VPN IPsec problem

Hello everyone!
We have an IPsec VPN between a ZyWALL USG 100 (Office) and a ZyWALL USG 20 (NB). Sometimes the VPN connection is broken. We simply reboot the devices and the connection is restored, but this is not a solution to the problem.
I tried to configure a VPN connection and gateways in ZyWALL USG 100 (Office) and ZyWALL USG 20 (NB), but it won't be for long.

Thanks for help!


All Replies

  • smb_corp_user
    smb_corp_user Posts: 161  Master Member
    Although I do not have an immediate solution, I would like to suggest where to look for the reason for your connection being dropped after a shorter time than expected. Your logs show a distinct error message saying "No rule found" for how to handle a specific type of package, and therefore dropping the type of package in question. This leads to a disconnect, because that specific type of package needs to be allowed at both ends for the connection to stay open.

    Office Endpoint: Needs a new IPSec rule to allow ICMP packages from Source (192.168.0.128, ZyWALL USG 20) to Destination (192.168.1.1, ZyWALL USG 100). You may need to specify the exact type of ICMP package (I don't have the manual immediately available to me) to limit the traffic to only the expected access, so it would be helpful if you or someone else can provide that information for your rule.

    NB Endpoint: Needs a new IPSec rule to allow TCP and UDP packages from Source (Office Subnet 192.168.1.0/24) to Destination (NB Subnet 192.168.0.0/24). Some of the TCP/UDP ports are repeated in your log, so it could be of interest to see if you can limit the number of ports for traffic allowed in the rule to be created on the NB side.

    Unfortunately it has been too long since I last worked on setting up rules for VPN connections, so I don't remember all the details needed for the connection to remain stable. I hope some of the other forum members may have helpful suggestions for you, should the ZyWALL manual be insufficient for your needs.
  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,374  Zyxel Employee
    Hi @EvanYamasaki
    I recommend upgrading your USG100 and USG20 to the latest version, V3.30P9 (WK48). Additionally, enable both the Nail-up and Connectivity check features in the "VPN Connection" setting to automatically recover VPN tunnels and prevent the connection from becoming unavailable again.
  • terrylu
    terrylu Posts: 8

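    Switch to another brand and this problem is solved once and for all…

    The purpose of information technology is to simplify,

    while ZYXEL's is to complicate.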
