Errors in the Most Recent USG FLEX Series User's Guide?

Analyteks
Analyteks Posts: 4  Freshman Member

I am trying to set up a client-to-site VPN to connect iOS devices to my USG FLEX 200H security device. I am using a custom setting as defined in Section 12.3.2 of Version 1.3.1 Edition 1 of the User's Guide. The firmware on the router is V1.31 (ABWV.0).

The VPN type is Policy-Based. My Address is the ge1(WAN) interface. The Peer Gateway Address is dynamic. The Authentication is Pre-Shared Key. The Phase 1 Settings are AES256/SHA256/DH19. The Phase 1 VPN seems to complete successfully based on the log entries.

The Phase 2 IKE_AUTH response fails with the message "generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]". My issue with the most recent version of the USG FLEX Series User's Guide is that the Phase 2 Policy Protocol expects an Active Protocol input (ESP in this case) and an Encapsulation input (TUNNEL in this case). I can find no way to provide these inputs in version V1.31 (ABWV.0). I have previously used a Zyxel client-to-site VPN configured as a Remote Access VPN, so I am confident the problem is not with my iOS devices.

Since there is a conflict between the User's Guide and the Firmware, how should I proceed?
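The log line quoted above is the kind of IKEv2 trace that tells you where a negotiation stopped: IKE_SA_INIT carries the Phase 1 (IKE SA) proposal and key exchange, while IKE_AUTH carries both peer authentication and the first CHILD_SA (ESP) proposal and traffic selectors. An AUTH_FAILED notify in the IKE_AUTH response points at authentication (pre-shared key, identities), whereas a CHILD_SA proposal or selector mismatch normally surfaces as a different notify such as NO_PROPOSAL_CHOSEN or TS_UNACCEPTABLE. The following triage script is an added example written for this page, not code from the original post or from Zyxel; it parses log lines in the format of the one quoted above and reports which exchange completed and why the later one failed. Only the AUTH_FAILED line is taken from the post; the other sample lines, and the mapping of notify names to causes, are constructed assumptions for the example.

```python
import re
from dataclasses import dataclass, field

# Regex for one IKEv2 trace line in the style quoted in the post:
#   "generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]"
LINE_RE = re.compile(
    r"^(?P<dir>parsed|generating) "
    r"(?P<exch>IKE_SA_INIT|IKE_AUTH|CREATE_CHILD_SA|INFORMATIONAL) "
    r"(?P<kind>request|response) (?P<mid>\d+) \[ (?P<payloads>.*?) \]$"
)
NOTIFY_RE = re.compile(r"N\((?P<name>[A-Z0-9_]+)\)")

# Assumed mapping (not from the page) of fatal notify payloads to the
# configuration area a practitioner should check first.
FATAL_NOTIFIES = {
    "AUTH_FAILED": "authentication failed: check pre-shared key and local/peer identities",
    "NO_PROPOSAL_CHOSEN": "no matching proposal: check IKE or ESP algorithm set",
    "TS_UNACCEPTABLE": "traffic selectors rejected: check local/remote policy networks",
}

# Constructed sample log: Phase 1 completes, then the responder rejects the
# client in IKE_AUTH. The last line is the one quoted in the post above.
SAMPLE_LOG = """\
parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr ]
generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""


@dataclass
class IkeMessage:
    direction: str      # "parsed" (received) or "generating" (sent)
    exchange: str       # IKE_SA_INIT, IKE_AUTH, ...
    kind: str           # request or response
    message_id: int
    payloads: list[str] = field(default_factory=list)

    @property
    def notifies(self) -> list[str]:
        """Names of all N(...) notify payloads carried by this message."""
        return [m["name"] for p in self.payloads for m in NOTIFY_RE.finditer(p)]


def parse_log(text: str) -> list[IkeMessage]:
    """Extract IKEv2 exchange lines; unrelated log lines are ignored."""
    msgs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        msgs.append(IkeMessage(m["dir"], m["exch"], m["kind"],
                               int(m["mid"]), m["payloads"].split()))
    return msgs


def triage(text: str) -> dict:
    """Report whether IKE_SA_INIT and IKE_AUTH completed and the first fatal notify seen."""
    result = {"ike_sa_init_complete": False, "ike_auth_complete": False, "failure": None}
    by_exchange: dict[str, list[IkeMessage]] = {}
    for msg in parse_log(text):
        by_exchange.setdefault(msg.exchange, []).append(msg)

    init = by_exchange.get("IKE_SA_INIT", [])
    # Phase 1 is complete when both directions were seen and no fatal notify appeared.
    result["ike_sa_init_complete"] = (
        any(m.kind == "request" for m in init)
        and any(m.kind == "response" for m in init)
        and not any(n in FATAL_NOTIFIES for m in init for n in m.notifies)
    )

    for msg in by_exchange.get("IKE_AUTH", []):
        if msg.kind != "response":
            continue
        fatal = [n for n in msg.notifies if n in FATAL_NOTIFIES]
        if fatal:
            result["failure"] = f"IKE_AUTH response {msg.message_id}: {FATAL_NOTIFIES[fatal[0]]}"
        elif "AUTH" in msg.payloads:
            # A successful response carries the responder's AUTH payload plus the CHILD_SA.
            result["ike_auth_complete"] = True
    return result


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a copy of the firewall's VPN log: if IKE_SA_INIT completes and IKE_AUTH reports AUTH_FAILED, the Phase 1 algorithm set is not the problem and the pre-shared key and identity settings are the first things to compare between the client profile and the gateway.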

All Replies

  • Zyxel_Melen
    Zyxel_Melen Posts: 2,941  Zyxel Employee

    Hi @Analyteks,

    Please reference this FAQ to fix this issue:

    Why can't I establish a VPN connection after updating to iOS 18? How can I resolve this issue? — Zyxel Community

    For the User's Guide, I will ask our team to update the content. Sorry for the inconvenience.

    Zyxel Melen


  • Analyteks
    Analyteks Posts: 4  Freshman Member

    Zyxel Melen,

    Thank you for the quick reply. In addition to not being able to choose a TUNNEL in the IKEv2 Phase 2 setup, there is no ability to choose a TUNNEL as the source address for a Policy Route, where the Incoming would be a TUNNEL and the Source Address would be the IKEv2 tunnel that is created when the Client-to-Site VPN is configured per Section 12.3.2 of the User's Guide. Did the part of the firmware referencing tunnels get deleted when the firmware was updated to ABWV.0?

  • Zyxel_Melen
    Zyxel_Melen Posts: 2,941  Zyxel Employee

    Hi @Analyteks,

    Before answering this question, may I clarify some information?

    The first question is "In addition to not being able to choose a TUNNEL in the IKEv2 Phase 2 setup"? Do you mean this option in ZLD?

    The second is "there is no ability to choose a TUNNEL as the source address for a Policy Route where the Incoming would be a TUNNEL and Source Address would be the IKEv2 Tunnel that is created when the Client-to-Site VPN is configured per Section 12.3.2 of the User's Guide."? Do you mean you want to have a configuration that the client-to-site VPN can access other site-to-site VPN's site by policy route?

    Zyxel Melen


  • Analyteks
    Analyteks Posts: 4  Freshman Member

    Zyxel Melen,

    Yes. It was part of the IKEv2 VPN setup on my EOL ZYWALL 110 device. With the most recent USG FLEX 200H firmware, I cannot find any reference to a TUNNEL. It is not an INTERFACE option. It is not an option when I try to configure a Policy Route. How does the Policy Route know that the path runs through a TUNNEL where the data and routing information are encapsulated with encryption to a user-specified level?

    Thank you for your continued response.

  • Zyxel_Melen
    Zyxel_Melen Posts: 2,941  Zyxel Employee

    Hi @Analyteks,

    Currently, Policy Route only supports being set with route-based VPN tunnels.

    May I know if you need any help configuring route-based VPN and the related policy route? You can send me a private message with your scenario and topology.

    Zyxel Melen