VPN type site-to-site and remote access (server role) USG20-VPN

Czarmen Posts: 3  Freshman Member
First Comment
edited June 2 in Security

Hello
I have 2 problems:

  1. I have a site-to-site configuration and remote access (server role).
    I have the same USG20 models in the headquarters of companies A and B. After changing the Internet provider and adding a new WAN IP address in the configuration,
    site-to-site establishes a connection, but the devices do not communicate, while the second type of connection, remote access (server role), works correctly. Before changing the operator, the two types of connections always worked.
  2. The new connection has a speed of 900Mb/s, and the USG20 transmits a maximum of 400Mb/s.

All Replies

  • Zyxel_Judy Posts: 2,317  Zyxel Employee
    Zyxel Certified Network Engineer Level 2 - Nebula Zyxel Certified Network Engineer Level 2 - Switch Zyxel Certified Network Engineer Level 2 - Security Zyxel Certified Network Engineer Level 1 - Nebula
    edited June 11

    Hi @Czarmen ,

    1/ Regarding the VPN issue, could you please provide the following information:

    • Do you mean there are two USG20-VPN firewalls at companies A and B that have a site-to-site VPN connection?
    • You mentioned that "site-to-site establishes a connection, but the devices do not communicate." Does this refer to the USG20-VPN firewalls themselves or the firewall clients not communicating?
    • What changes did you make to the WAN IP address configuration? Please provide details about the before and after settings, including the IP address type (DHCP, static IP, etc.). You can send this information privately by clicking my account > Message.

    Zyxel_Judy

  • Zyxel_Judy Posts: 2,317  Zyxel Employee
    Answer ✓

    2/ Regarding the performance specifications, please refer to the USG20-VPN datasheet.

    Zyxel_Judy

  • mm_bret Posts: 67  Ally Member
    First Comment Fifth Anniversary

    For site to site:

    Be sure each USG device points to the other's IP address. Typically these addresses are static IP addresses.

    Meaning you pay your ISP for a static IPv4 address.

    In the IPsec gateway configuration where you enter the peer address, make sure they are correct. For site to site, company A's IPsec gateway should have the IP address of company B, and company B's IPsec gateway should have the address of company A.

    Be sure all the encryption protocols match on both USG devices, and be sure the encryption key is the same on both ends.

    On the IPsec gateway, be sure the DH (Diffie-Hellman) settings are the same.

    Be sure the IPsec connection local and remote subnets match the respective router's LAN subnet configuration.

    Be sure the Perfect Forward Secrecy settings match (on or off).

    Good luck
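
The checklist in the reply above, written as a comparison of both sites' settings. This is an added example, not part of any forum post and not Zyxel code; the field names, addresses and key are constructed assumptions, not USG configuration keys.

```python
import ipaddress

# Constructed sample settings. Field names are hypothetical (not Zyxel keys);
# addresses come from documentation ranges.
SITE_A = {
    "wan_ip": "198.51.100.10", "peer_ip": "203.0.113.20",
    "encryption": "aes256", "authentication": "sha256", "dh_group": 14,
    "pre_shared_key": "constructed-example-key", "pfs": True,
    "local_subnet": "192.168.1.0/24", "remote_subnet": "192.168.2.0/24",
}
SITE_B = {
    "wan_ip": "203.0.113.20", "peer_ip": "198.51.100.99",  # does not point at A
    "encryption": "aes256", "authentication": "sha256", "dh_group": 14,
    "pre_shared_key": "constructed-example-key", "pfs": False,  # differs from A
    "local_subnet": "192.168.2.0/24", "remote_subnet": "192.168.1.0/24",
}

# Settings that must be identical on both gateways.
MUST_MATCH = ("encryption", "authentication", "dh_group", "pre_shared_key", "pfs")


def check_tunnel(a, b):
    """Return a list of mismatches between two site-to-site endpoints."""
    problems = []
    for key in MUST_MATCH:
        if a[key] != b[key]:
            # Never echo the key material itself into a report.
            detail = "values differ" if key == "pre_shared_key" else f"{a[key]!r} vs {b[key]!r}"
            problems.append(f"{key}: {detail}")
    # Mirrored settings: each side's peer and remote subnet describe the other side.
    for name, me, other in (("A", a, b), ("B", b, a)):
        if ipaddress.ip_address(me["peer_ip"]) != ipaddress.ip_address(other["wan_ip"]):
            problems.append(f"site {name}: peer_ip is not the other site's wan_ip")
        if ipaddress.ip_network(me["remote_subnet"]) != ipaddress.ip_network(other["local_subnet"]):
            problems.append(f"site {name}: remote_subnet is not the other site's local_subnet")
    return problems


if __name__ == "__main__":
    for line in check_tunnel(SITE_A, SITE_B) or ["no mismatches found"]:
        print(line)
```
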

  • Zyxel_Judy Posts: 2,317  Zyxel Employee

    Hi @Czarmen ,

    Thank you for the detailed information you provided in the private message.
    To summarize this case: after the new internet service provider changed the settings, LAN clients at both locations A and B can now ping each other, and everything is working properly.

    Zyxel_Judy