How to configure IPSec Site to Site VPN while one Site is behind a NAT router

Zyxel_Charlie Posts: 1,034  Zyxel Employee
edited September 2022 in VPN

SCENARIO DESCRIPTION:

This example shows how to use the VPN Setup Wizard to create an IPSec Site to Site VPN tunnel between ZyWALL/USG devices. It shows how to configure the VPN tunnel at each site while one site is behind a NAT router. Once the IPSec Site to Site VPN tunnel is configured, each site can be accessed securely.



SETUP/STEP BY STEP PROCEDURE:

Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network (HQ)

1     In the ZyWALL/USG, go to CONFIGURATION > Quick Setup > VPN Setup Wizard, use the VPN Settings wizard to create a VPN rule that can be used with the FortiGate. Click Next.

Figure 1   Quick Setup > VPN Setup Wizard > Welcome


2     Choose Express to create a VPN rule with the default phase 1 and phase 2 settings and use a pre-shared key to be the authentication method. Click Next.

Figure 2   Quick Setup > VPN Setup Wizard > Wizard Type

3     Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters. This value is case-sensitive. Select the rule to be Site-to-site. Click Next.

Figure 3   Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario)


4     Configure Secure Gateway IP as the Branch’s WAN IP address (in the example, 172.100.30.40). Then, type a secure Pre-Shared Key (8-32 characters).

Set Local Policy to be the IP address range of the network connected to the ZyWALL/USG (HQ) and Remote Policy to be the IP address range of the network connected to the ZyWALL/USG (Branch).

Figure 4   Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Configuration)


5     This screen provides a read-only summary of the VPN tunnel. Click Save.

Figure 5   Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Summary)


6     Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN > IPSec VPN > VPN Connection screen. Click Close to exit the wizard.

Figure 6  Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings > Wizard Completed


7     Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Show Advanced Settings. Set Authentication > Peer ID Type to Any so that the ZyWALL/USG does not check the identity content of the remote IPSec router (behind a NAT router, the peer's IP-based ID would not match the address its packets arrive from).

Figure 7  CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Show Advanced Settings > Authentication > Peer ID Type

Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network (Branch)

 

1     In the ZyWALL/USG, go to CONFIGURATION > Quick Setup > VPN Setup Wizard, use the VPN Settings wizard to create a VPN rule that can be used with the FortiGate. Click Next.

Figure 8   Quick Setup > VPN Setup Wizard > Welcome


2     Choose Express to create a VPN rule with the default phase 1 and phase 2 settings and use a pre-shared key to be the authentication method. Click Next.

Figure 9   Quick Setup > VPN Setup Wizard > Wizard Type


3     Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters. This value is case-sensitive. Select the rule to be Site-to-site. Click Next.

Figure 10   Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario)


4     Configure Secure Gateway IP as the Branch’s WAN IP address (in the example, 172.100.20.30). Then, type a secure Pre-Shared Key (8-32 characters).

Set Local Policy to be the IP address range of the network connected to the ZyWALL/USG (HQ) and Remote Policy to be the IP address range of the network connected to the ZyWALL/USG (Branch).

Figure 11   Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Configuration)


5     This screen provides a read-only summary of the VPN tunnel. Click Save.

Figure 12   Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Summary)


6     Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN > IPSec VPN > VPN Connection screen. Click Close to exit the wizard.

Figure 13  Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings > Wizard Completed


7     Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Show Advanced Settings. Set Authentication > Peer ID Type to Any so that the ZyWALL/USG does not check the identity content of the remote IPSec router.

Figure 14  CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Show Advanced Settings > Authentication > Peer ID Type


Set Up the NAT Router (using a ZyWALL/USG device in this example)

1     Go to CONFIGURATION > Network > NAT > Add. Select the Incoming Interface on which packets for the NAT rule must be received. Fill in the User-Defined Original IP field and type the translated destination IP address that this NAT rule forwards to.

Figure 15  CONFIGURATION > Network > NAT > Add


2     Go to CONFIGURATION > Security Policy > Policy Control. The firewall must forward the following IP protocols and UDP ports:

IP protocol = 50 → Used by data path (ESP)

IP protocol = 51 → Used by data path (AH)

UDP Port Number = 500 → Used by IKE (IPSec control path)

UDP Port Number = 4500 → Used by NAT-T (IPsec NAT traversal)

Figure 16  CONFIGURATION > Security Policy > Policy Control


VERIFICATION:

Test the IPSec VPN Tunnel

1     Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection, click Connect on the upper bar. The Status connect icon is lit when the interface is connected.

Figure 17  CONFIGURATION > VPN > IPSec VPN > VPN Connection


2     Go to ZyWALL/USG MONITOR > VPN Monitor > IPSec and verify the tunnel Up Time and Inbound(Bytes)/Outbound(Bytes) Traffic.

Figure 18  MONITOR > VPN Monitor > IPSec


3     To test whether or not a tunnel is working, ping from a computer at one site to a computer at the other. Ensure that both computers have Internet access (via the IPSec devices).

Figure 19  PC behind ZyWALL/USG (HQ) > Windows 7 > cmd > ping 192.168.20.33


Figure 20  PC behind ZyWALL/USG (Branch) > Windows 7 > cmd > ping 10.10.10.33


What Could Go Wrong?

1      If you see the [info] or [error] log message below, check the ZyWALL/USG Phase 1 settings. The ZyWALL/USG at the HQ and Branch sites must use the same Pre-Shared Key, Encryption, Authentication method, DH key group and ID Type to establish the IKE SA.

Figure 21  MONITOR > Log


2      If the Phase 1 IKE SA completes but you still see the [info] log message below, check the ZyWALL/USG Phase 2 settings. The ZyWALL/USG at the HQ and Branch sites must use the same Protocol, Encapsulation, Encryption, Authentication method and PFS to establish the IKE SA.

Figure 22  MONITOR > Log


3      Make sure the security policies on both the HQ and Branch ZyWALL/USG allow IPSec VPN traffic. IKE uses UDP port 500, AH uses IP protocol 51, and ESP uses IP protocol 50.

4      NAT traversal is enabled by default on the ZyWALL/USG; make sure the remote IPSec device also has NAT traversal enabled.
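As an added illustration (not from the original post or from Zyxel) of why the NAT router must pass UDP 4500 in step 2 above and why NAT traversal must be enabled on both peers in item 4: this Python sketch reproduces the NAT detection that IKE performs (RFC 7296 section 2.23; IKEv1 NAT-T in RFC 3947 uses the same construction with the ISAKMP cookies) and shows how a rewritten source address is noticed and moves the tunnel to UDP 4500. The SPIs and the Branch's private WAN address 192.168.1.2 are constructed; the page's 172.100.30.40 is treated as the public address the NAT router presents to HQ.

```python
import hashlib
import ipaddress
import struct

def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """Value of a NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP payload
    (RFC 7296 section 2.23): SHA-1 over SPIi | SPIr | IP address | UDP port."""
    data = spi_i + spi_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(data).digest()

def detect_nat(spi_i, spi_r, src_hash, dst_hash, seen_src, seen_dst):
    """Receiver-side check on an IKE_SA_INIT message. src_hash/dst_hash are the
    payloads the peer sent (computed over the addresses it believes it uses);
    seen_src is the (ip, port) the packet really arrived from and seen_dst is the
    receiver's own (ip, port). Returns (peer_behind_nat, self_behind_nat)."""
    peer_behind_nat = src_hash != nat_detection_hash(spi_i, spi_r, *seen_src)
    self_behind_nat = dst_hash != nat_detection_hash(spi_i, spi_r, *seen_dst)
    return peer_behind_nat, self_behind_nat

def ports_after_detection(peer_behind_nat, self_behind_nat):
    """With a NAT on the path both peers move IKE to UDP 4500 and carry ESP inside
    UDP 4500 as well (NAT-T); otherwise IKE stays on UDP 500 and ESP is sent as
    raw IP protocol 50. This is why the NAT router must pass UDP 500 and 4500."""
    if peer_behind_nat or self_behind_nat:
        return {"ike": ("udp", 4500), "esp": ("udp", 4500)}
    return {"ike": ("udp", 500), "esp": ("ip", 50)}

# Constructed sample exchange modelled on the page's topology.
SPI_I = bytes.fromhex("0102030405060708")  # constructed initiator SPI
SPI_R = bytes(8)                           # responder SPI is zero in the first message
BRANCH_WAN = ("192.168.1.2", 500)          # constructed: Branch USG WAN behind the NAT router
NAT_PUBLIC = ("172.100.30.40", 500)        # page: address HQ uses as Secure Gateway
HQ_WAN = ("172.100.20.30", 500)            # page: HQ WAN address

def branch_to_hq_example():
    """Branch initiates; the NAT router rewrites the source to its public address,
    so HQ's recomputed source hash no longer matches the one Branch sent."""
    src_hash = nat_detection_hash(SPI_I, SPI_R, *BRANCH_WAN)
    dst_hash = nat_detection_hash(SPI_I, SPI_R, *HQ_WAN)
    return detect_nat(SPI_I, SPI_R, src_hash, dst_hash, NAT_PUBLIC, HQ_WAN)

if __name__ == "__main__":
    peer, me = branch_to_hq_example()
    print(f"Branch behind NAT: {peer}, HQ behind NAT: {me} -> {ports_after_detection(peer, me)}")
```

If the hash over the address actually seen on the wire matches, no NAT is on that side of the path and the peers keep IKE on UDP 500 with ESP as raw protocol 50, which is the case the HQ side of this scenario is in.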

 
