VPN on USG20-VPN - connected, but not passing traffic
I followed the directions in the KB above, and am able to open my VPN connection and connect to the USG20-VPN. I'm unable to ping the VPN gateway, or any clients behind the USG20-VPN from my remote client. From my client behind the USG20-VPN, I am able to ping the gateway, but not my remote VPN client (yes, I've verified ping is enabled on both clients). If I look under the VPN Monitor, I can see that inbound traffic is being passed into the Zyxel, but outbound traffic is still sitting at 0 bytes. So for some reason, outbound traffic on the VPN tunnel is not sending for some reason.
I'm stumped as to what is causing this issue - can anyone help provide some insight into this issue? Thanks!
All Replies
-
Hi @ZyxelNewb
The IPSec VPN Client will create a routing table automatically after VPN tunnel is established.
So it means, in local policy setting must be the IP subnet which is belonging to your USG. (e.g. LAN1 subnet)
If you entered a subnet which not belonging USG, then traffic will not pass through to VPN tunnel.
You can make sure if VPN local policy setting is correct, and also check policy control setting avoids traffic been dropped.
1 -
I am having the same issue.
I do not understand what you are saying though. Where do I check to make sure that the Subnet is allowed to pass traffic? What policy control settings specifically should be checked?
Also on my windows 10 device, if I do a 'route print' I do not see a route setup to send any of my traffic over the VPN connection0 -
I'm in the same position, I haven't been able to get this issue figured out yet either. The subnet I entered is the LAN subnet being used by the USG device, but I'm not getting any routing to my internal LAN subnet from the VPN client.
0 -
Hi @ZyxelNewb,
Enable Mode config for IPSec VPN client connection
Go to CONFIGURATION > VPN > IPSec VPN > VPN connection.
Then you don't have to manually configure VPN client address on the ZyWALL IPSec VPN client.
Attached are the guide and configuration file for your reference.
In the configuration file, just modify the WAN IP address.
The pre-shared key is 1234512345 and the password for the user "vpntest" is 123456.
You can modify the value by yourself.
On the ZyWALL IPSec VPN client, follow the steps in the guide to download VPN configuration from the server.
Test Result:
VPN client can ping LAN gateway 192.168.1.1 successfully.
Ping 8.8.8.8 successfully.
See how you've made an impact in Zyxel Community this year!
https://bit.ly/Your2024Moments_Community0 -
Disregard0
-
I've configured the VPN per the documentation you've attached, but I can't get my user to log in. It keeps showing "Authentication Failed: Wrong login/password". I'm 100% sure the username and password are correct though. In the system logs, I see a log entry for my vpn user logged into the device from my client IP address, then immediately follows with a second entry that my vpn user has logged out from the device. Thoughts on what my issue is at this point? I've attached a slightly scrubbed version of my config as well, thanks for your help.0
-
I should also note, that I've uploaded your config file (the only thing I've changed was the LAN 1 address/subnet, because the 192.168.1.0/24 was already being used on the WAN side), and am able to connect to the USG20 now via IPSec VPN with my test client (I still don't see what's different in your config, vs what I had setup with the QuickVPN wizard though). However - the VPN still won't pass traffic. I can't get to anything on the LAN 1 interface from my VPN client, nor can I get to any internet resources via the VPN client. I am getting an IP address on the VPN client subnet of 192.168.99.x, which seems to be right.0
-
Disregard, I forgot to update the address in the WIZ_VPN_PROVISIONING_LOCAL group to the 192.168.10.0/24 subnet I changed it to.
I'm still not sure of what the difference is between your working config that you posted, and my config. Even if I start from a factory reset, run through the VPN wizard per your documentation, I still get the error about the invalid username/password?0 -
Hi @ZyxelNewb,Although you add a rule in Configuration Provisioning, the rule is not activated.VPN rule settings can only be retrieved when the entry is "activated" (and Enable Configuration Provisioning is also selected).Besides, you need to create a user for VPN provisioning because admin account cannot be used for provisioning even if “any” is configured as Allowed User.
See how you've made an impact in Zyxel Community this year!
https://bit.ly/Your2024Moments_Community0 -
This is how I FINALLY was able to browse the network behind the USG. I don't get why noone in Zyxel mentions this when creating all the tutorials. (Or maybe what I have done opens the gates of Internet hell, and I just don't understand the consequenses of my actions...)
Configuration->Object->Zone
I made sure that in the IPSec_VPN zone, my VPN tunnel was a member.Configuration->Security Policy->Policy Control
I added and enabled a new rule:- Name: For instance VPN_TO_DEVICE
- From: IPSec_VPN
- To: any (Excluding ZyWALL)
- Source: any
- Destination: any
- Service: any
- User: any
- Schedule: none
- Action: Allow
- Log matched traffic: no
0
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 147 Nebula Ideas
- 96 Nebula Status and Incidents
- 5.7K Security
- 262 USG FLEX H Series
- 271 Security Ideas
- 1.4K Switch
- 74 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.4K Consumer Product
- 249 Service & License
- 387 News and Release
- 84 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.5K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 85 About Community
- 73 Security Highlight