Zyxel VPN1000, ATP500, USG20-VPN, ATP100W, VPN100 Handbook

...
1/865
www.zyxel.com
ATP/USG FLEX/VPN Series
ATP100 / ATP100W / ATP200 / ATP500/ ATP700/ ATP800
USG FLEX 50 / USG FLEX 50W/ USG FLEX 100 USG FLEX 100W / USG FLEX 200 / USG FLEX 500 USG FLEX 700
VPN50 / VPN100 /VPN300 /VPN1000
USG20-VPN/ USG20W-VPN
Security Firewalls
Firmware Version 5.31 07/2022
Handbook
Default Login Details
LAN Port IP Address: https://192.168.1.1
User Name: admin
Password: 1234
copyright © 2022 ZyXEL Communications Corporation
Table of Contents
Chapter 1- VPN ..... 7
How to Configure Site-to-site IPSec VPN with Amazon VPC ..... 7
How to Configure Site-to-site IPSec VPN with Microsoft (MS) Azure ..... 20
How to Configure GRE over IPSec VPN Tunnel ..... 37
How to Configure Site-to-site IPSec VPN Where the Peer has a Static IP Address ..... 50
How to Configure Site-to-site IPSec VPN Where the Peer has a Dynamic IP Address ..... 62
How to Configure IPSec Site to Site VPN while one Site is behind a NAT router ..... 74
How to Configure Hub-and-Spoke IPSec VPN ..... 87
How to Use Dual-WAN to Perform Fail-Over on VPN Using the VPN Concentrator ..... 128
Remote Access VPN Wizard for SecuExtender IPSec and Non-SecuExtender IPSec VPN Clients ..... 147
How to Configure Site-to-site IPSec VPN with FortiGate ..... 165
How to Configure Site-to-site IPSec VPN with WatchGuard ..... 177
How to Configure Site-to-site IPSec VPN with Cisco ..... 190
How to Configure Site-to-site IPSec VPN with a SonicWALL router ..... 204
How to Configure IPSec VPN Failover ..... 220
How to Configure L2TP over IPSec VPN while the ZyWALL/USG is behind a NAT router ..... 235
How to Configure L2TP VPN with Android 5.0 Mobile Devices ..... 248
How to Configure L2TP VPN with iOS 8.4 Mobile Devices ..... 260
How to Import ZyWALL/USG Certificate for L2TP over IPsec in Windows 10 ..... 271
How to Import ZyWALL/USG Certificate for L2TP over IPsec in iOS mobile phone ..... 289
How to Configure 2 factor for VPN connection? ..... 300
How to Import ZyWALL/USG Certificate for L2TP over IPsec in Android mobile phone ..... 316
How to Configure the L2TP VPN with Apple MAC OS X 10.11 Operating System ..... 329
How to configure if I want user can only see SSL VPN Login button in web portal login page ..... 341
How to Deploy SSL VPN with Apple Mac OS X 10.10 Operating System ..... 348
How To Configure SSL VPN for Remote Access Mobile Devices ..... 361
How to Configure an SSL VPN Tunnel (with SecuExtender version 4.0.0.1) on the Windows 10 Operating System ..... 368
How to redirect multiple LAN interface traffic to the VPN tunnel ..... 374
How to Create VTI and Configure VPN Failover with VTI ..... 387
Remote access VPN Wizard ..... 403
Remote access VPN Wizard-IKEv2 Client ..... 411
VPN Configuration Provisioning with Upload Bandwidth Limit ..... 424
Chapter 2- Security Service ..... 430
How to block HTTPS websites by Domain Filter without applying SSL Inspection ..... 430
How to Configure Content Filter 2.0 with Geo IP Blocking ..... 437
How to Configure Content Filter 2.0 with HTTPs Domain Filter ..... 441
How to block the client accessing to certain country using Geo IP and Content Filter ..... 447
How To Schedule YouTube Access ..... 454
How to Detect and Prevent TCP Port Scanning with ADP ..... 464
How to Block Facebook ..... 470
How to Exempt Specific Users from a Blocked Website ..... 480
How to Control Access To Google Drive ..... 488
How to Block HTTPS Websites Using Content Filtering and SSL Inspection ..... 496
How to Block the Spotify Music Streaming Service ..... 507
How does Anti-Malware work ..... 511
How to Configure an Email Security Policy with Mail Scan and DNSBL ..... 515
How to Configure Botnet Filter on ATP series? ..... 520
How to Use Sandboxing to Detect Unknown Malware ..... 526
How to configure Email Security for Phishing mail? ..... 533
How to Use IP Reputation to Detect Threats ..... 537
How to Configure Reputation Filter- DNS Filter ..... 543
How to customize external block list in Reputation Filter ..... 547
How to Configure DNS Content Filter (On-Premises) ..... 553
How to Configure DNS Content Filter (On-Cloud) ..... 558
How to configure Collaborative Detection & Response to identify and quarantine compromised devices from your network ..... 562
Chapter 3- Authentication ..... 571
How to Activate Hotspot Free Time Service ..... 571
How to setup Two-Factor Authentication for admin login ..... 577
How to setup Email to SMS ..... 584
How to Use Two Factor with Google Authenticator for Admin Access ..... 590
How to Use Two Factor with Google Authenticator for VPN Access ..... 599
Chapter 4- Device HA ..... 609
How to Configure Device HA Pro ..... 609
How to Configure Schedule Reboot in Device HA ..... 617
Chapter 5- IPv6 ..... 620
How to set up 6to4 on the WAN and autoconf on the LAN ..... 620
How to set up 6to4 on the WAN and DHCPv6 on the LAN ..... 625
How to set up Static IPv6 on WAN and auto-configuration on the LAN ..... 630
How to set up Static IPv6 on WAN and DHCPv6 on the LAN ..... 635
How to Set Up DHCPv6 without prefix delegation on the WAN and autoconf on the LAN ..... 640
How to Set Up DHCPv6 with prefix delegation on the WAN and DHCPv6 on the LAN ..... 645
How to Set Up Autoconf on the WAN and DHCPv6 on the LAN ..... 651
How to Set Up 6rd on the WAN and autoconf on the LAN ..... 656
How to Set Up IPv6 over PPPoE on the WAN ..... 662
Chapter 6- Wireless ..... 667
How to Set Up a WiFi Network with ZyXEL APs ..... 667
How to Set Up Guest WiFi Network Accounts ..... 672
How to create a Wi-Fi VLAN interfaces to separate staff network and Guest network ..... 681
How to Set Up WiFi Networks with Microsoft Active Directory Authentication ..... 696
How to Configure Secure Wi-Fi to Secure the Wireless Environment? ..... 704
Chapter 7- Maintenance ..... 709
How to Manage ZyWALL/USG Configuration Files ..... 709
How to Manage ZyWALL/USG Firmware ..... 715
How to Automatically Reboot the ZyWALL/USG by Schedule ..... 721
How to continuously run a ZySH script ..... 726
How to Update Firmware Automatically from a USB Storage ..... 730
Chapter 8- Others ..... 737
How to Get Started Using the Wizards ..... 737
How to Restrict Web Portal access from the Internet ..... 752
How to Setup and Configure Daily Report ..... 756
How to Setup and Configure Email Logs ..... 762
How to Setup and send logs to a Syslog Server ..... 766
How to Setup and send logs to the USB storage ..... 772
How to Perform and Use the Packet Capture Feature on the ZyWALL/USG ..... 776
How to Exempt Specific Users from Security Control ..... 781
How to Configure Bandwidth Management for FTP and HTTP Traffic ..... 788
How to Limit BitTorrent or Other Peer-to-Peer Traffic ..... 795
How to Configure a Trunk for WAN Load Balancing with a Static or Dynamic IP Address ..... 801
How to Configure DNS Inbound Load Balancing to balance DNS Queries Among Interfaces ..... 806
How to Manage Voice Traffic ..... 811
How to Configure the 3G/LTE Interface on the ZyWALL/USG as a WAN Backup ..... 818
How to Configure Two Different WAN Interfaces with Different IP Addresses in the Same VLAN ..... 823
How to Let a Server Use the Same Public IP Address as the WAN Interface Using the Bridge Interface ..... 828
How to Allow Public Access to a Server Behind ZyWALL/USG ..... 831
How to Configure DHCP Option 60 – Vendor Class Identifier ..... 835
How to set up Link Aggregation Group (LAG) ..... 839
How to configure Device Insight ..... 847
Chapter 9- Nebula Mode ..... 851
How to Deploy with Nebula Native Mode for Gateway obtained ZTP Certificate? ..... 851
Change Site and Organization without Doing ZTP ..... 863
Chapter 1- VPN
How to Configure Site-to-site IPSec VPN with Amazon VPC
This example shows how to use the VPN Setup Wizard to create a site-to-site
VPN between a ZyWALL/USG and an Amazon VPC platform. The example
instructs how to configure the VPN tunnel between each site. When the VPN
tunnel is configured, each site can be accessed securely.
ZyWALL/USG Site-to-site IPSec VPN with Amazon VPC
Note:
All network IP addresses and subnet masks are used as examples in this article.
Please replace them with your actual network IP addresses and subnet masks.
This example was tested using USG110 (Firmware Version: ZLD 4.25) and Amazon
VPC (June, 2016).
Set Up the IPSec VPN Tunnel on the Amazon VPC
1 Sign into the Amazon AWS Management Console. Go to Networking > VPC.
Amazon AWS Management Console > Networking > VPC
2 In the upper left-hand of the screen, click Start VPC Wizard.
Amazon VPC Management Console > Networking > VPC > Start VPC Wizard
3 Select a VPC Configuration, select VPC with a Private Subnet Only and Hardware
VPN Access, and then click Select.
Select a VPC Configuration > VPC with a Private Subnet Only and Hardware VPN
Access
4 VPC with a Private Subnet Only and Hardware VPN, add your IP CIDR block and
Private subnet. Click Next.
VPC with a Private Subnet Only and Hardware VPN
5 Configure your VPN, add your ZyWALL/USG public IP address into Customer
Gateway IP. Name your Customer Gateway name and VPN Connection name.
Click Create VPC at the bottom of the blade.
Configure your VPN
6 In the VPC Dashboard, go to VPN Connections. Select Download Configuration
from the upper bar. Select Vendor and Platform to be Generic. Click Yes,
Download.
VPC Dashboard > VPN Connections
7 Open the downloaded configuration .txt file. It lists the IKE SA, IPSec SA and
Gateway IP address. Make sure all of these settings match the settings on your
ZyWALL/USG.
Configuration .txt file
Set Up the IPSec VPN Tunnel on the ZyWALL/USG
In the ZyWALL/USG, go to Quick Setup > VPN Setup Wizard, use the VPN Settings
wizard to create a VPN rule that can be used with the Amazon VPC. Click Next.
Quick Setup > VPN Setup Wizard > Welcome
Choose Advanced to create a VPN rule with customized Phase 1 and Phase 2
settings and authentication method. Click Next.
Quick Setup > VPN Setup Wizard > Welcome > Wizard Type
Type the Rule Name used to identify this VPN connection (and VPN gateway).
You may use 1-31 alphanumeric characters. This value is case-sensitive. Select
the rule to be Site-to-site. Click Next.
Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario)
Then, configure the Secure Gateway IP as the peer Amazon VPC’s Gateway IP
address (in the example, 52.39.135.203); select My Address to be the interface
connected to the Internet.
Set the Negotiation, Encryption, Authentication, Key Group and SA Life Time
which Amazon VPC supports. Type a secure Pre-Shared Key.
Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Phase 1
Setting)
Continue to Phase 2 Settings to select the Encapsulation, Encryption,
Authentication, and SA Life Time settings which Amazon VPC supports.
Set Local Policy to be the IP address range of the network connected to the
ZyWALL/USG and Remote Policy to be the IP address range of the network
connected to the Amazon VPC. Click OK.
Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings
(Phase 2 Setting)
Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings
(Summary)
Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear
in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings
appear in the VPN > IPSec VPN > VPN Connection screen. Click Close to exit the
wizard.
Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings >
Wizard Completed
Test the IPSec VPN Tunnel
Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection, click
Connect on the upper bar. The Status connect icon is lit when the interface is
connected.
CONFIGURATION > VPN > IPSec VPN > VPN Connection
Go to ZyWALL/USG MONITOR > VPN Monitor > IPSec and verify the tunnel Up
Time and the Inbound(Bytes)/Outbound(Bytes) traffic.
MONITOR > VPN Monitor > IPSec
To test whether or not a tunnel is working, ping from a Local LAN to AWS VPC private
Subnet for verification. Ensure that both computers have Internet access.
Ping from Local LAN to AWS VPC private Subnet for verification:
What Could Go Wrong?
If you see the [info] or [error] log message below, check the ZyWALL/USG Phase 1
settings. Make sure the ZyWALL/USG Phase 1 settings are in the list of Phase 1
parameters that Amazon VPC supports.
MONITOR > Log
If the Phase 1 IKE SA completes but you still get the [info] log message below,
check the ZyWALL/USG Phase 2 settings. Make sure the ZyWALL/USG Phase 2
settings are in the list of Phase 2 parameters that Amazon VPC supports.
MONITOR > Log
How to Configure Site-to-site IPSec VPN with Microsoft (MS) Azure
This example shows how to use the VPN Setup Wizard to create a site-to-site VPN
between a ZyWALL/USG and a Microsoft (MS) Azure platform. The example
instructs how to configure the VPN tunnel between each site. When the VPN
tunnel is configured, each site can be accessed securely.
ZyWALL Site-to-site IPSec VPN with Microsoft (MS) Azure
Set Up the IPSec VPN Tunnel on the ZyWALL/USG
Note:
All network IP addresses and subnet masks are used as examples in this article.
Please replace them with your actual network IP addresses and subnet masks. This
example was tested using USG40 (Firmware Version: ZLD 4.25) and MS Azure (April, 2016).
In the ZyWALL/USG, go to Quick Setup > VPN Setup Wizard, use the VPN Settings
wizard to create a VPN rule that can be used with the MS Azure. Click Next.
Quick Setup > VPN Setup Wizard > Welcome
Choose Advanced to create a VPN rule with customized Phase 1 and Phase 2
settings and authentication method. Click Next.
Quick Setup > VPN Setup Wizard > Welcome > Wizard Type
Type the Rule Name used to identify this VPN connection (and VPN gateway).
You may use 1-31 alphanumeric characters. This value is case-sensitive. Select the
rule to be Site-to-site. Click Next.
Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario)
Then, configure the Secure Gateway IP as the peer MS Azure’s Gateway IP
address (in the example, 13.75.42.148); select My Address to be the interface
connected to the Internet.
Set the Negotiation, Encryption, Authentication, Key Group and SA Life Time that
MS Azure supports. Make sure you disable Dead Peer Detection (DPD), which is
not supported by the MS Azure IKEv1 policy-based VPN type. Type a secure
Pre-Shared Key.
Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Phase
1 Setting)
Continue to Phase 2 Settings to select the Encapsulation, Encryption,
Authentication, and SA Life Time settings which MS Azure supports.
Note: For more information about the IPsec Parameters supported in MS Azure, see the
Microsoft Azure Documentation About VPN devices for Site-to-Site VPN Gateway
connections.
Set Local Policy to be the IP address range of the network connected to the
ZyWALL/USG and Remote Policy to be the IP address range of the network
connected to the MS Azure. Click OK.
Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Phase
2 Setting)
This screen provides a read-only summary of the VPN tunnel. Click Save.
Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings
(Summary)
Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in
the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear
in the VPN > IPSec VPN > VPN Connection screen. Click Close to exit the wizard.
Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings >
Wizard Completed
Set Up the IPSec VPN Tunnel on the MS Azure
Sign into the Windows Azure Management Portal. In the upper left-hand corner of
the screen, click +New > Networking > Virtual Network.
Azure portal > New > Networking > Virtual Network
Near the bottom of the Virtual Network blade, from the Select a deployment
model list, select Resource Manager, and then click Create.
New > Networking > Virtual Network > Select a deployment model
On the Create virtual network page, enter the NAME for the VPN network. For
example, VPN_Vnet_to_USG. Add your Address Space, Subnet name and a single
Subnet address range.
Click Resource group and either select an existing resource group, or create a
new one by typing a name for your new resource group. For example, RG_USG.
LOCATION is directly related to the physical location (region) where the virtual
machines (VMs) reside. The region associated with the virtual network cannot be
changed after it has been created.
Then, click the Create button. After clicking Create, you will see a tile on your
dashboard that will reflect the progress of your VNet. The tile will change as the
VNet is being created.
New > Networking > Virtual Network > Create virtual network
In the portal, navigate to the virtual network that you just created. On the
blade for your virtual network, click the Settings icon at the top of the blade to
expand the Settings blade, then go to Subnets > Add > Add Subnet. Name your
subnet GatewaySubnet. Do not name it anything else, or the gateway will not
work. Add the IP address range for your gateway. Click OK at the bottom of the
blade to create the subnet.
VPN Vnet_to_USG > Settings > Subnet > Add subnet
In the portal, go to New, then Networking. Select Virtual network gateway from
the list. On the Create virtual network gateway blade Name field, name your
gateway. Next, choose the Virtual network that you want to deploy this gateway
to.
Click the arrow (>) to open the Choose public IP address blade. Then click Create
New to open the Create public IP address blade. Input a Name for your public IP
address. Note that this is not asking for an IP address. The IP address will be
assigned dynamically. Rather, this is the name of the IP address object that the
address will be assigned to. Click OK to save your changes.
For Gateway type, select VPN. For VPN type, select Policy-based. For Resource
Group, the resource group is determined by the Virtual Network that you select.
For Location, make sure it's showing the location that both your Resource Group
and VNet exist in.
New > Networking > Create virtual network gateway > Choose public IP address >
Create public IP address
In the Azure Portal, navigate to New > Networking > Local network gateway. The
local network gateway refers to your ZyWALL/USG public IP and local subnet
settings.
On the Create local network gateway blade, specify a Name for your
ZyWALL/USG gateway object.
Specify public IP address of your ZyWALL/USG. It cannot be behind NAT and has
to be reachable by Azure. Address space refers to the address ranges on your
ZyWALL/USG local network. For Resource Group, select the resource group that
you created before. For Location, if you are creating a new local network
gateway, you can use the same location as the virtual network gateway. But, this
is not required. The local network gateway can be in a different location.
Click Create to create the local network gateway.
New > Networking > Local network gateway
Locate your virtual network gateway (VPN_Connection_to_USG in this example)
and click Settings > Connection > Add connection, Name your connection. For
Connection type, select Site-to-site (IPSec). For Virtual network gateway, the
value is fixed because you are connecting from this gateway (VPN_GW_to_USG in
this example).
For Local network gateway, select the local network gateway that you want to
use (VPN_Connection_to_USG in this example).
For Shared Key (PSK), the value here must match the value that you are using for
your ZyWALL/USG device. For Resource Group, select the resource group that you
created before. Click OK to create your connection.
VPN_Connection_to_USG > Settings > Connections > Add connection
When the connection is complete, you'll see it appear in the Connections blade
for your Gateway.
VPN_Connection_to_USG > Settings > Connections
Test the IPSec VPN Tunnel
Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection, click
Connect on the upper bar. The Status connect icon is lit when the interface is
connected.
CONFIGURATION > VPN > IPSec VPN > VPN Connection
Go to ZyWALL/USG MONITOR > VPN Monitor > IPSec and verify the tunnel Up Time
and the Inbound(Bytes)/Outbound(Bytes) traffic.
MONITOR > VPN Monitor > IPSec
Go to Azure_Vnet_USG > Settings to check the tunnel DATA IN and DATA OUT.
VPN > VPN Settings > Currently Active VPN Tunnels
To test whether or not a tunnel is working, ping from a computer at one site to a
computer at the other. Ensure that both computers have Internet access.
PC behind ZyWALL/USG > Windows 7 > cmd > ping 10.1.0.33
PC behind MS Azure > Windows 7 > cmd > ping 192.77.1.33
What Could Go Wrong?
If you see the [info] or [error] log message below, check the ZyWALL/USG Phase 1
settings. Make sure the ZyWALL/USG Phase 1 settings are in the list of Phase 1
parameters that MS Azure supports.
MONITOR > Log
If the Phase 1 IKE SA completes but you still get the [info] log message below,
check the ZyWALL/USG Phase 2 settings. Make sure the ZyWALL/USG Phase 2
settings are in the list of Phase 2 parameters that MS Azure supports.
MONITOR > Log
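Both failure patterns described in the "What Could Go Wrong?" sections above (for Amazon VPC, for MS Azure, and again for the GRE over IPSec tunnel later in this chapter) come down to one thing: a value chosen on the ZyWALL/USG Phase 1 or Phase 2 page is not in the peer's accepted list, so either the IKE SA never completes or it completes and the IPSec SA then fails. The following Python pre-flight check is an added example, not Zyxel, AWS or Microsoft code. It compares the wizard's Phase 1 and Phase 2 values against a peer capability profile and reports which phase will fail and why, and it also flags Dead Peer Detection enabled against a peer that does not support it, the MS Azure IKEv1 policy-based case noted above. The class names, the EXAMPLE_PEER profile, its algorithm lists and its lifetimes are constructed for illustration; fill the profile from the peer's documentation (the Azure VPN devices page or the configuration file downloaded from the VPC Dashboard) before relying on it.

```python
"""Pre-flight check of ZyWALL/USG IKE Phase 1 / IPSec Phase 2 settings against a peer.

Added example (not Zyxel code). Peer capability values are constructed for
illustration; take the real ones from the peer's documentation or config file.
"""
from dataclasses import dataclass


def _norm(value: str) -> str:
    """Compare algorithm names case-insensitively, ignoring spaces and dashes."""
    return value.upper().replace(" ", "").replace("-", "")


@dataclass(frozen=True)
class Phase1Proposal:
    """VPN Gateway settings entered on the wizard's Phase 1 page."""
    negotiation: str      # "Main" or "Aggressive"
    encryption: str       # e.g. "AES128"
    authentication: str   # e.g. "SHA1"
    key_group: str        # Diffie-Hellman group, e.g. "DH2"
    sa_lifetime: int      # seconds
    dpd: bool = True      # Dead Peer Detection enabled on the gateway rule


@dataclass(frozen=True)
class Phase2Proposal:
    """VPN Connection settings entered on the wizard's Phase 2 page."""
    encapsulation: str    # "Tunnel" or "Transport"
    encryption: str
    authentication: str
    sa_lifetime: int      # seconds


@dataclass(frozen=True)
class PeerCapabilities:
    """What the remote gateway accepts (constructed sample values)."""
    name: str
    p1_negotiation: frozenset
    p1_encryption: frozenset
    p1_authentication: frozenset
    p1_key_groups: frozenset
    p1_sa_lifetime: int
    p2_encapsulation: frozenset
    p2_encryption: frozenset
    p2_authentication: frozenset
    p2_sa_lifetime: int
    dpd_supported: bool = True


def _unsupported(phase: str, local_values, peer_name: str) -> list:
    """List every (label, value) whose value is not in the peer's allowed set."""
    errors = []
    for label, value, allowed in local_values:
        if _norm(value) not in {_norm(a) for a in allowed}:
            errors.append(f"{phase} {label} '{value}' is not in {peer_name}'s list {sorted(allowed)}")
    return errors


def check_phase1(local: Phase1Proposal, peer: PeerCapabilities):
    """Return (errors, warnings). Any error means the IKE SA will not come up."""
    errors = _unsupported("Phase 1", (
        ("negotiation mode", local.negotiation, peer.p1_negotiation),
        ("encryption", local.encryption, peer.p1_encryption),
        ("authentication", local.authentication, peer.p1_authentication),
        ("key group", local.key_group, peer.p1_key_groups),
    ), peer.name)
    warnings = []
    if local.sa_lifetime != peer.p1_sa_lifetime:
        warnings.append(f"Phase 1 SA lifetime {local.sa_lifetime}s differs from peer's "
                        f"{peer.p1_sa_lifetime}s; expect rekey timing mismatches")
    if local.dpd and not peer.dpd_supported:
        warnings.append(f"DPD is enabled but {peer.name} does not support it; "
                        "disable DPD on the VPN Gateway rule")
    return errors, warnings


def check_phase2(local: Phase2Proposal, peer: PeerCapabilities):
    """Return (errors, warnings). Any error means the IPSec SA will not come up."""
    errors = _unsupported("Phase 2", (
        ("encapsulation", local.encapsulation, peer.p2_encapsulation),
        ("encryption", local.encryption, peer.p2_encryption),
        ("authentication", local.authentication, peer.p2_authentication),
    ), peer.name)
    warnings = []
    if local.sa_lifetime != peer.p2_sa_lifetime:
        warnings.append(f"Phase 2 SA lifetime {local.sa_lifetime}s differs from peer's "
                        f"{peer.p2_sa_lifetime}s; expect rekey timing mismatches")
    return errors, warnings


def diagnose(p1: Phase1Proposal, p2: Phase2Proposal, peer: PeerCapabilities) -> dict:
    """Map findings onto the two failure patterns the handbook describes."""
    p1_err, p1_warn = check_phase1(p1, peer)
    p2_err, p2_warn = check_phase2(p2, peer)
    if p1_err:
        stage = "phase1"   # IKE SA never completes: fix Phase 1 settings
    elif p2_err:
        stage = "phase2"   # IKE SA done, IPSec SA fails: fix Phase 2 settings
    else:
        stage = "ok"
    return {"stage": stage, "errors": p1_err + p2_err, "warnings": p1_warn + p2_warn}


# Constructed profile of an IKEv1 policy-based cloud gateway (illustrative only).
EXAMPLE_PEER = PeerCapabilities(
    name="example cloud gateway",
    p1_negotiation=frozenset({"Main"}),
    p1_encryption=frozenset({"AES128", "AES256"}),
    p1_authentication=frozenset({"SHA1", "SHA256"}),
    p1_key_groups=frozenset({"DH2", "DH14"}),
    p1_sa_lifetime=28800,
    p2_encapsulation=frozenset({"Tunnel"}),
    p2_encryption=frozenset({"AES128", "AES256"}),
    p2_authentication=frozenset({"SHA1", "SHA256"}),
    p2_sa_lifetime=3600,
    dpd_supported=False,
)

if __name__ == "__main__":
    result = diagnose(Phase1Proposal("Main", "AES128", "SHA1", "DH5", 28800),
                      Phase2Proposal("Tunnel", "AES128", "SHA1", 3600), EXAMPLE_PEER)
    print("stage:", result["stage"])
    for line in result["errors"] + result["warnings"]:
        print(" -", line)
```

Run it before clicking Connect: a "phase1" result means the log will show the Phase 1 failure pattern, a "phase2" result the "Phase 1 IKE SA done but Phase 2 failed" pattern. Lifetime differences are reported as warnings rather than errors because they usually do not stop the SA from being established, but they do cause the two sides to rekey at different times.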
How to Configure GRE over IPSec VPN Tunnel
This example shows how to use the VPN Setup Wizard to create a GRE over
IPSec VPN tunnel between ZyWALL/USG devices. The example instructs how to
configure the VPN tunnel between each site. When the GRE over IPSec VPN
tunnel is configured, each site can be accessed securely.
ZyWALL/USG GRE over IPSec VPN
Note:
All network IP addresses and subnet masks are used as examples in this article.
Please replace them with your actual network IP addresses and subnet masks. This
example was tested using USG110 (Firmware Version: ZLD 4.25) and ZyWALL 310
(Firmware Version: ZLD 4.25).
Set Up the ZyWALL/USG GRE over IPSec VPN Tunnel of Corporate Network (HQ)
In the ZyWALL/USG, go to Quick Setup > VPN Setup Wizard, and use the VPN Settings
wizard to create a VPN rule for the tunnel to the Branch ZyWALL/USG. Click Next.
Quick Setup > VPN Setup Wizard > Welcome
Choose Express to create a VPN rule with the default phase 1 and phase 2 settings
and use a pre-shared key to be the authentication method. Click Next.
Quick Setup > VPN Setup Wizard > Wizard Type
Type the Rule Name used to identify this VPN connection (and VPN gateway). You
may use 1-31 alphanumeric characters. This value is case-sensitive. Select the rule to
be Site-to-site. Click Next.
Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario)
Configure Secure Gateway IP as the Branch’s WAN IP address (in the example,
111.250.184.80). Then, type a secure Pre-Shared Key (8-32 characters).
Set Local Policy to be the IP address range of the network connected to the
ZyWALL/USG (HQ) and Remote Policy to be the IP address range of the network
connected to the ZyWALL/USG (Branch).
Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Configuration)
This screen provides a read-only summary of the VPN tunnel. Click Save.
Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings
(Summary)
Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear
in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings
appear in the VPN > IPSec VPN > VPN Connection screen. Click Close to exit the
wizard.
Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings >
Wizard Completed
Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Show Advanced
Settings. Set Authentication > Peer ID Type to Any so that the ZyWALL/USG does
not check the identity content of the remote IPSec router.
CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Show Advanced
Settings > Authentication > Peer ID Type
Go to CONFIGURATION > VPN > IPSec VPN > VPN Connection > Show Advanced
Settings > Policy. Select Enable GRE over IPSec.
CONFIGURATION > VPN > IPSec VPN > VPN Connection > Show Advanced
Settings > Policy
The GRE tunnel runs between the IPsec public interface on the HQ unit and the
Branch unit. Go to CONFIGURATION > Network > Interface > Tunnel > Add. Enter
the Interface Name (The format is tunnelx, where x is 0 - 3.). Enter the IP Address
and Subnet Mask for this interface. Specify My Address to be the interface or IP
address to use as the source address for the packets this interface tunnels to the
remote gateway. Enter Remote Gateway Address to be the IP address or
domain name of the remote gateway to this tunnel traffic.
CONFIGURATION > Network > Interface > Tunnel > Add
Set Up the ZyWALL/USG GRE over IPSec VPN Tunnel of Corporate Network (Branch)
In the ZyWALL/USG, go to Quick Setup > VPN Setup Wizard, and use the VPN Settings
wizard to create a VPN rule for the tunnel to the HQ ZyWALL/USG. Click Next.
Quick Setup > VPN Setup Wizard > Welcome
Choose Express to create a VPN rule with the default phase 1 and phase 2 settings
and use a pre-shared key to be the authentication method. Click Next.
Quick Setup > VPN Setup Wizard > Wizard Type
Type the Rule Name used to identify this VPN connection (and VPN gateway). You
may use 1-31 alphanumeric characters. This value is case-sensitive. Select the rule to
be Site-to-site. Click Next.
Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario)
Configure Secure Gateway IP as the HQ’s WAN IP address (in the example,
61.228.245.247). Then, type a secure Pre-Shared Key (8-32 characters).
Set Local Policy to be the IP address range of the network connected to the
ZyWALL/USG (Branch) and Remote Policy to be the IP address range of the
network connected to the ZyWALL/USG (HQ).
Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Configuration)
This screen provides a read-only summary of the VPN tunnel. Click Save.
Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Summary)
Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear
in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings
appear in the VPN > IPSec VPN > VPN Connection screen. Click Close to exit the
wizard.
Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings >
Wizard Completed
Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Show Advanced
Settings. Configure Authentication > Peer ID Type as Any so that the ZyWALL/USG
does not check the identity content of the remote IPSec router.
CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Show Advanced
Settings > Authentication > Peer ID Type
Go to CONFIGURATION > VPN > IPSec VPN > VPN Connection > Show Advanced
Settings > Policy. Select Enable GRE over IPSec.
CONFIGURATION > VPN > IPSec VPN > VPN Connection > Show Advanced
Settings > Policy
The GRE tunnel runs between the IPsec public interface on the Branch unit and
the HQ unit. Go to CONFIGURATION > Network > Interface > Tunnel > Add. Enter
the Interface Name (the format is tunnelx, where x is 0 - 3). Enter the IP Address
and Subnet Mask for this interface. Specify My Address to be the interface or IP
address to use as the source address for the packets this interface tunnels to the
remote gateway. Enter Remote Gateway Address to be the IP address or
domain name of the remote gateway for this tunnel's traffic.
CONFIGURATION > Network > Interface > Tunnel > Add
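The packets the tunnel interface above carries, as an added example that is not part of the handbook or of Zyxel's own code: it builds the GRE-encapsulated packet exchanged between the two tunnel endpoints, parses it back, and returns the (source, destination, protocol) triple the IPsec policy sees once Enable GRE over IPSec is set, which is the tunnel endpoints and protocol 47 rather than the LAN subnets carried inside. 61.228.245.247 is the HQ WAN address used earlier in this section; every other address and the payload are constructed sample values.

```python
# Added example, not from the Zyxel handbook: builds and parses the packets a
# GRE over IPSec tunnel carries, to make visible which addresses the tunnel
# endpoints (My Address / Remote Gateway Address) and the IPsec policy see.
# All addresses and payloads below are constructed sample values.
import ipaddress
import struct

GRE_PROTO = 47           # IP protocol number of GRE in the outer IP header
ESP_PROTO = 50           # what the GRE packet becomes once IPsec encrypts it
ETHERTYPE_IPV4 = 0x0800  # GRE protocol type field for an IPv4 payload


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum; returns 0 for a header whose
    checksum field is already correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(packet: bytes) -> dict:
    """Parse the fixed IPv4 header and verify its checksum."""
    fields = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (fields[0] & 0x0F) * 4
    if ihl < 20 or ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header")
    return {"src": str(ipaddress.IPv4Address(fields[8])),
            "dst": str(ipaddress.IPv4Address(fields[9])),
            "proto": fields[6],
            "payload": packet[ihl:fields[2]]}


def gre_encapsulate(inner_packet: bytes) -> bytes:
    """RFC 2784 GRE header with no optional fields: flags/version = 0,
    protocol type = 0x0800, followed directly by the inner IP packet."""
    return struct.pack("!HH", 0, ETHERTYPE_IPV4) + inner_packet


def gre_decapsulate(gre_packet: bytes) -> bytes:
    flags_ver, ptype = struct.unpack("!HH", gre_packet[:4])
    if flags_ver & 0xB000:  # C, K or S bit set: longer header, not handled here
        raise ValueError("optional GRE fields are not supported in this example")
    if (flags_ver & 0x7) != 0 or ptype != ETHERTYPE_IPV4:
        raise ValueError("not a plain GRE/IPv4 packet")
    return gre_packet[4:]


def tunnel_send(tunnel_src, tunnel_dst, host_src, host_dst, data: bytes) -> bytes:
    """What the tunnelx interface emits: the inner LAN-to-LAN packet, wrapped in
    GRE, wrapped in an outer IP header between the two tunnel endpoints."""
    inner = build_ipv4(host_src, host_dst, 1, data)  # 1 = ICMP, sample payload
    return build_ipv4(tunnel_src, tunnel_dst, GRE_PROTO, gre_encapsulate(inner))


def tunnel_receive(packet: bytes) -> tuple:
    """Reverse of tunnel_send: returns (outer header dict, inner header dict)."""
    outer = parse_ipv4(packet)
    if outer["proto"] != GRE_PROTO:
        raise ValueError("outer packet is not GRE")
    inner = parse_ipv4(gre_decapsulate(outer["payload"]))
    return outer, inner


def ipsec_selector(packet: bytes) -> tuple:
    """The (src, dst, protocol) triple the IPsec policy must match when Enable
    GRE over IPSec is set: the tunnel endpoints and protocol 47, not the LAN
    subnets carried inside. IPsec then wraps this whole packet in ESP (50)."""
    outer = parse_ipv4(packet)
    return outer["src"], outer["dst"], outer["proto"]
```

The point to take from it: the security policy and the IPsec phase 2 policy on both units must accept GRE (protocol 47) between My Address and Remote Gateway Address; the LAN-to-LAN addresses only appear inside the GRE payload.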
Test the GRE over IPSec VPN Tunnel
Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection, click
Connect on the upper bar. The Status connect icon is lit when the interface is
connected.
CONFIGURATION > VPN > IPSec VPN > VPN Connection
Go to ZyWALL/USG MONITOR > VPN Monitor > IPSec and verify the tunnel Up
Time and Inbound (Bytes)/Outbound (Bytes) Traffic.
MONITOR > VPN Monitor > IPSec
What Could Go Wrong?
If you see the [info] or [error] log message below, check the ZyWALL/USG Phase
1 Settings. Make sure your ZyWALL/USG Phase 1 Settings are supported in the
Amazon VPC IKE Phase 1 setup list.
MONITOR > Log
If the Phase 1 IKE SA has been established but you still see the [info] log
message below, check the ZyWALL/USG Phase 2 Settings. Make sure your
ZyWALL/USG Phase 2 Settings are supported in the Amazon VPC IKE Phase 2
setup list.
MONITOR > Log
How to Configure Site-to-site IPSec VPN Where the Peer has a Static IP Address
This example shows how to use the VPN Setup Wizard to create a site-to-site VPN
where the peer has a static IP address. It describes how to configure the
VPN tunnel at each site. Once the VPN tunnel is configured, each site can
be accessed securely.
ZyWALL Site-to-site IPSec VPN with a Static IP Address Peer
Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network (HQ)
In the ZyWALL/USG, go to Quick Setup > VPN Setup Wizard and use the VPN Settings wizard
to create a VPN rule that can be used with the remote ZyWALL/USG. Click Next.
Note: All network IP addresses and subnet masks are used as examples in this article.
Please replace them with your actual network IP addresses and subnet masks. This example
was tested using USG310 (Firmware Version: ZLD 4.25).
Quick Setup > VPN Setup Wizard > Welcome
Choose Express to create a VPN rule with the default phase 1 and phase 2
settings and use a pre-shared key as the authentication method. Click Next.
Quick Setup > VPN Setup Wizard > Wizard Type
Type the Rule Name used to identify this VPN connection (and VPN gateway).
You may use 1-31 alphanumeric characters. This value is case-sensitive. Select the
rule to be Site-to-site. Click Next.
Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario)
Configure Secure Gateway IP as the peer ZyWALL/USG’s WAN IP address (in the
example, 172.100.30.54). Type a secure Pre-Shared Key (8-32 characters).
Set Local Policy to be the IP address range of the network connected to the
ZyWALL/USG and Remote Policy to be the IP address range of the network
connected to the peer ZyWALL/USG.
Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Configuration)
This screen provides a read-only summary of the VPN tunnel. Click Save.
Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings
(Summary)
Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in
the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear
in the VPN > IPSec VPN > VPN Connection screen. Click Close to exit the wizard.
Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings >
Wizard Completed
Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway and click Show
Advanced Settings. Configure Authentication > Peer ID Type as Any so that the
ZyWALL/USG does not check the identity content of the remote IPSec router.
CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Show Advanced Settings >
Authentication > Peer ID Type
Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network (Branch)
In the ZyWALL/USG, go to Quick Setup > VPN Setup Wizard and use the VPN Settings
wizard to create a VPN rule that can be used with the remote ZyWALL/USG. Click
Next.
Quick Setup > VPN Setup Wizard > Welcome
Choose Express to create a VPN rule with the default phase 1 and phase 2
settings and to use a pre-shared key. Click Next.
Quick Setup > VPN Setup Wizard > Wizard Type
Type the Rule Name used to identify this VPN connection (and VPN gateway).
You may use 1-31 alphanumeric characters. This value is case-sensitive. Click
Next.
Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario)
Configure Secure Gateway IP as the peer ZyWALL/USG’s WAN IP address (in the
example, 172.101.30.68). Type a secure Pre-Shared Key (8-32 characters).
Set Local Policy to be the IP address range of the network connected to the
ZyWALL/USG and Remote Policy to be the IP address range of the network
connected to the peer ZyWALL/USG.
Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Configuration)
This screen provides a read-only summary of the VPN tunnel. Click Save.
Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings
(Summary)
Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in
the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear
in the VPN > IPSec VPN > VPN Connection screen. Click Close to exit the wizard.
Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings >
Wizard Completed
Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway and click Show
Advanced Settings. Configure Authentication > Peer ID Type as Any so that the
ZyWALL/USG does not check the identity content of the remote IPSec router.
CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Show Advanced Settings >
Authentication > Peer ID Type
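The wizard steps for HQ and Branch above are mirror images of each other: each side's Secure Gateway IP is the other side's WAN IP, the Pre-Shared Keys match, and each side's Local Policy is the other side's Remote Policy. The following check, an added example and not Zyxel's own code, takes the two sets of wizard values and reports every place where they do not line up, including the Rule Name and Pre-Shared Key length limits stated above. The two WAN addresses are the handbook's example values (172.101.30.68 for HQ, 172.100.30.54 for Branch); the rule names, key and /24 LAN subnets are constructed assumptions.

```python
# Added example, not from the Zyxel handbook: checks that the VPN Settings
# entered through the wizard on the HQ and Branch ZyWALL/USG mirror each
# other. WAN addresses are the handbook's example values; rule names, the
# pre-shared key and the LAN subnets are constructed samples.
import ipaddress
import re

RULE_NAME_RE = re.compile(r"[A-Za-z0-9]{1,31}")  # 1-31 alphanumeric, case-sensitive


def valid_rule_name(name: str) -> bool:
    return RULE_NAME_RE.fullmatch(name) is not None


def valid_psk(psk: str) -> bool:
    return 8 <= len(psk) <= 32


def _net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


def check_pair(hq: dict, branch: dict) -> list:
    """Return a list of problems; an empty list means the two wizard
    configurations are consistent with each other."""
    problems = []
    for side, cfg in (("HQ", hq), ("Branch", branch)):
        if not valid_rule_name(cfg["rule_name"]):
            problems.append(f"{side}: Rule Name must be 1-31 alphanumeric characters")
        if not valid_psk(cfg["psk"]):
            problems.append(f"{side}: Pre-Shared Key must be 8-32 characters")
        if _net(cfg["local_policy"]).overlaps(_net(cfg["remote_policy"])):
            problems.append(f"{side}: Local Policy and Remote Policy overlap")
    if hq["psk"] != branch["psk"]:
        problems.append("Pre-Shared Keys differ between HQ and Branch")
    if ipaddress.ip_address(hq["secure_gateway"]) != ipaddress.ip_address(branch["wan_ip"]):
        problems.append("HQ Secure Gateway IP is not the Branch WAN IP")
    if ipaddress.ip_address(branch["secure_gateway"]) != ipaddress.ip_address(hq["wan_ip"]):
        problems.append("Branch Secure Gateway IP is not the HQ WAN IP")
    if _net(hq["local_policy"]) != _net(branch["remote_policy"]):
        problems.append("HQ Local Policy does not equal Branch Remote Policy")
    if _net(hq["remote_policy"]) != _net(branch["local_policy"]):
        problems.append("HQ Remote Policy does not equal Branch Local Policy")
    return problems


def sample_configs() -> tuple:
    """Constructed wizard values for the HQ and Branch units of this section."""
    hq = {"rule_name": "HQtoBranch", "wan_ip": "172.101.30.68",
          "secure_gateway": "172.100.30.54", "psk": "constructed-sample-key-1",
          "local_policy": "192.168.1.0/24", "remote_policy": "192.168.10.0/24"}
    branch = {"rule_name": "BranchtoHQ", "wan_ip": "172.100.30.54",
              "secure_gateway": "172.101.30.68", "psk": "constructed-sample-key-1",
              "local_policy": "192.168.10.0/24", "remote_policy": "192.168.1.0/24"}
    return hq, branch


if __name__ == "__main__":
    for problem in check_pair(*sample_configs()):
        print(problem)
```

Run it against the values you typed into both wizards before clicking Connect; a swapped Local/Remote Policy or a mistyped key shows up here as a named problem rather than as a Phase 1 or Phase 2 failure in the log.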
Test the IPSec VPN Tunnel
Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection and click
Connect on the upper bar. The Status connect icon is lit when the interface is
connected.
CONFIGURATION > VPN > IPSec VPN > VPN Connection
Go to ZyWALL/USG MONITOR > VPN Monitor > IPSec and verify the tunnel Up Time
and Inbound(Bytes)/Outbound(Bytes) Traffic.
MONITOR > VPN Monitor > IPSec
To test whether or not a tunnel is working, ping from a computer at one site to a
computer at the other. Ensure that both computers have Internet access (via the
IPSec devices).
PC at HQ Office > Windows 7 > cmd > ping 192.168.10.33
PC at Branch Office > Windows 7 > cmd > ping 192.168.1.33
What Could Go Wrong?
If you see the [info] or [error] log message below, check the ZyWALL/USG Phase 1
Settings. The ZyWALL/USG at the HQ and Branch sites must both use the same Pre-
Shared Key, Encryption, Authentication method, DH key group and ID Type to
establish the IKE SA.
MONITOR > Log
If the Phase 1 IKE SA has been established but you still see the [info] log message below,
check the ZyWALL/USG Phase 2 Settings. The ZyWALL/USG at the HQ and
Branch sites must both use the same Protocol, Encapsulation, Encryption,
Authentication method and PFS to establish the IKE SA.
MONITOR > Log
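The two-step check described above (Phase 1 parameters first, then Phase 2), as an added example that is not Zyxel's own code: it compares the settings of the two peers field by field and reports which phase and which parameter differ, without echoing the pre-shared key into the report. The same check applies to the identical troubleshooting steps in the dynamic-peer and NAT sections that follow. The settings in sample_peers are constructed values, not the wizard's actual Express defaults.

```python
# Added example, not from the Zyxel handbook: compares the Phase 1 and Phase 2
# settings of the HQ and Branch peers and reports which phase, and which
# parameter, to look at when the log shows a failure. The settings below are
# constructed samples, not the wizard's actual Express defaults.
import copy

# Fields the handbook says must match for the IKE SA (Phase 1)
PHASE1_FIELDS = ("pre_shared_key", "encryption", "authentication", "dh_group", "id_type")
# Fields the handbook says must match for Phase 2
PHASE2_FIELDS = ("protocol", "encapsulation", "encryption", "authentication", "pfs")
SECRET_FIELDS = {"pre_shared_key"}


def _shown(field: str, value):
    """Never copy the pre-shared key into a diagnostic report."""
    return "<hidden>" if field in SECRET_FIELDS else value


def compare_phase(local: dict, peer: dict, fields: tuple) -> list:
    """Return (field, local_value, peer_value) for every field that differs."""
    return [(f, _shown(f, local.get(f)), _shown(f, peer.get(f)))
            for f in fields if local.get(f) != peer.get(f)]


def diagnose(hq: dict, branch: dict) -> tuple:
    """Mirror the handbook's order: Phase 1 (IKE SA) first, then Phase 2.
    Returns ('phase1' | 'phase2' | 'ok', list of mismatches)."""
    p1 = compare_phase(hq["phase1"], branch["phase1"], PHASE1_FIELDS)
    if p1:
        return "phase1", p1
    p2 = compare_phase(hq["phase2"], branch["phase2"], PHASE2_FIELDS)
    if p2:
        return "phase2", p2
    return "ok", []


def sample_peers() -> tuple:
    """Constructed settings for an HQ and a Branch that agree with each other."""
    phase1 = {"pre_shared_key": "constructed-sample-key", "encryption": "AES128",
              "authentication": "SHA1", "dh_group": "DH2", "id_type": "IP"}
    phase2 = {"protocol": "ESP", "encapsulation": "Tunnel", "encryption": "AES128",
              "authentication": "SHA1", "pfs": "DH2"}
    hq = {"phase1": dict(phase1), "phase2": dict(phase2)}
    branch = copy.deepcopy(hq)
    return hq, branch


if __name__ == "__main__":
    hq, branch = sample_peers()
    branch["phase1"]["dh_group"] = "DH14"   # simulate a mismatched DH group
    print(diagnose(hq, branch))
```

Because Phase 2 is only compared once Phase 1 agrees, the report points at the same phase the MONITOR > Log messages do: a Phase 1 mismatch hides any Phase 2 mismatch until it is fixed.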
Make sure the security policies on both the HQ and Branch ZyWALL/USG
allow IPSec VPN traffic. IKE uses UDP port 500, AH uses IP protocol 51, and ESP
uses IP protocol 50.
NAT traversal is enabled by default on the ZyWALL/USG; make sure the remote
IPSec device also has NAT traversal enabled.
How to Configure Site-to-site IPSec VPN Where the Peer has a Dynamic IP Address
This example shows how to use the VPN Setup Wizard to create a site-to-site VPN
where the peer has a dynamic IP address. It describes how to configure
the VPN tunnel at each site. Once the VPN tunnel is configured, each site
can be accessed securely.
ZyWALL Site-to-site IPSec VPN with a Dynamic IP Address Peer
Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network (HQ)
In the ZyWALL/USG, go to Quick Setup > VPN Setup Wizard and use the VPN Settings
wizard to create a VPN rule that can be used with the remote ZyWALL/USG. Click
Next.
Note: All network IP addresses and subnet masks are used as examples in this article.
Please replace them with your actual network IP addresses and subnet masks. This example
was tested using USG310 (Firmware Version: ZLD 4.25).
Quick Setup > VPN Setup Wizard > Welcome
Choose Express to create a VPN rule with the default phase 1 and phase 2
settings and use a pre-shared key as the authentication method. Click Next.
Quick Setup > VPN Setup Wizard > Wizard Type
Type the Rule Name used to identify this VPN connection (and VPN gateway).
You may use 1-31 alphanumeric characters. This value is case-sensitive. Select the
rule to be Site-to-site with Dynamic Peer. Click Next.
Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario)
Type a secure Pre-Shared Key (8-32 characters). Then, set Local Policy to be the
IP address range of the network connected to the ZyWALL/USG and Remote
Policy to be the IP address range of the network connected to the peer
ZyWALL/USG.
Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Configuration)
This screen provides a read-only summary of the VPN tunnel. Click Save.
Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Summary)
Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in
the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear
in the VPN > IPSec VPN > VPN Connection screen. Click Close to exit the wizard.
Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings > Wizard completed
Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway and click Show
Advanced Settings. Configure Authentication > Peer ID Type as Any so that the
ZyWALL/USG does not check the identity content of the remote IPSec router.
CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Show Advanced Settings >
Authentication > Peer ID Type
Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network (Branch has a Dynamic IP Address)
In the ZyWALL/USG, go to Quick Setup > VPN Setup Wizard and use the VPN Settings
wizard to create a Site-to-site VPN rule.
Quick Setup > VPN Setup Wizard > Welcome
Choose Express to create a VPN rule with the default phase 1 and phase 2
settings and to use a pre-shared key. Click Next.
Quick Setup > VPN Setup Wizard > Wizard Type
Type the Rule Name used to identify this VPN connection (and VPN gateway).
You may use 1-31 alphanumeric characters. This value is case-sensitive. Click
Next.
Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario)
Configure Secure Gateway IP as the peer ZyWALL/USG’s WAN IP address (in the
example, 172.101.30.68). Type a secure Pre-Shared Key (8-32 characters).
Set Local Policy to be the ZyWALL/USG local IP address that can use the VPN
tunnel and set Remote Policy to the peer ZyWALL/USG local IP address that can
use the VPN tunnel. Click OK.
Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Configuration)
This screen provides a read-only summary of the VPN tunnel. Click Save.
Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings
(Summary)
Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in
the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear
in the VPN > IPSec VPN > VPN Connection screen. Click Close to exit the wizard.
Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings >
Wizard Completed
Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway and click Show
Advanced Settings. Configure Authentication > Peer ID Type as Any so that the
ZyWALL/USG does not check the identity content of the remote IPSec router.
CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Show Advanced Settings >
Authentication > Peer ID Type
Test the IPSec VPN Tunnel
With Site-to-site with Dynamic Peer, the VPN tunnel can only be initiated from the
peer that has a dynamic IP address. Go to CONFIGURATION > VPN > IPSec VPN > VPN
Connection and click Connect on the upper bar. The Status connect icon is lit when
the interface is connected.
CONFIGURATION > VPN > IPSec VPN > VPN Connection
Go to MONITOR > VPN Monitor > IPSec and verify the tunnel Up Time and
Inbound(Bytes)/Outbound(Bytes) Traffic.
MONITOR > VPN Monitor > IPSec
To test whether or not a tunnel is working, ping from a computer at one site to a
computer at the other. Ensure that both computers have Internet access (via the
IPSec devices).
PC at HQ Office > Windows 7 > cmd > ping 192.168.10.33
PC at Branch Office > Windows 7 > cmd > ping 192.168.1.33
What Could Go Wrong?
If you see the [info] or [error] log message below, check the ZyWALL/USG Phase 1
Settings. The ZyWALL/USG at the HQ and Branch sites must both use the same Pre-
Shared Key, Encryption, Authentication method, DH key group and ID Type to
establish the IKE SA.
MONITOR > Log
If the Phase 1 IKE SA has been established but you still see the [info] log message below,
check the ZyWALL/USG Phase 2 Settings. The ZyWALL/USG at the HQ and
Branch sites must both use the same Protocol, Encapsulation, Encryption,
Authentication method and PFS to establish the IKE SA.
MONITOR > Log
Make sure the security policies on both the HQ and Branch ZyWALL/USG
allow IPSec VPN traffic. IKE uses UDP port 500, AH uses IP protocol 51, and ESP
uses IP protocol 50.
NAT traversal is enabled by default on the ZyWALL/USG; make sure the remote
IPSec device also has NAT traversal enabled.
How to Configure IPSec Site to Site VPN while one Site is behind a NAT router
This example shows how to use the VPN Setup Wizard to create an IPSec Site to
Site VPN tunnel between ZyWALL/USG devices. It describes how to
configure the VPN tunnel at each site while one site is behind a NAT
router. Once the IPSec Site to Site VPN tunnel is configured, each site can be
accessed securely.
ZyWALL/USG Site to Site VPN while one Site is behind a NAT router
Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network (HQ)
Note:
All network IP addresses and subnet masks are used as examples in this article.
Please replace them with your actual network IP addresses and subnet masks.
This example was tested using USG110 (Firmware Version: ZLD 4.25) and
ZyWALL 310 (Firmware Version: ZLD 4.25).
In the ZyWALL/USG, go to Quick Setup > VPN Setup Wizard and use the VPN Settings
wizard to create a VPN rule that can be used with the FortiGate. Click Next.
Quick Setup > VPN Setup Wizard > Welcome
Choose Express to create a VPN rule with the default phase 1 and phase 2 settings
and use a pre-shared key as the authentication method. Click Next.
Quick Setup > VPN Setup Wizard > Wizard Type
Type the Rule Name used to identify this VPN connection (and VPN gateway). You
may use 1-31 alphanumeric characters. This value is case-sensitive. Select the rule to
be Site-to-site. Click Next.
Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario)
Configure Secure Gateway IP as the Branch’s WAN IP address (in the example,
172.100.30.40). Then, type a secure Pre-Shared Key (8-32 characters).
Set Local Policy to be the IP address range of the network connected to the
ZyWALL/USG (HQ) and Remote Policy to be the IP address range of the network
connected to the ZyWALL/USG (Branch).
Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Configuration)
This screen provides a read-only summary of the VPN tunnel. Click Save.
Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Summary)
Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear
in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings
appear in the VPN > IPSec VPN > VPN Connection screen. Click Close to exit the
wizard.
Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings >
Wizard Completed
Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Show Advanced
Settings. Configure Authentication > Peer ID Type as Any so that the ZyWALL/USG
does not check the identity content of the remote IPSec router.
CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Show Advanced
Settings > Authentication > Peer ID Type
Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network (Branch)
In the ZyWALL/USG, go to Quick Setup > VPN Setup Wizard and use the VPN Settings
wizard to create a VPN rule that can be used with the FortiGate. Click Next.
Quick Setup > VPN Setup Wizard > Welcome
Choose Express to create a VPN rule with the default phase 1 and phase 2 settings
and use a pre-shared key as the authentication method. Click Next.
Quick Setup > VPN Setup Wizard > Wizard Type
Type the Rule Name used to identify this VPN connection (and VPN gateway). You
may use 1-31 alphanumeric characters. This value is case-sensitive. Select the rule to
be Site-to-site. Click Next.
Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario)
Configure Secure Gateway IP as the Branch’s WAN IP address (in the example,
172.100.20.30). Then, type a secure Pre-Shared Key (8-32 characters).
Set Local Policy to be the IP address range of the network connected to the
ZyWALL/USG (HQ) and Remote Policy to be the IP address range of the network
connected to the ZyWALL/USG (Branch).
Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Configuration)
This screen provides a read-only summary of the VPN tunnel. Click Save.
Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Summary)
Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear
in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings
appear in the VPN > IPSec VPN > VPN Connection screen. Click Close to exit the
wizard.
Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings >
Wizard Completed
Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Show Advanced
Settings. Configure Authentication > Peer ID Type as Any so that the ZyWALL/USG
does not check the identity content of the remote IPSec router.
CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Show Advanced
Settings > Authentication > Peer ID Type
Set Up the NAT Router (Using ZyWALL USG device in this example)
Go to CONFIGURATION > Network > NAT > Add. Select the Incoming Interface
on which packets for the NAT rule must be received. Specify the User-Defined
Original IP field and type the translated destination IP address that this
NAT rule supports.
CONFIGURATION > Network > NAT > Add
Go to CONFIGURATION > Security Policy > Policy Control. IP forwarding must be
enabled at the firewall for the following IP protocols and UDP ports:
IP protocol = 50 → Used by data path (ESP)
IP protocol = 51 → Used by data path (AH)
UDP Port Number = 500 → Used by IKE (IPSec control path)
UDP Port Number = 4500 → Used by NAT-T (IPsec NAT traversal)
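The four flows listed above, modelled as a check against the NAT router's forwarding rule and its ordered Policy Control list. This is an added example and not Zyxel's own code or rule syntax: a NAT rule is a dictionary with the incoming interface, the original (public) IP and the mapped (inside) IP, and a policy rule is a dictionary with an action and optional protocol, destination port and destination filters, evaluated first match wins. All addresses are constructed; the public address 203.0.113.10 and inside address 10.0.0.2 are assumptions.

```python
# Added example, not from the Zyxel handbook: models the flows the handbook says
# the NAT router's security policy must forward (ESP, AH, IKE, NAT-T) and checks
# an ordered policy rule list plus the 1:1 NAT rule for the ZyWALL/USG behind
# it. Rule dictionaries and addresses are constructed; not ZyWALL syntax.
import ipaddress

IP_PROTO_UDP = 17
# (name, IP protocol, UDP destination port or None for a non-UDP protocol)
REQUIRED_FLOWS = (
    ("ESP", 50, None),               # data path
    ("AH", 51, None),                # data path; AH cannot actually survive NAT,
                                     # since it authenticates the outer IP header
                                     # that NAT rewrites; listed because the
                                     # handbook lists it
    ("IKE", IP_PROTO_UDP, 500),      # control path
    ("NAT-T", IP_PROTO_UDP, 4500),   # IKE/ESP inside UDP when NAT traversal is on
)


def _matches(rule: dict, proto: int, dport, dst: str) -> bool:
    """A rule matches when every filter it carries agrees with the packet."""
    if rule.get("proto") is not None and rule["proto"] != proto:
        return False
    if rule.get("dport") is not None and rule["dport"] != dport:
        return False
    if rule.get("dst") is not None:
        if ipaddress.ip_address(dst) not in ipaddress.ip_network(rule["dst"], strict=False):
            return False
    return True


def policy_allows(rules: list, proto: int, dport, dst: str, default_allow: bool = False) -> bool:
    """First matching rule decides, as in an ordered Policy Control list."""
    for rule in rules:
        if _matches(rule, proto, dport, dst):
            return rule["action"] == "allow"
    return default_allow


def nat_translate(nat_rules: list, incoming_iface: str, original_ip: str):
    """1:1 NAT: the inside address packets for original_ip on incoming_iface are
    forwarded to, or None when no rule forwards them."""
    for rule in nat_rules:
        if rule["incoming_iface"] == incoming_iface and rule["original_ip"] == original_ip:
            return rule["mapped_ip"]
    return None


def missing_flows(policy_rules: list, nat_rules: list, incoming_iface: str,
                  public_ip: str, nat_traversal: bool = True) -> list:
    """Names of required flows that would not reach the ZyWALL/USG behind the NAT router."""
    inside = nat_translate(nat_rules, incoming_iface, public_ip)
    if inside is None:
        return [name for name, _, _ in REQUIRED_FLOWS]
    missing = []
    for name, proto, dport in REQUIRED_FLOWS:
        if name == "NAT-T" and not nat_traversal:
            continue
        if not policy_allows(policy_rules, proto, dport, inside):
            missing.append(name)
    return missing


def sample_site() -> tuple:
    """Constructed NAT router configuration for the Branch ZyWALL/USG behind it."""
    nat_rules = [{"incoming_iface": "wan1", "original_ip": "203.0.113.10",
                  "mapped_ip": "10.0.0.2"}]
    policy_rules = [
        {"action": "allow", "proto": 50, "dport": None, "dst": "10.0.0.2"},
        {"action": "allow", "proto": 51, "dport": None, "dst": "10.0.0.2"},
        {"action": "allow", "proto": IP_PROTO_UDP, "dport": 500, "dst": "10.0.0.2"},
        {"action": "allow", "proto": IP_PROTO_UDP, "dport": 4500, "dst": "10.0.0.2"},
        {"action": "deny"},  # everything else is dropped
    ]
    return policy_rules, nat_rules


if __name__ == "__main__":
    rules, nat = sample_site()
    print("missing:", missing_flows(rules, nat, "wan1", "203.0.113.10"))
```

Rule order matters in the model exactly as it does in Policy Control: a deny rule placed above the allow rules removes the flow again, which is why the check walks the list in order instead of looking for an allow rule anywhere.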
CONFIGURATION > Security Policy > Policy Control
Test the IPSec VPN Tunnel
Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection, click
Connect on the upper bar. The Status connect icon is lit when the interface is
connected.
CONFIGURATION > VPN > IPSec VPN > VPN Connection
Go to ZyWALL/USG MONITOR > VPN Monitor > IPSec and verify the tunnel Up
Time and Inbound (Bytes)/Outbound (Bytes) Traffic.
MONITOR > VPN Monitor > IPSec
To test whether or not a tunnel is working, ping from a computer at one site to a
computer at the other. Ensure that both computers have Internet access (via the
IPSec devices).
PC behind ZyWALL/USG (HQ) > Windows 7 > cmd > ping 192.168.20.33
PC behind ZyWALL/USG (Branch) > Windows 7 > cmd > ping 10.10.10.33
What Could Go Wrong?
If you see the [info] or [error] log message below, check the ZyWALL/USG Phase
1 Settings. The ZyWALL/USG at the HQ and Branch sites must both use the same Pre-
Shared Key, Encryption, Authentication method, DH key group and ID Type to
establish the IKE SA.
MONITOR > Log
If the Phase 1 IKE SA has been established but you still see the [info] log
message below, check the ZyWALL/USG Phase 2 Settings. The ZyWALL/USG at the
HQ and Branch sites must both use the same Protocol, Encapsulation, Encryption,
Authentication method and PFS to establish the IKE SA.
MONITOR > Log
Make sure the security policies on both the HQ and Branch ZyWALL/USG
allow IPSec VPN traffic. IKE uses UDP port 500, AH uses IP protocol 51, and ESP
uses IP protocol 50.
NAT traversal is enabled by default on the ZyWALL/USG; make sure the remote
IPSec device also has NAT traversal enabled.
How to Configure Hub-and-Spoke IPSec VPN
This is an example of a hub-and-spoke VPN with the HQ ZyWALL/USG as the hub
and spoke VPNs to Branches A and B. When the VPN tunnel is configured, traffic
passes between branches via the hub (HQ). Traffic can also pass between
spoke-and-spoke through the hub. There are two methods to set up hub-and-spoke
VPN connections:
1. With VPN Concentrator
2. Without VPN Concentrator
With just two branch offices, you could manually set up VPN tunnels between
HQ and the branches. With many branches it is best to use the VPN Concentrator
to set up branch-HQ tunnels automatically.
ZyWALL/USG Hub-and-Spoke VPN Example
Note: All network IP addresses and subnet masks are used as examples in this article.
Please replace them with your actual network IP addresses and subnet masks. This example
was tested using USG310 (Firmware Version: ZLD 4.25).
Set Up the IPSec VPN Tunnel on the ZyWALL/USG by Using VPN Concentrator Hub_HQ-to-Branch_A
In the ZyWALL/USG, go to Quick Setup > VPN Setup Wizard and use the VPN Settings
wizard to create a VPN rule that can be used with the remote ZyWALL/USG. Click
Next.
Quick Setup > VPN Setup Wizard > Welcome
Choose Express to create a VPN rule with the default phase 1 and phase 2
settings and use a pre-shared key as the authentication method. Click Next.
Quick Setup > VPN Setup Wizard > Welcome > Wizard Type
Type the Rule Name used to identify this VPN connection (and VPN gateway).
You may use 1-31 alphanumeric characters. This value is case-sensitive. Select the
rule to be Site-to-site. Click Next.
Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario)
Then, configure the Secure Gateway IP as Branch A's Gateway IP address (in
the example, 172.16.20.1). Type a secure Pre-Shared Key (8-32 characters), which
must match Branch A's Pre-Shared Key.
Set Local Policy to be the IP address range of the network connected to the
Hub_HQ and Remote Policy to be the IP address range of the network connected
to the Branch A. Click OK.
Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Configuration)
This screen provides a read-only summary of the VPN tunnel. Click Save.
Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Summary)
Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in
the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear
in the VPN > IPSec VPN > VPN Connection screen. Click Close to exit the wizard.
Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings > Wizard
Completed
Hub_HQ-to-Branch_B
In the ZyWALL/USG, go to Quick Setup > VPN Setup Wizard and use the VPN Settings
wizard to create a VPN rule that can be used with the remote ZyWALL/USG. Click
Next.
Quick Setup > VPN Setup Wizard > Welcome
Choose Express to create a VPN rule with the default phase 1 and phase 2
settings and use a pre-shared key as the authentication method. Click Next.
Quick Setup > VPN Setup Wizard > Welcome > Wizard Type
Type the Rule Name used to identify this VPN connection (and VPN gateway).
You may use 1-31 alphanumeric characters. This value is case-sensitive. Select the
rule to be Site-to-site. Click Next.
Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario)
Then, configure the Secure Gateway IP as Branch B's Gateway IP address (in
the example, 172.16.30.1). Type a secure Pre-Shared Key (8-32 characters), which
must match Branch B's Pre-Shared Key.
Set Local Policy to be the IP address range of the network connected to the
Hub_HQ and Remote Policy to be the IP address range of the network connected
to the Branch B. Click OK.
Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Configuration)
This screen provides a read-only summary of the VPN tunnel. Click Save.
Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Summary)
Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in
the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear
in the VPN > IPSec VPN > VPN Connection screen. Click Close to exit the wizard.
Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings > Wizard
Completed
Hub_HQ Concentrator
In the ZyWALL/USG, go to CONFIGURATION > VPN > IPSec VPN > Concentrator and
add a VPN Concentrator rule. Select the VPN tunnels that belong to the same member
group and click Save.
Spoke_Branch_A
In the ZyWALL/USG, go to Quick Setup > VPN Setup Wizard and use the VPN Settings
wizard to create a VPN rule that can be used with the remote ZyWALL/USG. Click
Next.
Quick Setup > VPN Setup Wizard > Welcome
Choose Express to create a VPN rule with the default phase 1 and phase 2
settings and use a pre-shared key as the authentication method. Click Next.
Quick Setup > VPN Setup Wizard > Welcome > Wizard Type
Type the Rule Name used to identify this VPN connection (and VPN gateway).
You may use 1-31 alphanumeric characters. This value is case-sensitive. Select the
rule to be Site-to-site. Click Next.
Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario)
Then, configure the Secure Gateway IP as the Hub_HQ's Gateway IP address (in
the example, 172.16.10.1). Type a secure Pre-Shared Key (8-32 characters), which
must match the Hub_HQ's Pre-Shared Key.
Set Local Policy to be the IP address range of the network connected to the
Spoke_Branch_A and Remote Policy to be the IP address range of the network
connected to the Hub_HQ. Click OK.
Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Configuration)
This screen provides a read-only summary of the VPN tunnel. Click Save.
Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Summary)
Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in
the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear
in the VPN > IPSec VPN > VPN Connection screen. Click Close to exit the wizard.
Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings > Wizard
Completed
Go to Network > Routing > Policy Route to add a Policy Route to allow traffic from
Spoke_Branch_A to Spoke_Branch_B.
Click Create new Object and set Address to be the local network behind the
Spoke_Branch_B. Select Source Address to be the local network behind the