vpn ipsec

Antonio967
Antonio967 Posts: 7
Good morning,
I have configured a vpn ipsec client to site on USG20 and i have configured user and provisioning, on my pc I have installed ZyWall ipsec vpn client (IKE V1), when during authentication I get the following error: "Server not found! (check the server address / port), both are correct ...
I don't know what to check anymore ... If I authenticate from the internal network, an authentication error or incorrect password occurs, but they are correct ... Please help me!!!

All Replies

  • mMontana
    mMontana Posts: 584  Guru Member
    USG20 or USG20-VPN?
    On WAN interface there's configured a private IP Address or a public one?
  • Antonio967
    Antonio967 Posts: 7
    Sorry, you're right ... USG20-VPN, there is a private IP on the WAN interface. Port forward router: external IP    protocol     external port    Internal IP internal     port network     enabled IP
    xxx               tcp-udp      0-65535            192.168.1.254              0-65535           all
    192.168.1.254 is USG20-VPN.
  • Antonio967
    Antonio967 Posts: 7
    Update: The WAN to Device policy was missing https, now the provisioning works but the tunnel does not open ... sending SA Phase 1 and then ABANDONING CONNECTION
  • mMontana
    mMontana Posts: 584  Guru Member
    IDK which device is your router and if that rule works as you expect.
    You can try this series instead.
    Port forward router:
    external IP    protocol     external port    Internal IP internal     port network     enabled IP
    xxx               TCP           443                   192.168.1.254          443                  all
    xxx               UDP          500                   192.168.1.254           500                  all
    xxx               UDP          1701                 192.168.1.254           1701                all
    xxx               UDP          4500                 192.168.1.254           4500                all
    Port U 1701 is for L2TP
    Also, not knowing how the router works, consider to verify alternatively if there's someting like DMZ or firewall rules.

    Then on your USG20-VPN should be present Security policies that allow connection to 3 of these ports for provisioning from WAN to Zywall (T 443, U 500, U4500) and the IPSec gateway MUST be NAT-Traversal enabled.

    Current software (5.30) won't like that much full world access to administration/provisioning port, so write down at least some small group of geo-ip allowed nations to access T 443 and all other ports.
    Consider as alternative to change the default T 443 to something customized, but adapt port forwarding to the same port after changin that in USG20-VPN.
  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 915  Zyxel Employee
    Hi @Antonio967,
    Does upper layer router have option to enable VPN passthrough? 

  • Antonio967
    Antonio967 Posts: 7
    Update: The ISP was blocking the VPN service, now everything works !!! I have another question ...

    With the Tunnel open, I no longer access the resources of the local network but only those of the remote network, can I have access to both at the same time?
    Thank you...
  • MikeForshock
    MikeForshock Posts: 31  Freshman Member
    Update: The ISP was blocking the VPN service, now everything works !!! I have another question ...

    With the Tunnel open, I no longer access the resources of the local network but only those of the remote network, can I have access to both at the same time?
    Thank you...
    If they are the same IP range it may not.

Security Highlight