Zyxel H Series Firewall [next-hop in Policy Routes] Why Route-Based VPN Replaces Policy-Based VPN – And Why That’s a Good Thing

With the introduction of the Zyxel UOS operating system and the release of the new H Series, Zyxel has modernized the way VPN connections are handled. Unlike earlier-generation devices such as the USG and ATP series, H Series no longer supports using VPN tunnels as a next-hop in Policy Routes.

This is not a limitation, but rather a shift toward a modern, interface-based VPN architecture using route-based VPN with VTI (Virtual Tunnel Interface). This article explains the difference between policy-based and route-based VPN, and why this new approach is considered more reliable, scalable, and easier to manage.

Benefits of Route-based VPN with VTI on Zyxel USG FLEX H

• VPN tunnels are created as virtual interfaces (VTI) and participate in routing just like physical ports.
• No need to define VPN as next-hop in Policy Routes, reducing configuration complexity and risk of misconfiguration.
• Better integration with Zyxel’s zone-based security model.

Scenario:

• Headquarters uses multiple internal subnets:
  • 192.168.10.0/24 — Administration
  • 192.168.20.0/24 — Accounting
  • 192.168.30.0/24 — Warehouse
• The branch office needs access to all of them via VPN.

Problems with Policy-based VPN:

• Required creating a separate tunnel or policy for each subnet.
• Any network change (e.g., a new subnet) meant manual reconfiguration of policies and tunnels.

Using VTI on USG FLEX H:

• You create a single VPN tunnel between the sites.
• Configure standard static routes:

dst: 192.168.10.0/24 → via VTI-Office  
dst: 192.168.20.0/24 → via VTI-Office  
dst: 192.168.30.0/24 → via VTI-Office  

• When a new subnet (e.g., 192.168.40.0/24) is added — just add a route, no VPN reconfiguration needed.
• Access control is managed through security policies instead of static route logic.

Set up IPSec VPN Tunnel for uOS

This example demonstrates how to use the VPN Setup Wizard to configure a route-based site-to-site VPN tunnel with a ZLD device as the peer gateway, enabling secure access between the two sites once the tunnel is established.

Navigate to VPN > IPSec VPN > Site to Site VPN > Add. and go through all the steps of the wizard and fill in the appropriate fields:

• Name:
• IKE Version: IKEv2
• In the My Address field, select the required WAN interface
• In the Peer Gateway Address field, enter the public IP address of the remote (branch) device.
• Zone: IPSec_VPN
• For Authentication Method, select Pre-Shared Key (PSK).

Under Type, select: Route-Based.

1. In Remote Subnet, enter manually: 192.168.88.0/27.
2. In VTI Interface, enter: 169.254.63.164/255.255.255.255.
3. Verify that the diagram shows the connection from the local interface ge1 to the remote IP 93.159.250.211

Under Phase 1 Settings and Phase 2 Settings:

• Proposal: AES128 / SHA1
• DH Group: DH2 / DH14

Click OK.

• Configure the VTI Interface

Configuration > Network > Interface > VTI

Set up an IPSec VPN Tunnel for ZLD

Navigate to Configuration > VPN > IPSec VPN > VPN Gateway.

• Click Add anf Check Enable.
• Enter VPN Gateway Name:
• Select IKE Version: IKEv2
• Under My Address: Choose Interface: ge1 (with your public IP).
• Under Peer Gateway Address: enter the public IP address of the remote (HQ) device
• In Authentication: Choose Pre-Shared Key and enter the same key used on the Flex device.

• Configure the VTI Interface

Configuration > Network > Interface > VTI