fi is a per AP setting. First, we need to switch the AP Role to Remote AP via the checkbox.

After that, we can configure up to four Secure Tunnel SSIDs, define which interface the traffic will be tunnelled to, and where to broadcast the traffic.

In the GUI there are two local bridge SSIDs, where traffic won’t be tunnelled back to the Enterprise network.

 

3. Assign your Gateways' "WAN IP" as the AP's  "Controller IP"

Navigate to:

Configuration -> Wireless -> AP Management -> AP Policy

mceclip2.png

Please check the box for "Force Override AC IP Config on AP"

If your gateway is set up for Dual WAN, you can add the 2nd public IP to "Secondary Controller

You can also add an FQND if you, for example, use a DDNS service.

 

4. Verify the results

Now, the future Remote AP can be disconnected and moved to the Remote Site. Once it is booted up in the remote site, the AP will automatically establish the IPsec VPN connection with your gateway.

You can check the status here:

Monitor -> VPN Monitor -> Remote AP VPN 

mceclip3.png

Auto Added Config:

After enabling the Remote AP Feature, the following settings will be auto-enabled:

  • New Firewall Policy to allow CAPWAP traffic coming from WAN
  • A new Subnet (192.168.60.1/24) for the Remote AP VPN Clients
  • On the remote AP, Wireless Storm Control is automatically activated in order to avoid huge broadcast traffic flooding from the wireless part to your gateway and to other Remote APs.

 

 

Licensing

​Secure Wifi requires a separate License.

The Secure WiFi service also unlocks the number of managed APs to the maximum for the ATP/USG FLEX/VPN firewall.

Detailed information about the correct license for your device can be looked up here:

https://www.zyxel.com/products_services/Connectivity-Service-Secure-WiFi/license-and-spec 

 

Related articles

Comments

0 comments

Please sign in to leave a comment.