How to Configure IPSec VPN with ZyWALL IPSec VPN Client

Zyxel_Charlie Posts: 1,034  Zyxel Employee
edited June 2022 in VPN
This example shows how to use the VPN Setup Wizard to create a site-to-site VPN between a ZyWALL/USG and a ZyWALL IPSec VPN Client. It explains how to configure the VPN tunnel at each site. Once the tunnel is up, each site can be accessed securely from the other.


SETUP/STEP BY STEP PROCEDURE:
Set Up the ZyWALL/USG IPSec VPN Tunnel

1     In the ZyWALL/USG, go to CONFIGURATION > Quick Setup > VPN Setup Wizard and use the VPN Settings for Configuration Provisioning wizard to create a VPN rule that the ZyWALL IPSec VPN Client can use. Click Next.


Quick Setup > VPN Setup Wizard > Welcome 


2     Choose Express to create a VPN rule with the default phase 1 and phase 2 settings and a pre-shared key as the authentication method. Click Next.

Quick Setup > VPN Setup Wizard > Wizard Type


3     Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters. This value is case-sensitive. Click Next.

Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings-1

4     Type a secure Pre-Shared Key (8-32 characters). Set Local Policy to the IP address range of the network connected to the ZyWALL/USG.

Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings-2


5     This screen provides a read-only summary of the VPN tunnel. Click Save.

Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings-3


6     Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN > IPSec VPN > VPN Connection screen. Click Close to exit the wizard.

Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings > Wizard Completed


7     Go to CONFIGURATION > Object > User/Group > Add A User and create a user account for the ZyWALL IPSec VPN Client user.

CONFIGURATION > Object > User/Group > Add A User


8     Go to CONFIGURATION > VPN > IPSec VPN > Configuration Provisioning. In the General Settings section, select Enable Configuration Provisioning. Then, in the Configuration section, click Add to bind a configured VPN Connection to an Allowed User. Click Activate and Apply to save the configuration.

CONFIGURATION > VPN > IPSec VPN > Configuration Provisioning 


Set Up the ZyWALL IPSec VPN Client

1     Download ZyWALL IPSec VPN Client software from ZyXEL Download Library: http://www.zyxel.com/support/download_landing.shtml

2     Open ZyWALL IPSec VPN Client, select CONFIGURATION > Get from Server.


CONFIGURATION > Get from Server


3     Enter the WAN IP address or URL of the ZyWALL/USG in the Gateway Address field. If you changed the default HTTPS port on the ZyWALL/USG, enter the new port here. Enter the Login user name and Password exactly as configured on the ZyWALL or the external authentication server. Click Next; the client then retrieves the VPN configuration from the server.

CONFIGURATION > Get from Server > Step 1: Authentication


CONFIGURATION > Get from Server > Step 2: Processing

4     Then, you will see the Configuration successful page, click OK to exit the wizard.

CONFIGURATION > Get from Server > Configuration successful




VERIFICATION:

Test the IPSec VPN Tunnel

1     Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection. The Status connect icon is lit when the tunnel is connected.

CONFIGURATION > VPN > IPSec VPN > VPN Connection


2     Go to ZyWALL/USG MONITOR > VPN Monitor > IPSec and verify the tunnel Up Time and Inbound(Bytes)/Outbound(Bytes) Traffic.

MONITOR > VPN Monitor > IPSec


3     To test whether or not a tunnel is working, ping from a computer at one site to a computer at the other. Ensure that both computers have Internet access (via the IPSec devices).

PC with ZyWALL IPSec VPN Client installed > Windows 7 > cmd > ping 192.168.1.33


PC behind ZyWALL/USG > Windows 7 > cmd > ping 172.101.30.73


What Can Go Wrong?

1        If you see an [info] log message such as the one below, make sure both the ZyWALL/USG and the ZyWALL IPSec VPN Client use the same Pre-Shared Key to establish the IKE SA.

MONITOR > Log


2        If you see an [info] or [error] log message such as the one below, check the ZyWALL/USG Phase 1 Settings. The ZyWALL/USG and the ZyWALL IPSec VPN Client must use the same Encryption, Authentication method, DH key group and ID Type/Content to establish the IKE SA.

MONITOR > Log


3        If you see that the Phase 1 IKE SA process is done but you still get an [alert] or [info] log message such as the one below, check the ZyWALL/USG Phase 2 Settings. The ZyWALL/USG and the ZyWALL IPSec VPN Client must use the same Active Protocol, Encapsulation, Proposal and PFS, and the Local Policy must be set correctly, to establish the IKE SA.

MONITOR > Log


4        If you see an [alert] log message such as the one below, make sure you have created a user account for the ZyWALL IPSec VPN Client user on the ZyWALL/USG or the external authentication server, and check that the password matches the settings in that user account.

MONITOR > Log


5     Make sure the HTTPS service port that the IPSec VPN Client application uses to reach the ZyWALL/USG is reachable.


6    Make sure the To-ZyWALL security policies allow IPSec VPN traffic to the ZyWALL/USG. IKE uses UDP port 500, AH uses IP protocol 51, and ESP uses IP protocol 50.


7    The ZyWALL/USG supports UDP port 500 and UDP port 4500 for NAT traversal. If you enable this, make sure the To-ZyWALL security policies allow UDP port 4500 too.
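The troubleshooting list above boils down to three checks done by hand: do both sides agree on Phase 1, do both sides agree on Phase 2 (including a Local Policy the client's remote network actually covers), and does the To-ZyWALL policy admit IKE, ESP or AH, and UDP 4500 when NAT traversal is on. The following Python script is an added example that is not part of this post or of Zyxel's software; it performs those same comparisons on values you copy out of the two configuration screens. All class and field names and the sample values are constructed for illustration.

```python
"""Added diagnostic helper (not Zyxel code): checks the same things the
troubleshooting list says to check by hand. Field names and sample values
are constructed for this example."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass
class Phase1:
    """IKE (Phase 1) parameters as configured on each side."""
    pre_shared_key: str
    encryption: str        # e.g. "AES128"
    authentication: str    # e.g. "SHA1"
    dh_group: str          # e.g. "DH2"
    id_type: str           # ZyWALL/USG identity type, e.g. "IP"
    id_content: str        # ZyWALL/USG identity value


@dataclass
class Phase2:
    """IPSec (Phase 2) parameters as configured on each side."""
    active_protocol: str   # "ESP" or "AH"
    encapsulation: str     # "Tunnel" or "Transport"
    proposal: str          # e.g. "AES128-SHA1"
    pfs: str               # "none" or a DH group
    zywall_network: str    # Local Policy on the ZyWALL/USG; remote network on the client


def phase1_mismatches(gateway: Phase1, client: Phase1) -> list[str]:
    """Fields that differ between the two Phase 1 configurations (empty = IKE SA can match)."""
    return [name for name in vars(gateway) if getattr(gateway, name) != getattr(client, name)]


def phase2_mismatches(gateway: Phase2, client: Phase2) -> list[str]:
    """Fields that differ between the two Phase 2 configurations.
    The client's remote network must cover the ZyWALL/USG Local Policy."""
    problems = [name for name in ("active_protocol", "encapsulation", "proposal", "pfs")
                if getattr(gateway, name) != getattr(client, name)]
    if not ip_network(gateway.zywall_network).subnet_of(ip_network(client.zywall_network)):
        problems.append("zywall_network")
    return problems


def blocked_services(allowed: set[tuple[str, int]], active_protocol: str,
                     nat_traversal: bool) -> list[str]:
    """Services the To-ZyWALL policy must admit but does not.
    Keys are (protocol, number): a UDP port for IKE, an IP protocol number for ESP/AH."""
    required = {("udp", 500): "IKE (UDP 500)"}
    if active_protocol == "ESP":
        required[("ip", 50)] = "ESP (IP protocol 50)"
    elif active_protocol == "AH":
        required[("ip", 51)] = "AH (IP protocol 51)"
    if nat_traversal:
        required[("udp", 4500)] = "NAT traversal (UDP 4500)"
    return [label for key, label in required.items() if key not in allowed]


if __name__ == "__main__":
    # Constructed sample: the client was given a mistyped pre-shared key, and the
    # To-ZyWALL policy admits IKE and ESP but not UDP 4500 although NAT-T is on.
    gw1 = Phase1("s3cret-psk-value", "AES128", "SHA1", "DH2", "IP", "203.0.113.1")
    cl1 = Phase1("s3cret-psk-valu3", "AES128", "SHA1", "DH2", "IP", "203.0.113.1")
    gw2 = Phase2("ESP", "Tunnel", "AES128-SHA1", "none", "192.168.1.0/24")
    cl2 = Phase2("ESP", "Tunnel", "AES128-SHA1", "none", "192.168.1.0/24")
    policy = {("udp", 500), ("ip", 50)}
    print("Phase 1 mismatches:", phase1_mismatches(gw1, cl1))
    print("Phase 2 mismatches:", phase2_mismatches(gw2, cl2))
    print("Blocked services:", blocked_services(policy, gw2.active_protocol, nat_traversal=True))
```

Each list that comes back non-empty names the screen to revisit: a Phase 1 field points at VPN Gateway, a Phase 2 field at VPN Connection, and a blocked service at the To-ZyWALL security policy. The network check uses subnet containment rather than string equality because a client whose remote network is wider than the ZyWALL/USG Local Policy still negotiates.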