-
Why does the remote VPN with AD authentication fail on the USG Flex H model?
Question : The user may encounter an issue where they can obtain the VPN provisioning file from the firewall using AD authentication, but cannot establish an IKEv2 VPN connection with AD authentication. Why does the remote VPN with AD authentication fail on the USG Flex H model? The user can get the VPN provisioning file…
-
How do I enable Remote Access VPN using the Remote Configurator on a USG Flex H model?
Question : How do I enable Remote Access VPN using the Remote Configurator on a USG Flex H model? Answer : Navigate to Device > Firewall of the Nebula Control Center. Navigate to Live Tool > Remote configurator > Click 'Establish' to initiate the remote link. Copy the remote link. Paste the remote link into your browser,…
-
Does the Nebula firewall need to be licensed to allow VPN client connectivity?
Question: Does the Nebula firewall need to be licensed to allow VPN client connectivity? Answer: We offer Remote Access VPN (IKEv2) and SSL VPN (OpenVPN). Only the SecuExtender VPN client software requires a license for client access.
-
Does Zyxel allow VPN client mode like NordVPN?
Question: Does Zyxel allow VPN client mode like NordVPN? Answer: No, Zyxel firewalls do not support a client mode like NordVPN.
-
How to configure the remote access VPN subnet to connect with internal network devices?
Question: How to configure the remote access VPN subnet to connect with internal network devices? Answer: In the default setting, the address pool of remote access VPN is belonging to "IPSec_VPN" zone. And it is allowed to Intranet network by default Policy Control rule. If you have network connection issue, you may have a…
-
How to Troubleshoot When a Remote Access VPN Client Cannot Access an Internal Server?
1. Confirm VPN Tunnel Status Navigate to: VPN Status > IPSec VPN > Remote Access VPN Verify whether the VPN client is listed as connected. Ensure the VPN tunnel is successfully established to the firewall. 2. Check VPN Client IP Assignment Confirm that the VPN virtual NIC has been assigned an IP address by the firewall.…
-
How to check SecuExtender IPsec VPN ClientError Codes after Software Activation?
Question: How to check SecuExtender IPsec VPN ClientError Codes after Software Activation Answer: Below is a table describing the main error codes that may occur when activating the software. Error number Description Decision Error 000: Internal error The software cannot complete the activation process. This can happen if…
-
[H series]I have enabled 2FA required for remote VPN, why I have traffic before authentication?
Scenario User enables 2FA authentication for remote access VPN, however, some users encounter that they have traffic before pass 2FA authentication. Root cause If you use Windows native VPN client, you will need to manually connect to the authentication page. Only the SecuExtender will automatically pop-out the…
-
How to Set Up Nebula site-to-site VPN on the USG FLEX H and USG Lite 60AX?
This example shows how to use the USG Lite 60AX to establish IPSec Site to Site VPN tunnel with USG FLEX H series models using the Nebula Control Center. Once the Site-to-Site VPN tunnel is established, LAN hosts can communicate with each other through the VPN tunnel seamlessly. Requirements Both the USG FLEX H and USG…
-
I can't connect SSL VPN VPN ?
Why is the Zyxel SSL VPN not working? It seems that there was an issue with the SSL VPN configuration on the Zyxel firewall. To resolve this issue, follow these steps: * Ensure you allow port 10443 from the WAN to the ZyWALL firewall. This can be done by adding port 10443 to the service group 'Default_Allow_WAN_To_ZyWALL'.…
-
Why couldn't the H Series Firewall join the Active Directory?
Scenario: You have site to site VPN, where the AD or DNS server are located in VPN peer subnet. Question: Why the H series Firewall couldn't join the AD as well as DNS query or some local out traffic which need to through VPN tunnel. Solution: * It is highly recommended to use a Route-Based VPN for such local-out traffic…
-
How to Enable DPD in H Series Devices ?
Question: How to Enable DPD in H Series Devices ? Answer: DPD is default enabled, you can find at advance settings.
-
How to Enable NAT Traversal in H Series Devices for IKEv1?
How to Enable NAT Traversal in H Series Devices for IKEv1? When setting up IKEv1 on H Series devices, you may notice options for NAT Traversal (NAT-T) Are they enabled by default, or do they require configuration? Answer: In H series, NAT Traversal is enabled for IKEV1 default. You can also enable "UDP Encapsulation" to…
-
What does the message "Peer not reachable" in the log mean?
Question: What does the message "Peer not reachable" in the log mean? Answer: It mean the VPN peer gateway does not reply ike negotiation. Please kindly check the peer gateway status if you found this logs.
-
VPN Orchestrator
VPN Orchestrator enables you to automatically create Virtual Private Network (VPN) connections between sites within an organization. This allows the Security Gateway of each site and the Nebula Devices behind it to communicate securely. There are two topologies you can use when creating a site-to-site VPN, Site-to-Site and…
-
How to Set Up Nebula Hub-and-Spoke VPN and the USG FLEX H series model as the Spoke site?
This example shows how to use the Nebula firewalls (USG FLEX/ATP series models) to establish Hub-and-Spoke VPN tunnel between USG FLEX H series devices. It explains how to configure the Nebula Site-to-Site VPN using the Nebula Control Center. Once the Hub-and-Spoke VPN tunnel is established, LAN hosts can communicate with…
-
How to Set Up Nebula Hub-and-Spoke VPN and the USG FLEX H series model as the Hub site?
This example shows how to use the USG FLEX H series model to establish Hub-and-Spoke VPN tunnel between Nebula firewalls (USG FLEX/ATP series models). It explains how to configure the Nebula Site-to-Site VPN using the Nebula Control Center. Once the Hub-and-Spoke VPN tunnel is established, LAN hosts can communicate with…
-
How to Set Up Nebula site-to-site VPN on the USG FLEX H series models?
This example shows how to use the Nebula firewalls (USG FLEX/ATP series models) to establish IPSec Site to Site VPN tunnel between USG FLEX H series models. It explains how to configure the Nebula Site-to-Site VPN using the Nebula Control Center. Once the Site-to-Site VPN tunnel is established, LAN hosts can communicate…
-
How to set VPN Aggressive Mode on USG FLEX H?
Question: I cannot adjust the Negotiation Mode on web GUI. How can I set the VPN Negotiation Mode to Aggressive on a USG FLEX H firewall? Answer: Currently, the Negotiation Mode does not have a GUI configuration option. You can set it using CLI instead. Assuming you have already added a site-to-site VPN named testvpn1…
-
How to trace ipsec debug log on FLEX H series
Question: How to trace ipsec debug log on FLEX H series Answer: Please log in ssh and perform "cmd debug ipsec trace log" and please provide the output message for Zyxel Support for further checking. For example: 700H> cmd debug ipsec trace log Oct 8 15:23:31 10[CFG] loaded 0 entries for attr plugin configuration Oct 8…