Site-to-site VPN and remote access (server role) on USG20-VPN
Hello
I have 2 problems:
- I have a site-to-site configuration and remote access (server role).
  I have the same USG20 models in the headquarters of companies A and B. After changing the Internet provider and adding a new WAN IP address in the configuration, site-to-site establishes a connection, but the devices do not communicate, while the second type of connection, remote access (server role), works correctly. Before changing the operator, the two types of connections always worked.
- The new connection has a speed of 900Mb/s, and the USG20 transmits a maximum of 400Mb/s.
All Replies
-
Hi @Czarmen ,
1/ Regarding the VPN issue, could you please provide the following information:
- Do you mean there are two USG20-VPN firewalls at companies A and B that have a site-to-site VPN connection?
- You mentioned that "site-to-site establishes a connection, but the devices do not communicate." Does this refer to the USG20-VPN firewalls themselves or the firewall clients not communicating?
- What changes did you make to the WAN IP address configuration? Please provide details about the before and after settings, including the IP address type (DHCP, static IP, etc.). You can send this information privately by clicking my account > Message.
Zyxel_Judy
-
For site to site:
Be sure each USG device points to the other's IP address. Typically these addresses are static IP addresses.
Meaning you pay your ISP for a static IPv4 address.
In the IPsec gateway configuration where you enter the peer address, make sure they are correct. For site to site, company A's IPsec gateway should have the IP address of company B, and company B's IPsec gateway should have the address of company A.
Be sure all the encryption protocols match on both USG devices, and be sure the encryption key is the same on both ends.
On the IPsec gateway, be sure the DH (Diffie-Hellman) settings are the same.
Be sure the IPsec connection local and remote subnets match the respective router's LAN subnet configuration.
Be sure the Perfect Forward Secrecy settings match (on or off).
Good luck
-
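The checks listed in the reply above, written out as an added example that is not part of the original thread and is not Zyxel code. The field names are hypothetical (they are not USG configuration keys) and the two site records are constructed sample data using documentation address ranges.

```python
import hmac
from ipaddress import ip_address, ip_network

# Hypothetical field names; settings that must be identical on both gateways.
MUST_MATCH = ("encryption", "authentication", "dh_group", "pfs")

def check_tunnel(a, b):
    """Return a list of mismatches between two site-to-site gateway configs."""
    problems = []
    for field in MUST_MATCH:
        if a[field] != b[field]:
            problems.append(f"{field}: {a['name']}={a[field]!r}, {b['name']}={b[field]!r}")
    # Compare the pre-shared key without ever echoing it into the report.
    if not hmac.compare_digest(a["psk"].encode(), b["psk"].encode()):
        problems.append("psk: values differ")
    for here, there in ((a, b), (b, a)):
        # The peer address must be the other site's current WAN IP.
        if ip_address(here["peer_ip"]) != ip_address(there["wan_ip"]):
            problems.append(f"{here['name']}: peer_ip {here['peer_ip']} is not "
                            f"{there['name']} WAN {there['wan_ip']}")
        # The local policy must be this router's LAN subnet ...
        if ip_network(here["local_subnet"]) != ip_network(here["lan_subnet"]):
            problems.append(f"{here['name']}: local_subnet is not its LAN subnet")
        # ... and must mirror the other side's remote policy.
        if ip_network(here["local_subnet"]) != ip_network(there["remote_subnet"]):
            problems.append(f"{there['name']}: remote_subnet does not match "
                            f"{here['name']} local_subnet")
    return problems

# Constructed sample data (documentation address ranges, placeholder key).
SITE_A = dict(name="A", wan_ip="203.0.113.5", peer_ip="198.51.100.20",
              lan_subnet="192.168.1.0/24", local_subnet="192.168.1.0/24",
              remote_subnet="192.168.2.0/24", encryption="aes256",
              authentication="sha256", dh_group=14, pfs=True, psk="example-key")
# Site B still points at A's old WAN address and uses a different DH group.
SITE_B = dict(name="B", wan_ip="198.51.100.20", peer_ip="192.0.2.10",
              lan_subnet="192.168.2.0/24", local_subnet="192.168.2.0/24",
              remote_subnet="192.168.1.0/24", encryption="aes256",
              authentication="sha256", dh_group=5, pfs=True, psk="example-key")

if __name__ == "__main__":
    for line in check_tunnel(SITE_A, SITE_B):
        print(line)
```

Filling the two records from each firewall's exported settings after a WAN change gives a quick way to spot a stale peer address or a one-sided proposal edit.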
Hi @Czarmen ,
Thank you for the detailed information you provided in the private message.
To summarize this case: after the new internet service provider changed the settings, LAN clients at both locations A and B can now ping each other, and everything is working properly.
Zyxel_Judy