- What does this log "The tunnel [SA_XXX_XX] dns update is failed in Nebula" mean?
  Question: What does this log "The tunnel [SA_XXX_XX] dns update is failed in Nebula" mean? Answer: Regarding the log "The tunnel [SA_XXX_XX] dns update is failed in Nebula", this error often occurs because an unused WAN interface is attempting to initiate the VPN session, but that interface is down. To resolve this issue,…
- How to set up IPSec VPN for branches to use the Internet at the head office?
  Question: How to set up IPSec VPN for branches to use the Internet at the head office? Scenario: I have a USG FLEX 50H (branch) connected to a USG FLEX 200 (headquarters) via IPSec VPN. I want the branch computers to be able to access the headquarters using the headquarters' Internet. Branch - USG FLEX 50H LAN : 192.168.10.1…
- How to configure VPN settings when there are multiple WAN interfaces?
  Question: How to configure VPN settings when there are multiple WAN interfaces? Answer: On H Series devices, you can allow a site-to-site VPN to work across multiple WAN interfaces by setting “My Address” to 0.0.0.0 in VPN Phase 1. This enables the firewall to use any available WAN interface, providing WAN redundancy while…
- Why does DNS resolution fail when using a VTI interface through a site-to-site VPN?
  Question: Why couldn’t my DNS server resolve domain names when using a VTI interface through a site-to-site VPN, and why did it only start working after specifying the DNS server’s IP address directly? Answer: DNS resolution failed because the VTI (Virtual Tunnel Interface) was not fully configured to allow proper traffic…
- Why Can't I Connect to VPN on Windows 11 When Using DH14?
  Question: I cannot connect to my IKEv2 VPN on Windows 11, even though the setup is correct. Why is the VPN connection failing? Answer: Windows 11 no longer supports the DH14 encryption group used in some VPN configurations. If your Zyxel firewall VPN proposal still includes DH14, Windows 11 will reject the connection. To…
- How to Resolve the “Certificate Not Trusted” Error When Using StrongSwan VPN?
  Question: My StrongSwan VPN has stopped working, and I am receiving a “certificate not trusted” error. What should I do? Answer: If you encounter this issue, follow the steps below to troubleshoot and resolve the problem: (1) Delete the existing VPN profile from the StrongSwan app on your device. (2) Access the Nebula…
- How can I resolve the issue of the “OK” button being greyed out in macOS SecuExtender?
  Question: I would like to manually create a VPN tunnel on macOS SecuExtender. When importing a new certificate, the OK button remains greyed out. How can I resolve the issue of the “OK” button being greyed out in macOS SecuExtender? Answer: (1) Import the certificate using macOS Keychain Access. Open Keychain Access and…
- How to Configure Bandwidth Management (BWM) for VPN on the USG FLEX Series?
  Question: How to Configure Bandwidth Management (BWM) for VPN on the USG FLEX Series? On the USG FLEX series, Bandwidth Management (BWM) works only when the VPN is configured as a route-based VPN (VTI). Please note that policy-based VPNs do not support BWM. Answer: Step-by-Step Configuration: (1) Configure the VPN as a…
- IPSec VPN Session Reauthentication Issues and Workaround
  Question: How to manage IPSec VPN session reauthentication when the GUI setting isn't working, and what is the permanent solution? Answer: The reauthentication/lease time setting for IPSec VPN sessions may not function as expected through the User Interface (GUI), leading to sessions remaining active beyond their…
- How to Fix StrongSwan VPN “Untrusted Certificate” Issue?
  Question: A client using StrongSwan VPN encountered an issue where the VPN stopped working. The log indicated a problem with the VPN certificate being untrusted. Answer: (1) Remove the existing VPN profile from the StrongSwan app on the device. (2) Re-download the VPN profile from the Nebula server. (3) Re-import the…
- Why can’t DNS forwarding traffic receive a response through the VPN tunnel?
  Scenario: I have configured a Site-to-Site VPN tunnel (Route-Based VPN) as shown in the topology below. I configured DNS forwarding on Firewall #2, and the DNS server IP is 192.168.101.1. However, Firewall #2 cannot receive DNS responses from Firewall #1. How can this issue be resolved? Reason: When creating a Site-to-Site…
- How to Set Up IKEv2 VPN with EAP-MS-CHAPv2 on Ubuntu 24.04 Using strongSwan?
  Question: How do I configure an IKEv2 VPN client on Ubuntu 24.04 to connect to a Zyxel USG FLEX H firewall using EAP-MS-CHAPv2 authentication with split-tunnel? Answer: On Ubuntu 24.04, NetworkManager's IKEv2 plugin (charon-nm) does not support EAP-MS-CHAPv2, which is required by Zyxel firewalls. When attempting to connect…
- How to send syslog logs over site to site VPN?
  This example illustrates how to send logs of USG FLEX 100H to the syslog server over route-based VPN. Topology: USG FLEX 100H----VPN----USG FLEX 500H(ge3: 192.168.97.1/24)------syslog server(192.168.97.33) Steps: Use wizard to configure route-based VPN on both USG FLEX H firewalls. Ensure the VTI (Virtual Tunnel Interface)…
- Why Can't the SSL VPN Configuration File Be Downloaded from the USG FLEX H?
  Question: I get an HTTP 400 error when attempting to download the SSL VPN configuration file from the USG FLEX 50HP interface. Why can't the SSL VPN configuration file be downloaded from the USG FLEX H? Answer: The issue was due to the selected Incoming Interface in the SSL VPN settings. The selected interface "ge1" did…
- Does the USG Flex H model support multiple split tunnels for the Windows native VPN client?
  Question: Does the USG Flex H model support multiple split tunnels for the Windows native VPN client? Answer: Yes, the user can modify the VPN configuration file to enable this feature. Step 1: Ensure the remote VPN connection is configured as a Full Tunnel, and download the Windows VPN installation script from the uOS…
- How to Enable Hidden Crypto Algorithms on USG FLEX H firewall?
  Question: For enabling hidden crypto algorithms like AES, users need to use specific commands. The legacy method, crypto algorithm-hide disable, is not directly applicable on the USG FLEX H firewall. How to enable hidden crypto algorithms on USG FLEX H firewall? Answer: If you need to enable hidden crypto algorithms, such as…
- How to configure L2TP VPN on USG FLEX H on Nebula?
  Question: How to configure L2TP VPN on USG FLEX H on Nebula? "Client Access VPN" is missing from Firewall settings. Answer: L2TP VPN is not supported on the USG FLEX H series. USG FLEX H supports IKEv2 for Remote Access VPN configuration. You can configure IPSec VPN (IKEv2) instead. If you are using the Nebula platform,…
- How do I modify the OpenVPN .ovpn file to support split tunnel on USG Flex H models?
  Question: When the USG Flex H is configured for Full Tunnel mode but Split Tunnel is also required for specific clients, you can define custom split routing by modifying the SSL VPN configuration file (.ovpn). This document outlines the steps: How do I modify the OpenVPN .ovpn file to support split tunnel? Answer: Please…
- How to troubleshoot Internet connection issues with Tailscale and USG FLEX H as Exit Node?
  Question: How to troubleshoot Internet connection issues with Tailscale and USG FLEX H as Exit Node? Answer: If you're experiencing issues with internet connectivity while using Tailscale with the USG FLEX H as an exit node, follow these steps to resolve the issue: Ensure the Exit Node is Enabled: Log in to the Tailscale…
- Why can't I connect to the SSL VPN?
  Question: Why can't I connect to the SSL VPN, and it seems that port 10443 TCP is closed? Answer: If you are experiencing issues connecting to the SSL VPN through port 10443, follow these steps to resolve the problem: Ensure that the service "SSLVPN" is added to the service group "Default_Allow_WAN_To_ZyWALL". This step…