How to Resolve VPN Connection Issues with Flex H Series and RADIUS Server

Zyxel_Kevin
Zyxel_Kevin Posts: 903  Zyxel Employee
Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 500 Comments
in VPN

How can I resolve VPN connection issues with the ZyWALL FLEX 200H and RADIUS server?

A common issue with the ZyWALL FLEX 200H, especially when performing RADIUS authentication via VPN, is the device's inability to communicate with the RADIUS server on the other end of the VPN tunnel. LAN clients can communicate just fine, but the ZyWALL itself struggles to reach the server. Here is a simplified solution:

  1. Ensure that a policy route rule is created to direct traffic from the ZyWALL to the VPN Tunnel Interface (VTI). This can address the routing issue that prevents the ZyWALL from accessing remote subnets.
  2. Pick the appropriate VTI interface. It is recommended to use a conventional subnet such as 192.168.X.X instead of 169.254.X.X since some systems treat the latter as link-local addresses which cannot be routed.
  3. Configure the VTI interface on the ZyWALL and the peer gateway with compatible network addresses, e.g., 192.168.254.253 on ZyWALL and 192.168.254.254 on the peer gateway.
  4. Ensure that the RADIUS server is configured to recognize and trust the IP address of the VTI interface rather than the Firewall's LAN interface.
  5. If using static routes, do not add extra policy routes unnecessarily as this can interrupt existing VPN traffic. Testing without additional rules can help conclude if the static route suffices.
  6. If the VTI interface is successfully configured but unable to route, ensure that the RADIUS server can route the 192.168.X.X subnet and is properly configured to trust these IP addresses.

By following these steps, the ZyWALL FLEX 200H should be capable of accessing the RADIUS server over the VPN similar to ATP devices.

For detailed instructions and visual examples, please refer to the provided configuration screenshots and packet capture files here and here.

If you continue to experience issues, ensure that the necessary firewall policies are in place and contact support if further configuration adjustments are required.

Categories

EnglishTiếng ViệtРусскийไทย中文(台灣)