IKEv2 VPN - successful connection, can't reach devices on target/remote LAN

CoreSG
CoreSG Posts: 40  Freshman Member
edited April 2021 in Security
Following up from https://businessforum.zyxel.com/discussion/2068/ikev2

I have successfully configured an IKEv2 VPN, and can make a successful connection to the Zyxel USG device with an iPhone and mac OS.

However, I can't reach any devices inside the remote network (trying the Zyxel on its LAN IP, and a printer with an available web interface in/on/via the LAN).

Note: I did have a prior IKE(v1) VPN configuration (now disabled) with which I could connect and access LAN devices.
I've checked, and the existing firewall rules (that permit such traffic) include the newly set up and working (at least to connect) IKEv2 VPN setup.

I also found and followed this Zyxel article, but the issue remains (unresolved).
https://mysupport.zyxel.com/hc/en-us/articles/360005744000--ZyWALL-USG-How-to-set-up-a-Client-to-Site-VPN-Configuration-Payload-DHCP-connection-using-IKEv2

Accepted Solution

  • CoreSG
    CoreSG Posts: 40  Freshman Member
    Answer ✓
    This was solved by Zyxel_Emily - thank you so very much!!

    The fix is:

    "The IP address pool for IKEv2 cannot conflict with WAN/LAN/DMZ subnet even if they are not in use.
    Please check the pool of IKEv2 again."
    With a screenshot suggesting a configured IKEv2-Pool address object, with IPs from 100.100.100.1 - 100.100.100.10.

    Which I used exactly, and I updated the existing IKEv2 connection settings to use that address pool, and it works: I can reach devices on the remote LAN.

    Configuration > Object > Address/Geo IP > (Add) > Name: IKEv2-Pool, Address Type: Range, Start IP 100.100.100.1, End IP 100.100.100.10

    Configuration > IPSec VPN >
    Select (here, my name used) IKEv2 Connection > Edit > Configuration Payload > Click at the top on "Show Advanced Settings" >
    Configuration Payload: click on/activate Enable Configuration Payload >
    IP address pool: IKEv2-Pool
    (Also supply DNS if/as desired below that).

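A quick way to check the constraint stated in the accepted answer (the IKEv2 pool must not overlap any WAN/LAN/DMZ subnet, in use or not) before committing a pool on the device, as an added example that is not from the thread or from Zyxel: the interface subnets below are constructed placeholders, and pool_overlaps is a hypothetical helper name.

```python
import ipaddress

# Constructed example: the USG's configured interface subnets (placeholder values,
# not taken from the thread). Include every configured subnet, even ones not in use,
# because the device rejects conflicts with unused WAN/LAN/DMZ subnets too.
INTERFACE_SUBNETS = {
    "WAN": "203.0.113.0/24",
    "LAN": "192.168.1.0/24",
    "DMZ": "192.168.3.0/24",
}


def pool_overlaps(start_ip, end_ip, subnets=INTERFACE_SUBNETS):
    """Return the names of interface subnets that the pool range start_ip..end_ip touches.

    An empty list means the candidate pool is safe to use as the Configuration
    Payload address pool; a non-empty list names the conflicting interfaces.
    """
    start = ipaddress.ip_address(start_ip)
    end = ipaddress.ip_address(end_ip)
    if end < start:
        raise ValueError("end IP precedes start IP")
    # Split the arbitrary range into CIDR blocks so the overlap test is
    # network-to-network rather than address-by-address.
    blocks = list(ipaddress.summarize_address_range(start, end))
    hits = []
    for name, cidr in subnets.items():
        net = ipaddress.ip_network(cidr, strict=False)
        if any(block.overlaps(net) for block in blocks):
            hits.append(name)
    return hits


if __name__ == "__main__":
    # The pool the thread ends up using does not touch any of the placeholder subnets.
    print(pool_overlaps("100.100.100.1", "100.100.100.10"))
    # A pool carved out of the LAN subnet is exactly the misconfiguration that
    # leaves the tunnel up but the remote LAN unreachable.
    print(pool_overlaps("192.168.1.200", "192.168.1.210"))
```

The 100.100.100.x pool used in the thread falls inside 100.64.0.0/10 (RFC 6598 shared address space); if the WAN interface ever receives a carrier-grade NAT address from that block, the check above would report the conflict.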




All Replies

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,396  Zyxel Employee
    We need to check the configuration file of your device.
    Could you share the startup-config.conf with me in private message?
    I will contact you in private message for the configuration file.

