Zyxel VPN1000, ATP500, USG20-VPN, ATP100W, VPN100 Handbook

...
1/865
www.zyxel.com
ATP/USG FLEX/VPN Series
ATP100 / ATP100W / ATP200 / ATP500 / ATP700 / ATP800
USG FLEX 50 / USG FLEX 50W / USG FLEX 100 / USG FLEX 100W / USG FLEX 200 / USG FLEX 500 / USG FLEX 700
VPN50 / VPN100 / VPN300 / VPN1000
USG20-VPN / USG20W-VPN
Security Firewalls
Firmware Version 5.31 07/2022
Handbook
Default Login Details
LAN Port IP Address: https://192.168.1.1
User Name: admin
Password: 1234
copyright © 2022 ZyXEL Communications Corporation
Table of Contents

Chapter 1- VPN .... 7
How to Configure Site-to-site IPSec VPN with Amazon VPC .... 7
How to Configure Site-to-site IPSec VPN with Microsoft (MS) Azure .... 20
How to Configure GRE over IPSec VPN Tunnel .... 37
How to Configure Site-to-site IPSec VPN Where the Peer has a Static IP Address .... 50
How to Configure Site-to-site IPSec VPN Where the Peer has a Dynamic IP Address .... 62
How to Configure IPSec Site to Site VPN while one Site is behind a NAT router .... 74
How to Configure Hub-and-Spoke IPSec VPN .... 87
How to Use Dual-WAN to Perform Fail-Over on VPN Using the VPN Concentrator .... 128
Remote Access VPN Wizard for SecuExtender IPSec and Non-SecuExtender IPSec VPN Clients .... 147
How to Configure Site-to-site IPSec VPN with FortiGate .... 165
How to Configure Site-to-site IPSec VPN with WatchGuard .... 177
How to Configure Site-to-site IPSec VPN with Cisco .... 190
How to Configure Site-to-site IPSec VPN with a SonicWALL router .... 204
How to Configure IPSec VPN Failover .... 220
How to Configure L2TP over IPSec VPN while the ZyWALL/USG is behind a NAT router .... 235
How to Configure L2TP VPN with Android 5.0 Mobile Devices .... 248
How to Configure L2TP VPN with iOS 8.4 Mobile Devices .... 260
How to Import ZyWALL/USG Certificate for L2TP over IPsec in Windows 10 .... 271
How to Import ZyWALL/USG Certificate for L2TP over IPsec in iOS mobile phone .... 289
How to Configure 2 factor for VPN connection? .... 300
How to Import ZyWALL/USG Certificate for L2TP over IPsec in Android mobile phone .... 316
How to Configure the L2TP VPN with Apple MAC OS X 10.11 Operating System .... 329
How to configure if I want user can only see SSL VPN Login button in web portal login page .... 341
How to Deploy SSL VPN with Apple Mac OS X 10.10 Operating System .... 348
How To Configure SSL VPN for Remote Access Mobile Devices .... 361
How to Configure an SSL VPN Tunnel (with SecuExtender version 4.0.0.1) on the Windows 10 Operating System .... 368
How to redirect multiple LAN interface traffic to the VPN tunnel .... 374
How to Create VTI and Configure VPN Failover with VTI .... 387
Remote access VPN Wizard .... 403
Remote access VPN Wizard-IKEv2 Client .... 411
VPN Configuration Provisioning with Upload Bandwidth Limit .... 424

Chapter 2- Security Service .... 430
How to block HTTPS websites by Domain Filter without applying SSL Inspection .... 430
How to Configure Content Filter 2.0 with Geo IP Blocking .... 437
How to Configure Content Filter 2.0 with HTTPs Domain Filter .... 441
How to block the client accessing to certain country using Geo IP and Content Filter .... 447
How To Schedule YouTube Access .... 454
How to Detect and Prevent TCP Port Scanning with ADP .... 464
How to Block Facebook .... 470
How to Exempt Specific Users from a Blocked Website .... 480
How to Control Access To Google Drive .... 488
How to Block HTTPS Websites Using Content Filtering and SSL Inspection .... 496
How to Block the Spotify Music Streaming Service .... 507
How does Anti-Malware work .... 511
How to Configure an Email Security Policy with Mail Scan and DNSBL .... 515
How to Configure Botnet Filter on ATP series? .... 520
How to Use Sandboxing to Detect Unknown Malware .... 526
How to configure Email Security for Phishing mail? .... 533
How to Use IP Reputation to Detect Threats .... 537
How to Configure Reputation Filter- DNS Filter .... 543
How to customize external block list in Reputation Filter .... 547
How to Configure DNS Content Filter (On-Premises) .... 553
How to Configure DNS Content Filter (On-Cloud) .... 558
How to configure Collaborative Detection & Response to identify and quarantine compromised devices from your network .... 562

Chapter 3- Authentication .... 571
How to Activate Hotspot Free Time Service .... 571
How to setup Two-Factor Authentication for admin login .... 577
How to setup Email to SMS .... 584
How to Use Two Factor with Google Authenticator for Admin Access .... 590
How to Use Two Factor with Google Authenticator for VPN Access .... 599

Chapter 4- Device HA .... 609
How to Configure Device HA Pro .... 609
How to Configure Schedule Reboot in Device HA .... 617

Chapter 5- IPv6 .... 620
How to set up 6to4 on the WAN and autoconf on the LAN .... 620
How to set up 6to4 on the WAN and DHCPv6 on the LAN .... 625
How to set up Static IPv6 on WAN and auto-configuration on the LAN .... 630
How to set up Static IPv6 on WAN and DHCPv6 on the LAN .... 635
How to Set Up DHCPv6 without prefix delegation on the WAN and autoconf on the LAN .... 640
How to Set Up DHCPv6 with prefix delegation on the WAN and DHCPv6 on the LAN .... 645
How to Set Up Autoconf on the WAN and DHCPv6 on the LAN .... 651
How to Set Up 6rd on the WAN and autoconf on the LAN .... 656
How to Set Up IPv6 over PPPoE on the WAN .... 662

Chapter 6- Wireless .... 667
How to Set Up a WiFi Network with ZyXEL APs .... 667
How to Set Up Guest WiFi Network Accounts .... 672
How to create a Wi-Fi VLAN interfaces to separate staff network and Guest network .... 681
How to Set Up WiFi Networks with Microsoft Active Directory Authentication .... 696
How to Configure Secure Wi-Fi to Secure the Wireless Environment? .... 704

Chapter 7- Maintenance .... 709
How to Manage ZyWALL/USG Configuration Files .... 709
How to Manage ZyWALL/USG Firmware .... 715
How to Automatically Reboot the ZyWALL/USG by Schedule .... 721
How to continuously run a ZySH script .... 726
How to Update Firmware Automatically from a USB Storage .... 730

Chapter 8- Others .... 737
How to Get Started Using the Wizards .... 737
How to Restrict Web Portal access from the Internet .... 752
How to Setup and Configure Daily Report .... 756
How to Setup and Configure Email Logs .... 762
How to Setup and send logs to a Syslog Server .... 766
How to Setup and send logs to the USB storage .... 772
How to Perform and Use the Packet Capture Feature on the ZyWALL/USG .... 776
How to Exempt Specific Users from Security Control .... 781
How to Configure Bandwidth Management for FTP and HTTP Traffic .... 788
How to Limit BitTorrent or Other Peer-to-Peer Traffic .... 795
How to Configure a Trunk for WAN Load Balancing with a Static or Dynamic IP Address .... 801
How to Configure DNS Inbound Load Balancing to balance DNS Queries Among Interfaces .... 806
How to Manage Voice Traffic .... 811
How to Configure the 3G/LTE Interface on the ZyWALL/USG as a WAN Backup .... 818
How to Configure Two Different WAN Interfaces with Different IP Addresses in the Same VLAN .... 823
How to Let a Server Use the Same Public IP Address as the WAN Interface Using the Bridge Interface .... 828
How to Allow Public Access to a Server Behind ZyWALL/USG .... 831
How to Configure DHCP Option 60 – Vendor Class Identifier .... 835
How to set up Link Aggregation Group (LAG) .... 839
How to configure Device Insight .... 847

Chapter 9- Nebula Mode .... 851
How to Deploy with Nebula Native Mode for Gateway obtained ZTP Certificate? .... 851
Change Site and Organization without Doing ZTP .... 863
Chapter 1- VPN
How to Configure Site-to-site IPSec VPN with Amazon VPC
This example shows how to use the VPN Setup Wizard to create a site-to-site
IPSec VPN between a ZyWALL/USG and an Amazon VPC. It walks through the
configuration on both sides of the tunnel. Once the tunnel is up, each site can
reach the other's private network securely.
ZyWALL/USG Site-to-site IPSec VPN with Amazon VPC
Note:
All network IP addresses and subnet masks are used as examples in this article.
Please replace them with your actual network IP addresses and subnet masks.
This example was tested using USG110 (Firmware Version: ZLD 4.25) and Amazon
VPC (June, 2016).
Set Up the IPSec VPN Tunnel on the Amazon VPC
1 Sign into the Amazon AWS Management Console. Go to Networking > VPC.
Amazon AWS Management Console > Networking > VPC
2 In the upper left-hand of the screen, click Start VPC Wizard.
Amazon VPC Management Console > Networking > VPC > Start VPC Wizard
3 On the Select a VPC Configuration page, choose VPC with a Private Subnet Only and
Hardware VPN Access, then click Select.
Select a VPC Configuration > VPC with a Private Subnet Only and Hardware VPN
Access
4 On the VPC with a Private Subnet Only and Hardware VPN page, enter your IP CIDR
block and Private subnet. Click Next.
VPC with a Private Subnet Only and Hardware VPN
5 Under Configure your VPN, enter the ZyWALL/USG public IP address as the Customer
Gateway IP, then name the Customer Gateway and the VPN Connection. Click Create
VPC at the bottom of the page.
Configure your VPN
6 In the VPC Dashboard, go to VPN Connections and click Download Configuration on
the upper bar. Set Vendor and Platform to Generic and click Yes, Download.
VPC Dashboard > VPN Connections
7 Open the downloaded configuration .txt file. It lists the IKE SA (Phase 1) and
IPSec SA (Phase 2) parameters and the Virtual Private Gateway IP address. Make sure
every setting matches what you enter on the ZyWALL/USG. The file also contains the
pre-shared key in clear text, so store it as you would any other secret.
Configuration txt. File
Set Up the IPSec VPN Tunnel on the ZyWALL/USG
In the ZyWALL/USG, go to Quick Setup > VPN Setup Wizard, use the VPN Settings
wizard to create a VPN rule that can be used with the Amazon VPC. Click Next.
Quick Setup > VPN Setup Wizard > Welcome
Choose Advanced to create a VPN rule with customized Phase 1 and Phase 2
settings and authentication method. Click Next.
Quick Setup > VPN Setup Wizard > Welcome > Wizard Type
Type the Rule Name used to identify this VPN connection (and VPN gateway).
You may use 1-31 alphanumeric characters. This value is case-sensitive. Select
the rule to be Site-to-site. Click Next.
Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario)
Then, configure the Secure Gateway IP as the peer Amazon VPC’s Gateway IP
address (in the example, 52.39.135.203); select My Address to be the interface
connected to the Internet.
Set the Negotiation, Encryption, Authentication, Key Group and SA Life Time
which Amazon VPC supports. Type a secure Pre-Shared Key.
Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Phase 1
Setting)
Continue to Phase 2 Settings to select the Encapsulation, Encryption,
Authentication, and SA Life Time settings which Amazon VPC supports.
Set Local Policy to be the IP address range of the network connected to the
ZyWALL/USG and Remote Policy to be the IP address range of the network
connected to the Amazon VPC. Click OK.
Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings
(Phase 2 Setting)
Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings
(Summary)
Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear
in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings
appear in the VPN > IPSec VPN > VPN Connection screen. Click Close to exit the
wizard.
Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings >
Wizard Completed
Test the IPSec VPN Tunnel
Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection and click
Connect on the upper bar. The Status icon lights up once the tunnel is
established.
CONFIGURATION > VPN > IPSec VPN > VPN Connection
Go to ZyWALL/USG MONITOR > VPN Monitor > IPSec and verify the tunnel Up
Time and the Inbound(Bytes)/Outbound(Bytes) traffic.
MONITOR > VPN Monitor > IPSec
To test whether the tunnel is working, ping a host in the AWS VPC private subnet
from a host on the local LAN. Make sure the local host can reach the Internet
through the ZyWALL/USG, and that the instance's security group allows ICMP from
the local LAN range (it does not by default).
Ping from Local LAN to AWS VPC private subnet for verification:
What Could Go Wrong?
If you see an [info] or [error] log message like the one below, check the
ZyWALL/USG Phase 1 settings. Make sure each value (negotiation mode, encryption,
authentication, key group, SA lifetime and pre-shared key) is one that the Amazon
VPC IKE Phase 1 list supports.
MONITOR > Log
If the log shows that the Phase 1 IKE SA completed but you still get the [info]
message below, check the ZyWALL/USG Phase 2 settings. Make sure each value is one
that the Amazon VPC IPSec Phase 2 list supports, and that the Local and Remote
Policy ranges match the subnets on each side.
MONITOR > Log
How to Configure Site-to-site IPSec VPN with Microsoft (MS) Azure
This example shows how to use the VPN Setup Wizard to create a site-to-site IPSec
VPN between a ZyWALL/USG and Microsoft (MS) Azure. It walks through the
configuration on both sides of the tunnel. Once the tunnel is up, each site can
reach the other's private network securely.
ZyWALL Site-to-site IPSec VPN with Microsoft (MS) Azure
Set Up the IPSec VPN Tunnel on the ZyWALL/USG
Note:
All network IP addresses and subnet masks are used as examples in this article. Please
replace them with your actual network IP addresses and subnet masks. This example was
tested using USG40 (Firmware Version: ZLD 4.25) and MS Azure (April, 2016).
In the ZyWALL/USG, go to Quick Setup > VPN Setup Wizard, use the VPN Settings
wizard to create a VPN rule that can be used with the MS Azure. Click Next.
Quick Setup > VPN Setup Wizard > Welcome
Choose Advanced to create a VPN rule with customized Phase 1 and Phase 2
settings and authentication method. Click Next.
Quick Setup > VPN Setup Wizard > Welcome > Wizard Type
Type the Rule Name used to identify this VPN connection (and VPN gateway).
You may use 1-31 alphanumeric characters. This value is case-sensitive. Select the
rule to be Site-to-site. Click Next.
Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario)
Then, configure the Secure Gateway IP as the peer MS Azure’s Gateway IP
address (in the example, 13.75.42.148); select My Address to be the interface
connected to the Internet.
Set the Negotiation, Encryption, Authentication, Key Group and SA Life Time to
values that MS Azure supports. Disable Dead Peer Detection (DPD): the Azure
IKEv1 policy-based gateway does not support it, and leaving it on can tear the
tunnel down. Type a secure Pre-Shared Key.
Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Phase
1 Setting)
Continue to Phase 2 Settings to select the Encapsulation, Encryption,
Authentication, and SA Life Time settings which MS Azure supports.
Note: For more information about the IPsec Parameters supported in MS Azure, see the
Microsoft Azure Documentation About VPN devices for Site-to-Site VPN Gateway
connections.
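Step 7 of the Amazon VPC procedure above says to make sure the IKE SA and IPSec SA values in the downloaded file match the ZyWALL/USG, and the Azure Phase 1 and Phase 2 steps above say to pick values Azure supports and to disable DPD. The script below is an added example, not Zyxel, AWS or Microsoft code: it parses a constructed sample written in the layout of the AWS "Generic" vendor download (the exact layout of a real download is an assumption; the parser only relies on the "  - Key : Value" lines), maps the AWS spellings onto the wizard's drop-down vocabulary, and reports every Phase 1/Phase 2 field that differs from what the peer accepts. The Azure values are the policy-based IKEv1 gateway defaults as listed in the Microsoft document the note references; treat them as an assumption and confirm them against the current page. It also lists choices (DES/3DES, MD5/SHA1, DH groups 1, 2 and 5) that both clouds accepted in 2016 but that should be avoided wherever the peer offers stronger options.

```python
import re

# Constructed sample in the layout of the AWS "Generic" vendor download
# (not a real file; only the lines the checker reads, with the PSK redacted).
AWS_GENERIC_CONFIG = """\
#1: Internet Key Exchange Configuration
  - Authentication Method    : Pre-Shared Key
  - Pre-Shared Key           : REDACTED
  - Authentication Algorithm : sha1
  - Encryption Algorithm     : aes-128-cbc
  - Lifetime                 : 28800 seconds
  - Phase 1 Negotiation Mode : main
  - Perfect Forward Secrecy  : Diffie-Hellman Group 2

#2: IPSec Configuration
  - Protocol                 : esp
  - Authentication Algorithm : hmac-sha1-96
  - Encryption Algorithm     : aes-128-cbc
  - Lifetime                 : 3600 seconds
  - Mode                     : tunnel
  - Perfect Forward Secrecy  : Diffie-Hellman Group 2

#3: Tunnel Interface Configuration
Outside IP Addresses:
  - Customer Gateway         : 203.0.113.10
  - Virtual Private Gateway  : 52.39.135.203
"""

SECTION_RE = re.compile(r"^#(\d+):")
KV_RE = re.compile(r"^\s*-\s*(.+?)\s*:\s*(.+?)\s*$")


def parse_aws_generic(text):
    """Return {section number: {lower-cased key: value}} from '  - Key : Value' lines."""
    sections, cur = {}, None
    for line in text.splitlines():
        if m := SECTION_RE.match(line):
            cur = int(m.group(1))
            sections[cur] = {}
        elif cur is not None and (m := KV_RE.match(line)):
            sections[cur][m.group(1).lower()] = m.group(2)
    return sections


# Map AWS spellings onto the wizard's drop-down vocabulary.
def _enc(v):   # aes-128-cbc -> AES128, 3des-cbc -> 3DES
    v = v.lower()
    return "AES" + v.split("-")[1] if v.startswith("aes-") else v.split("-")[0].upper()

def _auth(v):  # hmac-sha1-96 -> SHA1, sha2-256 -> SHA256
    v = v.lower().replace("hmac-", "").replace("sha2-", "sha")
    return re.sub(r"-\d+$", "", v).upper()

def _dh(v):    # "Diffie-Hellman Group 2" -> DH2
    m = re.search(r"group\s*(\d+)", v, re.I)
    return "DH" + m.group(1) if m else v.upper()

def _secs(v):  # "28800 seconds" -> 28800
    return int(re.match(r"\d+", v).group(0))


def aws_to_zywall(sections):
    """Translate the parsed download into the wizard's Phase 1 / Phase 2 fields."""
    ike, ipsec, tun = sections[1], sections[2], sections[3]
    return {
        "phase1": {"negotiation": ike["phase 1 negotiation mode"].capitalize(),
                   "encryption": _enc(ike["encryption algorithm"]),
                   "authentication": _auth(ike["authentication algorithm"]),
                   "key_group": _dh(ike["perfect forward secrecy"]),
                   "sa_lifetime": _secs(ike["lifetime"])},
        "phase2": {"encapsulation": ipsec["mode"].capitalize(),
                   "encryption": _enc(ipsec["encryption algorithm"]),
                   "authentication": _auth(ipsec["authentication algorithm"]),
                   "pfs": _dh(ipsec["perfect forward secrecy"]),
                   "sa_lifetime": _secs(ipsec["lifetime"])},
        "secure_gateway": tun["virtual private gateway"],   # Secure Gateway IP in the wizard
    }


# Azure policy-based (IKEv1) gateway defaults as listed in the Microsoft
# "About VPN devices" document. Assumed here; confirm against the current page.
AZURE_POLICY_BASED = {
    "phase1": {"negotiation": "Main", "encryption": "AES256", "authentication": "SHA1",
               "key_group": "DH2", "sa_lifetime": 28800},
    "phase2": {"encapsulation": "Tunnel", "encryption": "AES256", "authentication": "SHA1",
               "pfs": "None", "sa_lifetime": 3600},
    "dpd": False,  # the handbook: disable DPD, the policy-based gateway does not support it
}

# What an operator typed into the wizard for the AWS tunnel (constructed).
ZYWALL_FOR_AWS = {
    "phase1": {"negotiation": "Main", "encryption": "AES128", "authentication": "SHA1",
               "key_group": "DH2", "sa_lifetime": 28800},
    "phase2": {"encapsulation": "Tunnel", "encryption": "AES128", "authentication": "SHA1",
               "pfs": "DH2", "sa_lifetime": 3600},
    "dpd": True,
}


def check(zywall, peer):
    """List every field where the wizard values differ from what the peer accepts."""
    problems = [f"{ph}.{k}: ZyWALL={zywall[ph].get(k)} peer={want}"
                for ph in ("phase1", "phase2")
                for k, want in peer[ph].items() if zywall[ph].get(k) != want]
    if "dpd" in peer and zywall.get("dpd", False) != peer["dpd"]:
        problems.append(f"dpd: ZyWALL={zywall.get('dpd', False)} peer={peer['dpd']}")
    return problems


LEGACY = {"DES", "3DES", "MD5", "SHA1", "DH1", "DH2", "DH5"}

def legacy_settings(zywall):
    """Fields that negotiate fine but rely on algorithms or groups now considered legacy."""
    return [f"{ph}.{k}={v}" for ph in ("phase1", "phase2")
            for k, v in zywall[ph].items() if v in LEGACY]


if __name__ == "__main__":
    aws = aws_to_zywall(parse_aws_generic(AWS_GENERIC_CONFIG))
    print("Secure Gateway for the wizard:", aws["secure_gateway"])
    print("AWS mismatches:", check(ZYWALL_FOR_AWS, aws) or "none")
    print("Same values against Azure:", check(ZYWALL_FOR_AWS, AZURE_POLICY_BASED))
    print("Legacy choices:", legacy_settings(ZYWALL_FOR_AWS))
```

Run it with the real download pasted in place of the sample and the values you entered in the wizard: an empty mismatch list for the peer you are building means a Phase 1 or Phase 2 failure in MONITOR > Log is not a proposal problem and you should look at the pre-shared key, the Local/Remote Policy ranges and (for Azure) DPD instead. The same AWS-style values checked against the Azure set show why a rule copied from one cloud to the other fails: encryption strength, PFS and DPD all differ.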
Set Local Policy to be the IP address range of the network connected to the
ZyWALL/USG and Remote Policy to be the IP address range of the network
connected to the MS Azure. Click OK.
Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Phase
2 Setting)
This screen provides a read-only summary of the VPN tunnel. Click Save.
Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings
(Summary)
Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in
the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear
in the VPN > IPSec VPN > VPN Connection screen. Click Close to exit the wizard.
Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings >
Wizard Completed
Set Up the IPSec VPN Tunnel on the MS Azure
Sign into the Windows Azure Management Portal. In the upper left-hand corner of
the screen, click +New > Networking > Virtual Network.
Azure portal > New > Networking > Virtual Network
Near the bottom of the Virtual Network blade, from the Select a deployment
model list, select Resource Manager, and then click Create.
New > Networking > Virtual Network > Select a deployment model
On the Create virtual network page, enter the NAME for the VPN network. For
example, VPN_Vnet_to_USG. Add your Address Space, Subnet name and a single
Subnet address range.
Click Resource group and either select an existing resource group, or create a
new one by typing a name for your new resource group. For example, RG_USG.
LOCATION is directly related to the physical location (region) where the virtual
machines (VMs) reside. The region associated with the virtual network cannot be
changed after it has been created.
Then, click the Create button. After clicking Create, you will see a tile on your
dashboard that will reflect the progress of your VNet. The tile will change as the
VNet is being created.
New > Networking > Virtual Network > Create virtual network
In the portal, navigate to the virtual network that you just created. On the
blade for your virtual network, click the Settings icon at the top of the blade to
expand the Settings blade, then go to Subnets > Add > Add Subnet. Name the subnet
GatewaySubnet; it must have exactly this name or the gateway will not work. Add the
IP address range for the gateway subnet. Click OK at the bottom of the blade to
create the subnet.
VPN Vnet_to_USG > Settings > Subnet > Add subnet
In the portal, go to New, then Networking. Select Virtual network gateway from
the list. On the Create virtual network gateway blade Name field, name your
gateway. Next, choose the Virtual network that you want to deploy this gateway
to.
Click the arrow (>) to open the Choose public IP address blade. Then click Create
New to open the Create public IP address blade. Input a Name for your public IP
address. Note that this is not asking for an IP address. The IP address will be
assigned dynamically. Rather, this is the name of the IP address object that the
address will be assigned to. Click OK to save your changes.
For Gateway type, select VPN. For VPN type, select Policy-based. For Resource
Group, the resource group is determined by the Virtual Network that you select.
For Location, make sure it's showing the location that both your Resource Group
and VNet exist in.
New > Networking > Create virtual network gateway > Choose public IP address >
Create public IP address
In the Azure Portal, navigate to New > Networking > Local network gateway. The
local network gateway refers to your ZyWALL/USG public IP and local subnet
settings.
On the Create local network gateway blade, enter a Name for the ZyWALL/USG
gateway object.
Specify the public IP address of your ZyWALL/USG; it cannot be behind NAT and must
be reachable from Azure. Address space is the address range of the network behind
the ZyWALL/USG (the same range you entered as the Local Policy on the ZyWALL side).
For Resource Group, select the resource group you created earlier. For Location,
you can use the same location as the virtual network gateway, but this is not
required; the local network gateway can be in a different location.
Click Create to create the local network gateway.