Zywall USG 20 VPN from site to site with Orange provider


Actually i have one site which uses an ADSL connection and mount two differents VPN to two other sites.

We're about to migrate the connexion from ADSL to Fiber with the French provider Orange so i'm supposed to use the Fiber connection to connect instead of the ADSL.

I have absolutely no idea how to do it. I guess nothing will change about the VPN but i'm trying to understand what i should change on the Zywall and my provider's device (Livebox Pro 5).

The Livebox should be in front of the zywall. The zywall is also the DHCP server for the LAN.

Does someone knows what i'm supposed to do or can provide a documentation ?



All Replies

  • mMontana
    mMontana Posts: 1,302  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    Did you asked you provider if you're using PPPoE or something else?
  • strappazon
    I didn't ask the question but it seems that fiber connexions don't use PPPoE.
  • mMontana
    mMontana Posts: 1,302  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    It depends on how it's implemented. And it's... ISP game, you have to deal to what they say.

    Assuming ...
    • is the subnet of your next Livebox Pro 5, you have to triple check that is not used in any of the networks of the sites, LAN or IPSEC side....
    • is the IP address of the LiveBox Pro 5

    The subnet is already used? Ever before connecting the cable to the WAN port of your USG20-VPN, connect a computer directly to the LiveBox Pro 5, then change the IP and the subnet of your "new" router.
    Take a note on what is your public (I hope static) IP address of your new connection.

    After the change... assuming:

    • is the subnet not used in any network segment of your USG20-VPN and of the endpoints
    • is the IP of your Livebox Pro 5
    • Optional: wlan of LiveBox Pro 5 is disabled
    • a.b.c.d is the public ip address of your connection
    • you already have saved settings and rebooted LiveBox Pro 5 as check (nice occasion to take time on how long takes the device from power on to Internet working)
    Go like that
    • connect your computer to USG20-VPN  LAN1 side
    • login to the device
    • create an object "Address" for your new public ip addres (optional but useful)
    • change the WAN interface ip address to, subnet mask gateway
    • connect ethernet wire between LiveBox Pro 5 LAN side and USG20-VPN WAN side
    • verify that you're connected to Internet, verify that your public IP address is still a.b.c.d
    • connect to your Livebox Pro 5
    • create 3 PortForwarding rules for ports 500, 1701, 4500 UDP with as destination. No change of port number (public ports equal to private ports)
    • I don't know LiveBox Pro 5 as device, so I don't know if there's any kind of setting about firewall and/or DMZ/Public host. You may have to operate also with that.
    • Optional: disable UPNP on LiveBox Pro 5 if present. It's a comfortable feature, but IMVHO is... unsafe
    • contact one of the endpoint of your VPNs, change the public ip address they are using to connect you to a.b.c.d
    • after they changed the ip address, disable the IpSec Gateway, wait 10 seconds, then enable it
    • wait for VPN to go live (or do something to make go live)
    • if the issue is solved, change the public ip address of the other endpoint
    This... more or less, should be the gig. The first time take... quite a lot of time and... being cool and doing that with calm and precision can help.

    Why the object? It's useful for L2TP connections (cfr the Zyxel documentation)
  • strappazon

    Thank a lot for your reply. I appreciate. I'm gonna try to do this and let you know how it is going. as you said, i'm afraid it's going to take a lot of time and will drive me mad ;-)


  • strappazon

    Sorry for the late reply but i've been very busy at work.

    I've tried the VPN Ipsec site-to-site  connexion  with a Fortigate 90D connected to my provider router and it worked well (we have a Fortigate 101F on the other side / headquarter).

    Anyway, when i want to reproduce the same thing with the Zywall USG 20w, it doesn't work.

    here's my config with the fortinet:

    - on both side we created a custom tunnel.

    On the Branch side, the router IP is: I've put the WAN interface of the fortigate in the DMZ of the router. IP is

    the LAN interface of the Fortigate on has the IP and is also a DHCP relay (DHCP server is on our LAN).

    Like i said, the tunnel work and everything is ok on the client.

    Actually, on the Zywall, the configuration is the following:



    Bridge: (lAN1 is a member of the bridge).

    I've tried to modify the WAN IP with an address who is i nthe router DMZ, i changed the route, and all the adresses of the interfaces (we(re also moving from to, etc...

    I can't even get an internet access...

    i must say i don't know what's wrong.

    If you have any idea...


Security Highlight