VPN on USG20-VPN - connected, but not passing traffic

ZyxelNewb Posts: 10
First Comment
edited April 2021 in Security
Hi All! I'm new to the Zyxel world, most of my experience is with Palo Alto firewalls. I've setup a basic IPSec remote access VPN using the Quick Configuration Wizard (https://kb.zyxel.com/KB/searchArticle!gwsViewDetail.action?articleOid=015527&lang=EN). I'm running a USG20-VPN with firmware version 4.32 (ABAQ.0) 2018-07-12.   My remote client is a Windows 10 PC using the ZyWall IPSec Client.

I followed the directions in the KB above, and am able to open my VPN connection and connect to the USG20-VPN. I'm unable to ping the VPN gateway, or any clients behind the USG20-VPN from my remote client. From my client behind the USG20-VPN, I am able to ping the gateway, but not my remote VPN client (yes, I've verified ping is enabled on both clients). If I look under the VPN Monitor, I can see that inbound traffic is being passed into the Zyxel, but outbound traffic is still sitting at 0 bytes.  So for some reason, outbound traffic on the VPN tunnel is not sending for some reason.  

I'm stumped as to what is causing this issue - can anyone help provide some insight into this issue? Thanks!

All Replies

  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,366  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer

    Hi @ZyxelNewb  

    The IPSec VPN Client will create a routing table automatically after VPN tunnel is established.

    So it means, in local policy setting must be the IP subnet which is belonging to your USG. (e.g. LAN1 subnet)

    If you entered a subnet which not belonging USG, then traffic will not pass through to VPN tunnel.

    You can make sure if VPN local policy setting is correct, and also check policy control setting avoids traffic been dropped.

  • TRM
    TRM Posts: 1
    First Comment
    I am having the same issue.  

    I do not understand what you are saying though.  Where do I check to make sure that the Subnet is allowed to pass traffic?  What policy control settings specifically should be checked?

    Also on my windows 10 device, if I do a 'route print' I do not see a route setup to send any of my traffic over the VPN connection
  • I'm in the same position, I haven't been able to get this issue figured out yet either. The subnet I entered is the LAN subnet being used by the USG device, but I'm not getting any routing to my internal LAN subnet from the VPN client.
  • Zyxel_Emily
    Zyxel_Emily Posts: 1,296  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer

    Hi @ZyxelNewb,


    Enable Mode config for IPSec VPN client connection

    Go to CONFIGURATION > VPN > IPSec VPN > VPN connection.

    Then you don't have to manually configure VPN client address on the ZyWALL IPSec VPN client.


    Attached are the guide and configuration file for your reference.

    In the configuration file, just modify the WAN IP address.

    The pre-shared key is 1234512345 and the password for the user "vpntest" is 123456.

    You can modify the value by yourself.

    On the ZyWALL IPSec VPN client, follow the steps in the guide to download VPN configuration from the server.


    Test Result:

    VPN client can ping LAN gateway successfully.

    Ping successfully.

  • ZyxelNewb
    ZyxelNewb Posts: 10
    First Comment
    edited November 2018
  • I've configured the VPN per the documentation you've attached, but I can't get my user to log in. It keeps showing "Authentication Failed: Wrong login/password". I'm 100% sure the username and password are correct though.  In the system logs, I see a log entry for my vpn user logged into the device from my client IP address, then immediately follows with a second entry that my vpn user has logged out from the device. Thoughts on what my issue is at this point? I've attached a slightly scrubbed version of my config as well, thanks for your help.
  • ZyxelNewb
    ZyxelNewb Posts: 10
    First Comment
    edited November 2018
    I should also note, that I've uploaded your config file (the only thing I've changed was the LAN 1 address/subnet, because the was already being used on the WAN side), and am able to connect to the USG20 now via IPSec VPN with my test client (I still don't see what's different in your config, vs what I had setup with the QuickVPN wizard though).  However - the VPN still won't pass traffic. I can't get to anything on the LAN 1 interface from my VPN client, nor can I get to any internet resources via the VPN client. I am getting an IP address on the VPN client subnet of 192.168.99.x, which seems to be right.
  • ZyxelNewb
    ZyxelNewb Posts: 10
    First Comment
    edited November 2018
    Disregard, I forgot to update the address in the WIZ_VPN_PROVISIONING_LOCAL group to the subnet I changed it to. 

    I'm still not sure of what the difference is between your working config that you posted, and my config.  Even if I start from a factory reset, run through the VPN wizard per your documentation, I still get the error about the invalid username/password?
  • Zyxel_Emily
    Zyxel_Emily Posts: 1,296  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer

    Although you add a rule in Configuration Provisioning, the rule is not activated.
    VPN rule settings can only be retrieved when the entry is "activated" (and Enable Configuration Provisioning is also selected).

    Besides, you need to create a user for VPN provisioning because admin account cannot be used for provisioning even if “any” is configured as Allowed User.

  • Erha
    Erha Posts: 4
    First Anniversary Friend Collector First Comment
    edited November 2020
    This is how I FINALLY was able to browse the network behind the USG. I don't get why noone in Zyxel mentions this when creating all the tutorials. (Or maybe what I have done opens the gates of Internet hell, and I just don't understand the consequenses of my actions...)


    I made sure that in the IPSec_VPN zone, my VPN tunnel was a member.

    Configuration->Security Policy->Policy Control

    I added and enabled a new rule:
    • Name: For instance VPN_TO_DEVICE
    • From: IPSec_VPN
    • To: any (Excluding ZyWALL)
    • Source: any
    • Destination: any
    • Service: any
    • User: any
    • Schedule: none
    • Action: Allow
    • Log matched traffic: no
    Then, after not knowing how many hours I tried to figure this out, our roadworriors are suddenly able to browse our local network...

Security Highlight