IPSec VPN Client-To-Site IKE2 50H behind NAT

ITS
ITS Posts: 16  Freshman Member

Hi all,

It's my first time on the new firmware. I'm trying to create an IKEv2 IPSec tunnel behind NAT. I've tried every config but always get an error. Please advise.

WAN1 10.20.30.2

LAN1 10.10.10.X

VPN Address Pool : 192.168.50.0/24

In the log file you can see all my attempts. Please let me know.

Thank you very much for your help.

Bye

All Replies

  • PeterUK
    PeterUK Posts: 3,890  Guru Member

    Are you using the VPN Configuration Download for the client?

    Because your WAN is a 10.x address, do not use the Interface option for Incoming Interface; use Domain Name / IP as 0.0.0.0 and set NAT Traversal to your WAN IP or domain name, then disable and enable the VPN and download the new VPN script.

  • Zyxel_Tina
    Zyxel_Tina Posts: 79  Zyxel Employee

    Hi @ITS,

    Based on the logs, we can confirm that your device is receiving VPN connection attempts and that IKEv2 negotiation has started. However, the log also shows multiple NO_PROP (no proposal chosen) errors and IKE_AUTH requests without successful responses. This suggests a mismatch between the VPN client and the Zyxel device configurations.

    First, could you please confirm if your network topology matches the image below?


    In this scenario, please refer to the following FAQ to configure your firewall correctly:

    USG FLEX H Series - NAT Traversal Support for IPSec Remote Access VPN — Zyxel Community

    If these settings do not resolve the issue, please send us your device’s diagnostic information file via private message. This will allow us to better understand your configuration and assist you further. Instructions on how to collect the file can be found in the following article:

    How to collect diag-info from web GUI for USG FLEX H series? — Zyxel Community

    Zyxel Tina

  • ITS
    ITS Posts: 16  Freshman Member

    Hi Tina, Hi Peter,

    Yes, the situation is like Tina's image. I've tried putting 0.0.0.0 with Domain/IP selected, but nothing changed (I followed Peter's suggestion of disabling and enabling the VPN).


    @Zyxel_Tina I tried to generate the device's diagnostic information file, but nothing happens. No file was generated.

    Thanks

  • PeterUK
    PeterUK Posts: 3,890  Guru Member

    You have set the cert as manual; is this self-signed, or a domain name cert from an SSL provider?

    As it is, the cert needs to match the NAT traversal address.

  • ITS
    ITS Posts: 16  Freshman Member

    Hi Peter, manual certificate, self-signed from the firewall.

    Tried setting it to auto, disabled and enabled it again, and reinstalled the tunnel. Nothing changed. Same error.

  • PeterUK
    PeterUK Posts: 3,890  Guru Member

    When you reinstalled the tunnel, if you check the cert, does it list the IP as the NAT traversal address?

    Have you set the upstream router to forward UDP ports 500 and 4500?
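
The two checks raised in this thread, Tina's NO_PROP (no proposal chosen) diagnosis and Peter's question about forwarding UDP 500/4500 on the upstream router, can be exercised from the outside without the Zyxel client. The following is an added example, not code from the thread or from Zyxel: a minimal IKEv2 IKE_SA_INIT probe in Python, standard library only, following the RFC 7296 message layout. It sends one proposal (AES-256-CBC, PRF HMAC-SHA256, HMAC-SHA256-128 integrity, DH group 14; an illustrative set chosen here, not what the downloaded client script actually offers) to the NAT traversal address and reads what comes back: no reply points at the upstream NAT or ISP, a NO_PROPOSAL_CHOSEN notify means the packets reach the firewall but the phase-1 algorithms differ, and a reply carrying SA and KE payloads means IKE_SA_INIT succeeded, so the failure is in IKE_AUTH (certificate or identity). The address 203.0.113.5 in the usage comment is a documentation address, and `build_notify_response` only constructs a gateway reply for offline testing of the parser.

```python
"""Added example: minimal IKEv2 IKE_SA_INIT probe (RFC 7296), stdlib only.
Not Zyxel code; the single proposal offered below is an assumed, illustrative set."""
import os
import socket
import struct
import sys

IKE_VERSION = 0x20
IKE_SA_INIT = 34
PAYLOAD_NONE, PAYLOAD_SA, PAYLOAD_KE, PAYLOAD_NONCE, PAYLOAD_NOTIFY = 0, 33, 34, 40, 41
FLAG_INITIATOR, FLAG_RESPONSE = 0x08, 0x20
HEADER = "!8s8sBBBBII"  # SPIi, SPIr, next payload, version, exchange, flags, msg id, length
NOTIFY_NAMES = {7: "INVALID_SYNTAX", 14: "NO_PROPOSAL_CHOSEN",
                17: "INVALID_KE_PAYLOAD", 24: "AUTHENTICATION_FAILED"}


def generic(next_payload, body):
    """Generic payload header: next payload, critical bit/reserved, total length."""
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def transform(ttype, tid, keylen=None, last=False):
    """One transform substructure; 0x800E is the TV-format 'Key Length' attribute."""
    body = struct.pack("!BBH", ttype, 0, tid)
    if keylen is not None:
        body += struct.pack("!HH", 0x800E, keylen)
    return struct.pack("!BBH", 0 if last else 3, 0, 4 + len(body)) + body


def sa_payload(next_payload):
    """Single IKE proposal (assumed set): ENCR AES-CBC-256, PRF HMAC-SHA256,
    INTEG HMAC-SHA256-128, DH group 14. Edit it to mirror the client's script."""
    transforms = (transform(1, 12, keylen=256) + transform(2, 5)
                  + transform(3, 12) + transform(4, 14, last=True))
    # last proposal, reserved, length, proposal #1, protocol IKE, no SPI, 4 transforms
    proposal = struct.pack("!BBHBBBB", 0, 0, 8 + len(transforms), 1, 1, 0, 4) + transforms
    return generic(next_payload, proposal)


def build_ike_sa_init(spi_i):
    """IKE_SA_INIT request: SA, KE (random bytes sized for group 14), Nonce."""
    body = (sa_payload(PAYLOAD_KE)
            + generic(PAYLOAD_NONCE, struct.pack("!HH", 14, 0) + os.urandom(256))
            + generic(PAYLOAD_NONE, os.urandom(32)))
    header = struct.pack(HEADER, spi_i, b"\0" * 8, PAYLOAD_SA, IKE_VERSION,
                         IKE_SA_INIT, FLAG_INITIATOR, 0, 28 + len(body))
    return header + body


def build_notify_response(spi_i, spi_r, ntype, data=b""):
    """Constructed reply a gateway sends when it rejects IKE_SA_INIT with one
    Notify payload (protocol 0, no SPI). Used only for offline testing."""
    notify = generic(PAYLOAD_NONE, struct.pack("!BBH", 0, 0, ntype) + data)
    header = struct.pack(HEADER, spi_i, spi_r, PAYLOAD_NOTIFY, IKE_VERSION,
                         IKE_SA_INIT, FLAG_RESPONSE, 0, 28 + len(notify))
    return header + notify


def parse_response(data, spi_i):
    """Walk the payload chain of an IKE_SA_INIT response and collect notify names."""
    if len(data) < 28:
        raise ValueError("short IKE header")
    r_spi_i, spi_r, nxt, _ver, exch, flags, _mid, _len = struct.unpack(HEADER, data[:28])
    if r_spi_i != spi_i:
        raise ValueError("reply carries a different initiator SPI")
    if exch != IKE_SA_INIT or not flags & FLAG_RESPONSE:
        raise ValueError("not an IKE_SA_INIT response")
    result = {"responder_spi": spi_r.hex(), "payloads": [], "notifies": []}
    off = 28
    while nxt != PAYLOAD_NONE and off + 4 <= len(data):
        this = nxt
        nxt, _, plen = struct.unpack("!BBH", data[off:off + 4])
        if plen < 4 or off + plen > len(data):
            raise ValueError("bad payload length")
        result["payloads"].append(this)
        if this == PAYLOAD_NOTIFY:
            _, spi_size, ntype = struct.unpack("!BBH", data[off + 4:off + 8])
            name = NOTIFY_NAMES.get(ntype, "NOTIFY_%d" % ntype)
            ndata = data[off + 8 + spi_size:off + plen]
            if ntype == 17 and len(ndata) >= 2:  # responder names the DH group it wants
                name += "(group %d)" % struct.unpack("!H", ndata[:2])[0]
            result["notifies"].append(name)
        off += plen
    return result


def summarize(result):
    """Map the probe outcome onto the checks discussed in the thread."""
    if result is None:
        return "no reply: UDP 500/4500 not forwarded by the upstream router, or filtered upstream"
    for n in result["notifies"]:
        if n.startswith("NO_PROPOSAL_CHOSEN"):
            return "reachable, NO_PROPOSAL_CHOSEN: IKEv2 encryption/PRF/integrity/DH group differ between client and firewall"
        if n.startswith("INVALID_KE_PAYLOAD"):
            return "reachable, firewall wants another DH group: " + n
    if PAYLOAD_SA in result["payloads"] and PAYLOAD_KE in result["payloads"]:
        return "IKE_SA_INIT accepted: forwarding and phase-1 algorithms are fine, look at IKE_AUTH (cert/identity) next"
    return "reachable, unexpected reply: " + (", ".join(result["notifies"]) or "no notify payload")


def probe(host, port=500, timeout=3.0):
    """Send one IKE_SA_INIT and return the parsed reply, or None on timeout.
    On UDP 4500 the IKE message carries a 4-byte zero non-ESP marker in front."""
    spi_i = os.urandom(8)
    marker = b"\0\0\0\0" if port == 4500 else b""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(marker + build_ike_sa_init(spi_i), (host, port))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return None
    finally:
        sock.close()
    return parse_response(data[len(marker):], spi_i)


if __name__ == "__main__":
    # usage: python ike_probe.py 203.0.113.5 [500|4500]   (documentation address)
    ports = (int(sys.argv[2]),) if len(sys.argv) > 2 else (500, 4500)
    for p in ports:
        print("udp/%d: %s" % (p, summarize(probe(sys.argv[1], p))))
```

Run it from a host outside the NAT (a phone hotspot is enough) against the address configured as NAT Traversal. A reply on 500 but none on 4500 is the classic half-forwarded router; a NO_PROPOSAL_CHOSEN reply with a proposal copied from the client's script is the mismatch Tina's NO_PROP log lines describe. The KE payload is random filler, so the probe never completes a key exchange and leaves no half-open IKE SA beyond the responder's normal IKE_SA_INIT timeout.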

  • ITS
    ITS Posts: 16  Freshman Member


    If you look at the log, the ports are correctly forwarded from the router.

  • PeterUK
    PeterUK Posts: 3,890  Guru Member

    It should connect… could the problem be caused by your ISP?

    Try a local test: change the NAT traversal address to the LAN gateway IP, set the cert to auto, then download and test the VPN script.