IPSec VPN Client-To-Site IKE2 50H behind NAT
Hi all,
It's my first time on the new firmware, and I'm trying to create an IKEv2 IPSec VPN behind NAT. I've tried every configuration but always get an error. Please advise.
WAN1 10.20.30.2
LAN1 10.10.10.X
VPN Address Pool : 192.168.50.0/24
In the log file you can see all my attempts. Please let me know.
Thank you very much for your help.
Bye
All Replies
-
Are you using the VPN Configuration Download for the client?
Because your WAN is a 10.x address, do not use the Interface option for Incoming Interface; use Domain Name / IP set to 0.0.0.0 and set NAT Traversal to your WAN IP or domain name, then disable and re-enable the VPN and download the new VPN script.
0 -
Hi @ITS,
Based on the logs, we can confirm that your device is receiving VPN connection attempts and that IKEv2 negotiation has started. However, the log also shows multiple NO_PROP (no proposal chosen) errors and IKE_AUTH requests without successful responses. This suggests a mismatch between the VPN client and the Zyxel device configurations.
First, could you please confirm if your network topology matches the image below?
In this scenario, please refer to the following FAQ to configure your firewall correctly:
USG FLEX H Series - NAT Traversal Support for IPSec Remote Access VPN — Zyxel Community
If these settings do not resolve the issue, please send us your device’s diagnostic information file via private message. This will allow us to better understand your configuration and assist you further. Instructions on how to collect the file can be found in the following article:
How to collect diag-info from web GUI for USG FLEX H series? — Zyxel Community
Zyxel Tina
0 -
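As an added illustration of the two things this thread is circling around (the NO_PROP result in the log and the NAT traversal setting), here is a small Python 3 model of an IKEv2 IKE_SA_INIT response, written for this page and not taken from the thread, Zyxel or any VPN client. It follows the RFC 7296 byte layout: the IKE header, a chain of Notify payloads, the NO_PROPOSAL_CHOSEN notify (type 14), and the NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP notifies (types 16388 / 16389), whose SHA-1 over SPIs, address and port is how each side discovers a NAT in the path. The SPIs, the client address 192.0.2.7 and the public address 203.0.113.10 in front of the 10.20.30.2 WAN are constructed sample values; only 10.20.30.2 comes from the original post.

```python
"""Added example, not from the thread or Zyxel: a minimal IKEv2 IKE_SA_INIT
response builder/parser (RFC 7296 byte layout) showing (a) what a
NO_PROPOSAL_CHOSEN ("NO_PROP") reply looks like and (b) how the
NAT_DETECTION_*_IP notifies reveal that the responder sits behind NAT.
All SPIs and addresses below are constructed sample values."""
import hashlib
import ipaddress
import struct

IKE_SA_INIT = 34                      # exchange type
PAYLOAD_NOTIFY = 41                   # payload type
FLAG_RESPONSE = 0x20                  # R bit in the IKE header flags
N_NO_PROPOSAL_CHOSEN = 14             # the NO_PROP the firewall log reports
N_NAT_DETECTION_SOURCE_IP = 16388
N_NAT_DETECTION_DESTINATION_IP = 16389
IKE_HDR = struct.Struct("!BBBBII")    # next payload, version, exchange, flags, msg id, length
PAYLOAD_HDR = struct.Struct("!BBH")   # next payload, critical/reserved, payload length


def nat_detection_hash(spi_i, spi_r, ip, port):
    """RFC 7296 s2.23: SHA-1 over SPIi | SPIr | IP address | port (network byte order)."""
    return hashlib.sha1(spi_i + spi_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)).digest()


def notify_payload(notify_type, data, next_payload):
    # Protocol ID 0 and SPI size 0: these notifies refer to the IKE SA itself.
    body = struct.pack("!BBH", 0, 0, notify_type) + data
    return PAYLOAD_HDR.pack(next_payload, 0, PAYLOAD_HDR.size + len(body)) + body


def build_ike_sa_init_response(spi_i, spi_r, notifies):
    """Assemble an IKE_SA_INIT response whose payload chain consists only of Notify payloads."""
    chain = b""
    for idx, (ntype, data) in enumerate(notifies):
        nxt = PAYLOAD_NOTIFY if idx < len(notifies) - 1 else 0
        chain += notify_payload(ntype, data, nxt)
    hdr = IKE_HDR.pack(PAYLOAD_NOTIFY, 0x20, IKE_SA_INIT, FLAG_RESPONSE, 0, 28 + len(chain))
    return spi_i + spi_r + hdr + chain


def parse_notifies(msg):
    """Walk the payload chain and return (spi_i, spi_r, {notify type: data})."""
    spi_i, spi_r = msg[:8], msg[8:16]
    next_p, version, exchange, _flags, _msg_id, length = IKE_HDR.unpack(msg[16:28])
    if version != 0x20 or exchange != IKE_SA_INIT or length != len(msg):
        raise ValueError("not a well-formed IKE_SA_INIT message")
    notifies, off = {}, 28
    while next_p != 0:
        nxt, _crit, plen = PAYLOAD_HDR.unpack(msg[off:off + 4])
        if next_p == PAYLOAD_NOTIFY:
            _proto, spi_size, ntype = struct.unpack("!BBH", msg[off + 4:off + 8])
            notifies[ntype] = msg[off + 8 + spi_size:off + plen]
        off, next_p = off + plen, nxt
    return spi_i, spi_r, notifies


def diagnose(response, packet_src_ip, packet_src_port, my_ip, my_port=500):
    """What the client can tell from the first reply. packet_src_* is where the UDP
    datagram really came from; my_* is the client's own socket address."""
    spi_i, spi_r, n = parse_notifies(response)
    if N_NO_PROPOSAL_CHOSEN in n:
        return ["NO_PROP"]          # proposal mismatch: nothing about NAT can be learned yet
    findings = []
    # The responder hashed the address it believes it sends from. If that differs from
    # the datagram's real source, the firewall is behind NAT (the situation in this thread).
    if n.get(N_NAT_DETECTION_SOURCE_IP) != nat_detection_hash(spi_i, spi_r, packet_src_ip, packet_src_port):
        findings.append("RESPONDER_BEHIND_NAT")
    # The responder hashed the address it saw us coming from; a mismatch with our own
    # socket address means the client is behind NAT as well.
    if n.get(N_NAT_DETECTION_DESTINATION_IP) != nat_detection_hash(spi_i, spi_r, my_ip, my_port):
        findings.append("INITIATOR_BEHIND_NAT")
    return findings or ["NO_NAT"]


# Constructed scenario: firewall WAN 10.20.30.2 (from the post) behind a router that NATs
# it to a made-up public address 203.0.113.10; the client sits at 192.0.2.7.
SPI_I = bytes.fromhex("0102030405060708")
SPI_R = bytes.fromhex("1112131415161718")

NO_PROP_REPLY = build_ike_sa_init_response(SPI_I, SPI_R, [(N_NO_PROPOSAL_CHOSEN, b"")])

NAT_REPLY = build_ike_sa_init_response(SPI_I, SPI_R, [
    (N_NAT_DETECTION_SOURCE_IP, nat_detection_hash(SPI_I, SPI_R, "10.20.30.2", 500)),
    (N_NAT_DETECTION_DESTINATION_IP, nat_detection_hash(SPI_I, SPI_R, "192.0.2.7", 500)),
])

if __name__ == "__main__":
    print(diagnose(NO_PROP_REPLY, "203.0.113.10", 500, "192.0.2.7"))   # ['NO_PROP']
    print(diagnose(NAT_REPLY, "203.0.113.10", 500, "192.0.2.7"))       # ['RESPONDER_BEHIND_NAT']
```

The second case is why the NAT traversal address matters: the firewall hashes its own 10.20.30.2, the client sees the packet arrive from the public address, the hashes differ, and both sides switch to UDP 4500 for the rest of the exchange. The first case shows why the NO_PROP errors in the log are a separate problem: a proposal mismatch is rejected before NAT detection tells you anything, so the cipher/DH proposals and the identity/certificate settings have to be fixed on their own.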
Hi Tina, Hi Peter,
Yes, the situation is like Tina's image. I've tried putting 0.0.0.0 with Domain/IP selected, but nothing changed (I followed Peter's suggestion of disabling and enabling the VPN).
@Zyxel_Tina I tried to generate the device's diagnostic information file, but nothing happens. No file was generated.
Thanks
0 -
You have set the cert as manual; is this self-signed, or a domain name from an SSL provider?
As it is, the cert needs to match the NAT traversal address.
0 -
Hi Peter, manual certificate,
self-signed from the firewall.
Tried setting it to auto, disabled and enabled it again, and reinstalled the tunnel. Nothing changed. Same error.
0 -
When you reinstalled the tunnel, if you check the cert, does it list the IP as the NAT traversal address?
Have you set the upstream router to forward UDP ports 500 and 4500?
0 -
If you look at the log, the ports are correctly forwarded from the router.
0 -
It should connect… could the problem be caused by your ISP?
Try a local test: change the NAT traversal address to a LAN IP gateway, set the cert to auto, then download and test the VPN script.
0