VPN IPsec problem

EvanYamasaki

Hello everyone!

We have a VPN IPsec between ZyWALL USG 100 (Office) and ZyWALL USG 20 (NB). Sometimes VPN connection is broken. We are simply reboot devices and connection has restored but this is not a solution to the problem.

I tried configure a VPN connection, gateways in ZyWALL USG 100 (Office) and ZyWALL USG 20 (NB) but it won't be for long.

Thanks for help!

smb_corp_user

Although I do not have an immediate solution, I would like to suggest where to look for the reason to your connection being dropped after a shorter time than expected. Your logs show a distinct error message saying "No rule found" for how to handle a specific type of package, and therefore dropping the type of package in question. This leads to a disconnect, because that specific type of package needs to be allowed at both ends for the connection to stay open.

Office Endpoint: Needs a new IPSec rule to allow ICMP packages from Source (192.168.0.128, ZyWALL USG 20) to Destination (192.168.1.1, ZyWALL USG 100). You may need to specify the exact type of ICMP package (I don't have the manual immediately available to me) to limit the traffic to only the expected access, so it would be helpful if you or someone else can provide that information for your rule.

NB Endpoint: Needs a new IPSec rule to allow TCP and UDP packages from Source (Office Subnet 192.168.1.0/24) to Destination (NB Subnet 192.168.0.0/24). Some of the TCP/UDP ports are repeated in your log, so it could be of interest to see if you can limit the number of ports for traffic allowed in the rule to be created on the NB side.

Unfortunately it has been too long since I last worked on setting up rules for VPN connections, so I don't remember all the details needed for the connection to remain stable. I hope some of the other forum members may have helpful suggestions for you, should the ZyWALL manual be insufficient for your needs.

Zyxel_Stanley

Hi @EvanYamasaki
I recommend upgrading your USG100 and USG20 to the latest version, V3.30P9 (WK48). Additionally, enable both the Nail-up and Connectivity check features in the "VPN Connection" setting to automatically recover VPN tunnels and prevent unavailable connection again.

terrylu

換個廠牌,這個問題就一勞永逸…

資訊的目的,在於簡化,

而ZYXEL 在於複雜化