How to configure IPSec Site to Site VPN while one Site is behind a NAT router
SCENARIO DESCRIPTION:
This example shows how to use the VPN Setup Wizard to create an IPSec Site to Site VPN tunnel between two ZyWALL/USG devices. It explains how to configure the VPN tunnel at each site when one site (the Branch) is behind a NAT router. Once the IPSec Site to Site VPN tunnel is up, each site's network can be reached securely from the other.
SETUP/STEP BY STEP PROCEDURE:
Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network (HQ)
1 In the ZyWALL/USG (HQ), go to CONFIGURATION > Quick Setup > VPN Setup Wizard and use the VPN Settings wizard to create a VPN rule for the tunnel to the Branch ZyWALL/USG. Click Next.
Figure 1 Quick Setup > VPN Setup Wizard > Welcome
2 Choose Express to create a VPN rule with the default phase 1 and phase 2 settings and use a pre-shared key to be the authentication method. Click Next.
Figure 2 Quick Setup > VPN Setup Wizard > Wizard Type
3 Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters. This value is case-sensitive. Select the rule to be Site-to-site. Click Next.
Figure 3 Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario)
4 Configure Secure Gateway IP as the public address at which the Branch is reachable from the Internet. Because the Branch ZyWALL/USG sits behind a NAT router, this is the NAT router's WAN IP, which the NAT rule configured later in this procedure forwards to the Branch (in the example, 172.100.30.40). Then type a secure Pre-Shared Key (8-32 characters). Since Peer ID Type is set to Any in step 7, the pre-shared key is the only thing that authenticates the remote peer, so use a long random key rather than a word.
Set Local Policy to be the IP address range of the network connected to the ZyWALL/USG (HQ) and Remote Policy to be the IP address range of the network connected to the ZyWALL/USG (Branch).
Figure 4 Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Configuration)
5 This screen provides a read-only summary of the VPN tunnel. Click Save.
Figure 5 Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Summary)
6 Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN > IPSec VPN > VPN Connection screen. Click Close to exit the wizard.
Figure 6 Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings > Wizard Completed
7 Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Show Advanced Settings. Set Authentication > Peer ID Type to Any so that the ZyWALL/USG does not compare the identity presented by the remote IPSec router against a configured value. This matters here because the Branch is behind NAT: the identity it presents (by default its own WAN IP) may not match the source address HQ sees after translation, and a strict ID check would fail Phase 1. With Any, only the pre-shared key authenticates the peer.
Figure 7 CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Show Advanced Settings > Authentication > Peer ID Type
Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network (Branch)
1 In the ZyWALL/USG (Branch), go to CONFIGURATION > Quick Setup > VPN Setup Wizard and use the VPN Settings wizard to create a VPN rule for the tunnel to the HQ ZyWALL/USG. Click Next.
Figure 8 Quick Setup > VPN Setup Wizard > Welcome
2 Choose Express to create a VPN rule with the default phase 1 and phase 2 settings and use a pre-shared key to be the authentication method. Click Next.
Figure 9 Quick Setup > VPN Setup Wizard > Wizard Type
3 Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters. This value is case-sensitive. Select the rule to be Site-to-site. Click Next.
Figure 10 Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario)
4 Configure Secure Gateway IP as the HQ's WAN IP address (in the example, 172.100.20.30). Then type the same Pre-Shared Key (8-32 characters) that was entered at HQ.
Set Local Policy to be the IP address range of the network connected to the ZyWALL/USG (Branch) and Remote Policy to be the IP address range of the network connected to the ZyWALL/USG (HQ). The two policies are the mirror image of the HQ rule; if they are not, Phase 2 will not come up.
Figure 11 Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Configuration)
5 This screen provides a read-only summary of the VPN tunnel. Click Save.
Figure 12 Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Summary)
6 Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN > IPSec VPN > VPN Connection screen. Click Close to exit the wizard.
Figure 13 Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings > Wizard Completed
7 Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Show Advanced Settings. Set Authentication > Peer ID Type to Any so that the ZyWALL/USG does not compare the identity presented by the remote IPSec router against a configured value. As at HQ, the pre-shared key is then the only peer authentication.
Figure 14 CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Show Advanced Settings > Authentication > Peer ID Type
Set Up the NAT Router (Using ZyWALL USG device in this example)
1 Go to CONFIGURATION > Network > NAT > Add. Select the Incoming Interface on which packets for the NAT rule are received (the WAN interface facing HQ). Set User-Defined Original IP to the NAT router's public WAN IP that HQ dials as its Secure Gateway (172.100.30.40 in this example), and set the translated destination (Mapped IP) to the WAN IP of the Branch ZyWALL/USG behind the router, so that IKE and NAT-T packets arriving from HQ are forwarded to the Branch.
Figure 15 CONFIGURATION > Network > NAT > Add
2 Go to CONFIGURATION > Security Policy > Policy Control. The NAT router's security policy must permit the forwarded traffic for the following IP protocols and UDP ports:
IP protocol = 50 → Used by data path (ESP)
IP protocol = 51 → Used by data path (AH)
UDP Port Number = 500 → Used by IKE (IPSec control path)
UDP Port Number = 4500 → Used by NAT-T (IPsec NAT traversal)
In this topology the tunnel will in practice run over UDP 500 and 4500: once the peers detect the NAT, IKE moves to UDP 4500 and ESP is carried inside UDP 4500 rather than as bare protocol 50. AH (protocol 51) cannot cross a NAT at all, because it authenticates the outer IP header that the NAT rewrites, so keep the default ESP protocol in the Phase 2 settings.
Figure 16 CONFIGURATION > Security Policy > Policy Control
VERIFICATION:
Test the IPSec VPN Tunnel
1 Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection, click Connect on the upper bar. The Status connect icon is lit when the interface is connected.
Figure 17 CONFIGURATION > VPN > IPSec VPN > VPN Connection
2 Go to ZyWALL/USG MONITOR > VPN Monitor > IPSec and verify the tunnel Up Time and Inbound(Bytes)/Outbound(Bytes) Traffic.
Figure 18 MONITOR > VPN Monitor > IPSec
3 To test whether or not a tunnel is working, ping from a computer at one site to a computer at the other. Ensure that both computers have Internet access (via the IPSec devices).
Figure 19 PC behind ZyWALL/USG (HQ) > Windows 7 > cmd > ping 192.168.20.33
Figure 20 PC behind ZyWALL/USG (Branch) > Windows 7 > cmd > ping 10.10.10.33
What Could Go Wrong?
1 If you see the [info] or [error] log message shown below, check the Phase 1 settings on both ZyWALL/USGs. The HQ and Branch devices must use the same Pre-Shared Key, Encryption, Authentication method, DH key group and ID Type to establish the IKE SA.
Figure 21 MONITOR > Log
2 If Phase 1 completes (the IKE SA is established) but you still see the [info] log message shown below, check the Phase 2 settings on both ZyWALL/USGs. The HQ and Branch devices must use the same Protocol, Encapsulation, Encryption, Authentication method and PFS setting to establish the IPSec SA, and the Local/Remote Policy ranges at one site must be the mirror image of those at the other.
Figure 22 MONITOR > Log
3 Make sure the security policies on both ZyWALL/USGs at the HQ and Branch sites, and on the NAT router in between, allow IPSec VPN traffic. IKE uses UDP port 500, NAT-T uses UDP port 4500, ESP uses IP protocol 50 and AH uses IP protocol 51.
4 NAT traversal is enabled by default on the ZyWALL/USG. Make sure the remote IPSec device also has NAT traversal enabled; without it the peers cannot negotiate UDP encapsulation, and ESP packets will not survive the address translation even though Phase 1 succeeds.
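To make concrete what the NAT-T entries in the NAT router's policy (UDP 4500) and item 4 above rely on, the following Python script, added here as an example and not part of the original article or of any Zyxel firmware, works through the IKE NAT detection check of RFC 7296 section 2.23 for this page's topology. The SPI value and the Branch ZyWALL/USG's private WAN address 192.168.100.2 are constructed assumptions; the HQ and NAT router addresses are the ones used on the page. It shows why HQ concludes that the Branch is behind NAT even though the Branch itself hashes its own address in good faith, why the peers then move to UDP 4500 with UDP-encapsulated ESP, and why AH cannot be used across the NAT router.

```python
"""IKE NAT detection (RFC 7296 section 2.23) for HQ <-> NAT router <-> Branch.
Constructed values, not a capture from a ZyWALL/USG."""
import hashlib
import ipaddress
import struct

IKE_PORT = 500      # IKE control path
NAT_T_PORT = 4500   # IKE and UDP-encapsulated ESP once NAT is detected

# Addresses from the page; the Branch WAN IP behind the NAT router is assumed.
HQ_WAN = "172.100.20.30"
NAT_ROUTER_WAN = "172.100.30.40"   # what HQ configures as Secure Gateway IP
BRANCH_WAN = "192.168.100.2"       # assumed private WAN address of the Branch ZyWALL/USG


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """Data of a NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP notify:
    SHA-1 over SPIi | SPIr | IP address (4 or 16 bytes) | UDP port (2 bytes, big-endian).
    IKEv1 NAT-T (RFC 3947) uses the same construction with the ISAKMP cookies in
    place of the SPIs and the negotiated hash algorithm instead of fixed SHA-1."""
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("IKEv2 SPIs are 8 bytes each")
    addr = ipaddress.ip_address(ip).packed
    return hashlib.sha1(spi_i + spi_r + addr + struct.pack("!H", port)).digest()


def responder_nat_check(spi_i, spi_r, observed_src_ip, observed_src_port,
                        own_ip, own_port, nd_source, nd_destination):
    """Responder side (HQ). Recompute both digests over the addresses it actually
    sees on the received packet and compare with what the initiator sent.
    Source digest mismatch: something rewrote the initiator's address or port,
    so the peer is behind NAT. Destination digest mismatch: HQ itself is behind NAT."""
    peer_behind_nat = nat_detection_hash(spi_i, spi_r, observed_src_ip, observed_src_port) != nd_source
    self_behind_nat = nat_detection_hash(spi_i, spi_r, own_ip, own_port) != nd_destination
    return peer_behind_nat, self_behind_nat


def choose_transport(peer_behind_nat: bool, self_behind_nat: bool) -> dict:
    """If either side is behind NAT the peers move IKE to UDP 4500 and carry ESP
    inside UDP (RFC 3948). AH is never usable across NAT because it authenticates
    the outer IP header that the NAT rewrites."""
    if peer_behind_nat or self_behind_nat:
        return {"ike_port": NAT_T_PORT, "esp": "UDP-encapsulated on UDP 4500", "ah_usable": False}
    return {"ike_port": IKE_PORT, "esp": "native IP protocol 50", "ah_usable": True}


def simulate_ike_sa_init(initiator_ip: str, observed_src_ip: str, observed_src_port: int,
                         responder_ip: str) -> dict:
    """The initiator builds its notifies from the addresses it knows; the responder
    checks them against the packet it received. observed_src_* is whatever the NAT
    router (if any) put on the outer header."""
    spi_i = bytes.fromhex("0102030405060708")  # constructed initiator SPI
    spi_r = bytes(8)                            # SPIr is zero in the IKE_SA_INIT request
    nd_source = nat_detection_hash(spi_i, spi_r, initiator_ip, IKE_PORT)
    nd_destination = nat_detection_hash(spi_i, spi_r, responder_ip, IKE_PORT)
    peer_nat, self_nat = responder_nat_check(spi_i, spi_r, observed_src_ip, observed_src_port,
                                             responder_ip, IKE_PORT, nd_source, nd_destination)
    return {"peer_behind_nat": peer_nat, "self_behind_nat": self_nat,
            **choose_transport(peer_nat, self_nat)}


if __name__ == "__main__":
    # Branch dials HQ; the NAT router rewrites the source to its own WAN IP (port kept).
    print("Branch behind NAT:", simulate_ike_sa_init(BRANCH_WAN, NAT_ROUTER_WAN, IKE_PORT, HQ_WAN))
    # Same exchange, but the NAT router also rewrote the source port.
    print("Port rewritten too:", simulate_ike_sa_init(BRANCH_WAN, NAT_ROUTER_WAN, 61000, HQ_WAN))
    # No NAT in the path: both digests verify and native ESP (protocol 50) can be used.
    print("No NAT:", simulate_ike_sa_init(NAT_ROUTER_WAN, NAT_ROUTER_WAN, IKE_PORT, HQ_WAN))
```

The detection is purely a comparison of digests, so a mismatch tells HQ that translation happened without telling it what the Branch's real address is; that is also why the Secure Gateway IP at HQ must be the NAT router's public address and why a device with NAT traversal disabled will still complete Phase 1 and then fail to pass traffic.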